From: Ido Schimmel <idosch@nvidia.com>
To: Nikolay Aleksandrov <razor@blackwall.org>
Cc: netdev@vger.kernel.org, tobias@waldekranz.com, kuba@kernel.org,
davem@davemloft.net, bridge@lists.linux.dev, pabeni@redhat.com,
edumazet@google.com, horms@kernel.org, petrm@nvidia.com,
syzbot+dd280197f0f7ab3917be@syzkaller.appspotmail.com
Subject: Re: [PATCH net v2 1/2] net: bridge: fix use-after-free due to MST port state bypass
Date: Wed, 5 Nov 2025 18:59:42 +0200
Message-ID: <aQuCfmZix1qlbFEZ@shredder>
In-Reply-To: <20251105111919.1499702-2-razor@blackwall.org>

On Wed, Nov 05, 2025 at 01:19:18PM +0200, Nikolay Aleksandrov wrote:
> syzbot reported[1] a use-after-free when deleting an expired fdb. It is
> due to a race condition between learning still happening and a port being
> deleted, after all its fdbs have been flushed. The port's state has been
> toggled to disabled so no learning should happen at that time, but if we
> have MST enabled, it will bypass the port's state, that together with VLAN
> filtering disabled can lead to fdb learning at a time when it shouldn't
> happen while the port is being deleted. VLAN filtering must be disabled
> because we flush the port VLANs when it's being deleted which will stop
> learning. This fix adds a check for the port's vlan group which is
> initialized to NULL when the port is getting deleted, that avoids the port
> state bypass. When MST is enabled there would be a minimal new overhead
> in the fast-path because the port's vlan group pointer is cache-hot.
>
> [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
>
> Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode")
> Reported-by: syzbot+dd280197f0f7ab3917be@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/69088ffa.050a0220.29fc44.003d.GAE@google.com/
> Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>
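
The race described in the quoted commit message, as a simplified user-space C model added here as an example. It is not code from the patch or the kernel, and every name in it (state_gate_before, state_gate_after, vlan_gate, fdb_left_at_free) is hypothetical; it only mirrors the conditions the message lists.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified user-space model; every name here is hypothetical, not a kernel symbol. */
enum port_state { PORT_DISABLED, PORT_FORWARDING };
struct port {
    enum port_state state;
    void *vlgrp;      /* VLAN group; NULL once the port is being deleted */
    int fdb_entries;  /* fdb entries that still reference this port */
};
struct bridge { bool mst_enabled, vlan_filtering; };

/* Gate as described before the fix: MST mode bypasses the port state. */
static bool state_gate_before(const struct bridge *br, const struct port *p)
{
    return br->mst_enabled || p->state != PORT_DISABLED;
}

/* Gate with the fix: the bypass also requires a live VLAN group. */
static bool state_gate_after(const struct bridge *br, const struct port *p)
{
    return (br->mst_enabled && p->vlgrp != NULL) || p->state != PORT_DISABLED;
}

/* With VLAN filtering on, flushed port VLANs stop learning; off, nothing does. */
static bool vlan_gate(const struct bridge *br, const struct port *p)
{
    return !br->vlan_filtering || p->vlgrp != NULL;
}

typedef bool (*gate_fn)(const struct bridge *, const struct port *);

/* Run the teardown steps, then let one late frame race in before the free.
 * Returns the fdb entries still pointing at the port when it is freed;
 * anything above 0 is the dangling reference behind the use-after-free. */
static int fdb_left_at_free(struct bridge br, gate_fn state_gate)
{
    int vlans;  /* stands in for the port's VLAN group object */
    struct port p = { PORT_FORWARDING, &vlans, 3 };

    p.state = PORT_DISABLED;  /* state toggled to disabled */
    p.fdb_entries = 0;        /* all fdbs flushed */
    p.vlgrp = NULL;           /* VLANs flushed, group pointer cleared */

    if (state_gate(&br, &p) && vlan_gate(&br, &p))
        p.fdb_entries++;      /* late frame learned on a dying port */
    return p.fdb_entries;
}
```

Only the combination of MST enabled and VLAN filtering disabled leaves an entry behind with the old gate; the new gate leaves none in any combination.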