Linux Kernel VLAN Filtering Vulnerability Leading to Memory Leak and Reference Count Imbalance

Vulnerability

A vulnerability in the Linux kernel's handling of VLAN 0 filtering can cause a memory leak and a reference count imbalance. When the 'rx-vlan-filter' feature is disabled on a network device, the 8021q module fails to remove VLAN 0 when the device is taken down, leading to a memory leak. Conversely, if the feature is enabled and the device is brought down, VLAN 0 may be removed without being added back when the device is reactivated, causing a reference count issue that triggers a kernel bug. This vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability can lead to a memory leak and a reference count imbalance, causing a kernel bug due to an invalid memory operation.

Reproduction

To reproduce this vulnerability, create a bond interface and disable the 'rx-vlan-filter' feature. Then, add a VLAN 0 interface linked to the bond. After bringing the bond interface up, re-enable the 'rx-vlan-filter' feature. When the bond interface is taken down, VLAN 0 will be removed, but the reference count will not be properly managed, leading to a null pointer dereference or a kernel bug on unregistering the VLAN device.
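The accounting error behind both outcomes can be followed in a small user-space model. This is an added example, not kernel code and not the upstream patch: every name in it is hypothetical, the leak case assumes the filter was enabled when the device came up, and the "fixed" variant shows one possible remedy (remembering whether the up event added VLAN 0) rather than the change actually merged.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of VLAN 0 accounting on one device (hypothetical names). */
struct dev_model {
    bool filter_on;  /* current state of rx-vlan-filter */
    bool auto_vid0;  /* fixed variant only: the up event added VLAN 0 */
    int  vid0_refs;  /* references currently held on VLAN 0 */
};

/* Device up: VLAN 0 is added automatically only while filtering is enabled. */
static void dev_up(struct dev_model *d, bool fixed) {
    if (d->filter_on) {
        d->vid0_refs++;
        if (fixed)
            d->auto_vid0 = true;
    }
}

/* Device down: the flawed variant decides from the *current* feature state,
 * the fixed variant from what the up event actually did. */
static void dev_down(struct dev_model *d, bool fixed) {
    bool drop = fixed ? d->auto_vid0 : d->filter_on;
    if (drop) {
        d->vid0_refs--;
        d->auto_vid0 = false;
    }
}

/* Reproduction sequence from the advisory. A negative result means more
 * releases than acquisitions, the state that ends in the kernel bug. */
int scenario_repro(bool fixed) {
    struct dev_model d = { .filter_on = false };
    d.vid0_refs++;        /* VLAN 0 interface created on the bond */
    dev_up(&d, fixed);    /* filter off: nothing is added automatically */
    d.filter_on = true;   /* rx-vlan-filter re-enabled */
    dev_down(&d, fixed);  /* flawed variant drops the interface's reference */
    d.vid0_refs--;        /* VLAN device unregistered */
    return d.vid0_refs;
}

/* Leak sequence: filter on at up, off at down. Positive result = leaked. */
int scenario_leak(bool fixed) {
    struct dev_model d = { .filter_on = true };
    dev_up(&d, fixed);
    d.filter_on = false;
    dev_down(&d, fixed);
    return d.vid0_refs;
}

int main(void) {
    printf("repro: flawed=%d fixed=%d\n", scenario_repro(false), scenario_repro(true));
    printf("leak:  flawed=%d fixed=%d\n", scenario_leak(false), scenario_leak(true));
    return 0;
}
```

A result of 0 means the references are balanced; the flawed variant returns -1 for the reproduction sequence and 1 for the leak sequence.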

Added: Jul 28, 2025, 1:21 PM
Updated: Jul 28, 2025, 1:21 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.