From: Ido Schimmel <idosch@idosch.org>
To: Dong Chenchen <dongchenchen2@huawei.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, horms@kernel.org, jiri@resnulli.us,
	oscmaes92@gmail.com, linux@treblig.org,
	pedro.netdev@dondevamos.com, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, zhangchangzhong@huawei.com
Subject: Re: [PATCH net v3 1/2] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
Date: Wed, 16 Jul 2025 10:04:42 +0300
Message-ID: <aHdPCpsUUVH-p-mX@shredder>
In-Reply-To: <20250716034504.2285203-2-dongchenchen2@huawei.com>

On Wed, Jul 16, 2025 at 11:45:03AM +0800, Dong Chenchen wrote:
> Assuming the "rx-vlan-filter" feature is enabled on a net device, the
> 8021q module will automatically add or remove VLAN 0 when the net device
> is put administratively up or down, respectively. There are a couple of
> problems with the above scheme.
> 
> The first problem is a memory leak that can happen if the "rx-vlan-filter"
> feature is disabled while the device is running:
> 
>  # ip link add bond1 up type bond mode 0
>  # ethtool -K bond1 rx-vlan-filter off
>  # ip link del dev bond1
> 
> When the device is put administratively down the "rx-vlan-filter"
> feature is disabled, so the 8021q module will not remove VLAN 0 and the
> memory will be leaked [1].
> 
> Another problem that can happen is that the kernel can automatically
> delete VLAN 0 when the device is put administratively down despite not
> adding it when the device was put administratively up since during that
> time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
> bug_on[2] will be triggered by unregister_vlan_dev() for refcount
> imbalance if toggling filtering during runtime:
> 
> $ ip link add bond0 type bond mode 0
> $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
> $ ethtool -K bond0 rx-vlan-filter off
> $ ifconfig bond0 up
> $ ethtool -K bond0 rx-vlan-filter on
> $ ifconfig bond0 down
> $ ip link del vlan0
> 
> Root cause is as below:
> step1: add vlan0 for real_dev, such as bond, team.
> register_vlan_dev
>     vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
> step2: disable vlan filter feature and enable real_dev
> step3: change filter from 0 to 1
> vlan_device_event
>     vlan_filter_push_vids
>         ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
> step4: real_dev down
> vlan_device_event
>     vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
>         vlan_info_rcu_free //free vlan0
> step5: delete vlan0
> unregister_vlan_dev
>     BUG_ON(!vlan_info); //vlan_info is null
> 
> Fix both problems by noting in the VLAN info whether VLAN 0 was
> automatically added upon NETDEV_UP and based on that decide whether it
> should be deleted upon NETDEV_DOWN, regardless of the state of the
> "rx-vlan-filter" feature.

[...]

> Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)")
> Reported-by: syzbot+a8b046e462915c65b10b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a8b046e462915c65b10b
> Suggested-by: Ido Schimmel <idosch@idosch.org>
> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>
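
The two command sequences and the step1-step5 root cause from the quoted commit message, as an added user-space model in C. It is not code from the patch or from the kernel; the struct, field and function names are hypothetical, and the first sequence assumes "rx-vlan-filter" is on when the device comes up. A result of -1 from crash_scenario() stands for the extra release that the kernel reports at BUG_ON(!vlan_info).

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model only; every name below is hypothetical. */
struct real_dev {
    bool filter_on;   /* state of the "rx-vlan-filter" feature */
    int  vid0_refcnt; /* references on VLAN 0; below zero = over-release */
    bool vid0_auto;   /* fixed variant: VLAN 0 was auto-added at NETDEV_UP */
};

static void dev_up(struct real_dev *d, bool fixed)
{
    d->vid0_auto = fixed && d->filter_on; /* remember the automatic add */
    if (d->filter_on)
        d->vid0_refcnt++;
}

static void dev_down(struct real_dev *d, bool fixed)
{
    if (fixed ? d->vid0_auto : d->filter_on)
        d->vid0_refcnt--; /* buggy variant trusts the current feature state */
    d->vid0_auto = false;
}

/* First sequence: up with filter on, filter off, down. Returns leaked refs. */
int leak_scenario(bool fixed)
{
    struct real_dev d = { .filter_on = true };
    dev_up(&d, fixed);
    d.filter_on = false;
    dev_down(&d, fixed);
    return d.vid0_refcnt;
}

/* Second sequence, steps 1-5. Returns the final count; -1 = over-release. */
int crash_scenario(bool fixed)
{
    struct real_dev d = { .filter_on = false, .vid0_refcnt = 1 }; /* 1, 2 */
    dev_up(&d, fixed);
    d.filter_on = true;       /* step3: VIDs pushed, no reference taken */
    dev_down(&d, fixed);      /* step4: buggy variant drops vlan0's ref */
    return d.vid0_refcnt - 1; /* step5: unregister vlan0 drops its ref */
}

int main(void)
{
    printf("leak %d -> %d, crash %d -> %d\n", leak_scenario(false),
           leak_scenario(true), crash_scenario(false), crash_scenario(true));
    return 0;
}
```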

Thread overview: 5+ messages
2025-07-16  3:45 [PATCH net v3 0/2] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Dong Chenchen
2025-07-16  3:45 ` [PATCH net v3 1/2] " Dong Chenchen
2025-07-16  7:04   ` Ido Schimmel [this message]
2025-07-16  3:45 ` [PATCH net v3 2/2] selftests: Add test cases for vlan_filter modification " Dong Chenchen
2025-07-17 14:50 ` [PATCH net v3 0/2] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering " patchwork-bot+netdevbpf
