f3d591ec0edd0b041586d5994a4c4040de9775a9
1 From fad6f73dc4367adb852ce6953f93f12cbb97b894 Mon Sep 17 00:00:00 2001
2 From: Camelia Groza <camelia.groza@nxp.com>
3 Date: Fri, 18 May 2018 10:33:37 +0300
4 Subject: [PATCH] sdk_dpaa: ceetm: avoid use-after-free scenarios
5
6 Once the pfifo qdiscs are grafted to the netdev queues, they are destroyed
7 by the kernel when required. Remove references to the pfifo qdiscs after
8 grafting, in order to avoid double free scenarios.
9
10 Signed-off-by: Camelia Groza <camelia.groza@nxp.com>
11 ---
12 .../ethernet/freescale/sdk_dpaa/dpaa_eth_ceetm.c | 23 +++++++++++++++++++---
13 1 file changed, 20 insertions(+), 3 deletions(-)
14
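--- a/drivers/net/ethernet/freescale/sdk_dpaa/dpaa_eth_ceetm.c
+++ b/drivers/net/ethernet/freescale/sdk_dpaa/dpaa_eth_ceetm.c
@@ -477,7 +477,9 @@ static void ceetm_destroy(struct Qdisc *
 if (!priv->root.qdiscs)
 break;
 
- /* Remove the pfifo qdiscs */
+ /* Destroy the pfifo qdiscs in case they haven't been attached
+ * to the netdev queues yet.
+ */
 for (ntx = 0; ntx < dev->num_tx_queues; ntx++)
 if (priv->root.qdiscs[ntx])
 qdisc_destroy(priv->root.qdiscs[ntx]);
@@ -608,7 +610,16 @@ static int ceetm_init_root(struct Qdisc
 goto err_init_root;
 }
 
- /* pre-allocate underlying pfifo qdiscs */
+ /* Pre-allocate underlying pfifo qdiscs.
+ *
+ * We want to offload shaping and scheduling decisions to the hardware.
+ * The pfifo qdiscs will be attached to the netdev queues and will
+ * guide the traffic from the IP stack down to the driver with minimum
+ * interference.
+ *
+ * The CEETM qdiscs and classes will be crossed when the traffic
+ * reaches the driver.
+ */
 priv->root.qdiscs = kcalloc(dev->num_tx_queues,
 sizeof(priv->root.qdiscs[0]),
 GFP_KERNEL);
@@ -1280,7 +1291,10 @@ static int ceetm_change(struct Qdisc *sc
 return ret;
 }
 
-/* Attach the underlying pfifo qdiscs */
+/* Graft the underlying pfifo qdiscs to the netdev queues.
+ * It's safe to remove our references at this point, since the kernel will
+ * destroy the qdiscs on its own and no cleanup from our part is required.
+ */
 static void ceetm_attach(struct Qdisc *sch)
 {
 struct net_device *dev = qdisc_dev(sch);
@@ -1296,6 +1310,9 @@ static void ceetm_attach(struct Qdisc *s
 if (old_qdisc)
 qdisc_destroy(old_qdisc);
 }
+
+ kfree(priv->root.qdiscs);
+ priv->root.qdiscs = NULL;
 }
 
 static unsigned long ceetm_cls_search(struct Qdisc *sch, u32 handle)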
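Review bot: After the added `kfree(priv->root.qdiscs); priv->root.qdiscs = NULL;` at the end of ceetm_attach, the only visible reader that tolerates the NULL array is ceetm_destroy, through its existing `if (!priv->root.qdiscs) break;`. The graft loop in ceetm_attach begins outside the hunk; if it indexes `priv->root.qdiscs[i]`, as the surrounding code suggests, a second call to attach would dereference NULL, so an early `if (!priv->root.qdiscs) return;` ahead of the loop would close that path. Any other user of the array elsewhere in the file (not shown here) needs the same check. The new function comment should also say that the array is NULL once attach has run and that ceetm_destroy's early break relies on this, so a later change does not reintroduce the double free.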