From: Saeed Mahameed
To: Vladimir Oltean
Cc: netdev@vger.kernel.org, Andrew Lunn, Florian Fainelli, Vladimir Oltean, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Subject: Re: [PATCH net] net: dsa: don't leak tagger-owned storage on switch driver unbind
Date: Tue, 15 Nov 2022 13:57:33 -0800
In-Reply-To: <20221114143551.1906361-1-vladimir.oltean@nxp.com>

On 14 Nov 16:35, Vladimir Oltean wrote:
>In the initial commit dc452a471dba ("net: dsa: introduce tagger-owned
>storage for private and shared data"), we had a call to
>tag_ops->disconnect(dst) issued from dsa_tree_free(), which is called at
>tree teardown time.
>
>There were problems with connecting to a switch tree as a whole, so this
>got reworked to connecting to individual switches within the tree. In
>this process, tag_ops->disconnect(ds) was made to be called only from
>switch.c (cross-chip notifiers emitted as a result of dynamic tag proto
>changes), but the normal driver teardown code path wasn't replaced with
>anything.
>
>Solve this problem by adding a function that does the opposite of
>dsa_switch_setup_tag_protocol(), which is called from the equivalent
>spot in dsa_switch_teardown(). The positioning here also ensures that we
>won't have any use-after-free in tagging protocol (*rcv) ops, since the
>teardown sequence is as follows:
>
>dsa_tree_teardown
>-> dsa_tree_teardown_master
>   -> dsa_master_teardown
>      -> unsets master->dsa_ptr, making no further packets match the
>         ETH_P_XDSA packet type handler
>-> dsa_tree_teardown_ports
>   -> dsa_port_teardown
>      -> dsa_slave_destroy
>         -> unregisters DSA net devices, there is even a synchronize_net()
>            in unregister_netdevice_many()
>-> dsa_tree_teardown_switches
>   -> dsa_switch_teardown
>      -> dsa_switch_teardown_tag_protocol
>         -> finally frees the tagger-owned storage
>
>Fixes: 7f2973149c22 ("net: dsa: make tagging protocols connect to individual switches from a tree")
>Signed-off-by: Vladimir Oltean

Reviewed-by: Saeed Mahameed
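
The leak and the teardown ordering described in the quoted commit message, as a userspace C model added here; it is not the kernel patch or DSA code. `struct sw`, the `demo_*` functions, `sw_teardown()`, `cycle()` and the `fixed` flag are hypothetical names, and `rx_hooked` stands in for `master->dsa_ptr`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model, not kernel code; all names here are hypothetical. */
struct sw;
struct tag_ops { int (*connect)(struct sw *); void (*disconnect)(struct sw *); };
struct sw {
    const struct tag_ops *ops;
    void *tagger_data;   /* tagger-owned storage */
    int rx_hooked;       /* models master->dsa_ptr being set */
};
static int live_allocs;  /* outstanding tagger allocations */
static int demo_connect(struct sw *ds) {
    ds->tagger_data = calloc(1, 64);
    if (!ds->tagger_data) return -1;
    live_allocs++;
    return 0;
}
static void demo_disconnect(struct sw *ds) {
    free(ds->tagger_data);
    ds->tagger_data = NULL;
    live_allocs--;
}
static const struct tag_ops demo_ops = { demo_connect, demo_disconnect };
/* rcv path: -1 = frame never reaches the tagger, -2 = storage already freed */
static int demo_rcv(const struct sw *ds) {
    return !ds->rx_hooked ? -1 : (ds->tagger_data ? 0 : -2);
}
/* fixed == 0 models the unbind path that never calls disconnect */
static void sw_teardown(struct sw *ds, int fixed) {
    ds->rx_hooked = 0;                   /* unhook rcv first */
    if (fixed) ds->ops->disconnect(ds);  /* free tagger storage last */
}
/* One setup/teardown cycle: returns leaked allocations, stores a late rcv result. */
int cycle(int fixed, int *late_rcv) {
    struct sw ds = { .ops = &demo_ops };
    live_allocs = 0;
    if (ds.ops->connect(&ds)) return -1;
    ds.rx_hooked = 1;
    sw_teardown(&ds, fixed);
    *late_rcv = demo_rcv(&ds);           /* a frame arriving after teardown */
    int leaked = live_allocs;
    free(ds.tagger_data);                /* tidy up the demo's own leak */
    return leaked;
}
int main(void) {
    int r = 0, before = cycle(0, &r), after = cycle(1, &r);
    printf("leaked before fix=%d, after fix=%d, late rcv=%d\n", before, after, r);
    return 0;
}
```

Because the receive hook is cleared before the storage is freed, `demo_rcv()` never reaches the `-2` branch in either cycle, which is the ordering property the commit message relies on.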