Commit 9ced9346 authored by Jianbo Liu's avatar Jianbo Liu Committed by Dong Chenchen

net/mlx5e: Skip restore TC rules for vport rep without loaded flag

stable inclusion
from stable-v6.6.70
commit 3e45dd1622a2c1a83c11bf42fdd8c1810123d6c0
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBID2C
CVE: CVE-2024-57801

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3e45dd1622a2c1a83c11bf42fdd8c1810123d6c0



--------------------------------

[ Upstream commit 5a03b368562a7ff5f5f1f63b5adf8309cbdbd5be ]

During driver unload, unregister_netdev is called after unloading
vport rep. So, the mlx5e_rep_priv is already freed while trying to get
rpriv->netdev, or walk rpriv->tc_ht, which results in use-after-free.
So add a check to make sure we only access the data of a vport rep that
is still loaded.

Fixes: d1569537 ("net/mlx5e: Modify and restore TC rules for IPSec TX rules")
Signed-off-by: default avatarJianbo Liu <jianbol@nvidia.com>
Reviewed-by: default avatarSaeed Mahameed <saeedm@nvidia.com>
Signed-off-by: default avatarTariq Toukan <tariqt@nvidia.com>
Link: https://patch.msgid.link/20241220081505.1286093-4-tariqt@nvidia.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarDong Chenchen <dongchenchen2@huawei.com>
parent 01e57e5f
+3 −3
@@ -150,11 +150,11 @@ void mlx5_esw_ipsec_restore_dest_uplink(struct mlx5_core_dev *mdev)
	unsigned long i;
	int err;

	xa_for_each(&esw->offloads.vport_reps, i, rep) {
		rpriv = rep->rep_data[REP_ETH].priv;
		if (!rpriv || !rpriv->netdev)
	mlx5_esw_for_each_rep(esw, i, rep) {
		if (atomic_read(&rep->rep_data[REP_ETH].state) != REP_LOADED)
			continue;

		rpriv = rep->rep_data[REP_ETH].priv;
		rhashtable_walk_enter(&rpriv->tc_ht, &iter);
		rhashtable_walk_start(&iter);
		while ((flow = rhashtable_walk_next(&iter)) != NULL) {
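Review bot: The new `atomic_read(&rep->rep_data[REP_ETH].state) != REP_LOADED` test at the top of the loop is a check-then-use, and nothing visible in this hunk stops the rep from being unloaded between that read and the `rhashtable_walk_enter(&rpriv->tc_ht, &iter)` that follows, so the use-after-free is closed only if the caller is already serialized against rep unload. The same lines also drop the old `!rpriv` guard, which makes the walk depend on the invariant that a rep in `REP_LOADED` always has a valid `priv`. Both assumptions are presumably true in the unload path the commit message describes, but they should be written down above the check, e.g. `/* Only a REP_LOADED rep has a live priv/tc_ht; caller must be serialized against rep unload. */`. The body of mlx5_esw_ipsec_restore_dest_uplink() starts and ends outside the hunk, so any locking there is not visible here.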
+3 −0
@@ -713,6 +713,9 @@ void mlx5e_tc_clean_fdb_peer_flows(struct mlx5_eswitch *esw);
			  MLX5_CAP_GEN_2((esw->dev), ec_vf_vport_base) +\
			  (last) - 1)

#define mlx5_esw_for_each_rep(esw, i, rep) \
	xa_for_each(&((esw)->offloads.vport_reps), i, rep)

struct mlx5_eswitch *__must_check
mlx5_devlink_eswitch_get(struct devlink *devlink);
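Review bot: The `mlx5_esw_for_each_rep()` macro added to this header walks every entry in `offloads.vport_reps` whatever its load state, and the definition carries no comment saying so; the use-after-free described in this commit's message came from touching rep data that was no longer loaded. Now that the macro is visible to more callers, a one-line comment above it would make the requirement explicit, e.g. `/* Visits every rep in vport_reps, loaded or not; check rep_data[].state before using priv. */`.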

+0 −3
Original line number Diff line number Diff line
@@ -52,9 +52,6 @@
#include "lag/lag.h"
#include "en/tc/post_meter.h"

#define mlx5_esw_for_each_rep(esw, i, rep) \
	xa_for_each(&((esw)->offloads.vport_reps), i, rep)

/* There are two match-all miss flows, one for unicast dst mac and
 * one for multicast.
 */