github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
v7.0
linux/net/bridge
History
Zijing Yin 1979645e18 bridge: guard local VLAN-0 FDB helpers against NULL vlan group 
When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
nbp_vlan_group() return NULL (br_private.h stub definitions). The
BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
reaches br_fdb_delete_locals_per_vlan_port() and
br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).

The observed crash is in the delete path, triggered when creating a
bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
via RTM_NEWLINK. The insert helper has the same bug pattern.

  Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
  KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
  RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
  Call Trace:
   br_fdb_toggle_local_vlan_0+0x452/0x4c0
   br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
   br_boolopt_toggle net/bridge/br.c:313
   br_boolopt_multi_toggle net/bridge/br.c:364
   br_changelink net/bridge/br_netlink.c:1542
   br_dev_newlink net/bridge/br_netlink.c:1575

Add NULL checks for the vlan group pointer in both helpers, returning
early when there are no VLANs to iterate. This matches the existing
pattern used by other bridge FDB functions such as br_fdb_add() and
br_fdb_delete().

Fixes: 21446c06b4 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0")
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://patch.msgid.link/20260402140153.3925663-1-yzjaurora@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-04-03 14:45:51 -07:00
..
netfilter Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_arp_nd_proxy.c bridge: br_nd_send: validate ND option lengths 2026-03-27 20:37:14 -07:00
br_cfm_netlink.c bridge: cfm: fix enum typo in br_cc_ccm_tx_parse 2023-12-26 22:38:13 +00:00
br_cfm.c bridge: cfm: Fix race condition in peer_mep deletion 2026-03-12 18:33:52 -07:00
br_device.c net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 2026-03-05 07:52:56 -08:00
br_fdb.c bridge: guard local VLAN-0 FDB helpers against NULL vlan group 2026-04-03 14:45:51 -07:00
br_forward.c net: bridge: fix use-after-free due to MST port state bypass 2025-11-06 07:32:17 -08:00
br_if.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_input.c net: bridge: fix nd_tbl NULL dereference when IPv6 is disabled 2026-03-05 07:52:56 -08:00
br_ioctl.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_mdb.c Convert remaining multi-line kmalloc_obj/flex GFP_KERNEL uses 2026-02-22 08:26:33 -08:00
br_mrp_netlink.c bridge: mrp: reject zero test interval to avoid OOM panic 2026-03-31 16:11:24 +02:00
br_mrp_switchdev.c bridge: mrp: Extend br_mrp_switchdev to detect better the errors 2021-02-16 14:47:46 -08:00
br_mrp.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br_mst.c net: bridge: fix MST static key usage 2025-11-06 07:32:17 -08:00
br_multicast_eht.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_multicast.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_netfilter_hooks.c netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm 2025-08-27 11:53:37 +02:00
br_netfilter_ipv6.c net/ipv6: Introduce payload_len helpers 2026-02-06 20:50:03 -08:00
br_netlink_tunnel.c net: bridge: fix an inconsistent indentation 2024-06-05 10:04:47 +01:00
br_netlink.c net: bridge: correct debug message function name in br_fill_ifinfo 2025-10-14 12:13:36 -07:00
br_nf_core.c bridge: netfilter: Fix forwarding of fragmented packets 2025-05-16 16:02:06 -07:00
br_private_cfm.h bridge: cfm: Kernel space implementation of CFM. CCM frame RX added. 2020-10-29 18:39:43 -07:00
br_private_mcast_eht.h net: bridge: multicast: use multicast contexts instead of bridge or port 2021-07-20 05:41:19 -07:00
br_private_mrp.h net: bridge: mrp: Update the Test frames for MRA 2021-06-28 15:46:10 -07:00
br_private_stp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_private_tunnel.h bridge: always declare tunnel functions 2023-05-17 21:28:58 -07:00
br_private.h bridge: Check relevant per-VLAN options in VLAN range grouping 2026-02-26 19:24:29 -08:00
br_stp_bpdu.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
br_stp_if.c net: bridge: use sysfs_emit instead of sprintf 2026-02-03 19:19:42 -08:00
br_stp_timer.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
br_stp.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
br_switchdev.c treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
br_sysfs_br.c mm.git review status for linus..mm-nonmm-stable 2026-02-12 12:13:01 -08:00
br_sysfs_if.c net: bridge: use sysfs_emit instead of sprintf 2026-02-03 19:19:42 -08:00
br_vlan_options.c bridge: Check relevant per-VLAN options in VLAN range grouping 2026-02-26 19:24:29 -08:00
br_vlan_tunnel.c bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress 2026-01-04 09:45:35 -08:00
br_vlan.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
br.c net: bridge: Install FDB for bridge MAC on VLAN 0 2025-09-23 17:10:49 -07:00
Kconfig bridge: cfm: Add BRIDGE_CFM to Kconfig. 2020-10-29 18:39:43 -07:00
Makefile net: bridge: mst: Multiple Spanning Tree (MST) mode 2022-03-17 16:49:57 -07:00