octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()

This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node" and then dereferences it on the next line. Two lines later, we take a mutex so I don't think this is an RCU safe region. Re-order it to do the dereferences before queuing up the free. Fixes: 68fbff68dbea ("octeontx2-pf: Add police action for TC flower") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Reviewed-by: Vadim Fedorenko <vadim.fedorenko@linux.dev> Link: https://patch.msgid.link/aNKCL1jKwK8GRJHh@stanley.mountain Signed-off-by: Paolo Abeni <pabeni@redhat.com>
author: Dan Carpenter <dan.carpenter@linaro.org> 2025-09-23 14:19:11 +0300
committer: Paolo Abeni <pabeni@redhat.com> 2025-09-25 11:04:34 +0200
commit: d9c70e93ec5988ab07ad2a92d9f9d12867f02c56 (patch)
tree: f13a150e7a8c504398dc442f85f38bbaf2e25ce2
parent: 764a47a639c73e8d941cbbb10696a0eb98d10d7b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
index 5f80b23c5335..26a08d2cfbb1 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_tc.c
@@ -1326,7 +1326,6 @@ static int otx2_tc_add_flow(struct otx2_nic *nic,
 
 free_leaf:
 	otx2_tc_del_from_flow_list(flow_cfg, new_node);
-	kfree_rcu(new_node, rcu);
 	if (new_node->is_act_police) {
 		mutex_lock(&nic->mbox.lock);
 
@@ -1346,6 +1345,7 @@ free_leaf:
 
 		mutex_unlock(&nic->mbox.lock);
 	}
+	kfree_rcu(new_node, rcu);
 
 	return rc;
 }
author	Dan Carpenter <dan.carpenter@linaro.org>	2025-09-23 14:19:11 +0300
committer	Paolo Abeni <pabeni@redhat.com>	2025-09-25 11:04:34 +0200
commit	d9c70e93ec5988ab07ad2a92d9f9d12867f02c56 (patch)
tree	f13a150e7a8c504398dc442f85f38bbaf2e25ce2
parent	764a47a639c73e8d941cbbb10696a0eb98d10d7b (diff)