On Wed, Nov 05, 2025 at 01:19:18PM +0200, Nikolay Aleksandrov wrote:
> syzbot reported[1] a use-after-free when deleting an expired fdb. It is
> due to a race condition between learning still happening and a port being
> deleted, after all its fdbs have been flushed. The port's state has been
> toggled to disabled so no learning should happen at that time, but if we
> have MST enabled, it will bypass the port's state, that together with VLAN
> filtering disabled can lead to fdb learning at a time when it shouldn't
> happen while the port is being deleted. VLAN filtering must be disabled
> because we flush the port VLANs when it's being deleted which will stop
> learning. This fix adds a check for the port's vlan group which is
> initialized to NULL when the port is getting deleted, that avoids the port
> state bypass. When MST is enabled there would be a minimal new overhead
> in the fast-path because the port's vlan group pointer is cache-hot.
>
> [1] https://syzkaller.appspot.com/bug?extid=dd280197f0f7ab3917be
>
> Fixes: ec7328b59176 ("net: bridge: mst: Multiple Spanning Tree (MST) mode")
> Reported-by: [email protected]
> Closes:
> https://lore.kernel.org/netdev/[email protected]/
> Signed-off-by: Nikolay Aleksandrov <[email protected]>

Reviewed-by: Ido Schimmel <[email protected]>
