mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-08-05 16:54:27 +00:00
579d4f9ca9
Assuming the "rx-vlan-filter" feature is enabled on a net device, the
8021q module will automatically add or remove VLAN 0 when the net device
is put administratively up or down, respectively. There are a couple of
problems with the above scheme.
The first problem is a memory leak that can happen if the "rx-vlan-filter"
feature is disabled while the device is running:
# ip link add bond1 up type bond mode 0
# ethtool -K bond1 rx-vlan-filter off
# ip link del dev bond1
When the device is put administratively down the "rx-vlan-filter"
feature is disabled, so the 8021q module will not remove VLAN 0 and the
memory will be leaked [1].
Another problem that can happen is that the kernel can automatically
delete VLAN 0 when the device is put administratively down despite not
adding it when the device was put administratively up since during that
time the "rx-vlan-filter" feature was disabled. null-ptr-unref or
bug_on[2] will be triggered by unregister_vlan_dev() for refcount
imbalance if toggling filtering during runtime:
$ ip link add bond0 type bond mode 0
$ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q
$ ethtool -K bond0 rx-vlan-filter off
$ ifconfig bond0 up
$ ethtool -K bond0 rx-vlan-filter on
$ ifconfig bond0 down
$ ip link del vlan0
Root cause is as below:
step1: add vlan0 for real_dev, such as bond, team.
register_vlan_dev
vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1
step2: disable vlan filter feature and enable real_dev
step3: change filter from 0 to 1
vlan_device_event
vlan_filter_push_vids
ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0
step4: real_dev down
vlan_device_event
vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0
vlan_info_rcu_free //free vlan0
step5: delete vlan0
unregister_vlan_dev
BUG_ON(!vlan_info); //vlan_info is null
Fix both problems by noting in the VLAN info whether VLAN 0 was
automatically added upon NETDEV_UP and based on that decide whether it
should be deleted upon NETDEV_DOWN, regardless of the state of the
"rx-vlan-filter" feature.
[1]
unreferenced object 0xffff8880068e3100 (size 256):
comm "ip", pid 384, jiffies 4296130254
hex dump (first 32 bytes):
00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 81ce31fa):
__kmalloc_cache_noprof+0x2b5/0x340
vlan_vid_add+0x434/0x940
vlan_device_event.cold+0x75/0xa8
notifier_call_chain+0xca/0x150
__dev_notify_flags+0xe3/0x250
rtnl_configure_link+0x193/0x260
rtnl_newlink_create+0x383/0x8e0
__rtnl_newlink+0x22c/0xa40
rtnl_newlink+0x627/0xb00
rtnetlink_rcv_msg+0x6fb/0xb70
netlink_rcv_skb+0x11f/0x350
netlink_unicast+0x426/0x710
netlink_sendmsg+0x75a/0xc20
__sock_sendmsg+0xc1/0x150
____sys_sendmsg+0x5aa/0x7b0
___sys_sendmsg+0xfc/0x180
[2]
kernel BUG at net/8021q/vlan.c:99!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1))
RSP: 0018:ffff88810badf310 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8
RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80
R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000
R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e
FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0
Call Trace:
<TASK>
rtnl_dellink (net/core/rtnetlink.c:3511 net/core/rtnetlink.c:3553)
rtnetlink_rcv_msg (net/core/rtnetlink.c:6945)
netlink_rcv_skb (net/netlink/af_netlink.c:2535)
netlink_unicast (net/netlink/af_netlink.c:1314 net/netlink/af_netlink.c:1339)
netlink_sendmsg (net/netlink/af_netlink.c:1883)
____sys_sendmsg (net/socket.c:712 net/socket.c:727 net/socket.c:2566)
___sys_sendmsg (net/socket.c:2622)
__sys_sendmsg (net/socket.c:2652)
do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
Fixes: ad1afb0039 ("vlan_dev: VLAN 0 should be treated as "no vlan tag" (802.1p packet)")
Reported-by: syzbot+a8b046e462915c65b10b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a8b046e462915c65b10b
Suggested-by: Ido Schimmel <idosch@idosch.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20250716034504.2285203-2-dongchenchen2@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
207 lines
6.3 KiB
C
207 lines
6.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __BEN_VLAN_802_1Q_INC__
|
|
#define __BEN_VLAN_802_1Q_INC__
|
|
|
|
#include <linux/if_vlan.h>
|
|
#include <linux/u64_stats_sync.h>
|
|
#include <linux/list.h>
|
|
|
|
/* if this changes, algorithm will have to be reworked because this
|
|
* depends on completely exhausting the VLAN identifier space. Thus
|
|
* it gives constant time look-up, but in many cases it wastes memory.
|
|
*/
|
|
#define VLAN_GROUP_ARRAY_SPLIT_PARTS 8
|
|
#define VLAN_GROUP_ARRAY_PART_LEN (VLAN_N_VID/VLAN_GROUP_ARRAY_SPLIT_PARTS)
|
|
|
|
enum vlan_protos {
|
|
VLAN_PROTO_8021Q = 0,
|
|
VLAN_PROTO_8021AD,
|
|
VLAN_PROTO_NUM,
|
|
};
|
|
|
|
struct vlan_group {
|
|
unsigned int nr_vlan_devs;
|
|
struct hlist_node hlist; /* linked list */
|
|
struct net_device **vlan_devices_arrays[VLAN_PROTO_NUM]
|
|
[VLAN_GROUP_ARRAY_SPLIT_PARTS];
|
|
};
|
|
|
|
struct vlan_info {
|
|
struct net_device *real_dev; /* The ethernet(like) device
|
|
* the vlan is attached to.
|
|
*/
|
|
struct vlan_group grp;
|
|
struct list_head vid_list;
|
|
unsigned int nr_vids;
|
|
bool auto_vid0;
|
|
struct rcu_head rcu;
|
|
};
|
|
|
|
static inline int vlan_proto_idx(__be16 proto)
|
|
{
|
|
switch (proto) {
|
|
case htons(ETH_P_8021Q):
|
|
return VLAN_PROTO_8021Q;
|
|
case htons(ETH_P_8021AD):
|
|
return VLAN_PROTO_8021AD;
|
|
default:
|
|
WARN(1, "invalid VLAN protocol: 0x%04x\n", ntohs(proto));
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
static inline struct net_device *__vlan_group_get_device(struct vlan_group *vg,
|
|
unsigned int pidx,
|
|
u16 vlan_id)
|
|
{
|
|
struct net_device **array;
|
|
|
|
array = vg->vlan_devices_arrays[pidx]
|
|
[vlan_id / VLAN_GROUP_ARRAY_PART_LEN];
|
|
|
|
/* paired with smp_wmb() in vlan_group_prealloc_vid() */
|
|
smp_rmb();
|
|
|
|
return array ? array[vlan_id % VLAN_GROUP_ARRAY_PART_LEN] : NULL;
|
|
}
|
|
|
|
static inline struct net_device *vlan_group_get_device(struct vlan_group *vg,
|
|
__be16 vlan_proto,
|
|
u16 vlan_id)
|
|
{
|
|
int pidx = vlan_proto_idx(vlan_proto);
|
|
|
|
if (pidx < 0)
|
|
return NULL;
|
|
|
|
return __vlan_group_get_device(vg, pidx, vlan_id);
|
|
}
|
|
|
|
static inline void vlan_group_set_device(struct vlan_group *vg,
|
|
__be16 vlan_proto, u16 vlan_id,
|
|
struct net_device *dev)
|
|
{
|
|
int pidx = vlan_proto_idx(vlan_proto);
|
|
struct net_device **array;
|
|
|
|
if (!vg || pidx < 0)
|
|
return;
|
|
array = vg->vlan_devices_arrays[pidx]
|
|
[vlan_id / VLAN_GROUP_ARRAY_PART_LEN];
|
|
array[vlan_id % VLAN_GROUP_ARRAY_PART_LEN] = dev;
|
|
}
|
|
|
|
/* Must be invoked with rcu_read_lock or with RTNL. */
|
|
static inline struct net_device *vlan_find_dev(struct net_device *real_dev,
|
|
__be16 vlan_proto, u16 vlan_id)
|
|
{
|
|
struct vlan_info *vlan_info = rcu_dereference_rtnl(real_dev->vlan_info);
|
|
|
|
if (vlan_info)
|
|
return vlan_group_get_device(&vlan_info->grp,
|
|
vlan_proto, vlan_id);
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static inline netdev_features_t vlan_tnl_features(struct net_device *real_dev)
|
|
{
|
|
netdev_features_t ret;
|
|
|
|
ret = real_dev->hw_enc_features &
|
|
(NETIF_F_CSUM_MASK | NETIF_F_GSO_SOFTWARE |
|
|
NETIF_F_GSO_ENCAP_ALL);
|
|
|
|
if ((ret & NETIF_F_GSO_ENCAP_ALL) && (ret & NETIF_F_CSUM_MASK))
|
|
return (ret & ~NETIF_F_CSUM_MASK) | NETIF_F_HW_CSUM;
|
|
return 0;
|
|
}
|
|
|
|
#define vlan_group_for_each_dev(grp, i, dev) \
|
|
for ((i) = 0; i < VLAN_PROTO_NUM * VLAN_N_VID; i++) \
|
|
if (((dev) = __vlan_group_get_device((grp), (i) / VLAN_N_VID, \
|
|
(i) % VLAN_N_VID)))
|
|
|
|
int vlan_filter_push_vids(struct vlan_info *vlan_info, __be16 proto);
|
|
void vlan_filter_drop_vids(struct vlan_info *vlan_info, __be16 proto);
|
|
|
|
/* found in vlan_dev.c */
|
|
void vlan_dev_set_ingress_priority(const struct net_device *dev,
|
|
u32 skb_prio, u16 vlan_prio);
|
|
int vlan_dev_set_egress_priority(const struct net_device *dev,
|
|
u32 skb_prio, u16 vlan_prio);
|
|
void vlan_dev_free_egress_priority(const struct net_device *dev);
|
|
int vlan_dev_change_flags(const struct net_device *dev, u32 flag, u32 mask);
|
|
void vlan_dev_get_realdev_name(const struct net_device *dev, char *result,
|
|
size_t size);
|
|
|
|
int vlan_check_real_dev(struct net_device *real_dev,
|
|
__be16 protocol, u16 vlan_id,
|
|
struct netlink_ext_ack *extack);
|
|
void vlan_setup(struct net_device *dev);
|
|
int register_vlan_dev(struct net_device *dev, struct netlink_ext_ack *extack);
|
|
void unregister_vlan_dev(struct net_device *dev, struct list_head *head);
|
|
bool vlan_dev_inherit_address(struct net_device *dev,
|
|
struct net_device *real_dev);
|
|
|
|
static inline u32 vlan_get_ingress_priority(struct net_device *dev,
|
|
u16 vlan_tci)
|
|
{
|
|
struct vlan_dev_priv *vip = vlan_dev_priv(dev);
|
|
|
|
return vip->ingress_priority_map[(vlan_tci >> VLAN_PRIO_SHIFT) & 0x7];
|
|
}
|
|
|
|
#ifdef CONFIG_VLAN_8021Q_GVRP
|
|
int vlan_gvrp_request_join(const struct net_device *dev);
|
|
void vlan_gvrp_request_leave(const struct net_device *dev);
|
|
int vlan_gvrp_init_applicant(struct net_device *dev);
|
|
void vlan_gvrp_uninit_applicant(struct net_device *dev);
|
|
int vlan_gvrp_init(void);
|
|
void vlan_gvrp_uninit(void);
|
|
#else
|
|
static inline int vlan_gvrp_request_join(const struct net_device *dev) { return 0; }
|
|
static inline void vlan_gvrp_request_leave(const struct net_device *dev) {}
|
|
static inline int vlan_gvrp_init_applicant(struct net_device *dev) { return 0; }
|
|
static inline void vlan_gvrp_uninit_applicant(struct net_device *dev) {}
|
|
static inline int vlan_gvrp_init(void) { return 0; }
|
|
static inline void vlan_gvrp_uninit(void) {}
|
|
#endif
|
|
|
|
#ifdef CONFIG_VLAN_8021Q_MVRP
|
|
int vlan_mvrp_request_join(const struct net_device *dev);
|
|
void vlan_mvrp_request_leave(const struct net_device *dev);
|
|
int vlan_mvrp_init_applicant(struct net_device *dev);
|
|
void vlan_mvrp_uninit_applicant(struct net_device *dev);
|
|
int vlan_mvrp_init(void);
|
|
void vlan_mvrp_uninit(void);
|
|
#else
|
|
static inline int vlan_mvrp_request_join(const struct net_device *dev) { return 0; }
|
|
static inline void vlan_mvrp_request_leave(const struct net_device *dev) {}
|
|
static inline int vlan_mvrp_init_applicant(struct net_device *dev) { return 0; }
|
|
static inline void vlan_mvrp_uninit_applicant(struct net_device *dev) {}
|
|
static inline int vlan_mvrp_init(void) { return 0; }
|
|
static inline void vlan_mvrp_uninit(void) {}
|
|
#endif
|
|
|
|
extern const char vlan_fullname[];
|
|
extern const char vlan_version[];
|
|
int vlan_netlink_init(void);
|
|
void vlan_netlink_fini(void);
|
|
|
|
extern struct rtnl_link_ops vlan_link_ops;
|
|
|
|
extern unsigned int vlan_net_id;
|
|
|
|
struct proc_dir_entry;
|
|
|
|
struct vlan_net {
|
|
/* /proc/net/vlan */
|
|
struct proc_dir_entry *proc_vlan_dir;
|
|
/* /proc/net/vlan/config */
|
|
struct proc_dir_entry *proc_vlan_conf;
|
|
/* Determines interface naming scheme. */
|
|
unsigned short name_type;
|
|
};
|
|
|
|
#endif /* !(__BEN_VLAN_802_1Q_INC__) */
|