git.ipfire.org Git - thirdparty/kernel/linux.git/commit
net: dsa: mxl862xx: fix use-after-free of DSA ports in crc_err_work
author Daniel Golle <daniel@makrotopia.org>
Fri, 19 Jun 2026 03:40:14 +0000 (04:40 +0100)
committer Jakub Kicinski <kuba@kernel.org>
Thu, 25 Jun 2026 00:51:11 +0000 (17:51 -0700)
commit bcb3b8314611ed9cb4ff4bff484ef9b154fd1b83
tree 3bc0d4b5f8cbd7b26ea0ae9b64adb9e08706eb08
parent 6b3f7af57881f6d6250c6dcc4d910fe8e855a607

Upon an MDIO CRC error mxl862xx_crc_err_work_fn() walks the DSA ports
and closes the CPU port conduits:

    dsa_switch_for_each_cpu_port(dp, priv->ds)
        dev_close(dp->conduit);

mxl862xx_remove() unregisters the switch before cancelling this work:

    set_bit(MXL862XX_FLAG_WORK_STOPPED, &priv->flags);
    cancel_delayed_work_sync(&priv->stats_work);
    dsa_unregister_switch(ds);
    mxl862xx_host_shutdown(priv);

dsa_unregister_switch() frees the dsa_port objects. If a CRC error
schedules the work during teardown it can run after the ports have been
freed and dereference freed memory.

Guard the port walk with MXL862XX_FLAG_WORK_STOPPED, which is already set
before dsa_unregister_switch(). DSA tears the ports down under
rtnl_lock(), so checking the flag under rtnl_lock() means the work either
runs before teardown and sees valid ports, or runs afterwards, observes
the flag and skips the walk. This mirrors the host_flood_work handler,
which skips torn-down ports under rtnl_lock().

Link: https://sashiko.dev/#/patchset/cover.1780968180.git.daniel%40makrotopia.org?part=2
Fixes: a319d0c8c8ce ("net: dsa: mxl862xx: add CRC for MDIO communication")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Link: https://patch.msgid.link/5e55169926c02f2b914e5ada529d7453b943cda4.1781702256.git.daniel@makrotopia.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/net/dsa/mxl862xx/mxl862xx-host.c
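
The two orderings the commit message describes, as an added user-space model that is not the driver's code or the patch itself. All model_* names are hypothetical, and the comments marked "lock" stand in for rtnl_lock(), which makes each section atomic so that only these two orderings can occur:

```c
/* Constructed user-space model of the guard; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

struct model_port { bool is_cpu, conduit_up; };
struct model_switch {
	bool work_stopped;        /* stands in for MXL862XX_FLAG_WORK_STOPPED */
	struct model_port *ports; /* freed on unregister */
	size_t nports;            /* left stale on purpose, like a dangling walk */
};

/* Teardown: set the flag first, then free the ports under the lock. */
static void model_remove(struct model_switch *sw)
{
	sw->work_stopped = true;
	/* lock */
	free(sw->ports);
	sw->ports = NULL;
	/* unlock */
}

/* Work handler: returns conduits closed, or -1 if the walk was skipped. */
static int model_crc_err_work(struct model_switch *sw)
{
	int closed = 0;
	/* lock */
	if (sw->work_stopped)
		return -1;            /* unlock; ports may already be gone */
	for (size_t i = 0; i < sw->nports; i++)
		if (sw->ports[i].is_cpu && sw->ports[i].conduit_up) {
			sw->ports[i].conduit_up = false;
			closed++;
		}
	/* unlock */
	return closed;
}

/* Run one ordering on a 3-port switch whose port 0 is a CPU port. */
static int model_run(bool work_before_teardown)
{
	struct model_switch sw = { .nports = 3 };
	int ret = -2;

	sw.ports = calloc(sw.nports, sizeof(*sw.ports));
	if (!sw.ports)
		return ret;
	sw.ports[0] = (struct model_port){ .is_cpu = true, .conduit_up = true };
	if (work_before_teardown) { ret = model_crc_err_work(&sw); model_remove(&sw); }
	else                      { model_remove(&sw); ret = model_crc_err_work(&sw); }
	return ret;
}
```

Without the work_stopped check, the second ordering would index sw->ports after it has been freed, which is the use-after-free the commit describes.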