system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-09-21 11:38:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/include
History
Vladimir Oltean e1846cff2f net: mscc: ocelot: mark traps with a bool instead of keeping them in a list 
Since the blamed commit, VCAP filters can appear on more than one list.
If their action is "trap", they are chained on ocelot->traps via
filter->trap_list. This is in addition to their normal placement on the
VCAP block->rules list head.

Therefore, when we free a VCAP filter, we must remove it from all lists
it is a member of, including ocelot->traps.

There are at least 2 bugs which are direct consequences of this design
decision.

First is the incorrect usage of list_empty(), meant to denote whether
"filter" is chained into ocelot->traps via filter->trap_list.
This does not do the correct thing, because list_empty() checks whether
"head->next == head", but in our case, head->next == head->prev == NULL.
So we dereference NULL pointers and die when we call list_del().

Second is the fact that not all places that should remove the filter
from ocelot->traps do so. One example is ocelot_vcap_block_remove_filter(),
which is where we have the main kfree(filter). By keeping freed filters
in ocelot->traps we end up in a use-after-free in
felix_update_trapping_destinations().

Attempting to fix all the buggy patterns is a whack-a-mole game which
makes the driver unmaintainable. Actually this is what the previous
patch version attempted to do:
https://patchwork.kernel.org/project/netdevbpf/patch/20220503115728.834457-3-vladimir.oltean@nxp.com/

but it introduced another set of bugs, because there are other places in
which create VCAP filters, not just ocelot_vcap_filter_create():

- ocelot_trap_add()
- felix_tag_8021q_vlan_add_rx()
- felix_tag_8021q_vlan_add_tx()

Relying on the convention that all those code paths must call
INIT_LIST_HEAD(&filter->trap_list) is not going to scale.

So let's do what should have been done in the first place and keep a
bool in struct ocelot_vcap_filter which denotes whether we are looking
at a trapping rule or not. Iterating now happens over the main VCAP IS2
block->rules. The advantage is that we no longer risk having stale
references to a freed filter, since it is only present in that list.

Fixes: e42bd4ed09 ("net: mscc: ocelot: keep traps in a list")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-05-05 19:15:14 -07:00
..
acpi ACPI: bus: Eliminate acpi_bus_get_device() 2022-04-05 19:49:26 +02:00
asm-generic bug: Have __warn() prototype defined unconditionally 2022-04-26 10:59:57 +02:00
clocksource
crypto
drm
dt-bindings dt-bindings: clk: mpfs: add defines for two new clocks 2022-04-22 18:40:15 -07:00
keys
kunit
kvm
linux net: Fix features skip in for_each_netdev_feature() 2022-05-05 18:25:57 -07:00
math-emu
media
memory memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode 2022-04-21 17:00:24 +02:00
misc
net secure_seq: use the 64 bits of the siphash for port offset calculation 2022-05-04 19:22:20 -07:00
pcmcia
ras mm/memory-failure.c: fix race with changing page compound again 2022-03-22 15:57:07 -07:00
rdma
scsi scsi: iscsi: Fix NOP handling during conn recovery 2022-04-11 22:09:35 -04:00
soc net: mscc: ocelot: mark traps with a bool instead of keeping them in a list 2022-05-05 19:15:14 -07:00
sound ASoC: Fixes for v5.18 2022-04-19 17:26:01 +02:00
target
trace NFSD bug fixes for 5.18-rc: 2022-04-12 14:23:19 -10:00
uapi ARM: 2022-05-01 11:49:32 -07:00
vdso
video
xen