lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 23 Sep 2020 21:27:36 -0700
From:   Florian Fainelli <>
To:     Vladimir Oltean <>
Cc:     Vladimir Oltean <>,
        "" <>,
        Andrew Lunn <>,
        Vivien Didelot <>,
        "David S. Miller" <>,
        Jakub Kicinski <>,
        open list <>,
        "" <>
Subject: Re: [PATCH net-next v3 1/2] net: dsa: untag the bridge pvid from rx

On 9/23/2020 4:08 PM, Vladimir Oltean wrote:
> On Wed, Sep 23, 2020 at 03:59:46PM -0700, Florian Fainelli wrote:
>> On 9/23/20 3:58 PM, Vladimir Oltean wrote:
>>> On Wed, Sep 23, 2020 at 03:54:59PM -0700, Florian Fainelli wrote:
>>>> Not having much luck with using  __vlan_find_dev_deep_rcu() for a reason
>>>> I don't understand we trip over the proto value being neither of the two
>>>> support Ethertype and hit the BUG().
>>>> +       upper_dev = __vlan_find_dev_deep_rcu(br, htons(proto), vid);
>>>> +       if (upper_dev)
>>>> +               return skb;
>>>> Any ideas?
>>> Damn...
>>> Yes, of course, the skb->protocol is still ETH_P_XDSA which is where
>>> eth_type_trans() on the master left it.
>> proto was obtained from br_vlan_get_proto() a few lines above, and
>> br_vlan_get_proto() just returns br->vlan_proto which defaults to
>> htons(ETH_P_8021Q) from br_vlan_init().
>> This is not skb->protocol that we are looking at AFAICT.
> Ok, my mistake. So what is the value of proto in vlan_proto_idx when it
> fails? To me, the call path looks pretty pass-through for vlan_proto.

At the time we crash the proto value is indeed ETH_P_XDSA, but it is not 
because of the __vlan_find_dev_deep_rcu() call as I was mislead by the 
traces I was looking it (on ARMv7 the LR was pointing not where I was 
expecting it to), it is because of the following call trace:

   -> __netif_receive_skb_list_core
     -> __netif_receive_skb_core
       -> vlan_do_receive()

That function does use skb->vlan_proto to determine the VLAN group, at 
that point we have not set it but we did inherit skb->protocol instead 
which is ETH_P_XDSA.

The following does work though, tested with both br0 and a br0.1 upper:

+       upper_dev = __vlan_find_dev_deep_rcu(br, htons(proto), vid);
+       if (upper_dev) {
+               skb->vlan_proto = vlan_dev_vlan_proto(upper_dev);
+               return skb;

I should have re-tested v2 and v3 with a bridge upper but I did not 
otherwise I would have caught that. If that sounds acceptable to you as 
well, I will submit that tomorrow.

Let me know what you think about the 802.1Q upper of a physical switch 
port in the other email.

Powered by blists - more mailing lists