From: Ido Schimmel <idosch@idosch.org>
To: Dong Chenchen <dongchenchen2@huawei.com>
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, jiri@resnulli.us,
oscmaes92@gmail.com, linux@treblig.org,
pedro.netdev@dondevamos.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, zhangchangzhong@huawei.com
Subject: Re: [PATCH net v3 1/2] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime
Date: Wed, 16 Jul 2025 10:04:42 +0300
Message-ID: <aHdPCpsUUVH-p-mX@shredder>
In-Reply-To: <20250716034504.2285203-2-dongchenchen2@huawei.com>

On Wed, Jul 16, 2025 at 11:45:03AM +0800, Dong Chenchen wrote:
> Assuming the "rx-vlan-filter" feature is enabled on a net device, the
> 8021q module will automatically add or remove VLAN 0 when the net device
> is put administratively up or down, respectively. There are a couple of
> problems with the above scheme.
>
> The first problem is a memory leak that can happen if the "rx-vlan-filter"
> feature is disabled while the device is running:
>
> # ip link add bond1 up type bond mode 0
> # ethtool -K bond1 rx-vlan-filter off
> # ip link del dev bond1
>
> When the device is put administratively down the "rx-vlan-filter"
> feature is disabled, so the 8021q module will not remove VLAN 0 and the
> memory will be leaked [1].
>
> Another problem that can happen is that the kernel can automatically
> delete VLAN 0 when the device is put administratively down despite not
> adding it when the device was put administratively up since during that
> time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
> bug_on[2] will be triggered by unregister_vlan_dev() for refcount
> imbalance if toggling filtering during runtime:
>
> $ ip link add bond0 type bond mode 0
> $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
> $ ethtool -K bond0 rx-vlan-filter off
> $ ifconfig bond0 up
> $ ethtool -K bond0 rx-vlan-filter on
> $ ifconfig bond0 down
> $ ip link del vlan0
>
> Root cause is as below:
> step1: add vlan0 for real_dev, such as bond, team.
> register_vlan_dev
>     vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
> step2: disable vlan filter feature and enable real_dev
> step3: change filter from 0 to 1
> vlan_device_event
>     vlan_filter_push_vids
>         ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
> step4: real_dev down
> vlan_device_event
>     vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
>         vlan_info_rcu_free //free vlan0
> step5: delete vlan0
> unregister_vlan_dev
>     BUG_ON(!vlan_info); //vlan_info is null
>
> Fix both problems by noting in the VLAN info whether VLAN 0 was
> automatically added upon NETDEV_UP and based on that decide whether it
> should be deleted upon NETDEV_DOWN, regardless of the state of the
> "rx-vlan-filter" feature.
[...]
> Fixes: ad1afb003939 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)")
> Reported-by: syzbot+a8b046e462915c65b10b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a8b046e462915c65b10b
> Suggested-by: Ido Schimmel <idosch@idosch.org>
> Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

Reviewed-by: Ido Schimmel <idosch@nvidia.com>
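
The two sequences in the quoted commit message, replayed on a user-space C model (an added example, not code from the patch or the kernel). The struct, the `auto_vid0` flag name and the helper functions are assumptions made for illustration; `fixed` switches NETDEV_DOWN handling from the current feature bit to the flag recorded at NETDEV_UP.

```c
#include <stdbool.h>
/* User-space model constructed for illustration; not kernel code. */
struct real_dev {
    bool rx_vlan_filter; /* the "rx-vlan-filter" feature bit */
    bool has_vlan_info;  /* real_dev's VLAN info is allocated */
    int  vid0_refcnt;    /* references held on VLAN 0 */
    bool auto_vid0;      /* hypothetical flag: VLAN 0 added on NETDEV_UP */
};
static void vid0_add(struct real_dev *d) { d->has_vlan_info = true; d->vid0_refcnt++; }
static void vid0_del(struct real_dev *d)
{
    if (d->vid0_refcnt > 0 && --d->vid0_refcnt == 0)
        d->has_vlan_info = false; /* last reference gone: info is freed */
}
static void dev_up(struct real_dev *d, bool fixed)
{
    if (!d->rx_vlan_filter) return;
    vid0_add(d);
    d->auto_vid0 = fixed; /* fixed variant records that it took a reference */
}
static void dev_down(struct real_dev *d, bool fixed)
{
    /* Unfixed: decide by the current feature bit. Fixed: decide by the flag. */
    if (fixed ? d->auto_vid0 : d->rx_vlan_filter) vid0_del(d);
    d->auto_vid0 = false;
}

/* Second reproducer: false models BUG_ON(!vlan_info) at unregister time. */
bool vlan_info_survives(bool fixed)
{
    struct real_dev d = { .rx_vlan_filter = true };
    vid0_add(&d);             /* step1: vlan0 created, refcnt=1 */
    d.rx_vlan_filter = false; /* step2: filter off, device up */
    dev_up(&d, fixed);
    d.rx_vlan_filter = true;  /* step3: filter on, no reference taken */
    dev_down(&d, fixed);      /* step4 */
    return d.has_vlan_info;   /* step5: checked when vlan0 is deleted */
}

/* First reproducer: references still held when the device is deleted. */
int leaked_refs(bool fixed)
{
    struct real_dev d = { .rx_vlan_filter = true };
    dev_up(&d, fixed);        /* VLAN 0 auto-added, refcnt=1 */
    d.rx_vlan_filter = false; /* feature disabled while running */
    dev_down(&d, fixed);      /* deletion puts the device down */
    return d.vid0_refcnt;
}

int main(void) { return (vlan_info_survives(true) && leaked_refs(true) == 0) ? 0 : 1; }
```
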

Thread overview: 5+ messages
2025-07-16 3:45 [PATCH net v3 0/2] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Dong Chenchen
2025-07-16 3:45 ` [PATCH net v3 1/2] " Dong Chenchen
2025-07-16 7:04 ` Ido Schimmel [this message]
2025-07-16 3:45 ` [PATCH net v3 2/2] selftests: Add test cases for vlan_filter modification " Dong Chenchen
2025-07-17 14:50 ` [PATCH net v3 0/2] net: vlan: fix VLAN 0 refcount imbalance of toggling filtering " patchwork-bot+netdevbpf