This is a note to let you know that I've just added the patch titled
bridge: Check if vlan filtering is enabled only once.
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bridge-check-if-vlan-filtering-is-enabled-only-once.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Sun Oct 12 16:38:53 CEST 2014
From: Vlad Yasevich <vyasevich@xxxxxxxxx>
Date: Fri, 12 Sep 2014 16:26:16 -0400
Subject: bridge: Check if vlan filtering is enabled only once.
From: Vlad Yasevich <vyasevich@xxxxxxxxx>
[ Upstream commit 20adfa1a81af00bf2027644507ad4fa9cd2849cf ]
The bridge code checks if vlan filtering is enabled on both
ingress and egress. When the state flip happens, it
is possible for the bridge to currently be forwarding packets
and forwarding behavior becomes non-deterministic. Bridge
may drop packets on some interfaces, but not others.
This patch solves this by caching the filtered state of the
packet into skb_cb on ingress. The skb_cb is guaranteed to
not be over-written between the time packet entres bridge
forwarding path and the time it leaves it. On egress, we
can then check the cached state to see if we need to
apply filtering information.
Signed-off-by: Vladislav Yasevich <vyasevic@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/bridge/br_private.h | 3 +++
net/bridge/br_vlan.c | 15 +++++++++++----
2 files changed, 14 insertions(+), 4 deletions(-)
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -302,6 +302,9 @@ struct br_input_skb_cb {
int igmp;
int mrouters_only;
#endif
+#ifdef CONFIG_BRIDGE_VLAN_FILTERING
+ bool vlan_filtered;
+#endif
};
#define BR_INPUT_SKB_CB(__skb) ((struct br_input_skb_cb *)(__skb)->cb)
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -125,7 +125,8 @@ struct sk_buff *br_handle_vlan(struct ne
{
u16 vid;
- if (!br->vlan_enabled)
+ /* If this packet was not filtered at input, let it pass */
+ if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
goto out;
/* Vlan filter table must be configured at this point. The
@@ -163,8 +164,10 @@ bool br_allowed_ingress(struct net_bridg
/* If VLAN filtering is disabled on the bridge, all packets are
* permitted.
*/
- if (!br->vlan_enabled)
+ if (!br->vlan_enabled) {
+ BR_INPUT_SKB_CB(skb)->vlan_filtered = false;
return true;
+ }
/* If there are no vlan in the permitted list, all packets are
* rejected.
@@ -172,6 +175,8 @@ bool br_allowed_ingress(struct net_bridg
if (!v)
goto drop;
+ BR_INPUT_SKB_CB(skb)->vlan_filtered = true;
+
/* If vlan tx offload is disabled on bridge device and frame was
* sent from vlan device on the bridge device, it does not have
* HW accelerated vlan tag.
@@ -228,7 +233,8 @@ bool br_allowed_egress(struct net_bridge
{
u16 vid;
- if (!br->vlan_enabled)
+ /* If this packet was not filtered at input, let it pass */
+ if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
return true;
if (!v)
@@ -247,7 +253,8 @@ bool br_should_learn(struct net_bridge_p
struct net_bridge *br = p->br;
struct net_port_vlans *v;
- if (!br->vlan_enabled)
+ /* If filtering was disabled at input, let it pass. */
+ if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
return true;
v = rcu_dereference(p->vlan_info);
Patches currently in stable-queue which might be from vyasevich@xxxxxxxxx are
queue-3.14/macvtap-fix-race-between-device-delete-and-open.patch
queue-3.14/bridge-fix-br_should_learn-to-check-vlan_enabled.patch
queue-3.14/tg3-work-around-hw-fw-limitations-with-vlan-encapsulated-frames.patch
queue-3.14/bridge-check-if-vlan-filtering-is-enabled-only-once.patch
queue-3.14/tg3-allow-for-recieve-of-full-size-8021ad-frames.patch
queue-3.14/sctp-handle-association-restarts-when-the-socket-is-closed.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html