Message ID | tencent_7962673263816B802001C50C5EE77D0DF405@qq.com (mailing list archive) |
---|---|
State | Accepted |
Commit | db1b4bedb9b97c6d34b03d03815147c04fffe8b4 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() | expand |
Hello: This patch was applied to netdev/net.git (main) by David S. Miller <davem@davemloft.net>: On Sat, 10 Aug 2024 13:26:51 +0800 you wrote: > From: Zheng Zhang <everything411@qq.com> > > When there are multiple ap interfaces on one band and with WED on, > turning the interface down will cause a kernel panic on MT798X. > > Previously, cb_priv was freed in mtk_wed_setup_tc_block() without > marking NULL,and mtk_wed_setup_tc_block_cb() didn't check the value, too. > > [...] Here is the summary with links: - net: ethernet: mtk_wed: fix use-after-free panic in mtk_wed_setup_tc_block_cb() https://git.kernel.org/netdev/net/c/db1b4bedb9b9 You are awesome, thank you!
diff --git a/drivers/net/ethernet/mediatek/mtk_wed.c b/drivers/net/ethernet/mediatek/mtk_wed.c index 61334a71058c..68c49df80f43 100644 --- a/drivers/net/ethernet/mediatek/mtk_wed.c +++ b/drivers/net/ethernet/mediatek/mtk_wed.c @@ -2666,14 +2666,15 @@ mtk_wed_setup_tc_block_cb(enum tc_setup_type type, void *type_data, void *cb_pri { struct mtk_wed_flow_block_priv *priv = cb_priv; struct flow_cls_offload *cls = type_data; - struct mtk_wed_hw *hw = priv->hw; + struct mtk_wed_hw *hw = NULL; - if (!tc_can_offload(priv->dev)) + if (!priv || !tc_can_offload(priv->dev)) return -EOPNOTSUPP; if (type != TC_SETUP_CLSFLOWER) return -EOPNOTSUPP; + hw = priv->hw; return mtk_flow_offload_cmd(hw->eth, cls, hw->index); } @@ -2729,6 +2730,7 @@ mtk_wed_setup_tc_block(struct mtk_wed_hw *hw, struct net_device *dev, flow_block_cb_remove(block_cb, f); list_del(&block_cb->driver_list); kfree(block_cb->cb_priv); + block_cb->cb_priv = NULL; } return 0; default: