target/linux/generic/pending-5.15/735-net-ethernet-mtk_eth_soc-fix-flow_offload-related-re.patch

   1 From: Felix Fietkau <nbd@nbd.name>
   2 Date: Mon, 20 Mar 2023 15:49:15 +0100
   3 Subject: [PATCH] net: ethernet: mtk_eth_soc: fix flow_offload related refcount
   4  bug
   5
   6 Since we call flow_block_cb_decref on FLOW_BLOCK_UNBIND, we need to call
   7 flow_block_cb_incref unconditionally, even for a newly allocated cb.
   8 Fixes a use-after-free bug. Also fix the accidentally inverted refcount
   9 check on unbind.
  10
  11 Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support")
  12 Signed-off-by: Felix Fietkau <nbd@nbd.name>
  13 ---
  14
  15 --- a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
  16 +++ b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c
  17 @@ -584,6 +584,7 @@ mtk_eth_setup_tc_block(struct net_device
  18                 if (IS_ERR(block_cb))
  19                         return PTR_ERR(block_cb);
  20
  21 +               flow_block_cb_incref(block_cb);
  22                 flow_block_cb_add(block_cb, f);
  23                 list_add_tail(&block_cb->driver_list, &block_cb_list);
  24                 return 0;
  25 @@ -592,7 +593,7 @@ mtk_eth_setup_tc_block(struct net_device
  26                 if (!block_cb)
  27                         return -ENOENT;
  28
  29 -               if (flow_block_cb_decref(block_cb)) {
  30 +               if (!flow_block_cb_decref(block_cb)) {
  31                         flow_block_cb_remove(block_cb, f);
  32                         list_del(&block_cb->driver_list);
  33                 }