Received: by 2002:ab2:3141:0:b0:1ed:23cc:44d1 with SMTP id i1csp140119lqg;
        Fri, 1 Mar 2024 00:06:36 -0800 (PST)
X-Forwarded-Encrypted: i=3; AJvYcCX888OLfbjupvmaFIYaEx90mOv/G3THBZCwWysOFZ8fik2x5TCakTafbuNbdU2vA1DsM1FjqLdEMsGZ5gPOGxEtL+Ch4CsOWNy2zsj4mg==
X-Google-Smtp-Source: AGHT+IF+oYQf44dSAQGCSHApFDsDJRciYQ0/WbTFrZUNcuWSJzrKN1Y4bjChZEcKLM06rBg+JHWf
X-Received: by 2002:a05:6a00:ccb:b0:6e5:a910:c814 with SMTP id b11-20020a056a000ccb00b006e5a910c814mr1381528pfv.10.1709280395845;
        Fri, 01 Mar 2024 00:06:35 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1709280395; cv=pass;
        d=google.com; s=arc-20160816;
        b=VvBW4yLJvTQ4LhFTPC10B4UVsOuJ14auCTuG6eWmyYmxBgmuFbgZSy4SRVoh0cSR5R
         7vXuvERjfzPn/m0aH/h0+vQ4fC1oQu5jIl3ITQJuMlRaNSN3Qm87gLusLiwY1E22ZeQb
         +LusJp8hiYASEzfSS+hxTBc6B72T+iXc4h1KcpK7jreNvyAwrga9wX7pl99jDPdHo+Oo
         KQrwgF9dTafFqmJ69H4ZJAwjyXFm+IrGDsGHfbcn+uzLixFXmKAE8+/VPEZSZS/QiZN2
         jY0JMgwDN9SgnQGwZNl2aTq7DCk0RHRUGFmYEm8RR58twtdcy16f3LUHhfPwMIE9+87H
         DC8g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=tRDg/JVMYs+OcnaZjipKyW12I6CORNqwsgGpCHW1f98=;
        fh=XDpHrGypMQdTH7CcLHvDQCichdVQfXHrk0PYvIiMRvw=;
        b=j/8W65BZwHMB9t32FhBJEk8qyah/JV76svaZhwVsx/aMLXG07dUASz2uTgaEcVgxeA
         vEyIKGpw5woZdmsK9XwCuVBGpTRU095cRuoHIgwWXXjKCrE/BRg2qnwMXvS2YU01nXSO
         LK3KTke4GkvqjcTmvDoNasPJxLbNiQm7qiK9q+1g5h+d9sZR38c7OrV/k0HWIYTdWbV8
         0wU6yaYtMmptAH2utYcu2YL6JOQ+k6m6wZ/FgrYwjHK+qxeTdCNjdpy9pdDrxOFX5wsd
         IpZ04j13PqKl+vH1MUZ9cAz16DjQT78DbEU5dhtzHmt62+StL7nF/gYgb0xRS00DRl7I
         YSCw==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@microchip.com header.s=mchp header.b=mZSWsqbI;
       arc=pass (i=1 spf=pass spfdomain=microchip.com dkim=pass dkdomain=microchip.com dmarc=pass fromdomain=microchip.com);
       spf=pass (google.com: domain of linux-kernel+bounces-88046-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-88046-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=microchip.com
Return-Path: <linux-kernel+bounces-88046-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [2604:1380:40f1:3f00::1])
        by mx.google.com with ESMTPS id dr18-20020a056a020fd200b005dc49182879si3185592pgb.409.2024.03.01.00.06.35
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 01 Mar 2024 00:06:35 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-88046-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) client-ip=2604:1380:40f1:3f00::1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@microchip.com header.s=mchp header.b=mZSWsqbI;
       arc=pass (i=1 spf=pass spfdomain=microchip.com dkim=pass dkdomain=microchip.com dmarc=pass fromdomain=microchip.com);
       spf=pass (google.com: domain of linux-kernel+bounces-88046-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:40f1:3f00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-88046-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=QUARANTINE sp=REJECT dis=NONE) header.from=microchip.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sy.mirrors.kernel.org (Postfix) with ESMTPS id 1A5A6B2366E
	for <linux.lists.archive@gmail.com>; Fri,  1 Mar 2024 08:06:31 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 191BC69D19;
	Fri,  1 Mar 2024 08:06:20 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=microchip.com header.i=@microchip.com header.b="mZSWsqbI"
Received: from esa.microchip.iphmx.com (esa.microchip.iphmx.com [68.232.153.233])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id EFE996930E;
	Fri,  1 Mar 2024 08:06:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=68.232.153.233
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1709280379; cv=none; b=fDRcopBhw7rBkJfKFvOXNZZz8RHgEyeSDIG0/0MX05iuRhgHXP8nhSaeam4a9c1ylEX1o+ZPPCAr0mCoL0xTk7H5P1FdfKnvOB9oiyefn474tDu06D0qvmooWNjYDcaXLGYkogBuWnLEB7CZmpMD/CpdOb9g0DBZD3jV01JuWMA=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1709280379; c=relaxed/simple;
	bh=yI37i87UqneOzVmTClYz+I31zKh2W/A+wihChWmk0Kk=;
	h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=ddGvE1SkM8WztxgUmaREEPAj+kGUmY4reYNkLThiTJSSClM1BI6/64iU9/3z0c+sl2WA/PHQ61FqjhQJQblyolf2SYIU3ZUueJh+woecBSMLQ4skrXNsE3T2pjQtTfJmjU0M5rEfPLvpfXTNpauTNb14rX+bZaZKpoaZgSeqJ0o=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=microchip.com; spf=pass smtp.mailfrom=microchip.com; dkim=pass (2048-bit key) header.d=microchip.com header.i=@microchip.com header.b=mZSWsqbI; arc=none smtp.client-ip=68.232.153.233
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=microchip.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=microchip.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
  d=microchip.com; i=@microchip.com; q=dns/txt; s=mchp;
  t=1709280377; x=1740816377;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=yI37i87UqneOzVmTClYz+I31zKh2W/A+wihChWmk0Kk=;
  b=mZSWsqbI/Upxee9fzIGcrL2jQO5mBjMhO4ItNufEUUXs/7Z6zvLMiPAf
   3pZpWg37+MBXeJWB3TFXDfRyZkDqpe60gTGTr3RQ8oXCuKtz+YIdg+ei6
   ALdy9qVtaaow9T/G/uT/KGglu/XPx+WR6I43X8xg7fbdrcjGEpjIG7lo1
   JAGnyaw72B/u5oj+MoEJq2RFMq6dFq4/XACfDcvBEFhL+3u5/2s2EytC2
   j75b3eCMVT7TVlSsmXBChOpmg7/x+qnaUHIOB3dV3MC4y2hULOt2uBuSk
   RFsbBn8CbDGt9lCIxeCVeLozTqpvxlVE7qsJzDou2pErWaxlt7xrT3tQ3
   w==;
X-CSE-ConnectionGUID: KhfOYgZRQh2P8hw7PiCldA==
X-CSE-MsgGUID: 1AUvhw2rQpqUKBk3Czq4Hg==
X-IronPort-AV: E=Sophos;i="6.06,195,1705388400"; 
   d="scan'208";a="18668063"
X-Amp-Result: SKIPPED(no attachment in message)
Received: from unknown (HELO email.microchip.com) ([170.129.1.10])
  by esa1.microchip.iphmx.com with ESMTP/TLS/ECDHE-RSA-AES128-GCM-SHA256; 01 Mar 2024 01:06:15 -0700
Received: from chn-vm-ex04.mchp-main.com (10.10.85.152) by
 chn-vm-ex04.mchp-main.com (10.10.85.152) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2507.35; Fri, 1 Mar 2024 01:06:14 -0700
Received: from DEN-DL-M31836.microsemi.net (10.10.85.11) by
 chn-vm-ex04.mchp-main.com (10.10.85.152) with Microsoft SMTP Server id
 15.1.2507.35 via Frontend Transport; Fri, 1 Mar 2024 01:06:12 -0700
From: Horatiu Vultur <horatiu.vultur@microchip.com>
To: <davem@davemloft.net>, <edumazet@google.com>, <kuba@kernel.org>,
	<pabeni@redhat.com>, <lars.povlsen@microchip.com>,
	<Steen.Hegelund@microchip.com>, <daniel.machon@microchip.com>,
	<UNGLinuxDriver@microchip.com>, <bjarni.jonasson@microchip.com>
CC: <netdev@vger.kernel.org>, <linux-arm-kernel@lists.infradead.org>,
	<linux-kernel@vger.kernel.org>, Horatiu Vultur <horatiu.vultur@microchip.com>
Subject: [PATCH net] net: sparx5: Fix use after free inside sparx5_del_mact_entry
Date: Fri, 1 Mar 2024 09:06:08 +0100
Message-ID: <20240301080608.3053468-1-horatiu.vultur@microchip.com>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Based on the static analyzis of the code it looks like when an entry
from the MAC table was removed, the entry was still used after being
freed. More precise the vid of the mac_entry was used after calling
devm_kfree on the mac_entry.
The fix consists in first using the vid of the mac_entry to delete the
entry from the HW and after that to free it.

Fixes: b37a1bae742f ("net: sparx5: add mactable support")
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
---
 drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
index 4af285918ea2a..75868b3f548ec 100644
--- a/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_mactable.c
@@ -347,10 +347,10 @@ int sparx5_del_mact_entry(struct sparx5 *sparx5,
 				 list) {
 		if ((vid == 0 || mact_entry->vid == vid) &&
 		    ether_addr_equal(addr, mact_entry->mac)) {
+			sparx5_mact_forget(sparx5, addr, mact_entry->vid);
+
 			list_del(&mact_entry->list);
 			devm_kfree(sparx5->dev, mact_entry);
-
-			sparx5_mact_forget(sparx5, addr, mact_entry->vid);
 		}
 	}
 	mutex_unlock(&sparx5->mact_lock);
-- 
2.34.1