In the vlan_changelink function, a loop is used to parse the nested
attributes IFLA_VLAN_EGRESS_QOS and IFLA_VLAN_INGRESS_QOS in order to
obtain the struct ifla_vlan_qos_mapping. These two nested attributes are
checked in the vlan_validate_qos_map function, which calls
nla_validate_nested_deprecated with the vlan_map_policy.

However, this deprecated validator applies a LIBERAL strictness, allowing
the presence of an attribute with the type IFLA_VLAN_QOS_UNSPEC.
Consequently, the loop in vlan_changelink may parse an attribute of type
IFLA_VLAN_QOS_UNSPEC and believe it carries a payload of
struct ifla_vlan_qos_mapping, which is not necessarily true.

To address this issue and ensure compatibility, this patch introduces two
type checks that skip attributes whose type is not IFLA_VLAN_QOS_MAPPING.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
 net/8021q/vlan_netlink.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
index 214532173536..a3b68243fd4b 100644
--- a/net/8021q/vlan_netlink.c
+++ b/net/8021q/vlan_netlink.c
@@ -118,12 +118,16 @@ static int vlan_changelink(struct net_device *dev, struct nlattr *tb[],
 	}
 	if (data[IFLA_VLAN_INGRESS_QOS]) {
 		nla_for_each_nested(attr, data[IFLA_VLAN_INGRESS_QOS], rem) {
+			if (nla_type(attr) != IFLA_VLAN_QOS_MAPPING)
+				continue;
 			m = nla_data(attr);
 			vlan_dev_set_ingress_priority(dev, m->to, m->from);
 		}
 	}
 	if (data[IFLA_VLAN_EGRESS_QOS]) {
 		nla_for_each_nested(attr, data[IFLA_VLAN_EGRESS_QOS], rem) {
+			if (nla_type(attr) != IFLA_VLAN_QOS_MAPPING)
+				continue;
 			m = nla_data(attr);
 			err = vlan_dev_set_egress_priority(dev, m->from, m->to);
 			if (err)
-- 
2.17.1

On Wed, 2024-01-17 at 23:38 +0800, Lin Ma wrote:
> In the vlan_changelink function, a loop is used to parse the nested
> attributes IFLA_VLAN_EGRESS_QOS and IFLA_VLAN_INGRESS_QOS in order to
> obtain the struct ifla_vlan_qos_mapping. These two nested attributes are
> checked in the vlan_validate_qos_map function, which calls
> nla_validate_nested_deprecated with the vlan_map_policy.
> 
> However, this deprecated validator applies a LIBERAL strictness, allowing
> the presence of an attribute with the type IFLA_VLAN_QOS_UNSPEC.
> Consequently, the loop in vlan_changelink may parse an attribute of type
> IFLA_VLAN_QOS_UNSPEC and believe it carries a payload of
> struct ifla_vlan_qos_mapping, which is not necessarily true.
> 
> To address this issue and ensure compatibility, this patch introduces two
> type checks that skip attributes whose type is not IFLA_VLAN_QOS_MAPPING.
> 
> Signed-off-by: Lin Ma <linma@zju.edu.cn>

Why are you targeting net-next? this looks like a fix suitable for
'net' - with a proper fixes tag.

Cheers,

Paolo

Hello Paolo,

> 
> On Wed, 2024-01-17 at 23:38 +0800, Lin Ma wrote:
> > In the vlan_changelink function, a loop is used to parse the nested
> > attributes IFLA_VLAN_EGRESS_QOS and IFLA_VLAN_INGRESS_QOS in order to
> > obtain the struct ifla_vlan_qos_mapping. These two nested attributes are
> > checked in the vlan_validate_qos_map function, which calls
> > nla_validate_nested_deprecated with the vlan_map_policy.
> > 
> > However, this deprecated validator applies a LIBERAL strictness, allowing
> > the presence of an attribute with the type IFLA_VLAN_QOS_UNSPEC.
> > Consequently, the loop in vlan_changelink may parse an attribute of type
> > IFLA_VLAN_QOS_UNSPEC and believe it carries a payload of
> > struct ifla_vlan_qos_mapping, which is not necessarily true.
> > 
> > To address this issue and ensure compatibility, this patch introduces two
> > type checks that skip attributes whose type is not IFLA_VLAN_QOS_MAPPING.
> > 
> > Signed-off-by: Lin Ma <linma@zju.edu.cn>
> 
> Why are you targeting net-next? this looks like a fix suitable for
> 'net' - with a proper fixes tag.
> 

Thanks for your suggestions, sometimes I just mistakenly do the opposite of what I intended to. 

I will send version two with the right tag.

> Cheers,
> 
> Paolo

Thanks
Lin