Commit d9c70e93 authored Sep 23, 2025 by Dan Carpenter Committed by Paolo Abeni Sep 25, 2025

octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()



This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node"
and then dereferences it on the next line.  Two lines later, we take
a mutex so I don't think this is an RCU safe region.  Re-order it to do
the dereferences before queuing up the free.

Fixes: 68fbff68 ("octeontx2-pf: Add police action for TC flower")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev>
Link: https://patch.msgid.link/aNKCL1jKwK8GRJHh@stanley.mountain


Signed-off-by: Paolo Abeni <pabeni@redhat.com>

parent 764a47a6

drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1326,7 +1326,6 @@ static int otx2_tc_add_flow(struct otx2_nic *nic,

		free_leaf:
		otx2_tc_del_from_flow_list(flow_cfg, new_node);
		kfree_rcu(new_node, rcu);
		if (new_node->is_act_police) {
		mutex_lock(&nic->mbox.lock);

		@@ -1346,6 +1345,7 @@ static int otx2_tc_add_flow(struct otx2_nic *nic,

		mutex_unlock(&nic->mbox.lock);
		}
		kfree_rcu(new_node, rcu);

		return rc;
		}