Home Explore Help
Register Sign In
OpenWrt
/
openwrt
mirror of https://github.com/openwrt/openwrt.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: 5ef783c1b2
Branches Tags
openwrt
/
target
/
linux
/
generic
/
backport-5.15
/
730-11-v6.3-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch

730-11-v6.3-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch 1.6 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152 
  1. From: Felix Fietkau <[email protected]>
    2. 

  2. Date: Thu, 17 Nov 2022 11:58:21 +0100
    3. 

  3. Subject: [PATCH] net: ethernet: mtk_eth_soc: fix flow_offload related refcount
    4. 

  4.  bug
    5. 

  5. 

  6. Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we need to call
    7. 

  7. flow_block_cb_incref unconditionally, even for a newly allocated cb.
    8. 

  8. Fixes a use-after-free bug
    9. 

  9. 

  10. Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support")
    11. 

  11. Signed-off-by: Felix Fietkau <[email protected]>
    12. 

  12. ---
    13. 

  13. 

  14. --- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
    15. 

  15. +++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
    16. 

  16. @@ -554,6 +554,7 @@ mtk_eth_setup_tc_block(struct net_device
    17. 

  17.  	struct mtk_eth *eth = mac->hw;
    18. 

  18.  	static LIST_HEAD(block_cb_list);
    19. 

  19.  	struct flow_block_cb *block_cb;
    20. 

  20. +	bool register_block = false;
    21. 

  21.  	flow_setup_cb_t *cb;
    22. 

  22.  
    23. 

  23.  	if (!eth->soc->offload_version)
    24. 

  24. @@ -568,16 +569,20 @@ mtk_eth_setup_tc_block(struct net_device
    25. 

  25.  	switch (f->command) {
    26. 

  26.  	case FLOW_BLOCK_BIND:
    27. 

  27.  		block_cb = flow_block_cb_lookup(f->block, cb, dev);
    28. 

  28. -		if (block_cb) {
    29. 

  29. -			flow_block_cb_incref(block_cb);
    30. 

  30. -			return 0;
    31. 

  31. +		if (!block_cb) {
    32. 

  32. +			block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
    33. 

  33. +			if (IS_ERR(block_cb))
    34. 

  34. +				return PTR_ERR(block_cb);
    35. 

  35. +
    36. 

  36. +			register_block = true;
    37. 

  37.  		}
    38. 

  38. -		block_cb = flow_block_cb_alloc(cb, dev, dev, NULL);
    39. 

  39. -		if (IS_ERR(block_cb))
    40. 

  40. -			return PTR_ERR(block_cb);
    41. 

  41.  
    42. 

  42. -		flow_block_cb_add(block_cb, f);
    43. 

  43. -		list_add_tail(&block_cb->driver_list, &block_cb_list);
    44. 

  44. +		flow_block_cb_incref(block_cb);
    45. 

  45. +
    46. 

  46. +		if (register_block) {
    47. 

  47. +			flow_block_cb_add(block_cb, f);
    48. 

  48. +			list_add_tail(&block_cb->driver_list, &block_cb_list);
    49. 

  49. +		}
    50. 

  50.  		return 0;
    51. 

  51.  	case FLOW_BLOCK_UNBIND:
    52. 

  52.  		block_cb = flow_block_cb_lookup(f->block, cb, dev);
    53.