From c8caaa7875dd79f4e257e369ed801a530975048c Mon Sep 17 00:00:00 2001 From: Tobias Waldekranz Date: Mon, 29 Sep 2025 14:53:32 +0800 Subject: [PATCH] net: dsa: Avoid cross-chip syncing of VLAN filtering mainline inclusion from mainline-v5.18-rc1 commit 108dc8741c203e9d6ce4e973367f1bac20c7192b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP4I5 CVE: CVE-2022-49234 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=108dc8741c203e9d6ce4e973367f1bac20c7192b -------------------------------- Changes to VLAN filtering are not applicable to cross-chip notifications. On a system like this: .-----. .-----. .-----. | sw1 +---+ sw2 +---+ sw3 | '-1-2-' '-1-2-' '-1-2-' Before this change, upon sw1p1 leaving a bridge, a call to dsa_port_vlan_filtering would also be made to sw2p1 and sw3p1. In this scenario: .---------. .-----. .-----. | sw1 +---+ sw2 +---+ sw3 | '-1-2-3-4-' '-1-2-' '-1-2-' When sw1p4 would leave a bridge, dsa_port_vlan_filtering would be called for sw2 and sw3 with a non-existing port - leading to array out-of-bounds accesses and crashes on mv88e6xxx. Fixes: d371b7c92d19 ("net: dsa: Unset vlan_filtering when ports leave the bridge") Signed-off-by: Tobias Waldekranz Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Conflicts: net/dsa/switch.c [381a730182f1, 58adf9dcb15b not merged.] Signed-off-by: Yuan Can --- net/dsa/switch.c | 60 +++++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 29 deletions(-) diff --git a/net/dsa/switch.c b/net/dsa/switch.c index a44035872cff..2d8a1f7ee565 100644 --- a/net/dsa/switch.c +++ b/net/dsa/switch.c @@ -121,37 +121,39 @@ static int dsa_switch_bridge_leave(struct dsa_switch *ds, info->sw_index, info->port, info->br); - /* If the bridge was vlan_filtering, the bridge core doesn't trigger an - * event for changing vlan_filtering setting upon slave ports leaving - * it. That is a good thing, because that lets us handle it and also - * handle the case where the switch's vlan_filtering setting is global - * (not per port). When that happens, the correct moment to trigger the - * vlan_filtering callback is only when the last port left this bridge. - */ - if (unset_vlan_filtering && ds->vlan_filtering_is_global) { - for (i = 0; i < ds->num_ports; i++) { - if (i == info->port) - continue; - if (dsa_to_port(ds, i)->bridge_dev == info->br) { - unset_vlan_filtering = false; - break; + if (ds->dst->index == info->tree_index && ds->index == info->sw_index) { + /* If the bridge was vlan_filtering, the bridge core doesn't trigger an + * event for changing vlan_filtering setting upon slave ports leaving + * it. That is a good thing, because that lets us handle it and also + * handle the case where the switch's vlan_filtering setting is global + * (not per port). When that happens, the correct moment to trigger the + * vlan_filtering callback is only when the last port left this bridge. + */ + if (unset_vlan_filtering && ds->vlan_filtering_is_global) { + for (i = 0; i < ds->num_ports; i++) { + if (i == info->port) + continue; + if (dsa_to_port(ds, i)->bridge_dev == info->br) { + unset_vlan_filtering = false; + break; + } } } - } - if (unset_vlan_filtering) { - struct switchdev_trans trans; - - trans.ph_prepare = true; - err = dsa_port_vlan_filtering(dsa_to_port(ds, info->port), - false, &trans); - if (err && err != EOPNOTSUPP) - return err; - - trans.ph_prepare = false; - err = dsa_port_vlan_filtering(dsa_to_port(ds, info->port), - false, &trans); - if (err && err != EOPNOTSUPP) - return err; + if (unset_vlan_filtering) { + struct switchdev_trans trans; + + trans.ph_prepare = true; + err = dsa_port_vlan_filtering(dsa_to_port(ds, info->port), + false, &trans); + if (err && err != EOPNOTSUPP) + return err; + + trans.ph_prepare = false; + err = dsa_port_vlan_filtering(dsa_to_port(ds, info->port), + false, &trans); + if (err && err != EOPNOTSUPP) + return err; + } } return 0; } -- Gitee