Message-ID: <aHdPCpsUUVH-p-mX@shredder>
Date: Wed, 16 Jul 2025 10:04:42 +0300
From: Ido Schimmel <idosch@...sch.org>
To: Dong Chenchen <dongchenchen2@...wei.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, horms@...nel.org, jiri@...nulli.us,
oscmaes92@...il.com, linux@...blig.org, pedro.netdev@...devamos.com,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
zhangchangzhong@...wei.com
Subject: Re: [PATCH net v3 1/2] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
On Wed, Jul 16, 2025 at 11:45:03AM +0800, Dong Chenchen wrote:
> Assuming the "rx-vlan-filter" feature is enabled on a net device, the
> 8021q module will automatically add or remove VLAN 0 when the net device
> is put administratively up or down, respectively. There are a couple of
> problems with the above scheme.
>
> The first problem is a memory leak that can happen if the "rx-vlan-filter"
> feature is disabled while the device is running:
>
> # ip link add bond1 up type bond mode 0
> # ethtool -K bond1 rx-vlan-filter off
> # ip link del dev bond1
>
> When the device is put administratively down the "rx-vlan-filter"
> feature is disabled, so the 8021q module will not remove VLAN 0 and the
> memory will be leaked [1].
>
> Another problem that can happen is that the kernel can automatically
> delete VLAN 0 when the device is put administratively down despite not
> adding it when the device was put administratively up since during that
> time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
> bug_on[2] will be triggered by unregister_vlan_dev() for refcount
> imbalance if toggling filtering during runtime:
>
> $ ip link add bond0 type bond mode 0
> $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
> $ ethtool -K bond0 rx-vlan-filter off
> $ ifconfig bond0 up
> $ ethtool -K bond0 rx-vlan-filter on
> $ ifconfig bond0 down
> $ ip link del vlan0
>
> Root cause is as below:
> step1: add vlan0 for real_dev, such as bond, team.
>   register_vlan_dev
>     vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
> step2: disable vlan filter feature and enable real_dev
> step3: change filter from 0 to 1
>   vlan_device_event
>     vlan_filter_push_vids
>       ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
> step4: real_dev down
>   vlan_device_event
>     vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
>       vlan_info_rcu_free //free vlan0
> step5: delete vlan0
>   unregister_vlan_dev
>     BUG_ON(!vlan_info); //vlan_info is null
>
> Fix both problems by noting in the VLAN info whether VLAN 0 was
> automatically added upon NETDEV_UP and based on that decide whether it
> should be deleted upon NETDEV_DOWN, regardless of the state of the
> "rx-vlan-filter" feature.
[...]
> Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)")
> Reported-by: syzbot+a8b046e462915c65b10b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a8b046e462915c65b10b
> Suggested-by: Ido Schimmel <idosch@...sch.org>
> Signed-off-by: Dong Chenchen <dongchenchen2@...wei.com>
Reviewed-by: Ido Schimmel <idosch@...dia.com>
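Added illustration, not the kernel's code nor the patch itself: a small C model of the two command sequences quoted above, with the old decision rule (remove VLAN 0 on NETDEV_DOWN whenever rx-vlan-filter is on) beside the rule the commit message describes (remove it only if NETDEV_UP added it). The struct, field and function names here are constructed for the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the VLAN 0 bookkeeping in the 8021q notifier path.
 * refcnt stands for the VLAN 0 entry's refcount in the real device's
 * vlan_info: 0 means the entry was freed, < 0 means a delete ran after
 * the free (the unregister_vlan_dev BUG_ON case in the report). */
struct dev_model {
    bool filter_on;   /* state of the rx-vlan-filter feature */
    bool auto_vlan0;  /* fix: remember that NETDEV_UP added VLAN 0 */
    int refcnt;
};

static void vid_add(struct dev_model *d) { d->refcnt++; }
static void vid_del(struct dev_model *d) { d->refcnt--; }

static void netdev_up(struct dev_model *d, bool fixed)
{
    if (d->filter_on) {
        vid_add(d);
        if (fixed)
            d->auto_vlan0 = true;
    }
}

static void netdev_down(struct dev_model *d, bool fixed)
{
    /* old rule looks at the feature bit; fixed rule looks at the note */
    bool remove = fixed ? d->auto_vlan0 : d->filter_on;
    if (remove) {
        vid_del(d);
        d->auto_vlan0 = false;
    }
}

/* Sequence 1: filter turned off while the device is up, then down.
 * Returns the VLAN 0 refcount left behind; > 0 is the leak. */
int scenario_leak(bool fixed)
{
    struct dev_model d = { .filter_on = true, .auto_vlan0 = false, .refcnt = 0 };
    netdev_up(&d, fixed);     /* ip link add bond1 up ... */
    d.filter_on = false;      /* ethtool -K bond1 rx-vlan-filter off */
    netdev_down(&d, fixed);   /* ip link del dev bond1 */
    return d.refcnt;
}

/* Sequence 2: user-created vlan0 (refcnt 1), filter off at up, on at down,
 * then the user deletes vlan0. Returns the final refcount; < 0 is the
 * imbalance that hits the freed vlan_info. */
int scenario_imbalance(bool fixed)
{
    struct dev_model d = { .filter_on = true, .auto_vlan0 = false, .refcnt = 0 };
    vid_add(&d);              /* ip link add link bond0 name vlan0 ... id 0 */
    d.filter_on = false;      /* ethtool -K bond0 rx-vlan-filter off */
    netdev_up(&d, fixed);     /* ifconfig bond0 up: nothing added */
    d.filter_on = true;       /* ethtool -K bond0 rx-vlan-filter on */
    netdev_down(&d, fixed);   /* ifconfig bond0 down */
    vid_del(&d);              /* ip link del vlan0 */
    return d.refcnt;
}

int main(void)
{
    printf("leak: old=%d fixed=%d\n", scenario_leak(false), scenario_leak(true));
    printf("imbalance: old=%d fixed=%d\n", scenario_imbalance(false), scenario_imbalance(true));
    return 0;
}
```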