From: Zijing Yin
To: netdev@vger.kernel.org
Cc: bridge@lists.linux.dev, razor@blackwall.org, idosch@nvidia.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, nathan@kernel.org, nick.desaulniers+lkml@gmail.com, morbo@google.com, justinstitt@google.com, petrm@nvidia.com, linux-kernel@vger.kernel.org, llvm@lists.linux.dev, Zijing Yin
Subject: [PATCH net] bridge: guard local VLAN-0 FDB helpers against NULL vlan group
Date: Thu, 2 Apr 2026 07:01:53 -0700
Message-ID: <20260402140153.3925663-1-yzjaurora@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

When CONFIG_BRIDGE_VLAN_FILTERING is not set, br_vlan_group() and
nbp_vlan_group() return NULL (br_private.h stub definitions). The
BR_BOOLOPT_FDB_LOCAL_VLAN_0 toggle code is compiled unconditionally and
reaches br_fdb_delete_locals_per_vlan_port() and
br_fdb_insert_locals_per_vlan_port(), where the NULL vlan group pointer
is dereferenced via list_for_each_entry(v, &vg->vlan_list, vlist).

The observed crash is in the delete path, triggered when creating a
bridge with IFLA_BR_MULTI_BOOLOPT containing BR_BOOLOPT_FDB_LOCAL_VLAN_0
via RTM_NEWLINK. The insert helper has the same bug pattern.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
RIP: 0010:br_fdb_delete_locals_per_vlan+0x2b9/0x310
Call Trace:
 br_fdb_toggle_local_vlan_0+0x452/0x4c0
 br_toggle_fdb_local_vlan_0+0x31/0x80 net/bridge/br.c:276
 br_boolopt_toggle net/bridge/br.c:313
 br_boolopt_multi_toggle net/bridge/br.c:364
 br_changelink net/bridge/br_netlink.c:1542
 br_dev_newlink net/bridge/br_netlink.c:1575

Add NULL checks for the vlan group pointer in both helpers, returning
early when there are no VLANs to iterate. This matches the existing
pattern used by other bridge FDB functions such as br_fdb_add() and
br_fdb_delete().

Fixes: 21446c06b441 ("net: bridge: Introduce UAPI for BR_BOOLOPT_FDB_LOCAL_VLAN_0")
Signed-off-by: Zijing Yin
Acked-by: Nikolay Aleksandrov
Reviewed-by: Ido Schimmel
---
Tested on Linux v7.0-rc5 (upstream tag) with clang 20.1.0, KASAN enabled,
CONFIG_BRIDGE_VLAN_FILTERING=n.

Bug independently reproduced with the attached C reproducer
(repro_br_fdb.c). The crash triggers deterministically on the first run
with CONFIG_BRIDGE_VLAN_FILTERING=n on a clang-built kernel.

Exact crash signature from reproduction:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000056: 0000 [#1] KASAN NOPTI
KASAN: null-ptr-deref in range [0x00000000000002b0-0x00000000000002b7]
RIP: 0010:br_fdb_delete_locals_per_vlan+0x72/0x3f0
Call Trace:
 br_fdb_toggle_local_vlan_0+0x3d/0x1d0
 br_boolopt_toggle+0xba/0x1a0
 br_boolopt_multi_toggle+0x129/0x250
 br_changelink+0x1100/0x1490
 br_dev_newlink+0x115/0x190
 rtnl_newlink+0xe15/0x25c0

Note: gcc 13.3 with the same config optimizes away the NULL dereference
path (UB elimination), so the crash does not trigger on gcc-built
kernels. The code is still incorrect regardless of compiler behavior.

Reproducer (C source): [PASTE_URL_HERE]
Kernel .config: [PASTE_URL_HERE]

To reproduce: compile the C reproducer with `gcc -static -o repro repro.c`,
run as root on a clang-built kernel. The crash triggers during
br_dev_newlink() -> br_changelink() when the boolopt toggle reaches
br_fdb_delete_locals_per_vlan_port() with a NULL vlan group.

Note: RTM_SETLINK on an existing bridge may not trigger it due to
different code ordering.

 net/bridge/br_fdb.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
index 0501ffcb8..e2c17f620 100644
--- a/net/bridge/br_fdb.c
+++ b/net/bridge/br_fdb.c
@@ -597,6 +597,9 @@ static void br_fdb_delete_locals_per_vlan_port(struct n= et_bridge *br, dev =3D br->dev; } =20 + if (!vg) + return; + list_for_each_entry(v, &vg->vlan_list, vlist) br_fdb_find_delete_local(br, p, dev->dev_addr, v->vid); }
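Review bot: the new `if (!vg) return;` sits after the if/else that picks `vg` and `dev` from the port or the bridge, so it covers both nbp_vlan_group() and br_vlan_group() returning NULL, but nothing at the site says why `vg` can be NULL; add a one-line comment that this is the CONFIG_BRIDGE_VLAN_FILTERING=n stub case (the commit message explains it, the code does not), otherwise the next reader will take it for a guard against a racing teardown. Since `dev` is only used inside the loop, the check could also move above the `dev = br->dev;` assignment, and the commit message's point that this mirrors br_fdb_add() and br_fdb_delete() belongs in that comment so the pattern stays recognisable.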
@@ -630,6 +633,9 @@ static int br_fdb_insert_locals_per_vlan_port(struct ne= t_bridge *br, dev =3D br->dev; } =20 + if (!vg) + return 0; + list_for_each_entry(v, &vg->vlan_list, vlist) { if (!br_vlan_should_use(v)) continue;
-- 
2.43.0
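Review bot: `return 0` in the insert helper reports success while inserting no local entries, so enabling BR_BOOLOPT_FDB_LOCAL_VLAN_0 on a CONFIG_BRIDGE_VLAN_FILTERING=n kernel is ACKed and silently does nothing. If that is the intended semantics (the delete helper becomes a no-op the same way), the commit message should say so; if not, the toggle should be refused once with an error in br_fdb_toggle_local_vlan_0(), which the call trace shows is the common caller of both helpers, rather than guarded in each helper. The `!br_vlan_should_use(v)` filter below is unchanged, so the early return is the only behavioural difference this hunk introduces.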
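The trigger the commit message describes, a bridge created over RTM_NEWLINK with IFLA_BR_MULTI_BOOLOPT carrying BR_BOOLOPT_FDB_LOCAL_VLAN_0, as an added example that is not the reproducer attached to the patch and not bridge code: it hand-builds the rtnetlink request with the nested IFLA_LINKINFO / IFLA_INFO_DATA layout the bridge netlink code parses, walks the buffer back down to the boolopt attribute as a self-check, and sends it when run as root. The interface name br0, the helper names (put_attr, nest_end, find_attr, boolopt_mask_in), and the fallback value 3 for BR_BOOLOPT_FDB_LOCAL_VLAN_0 (used only when the installed UAPI headers predate commit 21446c06b441) are assumptions of this example.

```c
/* Added example, not the reproducer attached to the patch: hand-build the
 * RTM_NEWLINK request the commit message describes (bridge creation with
 * IFLA_BR_MULTI_BOOLOPT carrying BR_BOOLOPT_FDB_LOCAL_VLAN_0) and send it. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <linux/if_link.h>
#include <linux/if_bridge.h>

#ifndef BR_BOOLOPT_FDB_LOCAL_VLAN_0
#define BR_BOOLOPT_FDB_LOCAL_VLAN_0 3 /* assumed; UAPI headers older than 21446c06b441 */
#endif
#define NLA_PAYLOAD(a) ((const unsigned char *)(a) + NLA_HDRLEN)

struct nlreq {
	unsigned char buf[256];
	size_t len;
};

/* Append one attribute, return its header offset; nested ones are opened empty and closed by nest_end(). */
static size_t put_attr(struct nlreq *r, int type, const void *data, size_t dlen)
{
	struct nlattr *a = (struct nlattr *)(r->buf + r->len);
	size_t off = r->len;
	a->nla_type = type;
	a->nla_len = NLA_HDRLEN + dlen;
	if (dlen)
		memcpy(r->buf + off + NLA_HDRLEN, data, dlen);
	r->len += NLA_ALIGN(a->nla_len);
	return off;
}

static void nest_end(struct nlreq *r, size_t off)
{
	((struct nlattr *)(r->buf + off))->nla_len = r->len - off;
}

/* RTM_NEWLINK { ifinfomsg, IFLA_IFNAME, IFLA_LINKINFO { IFLA_INFO_KIND "bridge",
 * IFLA_INFO_DATA { IFLA_BR_MULTI_BOOLOPT } } }; returns the total message length. */
size_t build_newlink_bridge(struct nlreq *r, const char *ifname, unsigned opt)
{
	struct nlmsghdr *nlh = (struct nlmsghdr *)r->buf;
	struct br_boolopt_multi bm = { .optval = 1u << opt, .optmask = 1u << opt };
	size_t linkinfo, infodata;
	memset(r, 0, sizeof(*r));
	nlh->nlmsg_type = RTM_NEWLINK;
	nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
	((struct ifinfomsg *)NLMSG_DATA(nlh))->ifi_family = AF_UNSPEC;
	r->len = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct ifinfomsg));
	put_attr(r, IFLA_IFNAME, ifname, strlen(ifname) + 1);
	linkinfo = put_attr(r, IFLA_LINKINFO, NULL, 0);
	put_attr(r, IFLA_INFO_KIND, "bridge", sizeof("bridge"));
	infodata = put_attr(r, IFLA_INFO_DATA, NULL, 0);
	put_attr(r, IFLA_BR_MULTI_BOOLOPT, &bm, sizeof(bm));
	nest_end(r, infodata);
	nest_end(r, linkinfo);
	nlh->nlmsg_len = r->len;
	return r->len;
}

/* Bounds-checked scan of one attribute level for a given type. */
static const struct nlattr *find_attr(const unsigned char *p, size_t len, int type)
{
	while (len >= NLA_HDRLEN) {
		const struct nlattr *a = (const struct nlattr *)p;
		size_t step = NLA_ALIGN(a->nla_len);
		if (a->nla_len < NLA_HDRLEN || a->nla_len > len)
			return NULL;
		if ((a->nla_type & NLA_TYPE_MASK) == type)
			return a;
		p += step;
		len -= step < len ? step : len;
	}
	return NULL;
}

/* Walk the request back down to IFLA_BR_MULTI_BOOLOPT; returns its optmask, 0 if a level is missing. */
__u32 boolopt_mask_in(const struct nlreq *r)
{
	size_t hdr = NLMSG_HDRLEN + NLMSG_ALIGN(sizeof(struct ifinfomsg));
	const struct nlattr *li, *id, *bo;
	li = find_attr(r->buf + hdr, r->len - hdr, IFLA_LINKINFO);
	id = li ? find_attr(NLA_PAYLOAD(li), li->nla_len - NLA_HDRLEN, IFLA_INFO_DATA) : NULL;
	bo = id ? find_attr(NLA_PAYLOAD(id), id->nla_len - NLA_HDRLEN, IFLA_BR_MULTI_BOOLOPT) : NULL;
	if (!bo || bo->nla_len < NLA_HDRLEN + sizeof(struct br_boolopt_multi))
		return 0;
	return ((const struct br_boolopt_multi *)NLA_PAYLOAD(bo))->optmask;
}

int main(void)
{
	struct nlreq r;
	struct sockaddr_nl sa = { .nl_family = AF_NETLINK };
	int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
	/* Needs CAP_NET_ADMIN; on an unfixed CONFIG_BRIDGE_VLAN_FILTERING=n
	 * kernel this sendto() is where the reported oops fires. */
	build_newlink_bridge(&r, "br0", BR_BOOLOPT_FDB_LOCAL_VLAN_0);
	if (fd < 0 || sendto(fd, r.buf, r.len, 0, (struct sockaddr *)&sa, sizeof(sa)) < 0)
		perror("rtnetlink");
	return fd < 0 ? 1 : 0;
}
```

Without CAP_NET_ADMIN the kernel answers the request with an error and nothing is created; the builder and the boolopt_mask_in() self-check are the parts that can be exercised unprivileged, which is also where a fuzzer would start varying the nesting and lengths.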