linux-toradex.git - Linux kernel for Apalis and Colibri modules

diff options

author	Haoze Xie <royenheart@gmail.com>	2026-05-15 11:19:02 +0800
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2026-05-16 13:23:01 +0200
commit	e196115ec330a18de415bdb9f5071aa9f08e53ce (patch)
tree	f2507719115da6f0c81e7962148c392a1f951952 /include/net/ip_vs.h
parent	b2870fc21601db9133bc70c48c603b487614fa3b (diff)

netfilter: nf_queue: hold bridge skb->dev while queued

br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge master before queueing bridge LOCAL_IN packets. NFQUEUE only holds references on state.in/out and bridge physdevs, so a queued bridge packet can retain a freed bridge master in skb->dev until reinjection. When the verdict is reinjected later, br_netif_receive_skb() re-enters the receive path with skb->dev still pointing at the freed bridge master, triggering a use-after-free. Store skb->dev in the queue entry, hold a reference on it for the queue lifetime, and use the saved device when dropping queued packets during NETDEV_DOWN handling. Fixes: ac2863445686 ("netfilter: bridge: add nf_afinfo to enable queuing to userspace") Cc: stable@kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Yifan Wu <yifanwucs@gmail.com> Reported-by: Juefei Pu <tomapufckgml@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Signed-off-by: Haoze Xie <royenheart@gmail.com> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Diffstat (limited to 'include/net/ip_vs.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: