Commit ddcc16d8 authored Jul 24, 2021 by Jian Shen Committed by Zheng Zengkai Jul 26, 2021

net: hns3: fix use-after-free issue for hclge_add_fd_entry_common()

mainline inclusion
from mainline-v5.13-rc1
commit 64ff58fa
category: bugfix
bugzilla: 173966
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=64ff58fa3bfcf26bc893ea425a0553b561ca5298



----------------------------------------------------------------------

When new rule state is TO_ADD or ACTIVE, and there is already a
rule with same location in the fd_rule_list, the new rule will
be freed after modifying the old rule. It may cause user-after-free
issue when access rule again in hclge_add_fd_entry_common().

Fixes: fc4243b8 ("net: hns3: refactor flow director configuration")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-by: Yongxin Li <liyongxin1@huawei.com>
Signed-off-by: Junxin Chen <chenjunxin1@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 56d3fddb

drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -6440,8 +6440,8 @@ static int hclge_add_fd_entry_common(struct hclge_dev *hdev,
		goto out;

		rule->state = HCLGE_FD_ACTIVE;
		hclge_update_fd_list(hdev, rule->state, rule->location, rule);
		hdev->fd_active_type = rule->rule_type;
		hclge_update_fd_list(hdev, rule->state, rule->location, rule);

		out:
		spin_unlock_bh(&hdev->fd_rule_lock);