Patch "mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mlxsw-spectrum_acl_tcam-fix-possible-use-after-free-.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2a32829fcb6c507483dfbe861238dbd9822b69cd
Author: Ido Schimmel <idosch@xxxxxxxxxx>
Date:   Mon Apr 22 17:25:57 2024 +0200

    mlxsw: spectrum_acl_tcam: Fix possible use-after-free during rehash
    
    [ Upstream commit 54225988889931467a9b55fdbef534079b665519 ]
    
    The rehash delayed work migrates filters from one region to another
    according to the number of available credits.
    
    The migrated from region is destroyed at the end of the work if the
    number of credits is non-negative as the assumption is that this is
    indicative of migration being complete. This assumption is incorrect as
    a non-negative number of credits can also be the result of a failed
    migration.
    
    The destruction of a region that still has filters referencing it can
    result in a use-after-free [1].
    
    Fix by not destroying the region if migration failed.
    
    [1]
    BUG: KASAN: slab-use-after-free in mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
    Read of size 8 at addr ffff8881735319e8 by task kworker/0:31/3858
    
    CPU: 0 PID: 3858 Comm: kworker/0:31 Tainted: G        W          6.9.0-rc2-custom-00782-gf2275c2157d8 #5
    Hardware name: Mellanox Technologies Ltd. MSN3700/VMOD0005, BIOS 5.11 01/06/2019
    Workqueue: mlxsw_core mlxsw_sp_acl_tcam_vregion_rehash_work
    Call Trace:
     <TASK>
     dump_stack_lvl+0xc6/0x120
     print_report+0xce/0x670
     kasan_report+0xd7/0x110
     mlxsw_sp_acl_ctcam_region_entry_remove+0x21d/0x230
     mlxsw_sp_acl_ctcam_entry_del+0x2e/0x70
     mlxsw_sp_acl_atcam_entry_del+0x81/0x210
     mlxsw_sp_acl_tcam_vchunk_migrate_all+0x3cd/0xb50
     mlxsw_sp_acl_tcam_vregion_rehash_work+0x157/0x1300
     process_one_work+0x8eb/0x19b0
     worker_thread+0x6c9/0xf70
     kthread+0x2c9/0x3b0
     ret_from_fork+0x4d/0x80
     ret_from_fork_asm+0x1a/0x30
     </TASK>
    
    Allocated by task 174:
     kasan_save_stack+0x33/0x60
     kasan_save_track+0x14/0x30
     __kasan_kmalloc+0x8f/0xa0
     __kmalloc+0x19c/0x360
     mlxsw_sp_acl_tcam_region_create+0xdf/0x9c0
     mlxsw_sp_acl_tcam_vregion_rehash_work+0x954/0x1300
     process_one_work+0x8eb/0x19b0
     worker_thread+0x6c9/0xf70
     kthread+0x2c9/0x3b0
     ret_from_fork+0x4d/0x80
     ret_from_fork_asm+0x1a/0x30
    
    Freed by task 7:
     kasan_save_stack+0x33/0x60
     kasan_save_track+0x14/0x30
     kasan_save_free_info+0x3b/0x60
     poison_slab_object+0x102/0x170
     __kasan_slab_free+0x14/0x30
     kfree+0xc1/0x290
     mlxsw_sp_acl_tcam_region_destroy+0x272/0x310
     mlxsw_sp_acl_tcam_vregion_rehash_work+0x731/0x1300
     process_one_work+0x8eb/0x19b0
     worker_thread+0x6c9/0xf70
     kthread+0x2c9/0x3b0
     ret_from_fork+0x4d/0x80
     ret_from_fork_asm+0x1a/0x30
    
    Fixes: c9c9af91f1d9 ("mlxsw: spectrum_acl: Allow to interrupt/continue rehash work")
    Signed-off-by: Ido Schimmel <idosch@xxxxxxxxxx>
    Tested-by: Alexander Zubkov <green@xxxxxxxxxx>
    Reviewed-by: Petr Machata <petrm@xxxxxxxxxx>
    Signed-off-by: Petr Machata <petrm@xxxxxxxxxx>
    Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/3e412b5659ec2310c5c615760dfe5eac18dd7ebd.1713797103.git.petrm@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
index 8cbce127d231d..44c750e1025ac 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_tcam.c
@@ -1548,6 +1548,7 @@ mlxsw_sp_acl_tcam_vregion_rehash(struct mlxsw_sp *mlxsw_sp,
 						ctx, credits);
 	if (err) {
 		dev_err(mlxsw_sp->bus_info->dev, "Failed to migrate vregion\n");
+		return;
 	}
 
 	if (*credits >= 0)




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux