iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

net: mscc: ocelot: fix use-after-free in ocelot_vlan_del()

Browse Source 
ocelot_vlan_member_del() will free the struct ocelot_bridge_vlan, so if
this is the same as the port's pvid_vlan which we access afterwards,
what we're accessing is freed memory.

Fix the bug by determining whether to clear ocelot_port->pvid_vlan prior
to calling ocelot_vlan_member_del().

Fixes: d4004422f6f9 ("net: mscc: ocelot: track the port pvid using a pointer")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Vladimir Oltean 2022-02-15 01:42:00 +02:00 committed by David S. Miller
parent 9ceaf6f76b
commit ef57640575
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/net/ethernet/mscc/ocelot.c
View File

@ -549,14 +549,18 @@ EXPORT_SYMBOL(ocelot_vlan_add);
int ocelot_vlan_del(struct ocelot *ocelot, int port, u16 vid) int ocelot_vlan_del(struct ocelot *ocelot, int port, u16 vid)
{ {
struct ocelot_port *ocelot_port = ocelot->ports[port]; struct ocelot_port *ocelot_port = ocelot->ports[port];
bool del_pvid = false;
int err; int err;
if (ocelot_port->pvid_vlan && ocelot_port->pvid_vlan->vid == vid)
del_pvid = true;
err = ocelot_vlan_member_del(ocelot, port, vid); err = ocelot_vlan_member_del(ocelot, port, vid);
if (err) if (err)
return err; return err;
/* Ingress */ /* Ingress */
if (ocelot_port->pvid_vlan && ocelot_port->pvid_vlan->vid == vid) if (del_pvid)
ocelot_port_set_pvid(ocelot, port, NULL); ocelot_port_set_pvid(ocelot, port, NULL);
/* Egress */ /* Egress */