[PATCH net] net: hsr: remove VLAN filters from slave devices on port deletion

[Zijing Yin <yzjaurora@gmail.com>]

While fuzzing with a customized syzkaller, I hit a WARNING in netdevsim's
nsim_destroy(): a netdevsim port is freed while it still has a VLAN RX
filter installed (a bit left set in ns->vlan.ctag):

  WARNING: drivers/net/netdevsim/netdev.c:1205 at nsim_destroy+0x340/0x590, CPU#0: kworker/u4:5/49
  Workqueue: netns cleanup_net
  RIP: 0010:nsim_destroy+0x340/0x590
  Call Trace:
   <TASK>
   __nsim_dev_port_del+0x11d/0x1e0
   nsim_dev_reload_destroy+0x27d/0x490
   nsim_dev_reload_down+0x8e/0xc0
   devlink_reload+0x16f/0x810
   devlink_pernet_pre_exit+0x18c/0x370
   ops_undo_list+0x13a/0x8e0
   cleanup_net+0x491/0x660
   process_scheduled_works+0x8ff/0x1350
   worker_thread+0x9b8/0xed0
   kthread+0x359/0x440
   ret_from_fork+0x3bc/0x820
   </TASK>

It is triggered by creating an HSR device on top of a netdevsim port and
then tearing down the network namespace while the netdevsim port is still
an HSR slave. The reproducer is listed below.

The netdevsim port should have no VLAN filter left by the time it is
destroyed. It has one because of the way HSR manages VLAN filtering on
its slaves.

HSR offloads VLAN CTAG filtering to its slave devices: it advertises
NETIF_F_HW_VLAN_CTAG_FILTER and forwards every ndo_vlan_rx_add_vid() and
ndo_vlan_rx_kill_vid() to each slave by calling vlan_vid_add() or
vlan_vid_del() on it (hsr_ndo_vlan_rx_add_vid(), net/hsr/hsr_device.c).
Because the master advertises that feature, the 8021q core also installs
VID 0 on it (vlan_vid0_add(), net/8021q/vlan.c), and HSR mirrors that
onto every slave as well, so a netdevsim slave ends up carrying a VLAN
filter even when the user configured no VLAN.

HSR drops those propagated filters only from hsr_ndo_vlan_rx_kill_vid(),
which walks the slave ports that are currently attached. hsr_del_port()
detaches a slave without removing them. When a slave is removed - here
netdevsim is destroyed by the devlink reload on namespace exit while it
is still an HSR slave - the filter HSR installed is never deleted, leaks
on the slave, and trips netdevsim's destroy-time leak check.

Remove the propagated VLAN filters when a slave port is deleted, the
same way bonding and team do in their slave-release paths (see the
vlan_vids_del_by_dev() callers in drivers/net/bonding/bond_main.c and
drivers/net/team/team_core.c). The HSR_PT_SLAVE_A / HSR_PT_SLAVE_B guard
mirrors hsr_ndo_vlan_rx_add_vid(), which never propagates VIDs to the
master or interlink ports. It is also safe in the normal teardown order
(master brought down first): the master's VLAN list is already empty by
then, so vlan_vids_del_by_dev() does nothing.

Fixes: 1a8a63a5305e ("net: hsr: Add VLAN CTAG filter support")
Cc: stable@vger.kernel.org
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
---
Reproducer: https://pastebin.com/raw/V5PY9jue

 net/hsr/hsr_slave.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/hsr/hsr_slave.c b/net/hsr/hsr_slave.c
index d9af9e65f..157533aaf 100644
--- a/net/hsr/hsr_slave.c
+++ b/net/hsr/hsr_slave.c
@@ -237,6 +237,9 @@ void hsr_del_port(struct hsr_port *port)
 	list_del_rcu(&port->port_list);
 
 	if (port != master) {
+		if (port->type == HSR_PT_SLAVE_A ||
+		    port->type == HSR_PT_SLAVE_B)
+			vlan_vids_del_by_dev(port->dev, master->dev);
 		netdev_update_features(master->dev);
 		dev_set_mtu(master->dev, hsr_get_max_mtu(hsr));
 		netdev_rx_handler_unregister(port->dev);
-- 
2.43.0