From: Nikolay Aleksandrov <nikolay@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 3 Dec 2019 16:48:06 +0200
> We have an interesting memory leak in the bridge when it is being
> unregistered and is a slave to a master device which would change the
> mac of its slaves on unregister (e.g. bond, team). This is a very
> unusual setup but we do end up leaking 1 fdb entry because
> dev_set_mac_address() would cause the bridge to insert the new mac address
> into its table after all fdbs are flushed, i.e. after dellink() on the
> bridge has finished and we call NETDEV_UNREGISTER the bond/team would
> release it and will call dev_set_mac_address() to restore its original
> address and that in turn will add an fdb in the bridge.
> One fix is to check for the bridge dev's reg_state in its
> ndo_set_mac_address callback and return an error if the bridge is not in
> NETREG_REGISTERED.
>
> Easy steps to reproduce:
> 1. add bond in mode != A/B
> 2. add any slave to the bond
> 3. add bridge dev as a slave to the bond
> 4. destroy the bridge device
>
> Trace:
> unreferenced object 0xffff888035c4d080 (size 128):
...
> Fixes: 43598813386f ("bridge: add local MAC address to forwarding table (v2)")
> Reported-by: syzbot+2add91c08eb181fea1bf@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Nikolay Aleksandrov <nikolay@xxxxxxxxxxxxxxxxxxx>
Looks good, applied and queued up for -stable.
Thanks.
