Patch "net: sparx5: Fix use after free inside sparx5_del_mact_entry" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 8 Mar 2024 12:03:49 -0500

This is a note to let you know that I've just added the patch titled

    net: sparx5: Fix use after free inside sparx5_del_mact_entry

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-sparx5-fix-use-after-free-inside-sparx5_del_mact.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6fb2ff843cc6d7b46d6ae3af070415bdbf6f5841
Author: Horatiu Vultur <horatiu.vultur@xxxxxxxxxxxxx>
Date:   Fri Mar 1 09:06:08 2024 +0100

    net: sparx5: Fix use after free inside sparx5_del_mact_entry
    
    [ Upstream commit 89d72d4125e94aa3c2140fedd97ce07ba9e37674 ]
    
    Based on the static analyzis of the code it looks like when an entry
    from the MAC table was removed, the entry was still used after being
    freed. More precise the vid of the mac_entry was used after calling
    devm_kfree on the mac_entry.
    The fix consists in first using the vid of the mac_entry to delete the
    entry from the HW and after that to free it.
    
    Fixes: b37a1bae742f ("net: sparx5: add mactable support")
    Signed-off-by: Horatiu Vultur <horatiu.vultur@xxxxxxxxxxxxx>
    Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240301080608.3053468-1-horatiu.vultur@xxxxxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
index 4af285918ea2a..75868b3f548ec 100644
--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
@@ -347,10 +347,10 @@ int sparx5_del_mact_entry(struct sparx5 *sparx5,
 				 list) {
 		if ((vid == 0 || mact_entry->vid == vid) &&
 		    ether_addr_equal(addr, mact_entry->mac)) {
+			sparx5_mact_forget(sparx5, addr, mact_entry->vid);
+
 			list_del(&mact_entry->list);
 			devm_kfree(sparx5->dev, mact_entry);
-
-			sparx5_mact_forget(sparx5, addr, mact_entry->vid);
 		}
 	}
 	mutex_unlock(&sparx5->mact_lock);







