From: Florian Westphal <fw@strlen.de>
To: Wang Liang <wangliang74@huawei.com>
Cc: pablo@netfilter.org, kadlec@netfilter.org, razor@blackwall.org,
	idosch@nvidia.com, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
	yuehaibing@huawei.com, zhangchangzhong@huawei.com,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	bridge@lists.linux.dev, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] netfilter: br_netfilter: reread nf_conn from skb after confirm()
Date: Wed, 20 Aug 2025 13:31:46 +0200
Message-ID: <aKWyImI9qxi6GDIF@strlen.de>
In-Reply-To: <20250820043329.2902014-1-wangliang74@huawei.com>

Wang Liang <wangliang74@huawei.com> wrote:
> Previous commit 2d72afb34065 ("netfilter: nf_conntrack: fix crash due to
> removal of uninitialised entry") moved the IPS_CONFIRMED assignment after
> the hash table insertion.

How is that related to this change?
As you write below, the bug came in with 62e7151ae3eb.

> To solve the hash conflict, nf_ct_resolve_clash() tries to merge the
> conntracks and updates skb->_nfct. However, br_nf_local_in() still uses the
> old ct from the local variable 'nfct' after confirm(), which leads to this
> issue. Fix it by rereading nfct from skb.
> 
> Fixes: 62e7151ae3eb ("netfilter: bridge: confirm multicast packets before passing them up the stack")
> Signed-off-by: Wang Liang <wangliang74@huawei.com>
> ---
>  net/bridge/br_netfilter_hooks.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
> index 94cbe967d1c1..55b1b7dcb609 100644
> --- a/net/bridge/br_netfilter_hooks.c
> +++ b/net/bridge/br_netfilter_hooks.c
> @@ -626,6 +626,7 @@ static unsigned int br_nf_local_in(void *priv,
>  		break;
>  	}
>  
> +	nfct = skb_nfct(skb);
>  	ct = container_of(nfct, struct nf_conn, ct_general);
>  	WARN_ON_ONCE(!nf_ct_is_confirmed(ct));
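Review bot: the reloaded `nfct` is handed straight to container_of() and then dereferenced by nf_ct_is_confirmed(ct) with no NULL check, and the verdict switch this hunk sits right after (the `break;` / `}` context, and the original switch visible in the diff further down this reply) only returns early for NF_STOLEN, so an NF_DROP from confirm(), which leaves skb->_nfct NULL, still reaches the WARN_ON_ONCE through a bogus pointer; handle NF_DROP in the switch before the `nfct = skb_nfct(skb);` reload, and have the commit message lead with the Fixes: commit (62e7151ae3eb) rather than 2d72afb34065, whose relation to this change it does not explain.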

There is a second bug here: confirm can return NF_DROP, and
nfct will be NULL.

Can you make this change too (or something similar)?

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 94cbe967d1c1..69b7b7c7565e 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -619,8 +619,9 @@ static unsigned int br_nf_local_in(void *priv,
        nf_bridge_pull_encap_header(skb);
        ret = ct_hook->confirm(skb);
        switch (ret & NF_VERDICT_MASK) {
+       case NF_DROP:
        case NF_STOLEN:
-               return NF_STOLEN;
+               return ret;
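Review bot: this hunk is against the same base (index 94cbe967d1c1) as the posted patch rather than on top of it, so the NF_DROP handling and the `nfct = skb_nfct(skb);` reload need to be folded into one patch before a resend; `return ret;` is the right replacement for the constant, since the switch dispatches on `ret & NF_VERDICT_MASK` and the bits above the mask (an error code packed into an NF_DROP verdict) must survive, but the same `return ret;` now also serves the NF_STOLEN arm, and the changelog should say that both fall-through arms returning the raw verdict is intentional.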


nfct reload seems correct, thanks for catching this.
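A userland model of the two problems discussed in this thread, added here as an illustration; it is not code from the patch or from the kernel. The struct layouts, model_confirm(), the `released` flag and the enum of outcomes are assumptions standing in for the real conntrack machinery, and the verdict values mirror the netfilter constants. It runs the pre-fix caller (cached pointer, NF_STOLEN handled only) and the fixed caller (NF_DROP and NF_STOLEN propagated, then skb->nfct re-read) through the three outcomes confirm() can have, and reports which conntrack entry each one ends up consulting.

```c
/*
 * Userland model of the br_nf_local_in() pattern under discussion.
 * Hypothetical types and names, not kernel code: a caller caches skb->nfct,
 * calls confirm(), and must re-read the pointer afterwards because confirm()
 * may have replaced it (clash resolution) or cleared it (packet dropped).
 */
#include <stdbool.h>
#include <stdio.h>

enum verdict { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2 };
#define NF_VERDICT_MASK 0x000000ff

struct nf_conn {
	int id;
	bool confirmed;
	bool released;	/* stands in for "freed by clash resolution / drop" */
};

struct sk_buff {
	struct nf_conn *nfct;	/* models skb->_nfct */
};

enum confirm_mode { CONFIRM_OK, CONFIRM_CLASH, CONFIRM_DROP };

/* Model of ct_hook->confirm() with the three outcomes the thread describes. */
static unsigned int model_confirm(struct sk_buff *skb, enum confirm_mode mode,
				  struct nf_conn *existing)
{
	struct nf_conn *ct = skb->nfct;

	switch (mode) {
	case CONFIRM_CLASH:
		/* clash resolved: skb now points at the already-confirmed entry */
		ct->released = true;
		skb->nfct = existing;
		return NF_ACCEPT;
	case CONFIRM_DROP:
		ct->released = true;
		skb->nfct = NULL;
		return NF_DROP;
	default:
		ct->confirmed = true;
		return NF_ACCEPT;
	}
}

struct result {
	unsigned int verdict;
	int ct_id;		/* -1 when no conntrack entry was consulted */
	bool ct_confirmed;	/* what WARN_ON_ONCE(!nf_ct_is_confirmed(ct)) sees */
	bool used_released;	/* the consulted entry had already been released */
};

static void consult(struct result *r, const struct nf_conn *ct)
{
	r->ct_id = ct->id;
	r->ct_confirmed = ct->confirmed;
	r->used_released = ct->released;
}

/* Before the fix: keeps the pre-confirm() pointer and handles NF_STOLEN only. */
static struct result local_in_before(struct sk_buff *skb, enum confirm_mode mode,
				     struct nf_conn *existing)
{
	struct result r = { NF_ACCEPT, -1, false, false };
	struct nf_conn *nfct = skb->nfct;	/* cached before confirm() */
	unsigned int ret = model_confirm(skb, mode, existing);

	if ((ret & NF_VERDICT_MASK) == NF_STOLEN) {
		r.verdict = NF_STOLEN;
		return r;
	}
	consult(&r, nfct);	/* stale after a clash, released after a drop */
	return r;
}

/* After the fix: propagate NF_DROP/NF_STOLEN, then re-read skb->nfct. */
static struct result local_in_after(struct sk_buff *skb, enum confirm_mode mode,
				    struct nf_conn *existing)
{
	struct result r = { NF_ACCEPT, -1, false, false };
	unsigned int ret = model_confirm(skb, mode, existing);

	switch (ret & NF_VERDICT_MASK) {
	case NF_DROP:
	case NF_STOLEN:
		r.verdict = ret;
		return r;
	default:
		break;
	}
	consult(&r, skb->nfct);	/* re-read: confirm() may have replaced it */
	return r;
}

/* Constructed scenario: an unconfirmed entry (id 1) owned by the skb and a
 * confirmed entry (id 2) that wins any clash. */
static struct result run_scenario(enum confirm_mode mode, bool fixed)
{
	struct nf_conn fresh = { .id = 1, .confirmed = false, .released = false };
	struct nf_conn existing = { .id = 2, .confirmed = true, .released = false };
	struct sk_buff skb = { .nfct = &fresh };

	return fixed ? local_in_after(&skb, mode, &existing)
		     : local_in_before(&skb, mode, &existing);
}

int main(void)
{
	static const char *names[] = { "ok", "clash", "drop" };

	for (int m = CONFIRM_OK; m <= CONFIRM_DROP; m++)
		for (int fixed = 0; fixed <= 1; fixed++) {
			struct result r = run_scenario(m, fixed);

			printf("%-5s %-6s verdict=%u ct=%d confirmed=%d released=%d\n",
			       names[m], fixed ? "after" : "before", r.verdict,
			       r.ct_id, r.ct_confirmed, r.used_released);
		}
	return 0;
}
```

In the clash row the pre-fix caller consults entry 1, which is both unconfirmed (the WARN_ON_ONCE would fire) and already released, while the fixed caller consults the confirmed entry 2; in the drop row the pre-fix caller accepts the packet and touches a released entry, while the fixed caller returns NF_DROP without consulting anything.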


Thread overview: 5+ messages
2025-08-20  4:33 [PATCH net] netfilter: br_netfilter: reread nf_conn from skb after confirm() Wang Liang
2025-08-20 11:31 ` Florian Westphal [this message]
2025-08-21  1:56   ` Wang Liang
2025-08-21  6:57     ` Florian Westphal
2025-08-22  1:08       ` Wang Liang
