From: Felix Fietkau Date: Mon, 20 Mar 2023 17:06:23 +0000 (+0100) Subject: kernel: move mediatek flow offload refcount fix and fix a logic error X-Git-Tag: v23.05.0-rc1~740 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=1d8baafc438d9beff25e04550b1f894aab771bfe;p=openwrt%2Fstaging%2Fhauke.git kernel: move mediatek flow offload refcount fix and fix a logic error Move it to pending, since it wasn't actually accepted upstream yet. Fixes potential issues when doing offload between multiple MACs. Signed-off-by: Felix Fietkau --- diff --git a/target/linux/generic/backport-5.15/730-11-v6.3-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch b/target/linux/generic/backport-5.15/730-11-v6.3-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch deleted file mode 100644 index 54e48df444..0000000000 --- a/target/linux/generic/backport-5.15/730-11-v6.3-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch +++ /dev/null @@ -1,52 +0,0 @@ -From: Felix Fietkau -Date: Thu, 17 Nov 2022 11:58:21 +0100 -Subject: [PATCH] net: ethernet: mtk_eth_soc: fix flow_offload related refcount - bug - -Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we need to call -flow_block_cb_incref unconditionally, even for a newly allocated cb. -Fixes a use-after-free bug - -Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support") -Signed-off-by: Felix Fietkau ---- - ---- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c -+++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c -@@ -554,6 +554,7 @@ mtk_eth_setup_tc_block(struct net_device - struct mtk_eth *eth = mac->hw; - static LIST_HEAD(block_cb_list); - struct flow_block_cb *block_cb; -+ bool register_block = false; - flow_setup_cb_t *cb; - - if (!eth->soc->offload_version) -@@ -568,16 +569,20 @@ mtk_eth_setup_tc_block(struct net_device - switch (f->command) { - case FLOW_BLOCK_BIND: - block_cb = flow_block_cb_lookup(f->block, cb, dev); -- if (block_cb) { -- flow_block_cb_incref(block_cb); -- return 0; -+ if (!block_cb) { -+ block_cb = flow_block_cb_alloc(cb, dev, dev, NULL); -+ if (IS_ERR(block_cb)) -+ return PTR_ERR(block_cb); -+ -+ register_block = true; - } -- block_cb = flow_block_cb_alloc(cb, dev, dev, NULL); -- if (IS_ERR(block_cb)) -- return PTR_ERR(block_cb); - -- flow_block_cb_add(block_cb, f); -- list_add_tail(&block_cb->driver_list, &block_cb_list); -+ flow_block_cb_incref(block_cb); -+ -+ if (register_block) { -+ flow_block_cb_add(block_cb, f); -+ list_add_tail(&block_cb->driver_list, &block_cb_list); -+ } - return 0; - case FLOW_BLOCK_UNBIND: - block_cb = flow_block_cb_lookup(f->block, cb, dev); diff --git a/target/linux/generic/pending-5.15/735-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch b/target/linux/generic/pending-5.15/735-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch new file mode 100644 index 0000000000..acbdec2159 --- /dev/null +++ b/target/linux/generic/pending-5.15/735-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch @@ -0,0 +1,61 @@ +From: Felix Fietkau +Date: Mon, 20 Mar 2023 15:49:15 +0100 +Subject: [PATCH] net: ethernet: mtk_eth_soc: fix flow_offload related refcount + bug + +Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we need to call +flow_block_cb_incref unconditionally, even for a newly allocated cb. +Fixes a use-after-free bug. Also fix the accidentally inverted refcount +check on unbind. + +Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support") +Signed-off-by: Felix Fietkau +--- + +--- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c ++++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c +@@ -561,6 +561,7 @@ mtk_eth_setup_tc_block(struct net_device + struct mtk_eth *eth = mac->hw; + static LIST_HEAD(block_cb_list); + struct flow_block_cb *block_cb; ++ bool register_block = false; + flow_setup_cb_t *cb; + + if (!eth->soc->offload_version) +@@ -575,23 +576,27 @@ mtk_eth_setup_tc_block(struct net_device + switch (f->command) { + case FLOW_BLOCK_BIND: + block_cb = flow_block_cb_lookup(f->block, cb, dev); +- if (block_cb) { +- flow_block_cb_incref(block_cb); +- return 0; ++ if (!block_cb) { ++ block_cb = flow_block_cb_alloc(cb, dev, dev, NULL); ++ if (IS_ERR(block_cb)) ++ return PTR_ERR(block_cb); ++ ++ register_block = true; + } +- block_cb = flow_block_cb_alloc(cb, dev, dev, NULL); +- if (IS_ERR(block_cb)) +- return PTR_ERR(block_cb); + +- flow_block_cb_add(block_cb, f); +- list_add_tail(&block_cb->driver_list, &block_cb_list); ++ flow_block_cb_incref(block_cb); ++ ++ if (register_block) { ++ flow_block_cb_add(block_cb, f); ++ list_add_tail(&block_cb->driver_list, &block_cb_list); ++ } + return 0; + case FLOW_BLOCK_UNBIND: + block_cb = flow_block_cb_lookup(f->block, cb, dev); + if (!block_cb) + return -ENOENT; + +- if (flow_block_cb_decref(block_cb)) { ++ if (!flow_block_cb_decref(block_cb)) { + flow_block_cb_remove(block_cb, f); + list_del(&block_cb->driver_list); + }