In the Linux kernel, the following vulnerability has been resolved:
net: dsa: felix: suppress non-changes to the tagging protocol
The way in which dsatreechangetagproto() works is that when dsatreenotify() fails, it doesn't know whether the operation failed mid way in a multi-switch tree, or it failed for a single-switch tree. So even though drivers need to fail cleanly in ds->ops->changetagprotocol(), DSA will still call dsatreenotify() again, to restore the old tag protocol for potential switches in the tree where the change did succeeed (before failing for others).
This means for the felix driver that if we report an error in felixchangetagprotocol(), we'll get another call where protoops == oldprotoops. If we proceed to act upon that, we may do unexpected things. For example, we will call dsatag8021qregister() twice in a row, without any dsatag8021qunregister() in between. Then we will actually call dsatag8021qunregister() via oldproto_ops->teardown, which (if it manages to run at all, after walking through corrupted data structures) will leave the ports inoperational anyway.
The bug can be readily reproduced if we force an error while in tag_8021q mode; this crashes the kernel.
echo ocelot-8021q > /sys/class/net/eno2/dsa/tagging echo edsa > /sys/class/net/eno2/dsa/tagging # -EPROTONOSUPPORT
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000014 Call trace: vcapentryget+0x24/0x124 ocelotvcapfilterdel+0x198/0x270 felixtag8021qvlandel+0xd4/0x21c dsaswitchtag8021qvlandel+0x168/0x2cc dsaswitchevent+0x68/0x1170 dsatreenotify+0x14/0x34 dsaporttag8021qvlandel+0x84/0x110 dsatag8021qunregister+0x15c/0x1c0 felixtag8021qteardown+0x16c/0x180 felixchangetagprotocol+0x1bc/0x230 dsaswitchevent+0x14c/0x1170 dsatreechangetagproto+0x118/0x1c0