linux/include/soc
Vladimir Oltean e1846cff2f net: mscc: ocelot: mark traps with a bool instead of keeping them in a list
Since the blamed commit, VCAP filters can appear on more than one list.
If their action is "trap", they are chained on ocelot->traps via
filter->trap_list. This is in addition to their normal placement on the
VCAP block->rules list head.

Therefore, when we free a VCAP filter, we must remove it from all lists
it is a member of, including ocelot->traps.

There are at least 2 bugs which are direct consequences of this design
decision.

First is the incorrect usage of list_empty(), meant to denote whether
"filter" is chained into ocelot->traps via filter->trap_list.
This does not do the correct thing, because list_empty() checks whether
"head->next == head", but in our case, head->next == head->prev == NULL.
So we dereference NULL pointers and die when we call list_del().

Second is the fact that not all places that should remove the filter
from ocelot->traps do so. One example is ocelot_vcap_block_remove_filter(),
which is where we have the main kfree(filter). By keeping freed filters
in ocelot->traps we end up in a use-after-free in
felix_update_trapping_destinations().

Attempting to fix all the buggy patterns is a whack-a-mole game which
makes the driver unmaintainable. Actually this is what the previous
patch version attempted to do:
https://patchwork.kernel.org/project/netdevbpf/patch/20220503115728.834457-3-vladimir.oltean@nxp.com/

but it introduced another set of bugs, because there are other places in
which create VCAP filters, not just ocelot_vcap_filter_create():

- ocelot_trap_add()
- felix_tag_8021q_vlan_add_rx()
- felix_tag_8021q_vlan_add_tx()

Relying on the convention that all those code paths must call
INIT_LIST_HEAD(&filter->trap_list) is not going to scale.

So let's do what should have been done in the first place and keep a
bool in struct ocelot_vcap_filter which denotes whether we are looking
at a trapping rule or not. Iterating now happens over the main VCAP IS2
block->rules. The advantage is that we no longer risk having stale
references to a freed filter, since it is only present in that list.

Fixes: e42bd4ed09 ("net: mscc: ocelot: keep traps in a list")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-05-05 19:15:14 -07:00
..
arc clocksource/drivers/arc_timer: Eliminate redefined macro error 2021-10-16 22:15:01 +02:00
at91 ARM: at91: PM: add cpu idle support for sama7g5 2022-02-25 12:36:25 +01:00
bcm2835 firmware: raspberrypi: Add RPI_FIRMWARE_NOTIFY_DISPLAY_DONE 2022-01-11 13:16:10 +01:00
canaan clk: Add RISC-V Canaan Kendryte K210 clock driver 2021-02-22 17:51:04 -08:00
fsl soc: fsl: Replace kernel.h with the necessary inclusions 2022-02-18 17:11:17 -06:00
imx ARM: imx: Initialize SoC ID on i.MX50 2021-05-13 15:42:21 +08:00
mediatek media: memory: mtk-smi: Get rid of mtk_smi_larb_get/put 2022-01-28 15:30:21 +01:00
microchip soc: add microchip polarfire soc system controller 2022-02-25 12:50:59 +01:00
mscc net: mscc: ocelot: mark traps with a bool instead of keeping them in a list 2022-05-05 19:15:14 -07:00
qcom soc: qcom: spm: Implement support for SAWv4.1, SDM630/660 L2 AVS 2021-09-21 17:41:48 -05:00
rockchip treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 288 2019-06-05 17:36:37 +02:00
sa1100 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
sifive riscv: move sifive_l2_cache.h to include/soc 2020-01-12 10:12:44 -08:00
tegra soc/tegra: bpmp: cleanup double word in comment 2022-02-25 14:10:09 +01:00