[PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group
@ 2026-04-02 14:01 Zijing Yin
  2026-04-03  9:56 ` Ido Schimmel
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Zijing Yin @ 2026-04-02 14:01 UTC (permalink / raw)
  To: netdev
  Cc: bridge, razor, idosch, davem, edumazet, kuba, pabeni, horms,
	nathan, nick.desaulniers+lkml, morbo, justinstitt, petrm,
	linux-kernel, llvm, Zijing Yin

When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
nbp_vlan_group() return NULL (br_private.h stub definitions). The
BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
reaches br_fdb_delete_locals_per_vlan_port() and
br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).

The observed crash is in the delete path, triggered when creating a
bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
via RTM_NEWLINK. The insert helper has the same bug pattern.

  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
  Call Trace:
   br_fdb_toggle_local_vlan_0+0x452/0x4c0
   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
   br_boolopt_toggle net/bridge/br.c:313
   br_boolopt_multi_toggle net/bridge/br.c:364
   br_changelink net/bridge/br_netlink.c:1542
   br_dev_newlink net/bridge/br_netlink.c:1575

Add NULL checks for the vlan group pointer in both helpers, returning
early when there are no VLANs to iterate. This matches the existing
pattern used by other bridge FDB functions such as br_fdb_add() and
br_fdb_delete().

Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0")
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
---
Tested on Linux v7.0-rc5 (upstream tag) with clang 20.1.0, KASAN
enabled, CONFIG_BRIDGE_VLAN_FILTERING=n.

Bug independently reproduced with the attached C reproducer
(repro_br_fdb.c). The crash triggers deterministically on the first
run with CONFIG_BRIDGE_VLAN_FILTERING=n on a clang-built kernel.

Exact crash signature from reproduction:

  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
  RIP: 0010:br_fdb_delete_locals_per_vlan+0x72/0x3f0
  Call Trace:
   br_fdb_toggle_local_vlan_0+0x3d/0x1d0
   br_boolopt_toggle+0xba/0x1a0
   br_boolopt_multi_toggle+0x129/0x250
   br_changelink+0x1100/0x1490
   br_dev_newlink+0x115/0x190
   rtnl_newlink+0xe15/0x25c0

Note: gcc 13.3 with the same config optimizes away the NULL dereference
path (UB elimination), so the crash does not trigger on gcc-built
kernels. The code is still incorrect regardless of compiler behavior.

Reproducer (C source): [PASTE_URL_HERE]
Kernel .config:        [PASTE_URL_HERE]

To reproduce: compile the C reproducer with `gcc -static -o repro repro.c`,
run as root on a clang-built kernel. The crash triggers during
br_dev_newlink() -> br_changelink() when the boolopt toggle reaches
br_fdb_delete_locals_per_vlan_port() with a NULL vlan group. Note:
RTM_SETLINK on an existing bridge may not trigger it due to different
code ordering.

 net/bridge/br_fdb.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 0501ffcb8..e2c17f620 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -597,6 +597,9 @@ static void br_fdb_delete_locals_per_vlan_port(struct net_bridge *br,
 		dev = br->dev;
 	}

+	if (!vg)
+		return;
+
 	list_for_each_entry(v, &vg->vlan_list, vlist)
 		br_fdb_find_delete_local(br, p, dev->dev_addr, v->vid);
 }
@@ -630,6 +633,9 @@ static int br_fdb_insert_locals_per_vlan_port(struct net_bridge *br,
 		dev = br->dev;
 	}

+	if (!vg)
+		return 0;
+
 	list_for_each_entry(v, &vg->vlan_list, vlist) {
 		if (!br_vlan_should_use(v))
 			continue;
-- 
2.43.0

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group
  2026-04-02 14:01 [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group Zijing Yin
@ 2026-04-03  9:56 ` Ido Schimmel
  2026-04-03 14:59 ` Nikolay Aleksandrov
  2026-04-03 22:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Ido Schimmel @ 2026-04-03  9:56 UTC (permalink / raw)
  To: Zijing Yin
  Cc: netdev, bridge, razor, davem, edumazet, kuba, pabeni, horms,
	nathan, nick.desaulniers+lkml, morbo, justinstitt, petrm,
	linux-kernel, llvm

On Thu, Apr 02, 2026 at 07:01:53AM -0700, Zijing Yin wrote:
> When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
> nbp_vlan_group() return NULL (br_private.h stub definitions). The
> BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
> reaches br_fdb_delete_locals_per_vlan_port() and
> br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
> is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).
> 
> The observed crash is in the delete path, triggered when creating a
> bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
> via RTM_NEWLINK. The insert helper has the same bug pattern.
> 
>   Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
>   KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
>   RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
>   Call Trace:
>    br_fdb_toggle_local_vlan_0+0x452/0x4c0
>    br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
>    br_boolopt_toggle net/bridge/br.c:313
>    br_boolopt_multi_toggle net/bridge/br.c:364
>    br_changelink net/bridge/br_netlink.c:1542
>    br_dev_newlink net/bridge/br_netlink.c:1575
> 
> Add NULL checks for the vlan group pointer in both helpers, returning
> early when there are no VLANs to iterate. This matches the existing
> pattern used by other bridge FDB functions such as br_fdb_add() and
> br_fdb_delete().
> 
> Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0")
> Signed-off-by: Zijing Yin <yzjaurora@gmail.com>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group
  2026-04-02 14:01 [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group Zijing Yin
  2026-04-03  9:56 ` Ido Schimmel
@ 2026-04-03 14:59 ` Nikolay Aleksandrov
  2026-04-03 22:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Nikolay Aleksandrov @ 2026-04-03 14:59 UTC (permalink / raw)
  To: Zijing Yin, netdev
  Cc: bridge, idosch, davem, edumazet, kuba, pabeni, horms, nathan,
	nick.desaulniers+lkml, morbo, justinstitt, petrm, linux-kernel,
	llvm

On 02/04/2026 17:01, Zijing Yin wrote:
> When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
> nbp_vlan_group() return NULL (br_private.h stub definitions). The
> BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
> reaches br_fdb_delete_locals_per_vlan_port() and
> br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
> is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).
> 
> The observed crash is in the delete path, triggered when creating a
> bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
> via RTM_NEWLINK. The insert helper has the same bug pattern.
> 
>    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
>    KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
>    RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
>    Call Trace:
>     br_fdb_toggle_local_vlan_0+0x452/0x4c0
>     br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
>     br_boolopt_toggle net/bridge/br.c:313
>     br_boolopt_multi_toggle net/bridge/br.c:364
>     br_changelink net/bridge/br_netlink.c:1542
>     br_dev_newlink net/bridge/br_netlink.c:1575
> 
> Add NULL checks for the vlan group pointer in both helpers, returning
> early when there are no VLANs to iterate. This matches the existing
> pattern used by other bridge FDB functions such as br_fdb_add() and
> br_fdb_delete().
> 
> Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0")
> Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
> ---
> Tested on Linux v7.0-rc5 (upstream tag) with clang 20.1.0, KASAN
> enabled, CONFIG_BRIDGE_VLAN_FILTERING=n.
> 
> Bug independently reproduced with the attached C reproducer
> (repro_br_fdb.c). The crash triggers deterministically on the first
> run with CONFIG_BRIDGE_VLAN_FILTERING=n on a clang-built kernel.
> 
> Exact crash signature from reproduction:
> 
>    Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
>    KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
>    RIP: 0010:br_fdb_delete_locals_per_vlan+0x72/0x3f0
>    Call Trace:
>     br_fdb_toggle_local_vlan_0+0x3d/0x1d0
>     br_boolopt_toggle+0xba/0x1a0
>     br_boolopt_multi_toggle+0x129/0x250
>     br_changelink+0x1100/0x1490
>     br_dev_newlink+0x115/0x190
>     rtnl_newlink+0xe15/0x25c0
> 
> Note: gcc 13.3 with the same config optimizes away the NULL dereference
> path (UB elimination), so the crash does not trigger on gcc-built
> kernels. The code is still incorrect regardless of compiler behavior.
> 
> Reproducer (C source): [PASTE_URL_HERE]
> Kernel .config:        [PASTE_URL_HERE]
> 
> To reproduce: compile the C reproducer with `gcc -static -o repro repro.c`,
> run as root on a clang-built kernel. The crash triggers during
> br_dev_newlink() -> br_changelink() when the boolopt toggle reaches
> br_fdb_delete_locals_per_vlan_port() with a NULL vlan group. Note:
> RTM_SETLINK on an existing bridge may not trigger it due to different
> code ordering.
> 
>   net/bridge/br_fdb.c | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
> index 0501ffcb8..e2c17f620 100644
> --- a/net/bridge/br_fdb.c
> +++ b/net/bridge/br_fdb.c
> @@ -597,6 +597,9 @@ static void br_fdb_delete_locals_per_vlan_port(struct net_bridge *br,
>   		dev = br->dev;
>   	}
>   
> +	if (!vg)
> +		return;
> +
>   	list_for_each_entry(v, &vg->vlan_list, vlist)
>   		br_fdb_find_delete_local(br, p, dev->dev_addr, v->vid);
>   }
> @@ -630,6 +633,9 @@ static int br_fdb_insert_locals_per_vlan_port(struct net_bridge *br,
>   		dev = br->dev;
>   	}
>   
> +	if (!vg)
> +		return 0;
> +
>   	list_for_each_entry(v, &vg->vlan_list, vlist) {
>   		if (!br_vlan_should_use(v))
>   			continue;

Acked-by: Nikolay Aleksandrov <razor@blackwall.org>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group
  2026-04-02 14:01 [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group Zijing Yin
  2026-04-03  9:56 ` Ido Schimmel
  2026-04-03 14:59 ` Nikolay Aleksandrov
@ 2026-04-03 22:00 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-04-03 22:00 UTC (permalink / raw)
  To: Zijing Yin
  Cc: netdev, bridge, razor, idosch, davem, edumazet, kuba, pabeni,
	horms, nathan, nick.desaulniers+lkml, morbo, justinstitt, petrm,
	linux-kernel, llvm

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu,  2 Apr 2026 07:01:53 -0700 you wrote:
> When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
> nbp_vlan_group() return NULL (br_private.h stub definitions). The
> BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
> reaches br_fdb_delete_locals_per_vlan_port() and
> br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
> is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).
> 
> [...]

Here is the summary with links:
  - [net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group
    https://git.kernel.org/netdev/net/c/1979645e1842

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-04-03 22:00 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-02 14:01 [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group Zijing Yin
2026-04-03  9:56 ` Ido Schimmel
2026-04-03 14:59 ` Nikolay Aleksandrov
2026-04-03 22:00 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox