<html><head><meta name="color-scheme" content="light dark"></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">From: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Date: Tue, 12 Apr 2022 12:24:19 +0300
Subject: [PATCH] net: ethernet: mtk_eth_soc: use after free in
 __mtk_ppe_check_skb()

The __mtk_foe_entry_clear() function frees "entry" so we have to use
the _safe() version of hlist_for_each_entry() to prevent a use after
free.

Fixes: 33fc42de3327 ("net: ethernet: mtk_eth_soc: support creating mac address based offload entries")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
---

--- a/drivers/net/ethernet/mediatek/mtk_ppe.c
+++ b/drivers/net/ethernet/mediatek/mtk_ppe.c
@@ -600,6 +600,7 @@ void __mtk_ppe_check_skb(struct mtk_ppe
 	struct mtk_foe_entry *hwe = &amp;ppe-&gt;foe_table[hash];
 	struct mtk_flow_entry *entry;
 	struct mtk_foe_bridge key = {};
+	struct hlist_node *n;
 	struct ethhdr *eh;
 	bool found = false;
 	u8 *tag;
@@ -609,7 +610,7 @@ void __mtk_ppe_check_skb(struct mtk_ppe
 	if (FIELD_GET(MTK_FOE_IB1_STATE, hwe-&gt;ib1) == MTK_FOE_STATE_BIND)
 		goto out;
 
-	hlist_for_each_entry(entry, head, list) {
+	hlist_for_each_entry_safe(entry, n, head, list) {
 		if (entry-&gt;type == MTK_FLOW_TYPE_L2_SUBFLOW) {
 			if (unlikely(FIELD_GET(MTK_FOE_IB1_STATE, hwe-&gt;ib1) ==
 				     MTK_FOE_STATE_BIND))
</pre></body></html>