[PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact_entry
@ 2024-03-01  8:06 Horatiu Vultur
  2024-03-04 15:50 ` Simon Horman
  2024-03-05  4:50 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Horatiu Vultur @ 2024-03-01  8:06 UTC (permalink / raw)
  To: davem, edumazet, kuba, pabeni, lars.povlsen, Steen.Hegelund,
	daniel.machon, UNGLinuxDriver, bjarni.jonasson
  Cc: netdev, linux-arm-kernel, linux-kernel, Horatiu Vultur

Based on the static analyzis of the code it looks like when an entry
from the MAC table was removed, the entry was still used after being
freed. More precise the vid of the mac_entry was used after calling
devm_kfree on the mac_entry.
The fix consists in first using the vid of the mac_entry to delete the
entry from the HW and after that to free it.

Fixes: b37a1bae742f ("net: sparx5: add mactable support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
---
 drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
index 4af285918ea2a..75868b3f548ec 100644
--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
@@ -347,10 +347,10 @@ int sparx5_del_mact_entry(struct sparx5 *sparx5,
 				 list) {
 		if ((vid == 0 || mact_entry->vid == vid) &&
 		    ether_addr_equal(addr, mact_entry->mac)) {
+			sparx5_mact_forget(sparx5, addr, mact_entry->vid);
+
 			list_del(&mact_entry->list);
 			devm_kfree(sparx5->dev, mact_entry);
-
-			sparx5_mact_forget(sparx5, addr, mact_entry->vid);
 		}
 	}
 	mutex_unlock(&sparx5->mact_lock);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact_entry
  2024-03-01  8:06 [PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact_entry Horatiu Vultur
@ 2024-03-04 15:50 ` Simon Horman
  2024-03-05  4:50 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Simon Horman @ 2024-03-04 15:50 UTC (permalink / raw)
  To: Horatiu Vultur
  Cc: davem, edumazet, kuba, pabeni, lars.povlsen, Steen.Hegelund,
	daniel.machon, UNGLinuxDriver, bjarni.jonasson, netdev,
	linux-arm-kernel, linux-kernel

On Fri, Mar 01, 2024 at 09:06:08AM +0100, Horatiu Vultur wrote:
> Based on the static analyzis of the code it looks like when an entry
> from the MAC table was removed, the entry was still used after being
> freed. More precise the vid of the mac_entry was used after calling
> devm_kfree on the mac_entry.
> The fix consists in first using the vid of the mac_entry to delete the
> entry from the HW and after that to free it.
> 
> Fixes: b37a1bae742f ("net: sparx5: add mactable support")
> Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>

Reviewed-by: Simon Horman <horms@kernel.org>


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact_entry
  2024-03-01  8:06 [PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact_entry Horatiu Vultur
  2024-03-04 15:50 ` Simon Horman
@ 2024-03-05  4:50 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-03-05  4:50 UTC (permalink / raw)
  To: Horatiu Vultur
  Cc: davem, edumazet, kuba, pabeni, lars.povlsen, Steen.Hegelund,
	daniel.machon, UNGLinuxDriver, bjarni.jonasson, netdev,
	linux-arm-kernel, linux-kernel

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 1 Mar 2024 09:06:08 +0100 you wrote:
> Based on the static analyzis of the code it looks like when an entry
> from the MAC table was removed, the entry was still used after being
> freed. More precise the vid of the mac_entry was used after calling
> devm_kfree on the mac_entry.
> The fix consists in first using the vid of the mac_entry to delete the
> entry from the HW and after that to free it.
> 
> [...]

Here is the summary with links:
  - [net] net: sparx5: Fix use after free inside sparx5_del_mact_entry
    https://git.kernel.org/netdev/net/c/89d72d4125e9

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2024-03-05  4:50 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-01  8:06 [PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact_entry Horatiu Vultur
2024-03-04 15:50 ` Simon Horman
2024-03-05  4:50 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).