On Tue, May 12, 2026 at 03:57:25PM +0800, Ren Wei wrote:
> From: Haoze Xie
>
> br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
> master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
> references on state.in/out and bridge physdevs, so a queued bridge
> packet can retain a freed bridge master in skb->dev until reinjection.
>
> When the verdict is reinjected later, br_netif_receive_skb() re-enters
> the receive path with skb->dev still pointing at the freed bridge master,
> triggering a use-after-free.
>
> Store skb->dev in the queue entry for bridge builds, hold a reference on
> it for the queue lifetime, and use the saved device when dropping queued
> packets during NETDEV_DOWN handling.
>
> Fixes: ac2863445686 ("netfilter: bridge: add nf_afinfo to enable queuing to userspace")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan
> Reported-by: Yifan Wu
> Reported-by: Juefei Pu
> Reported-by: Xin Liu
> Tested-by: Haoze Xie
> Signed-off-by: Haoze Xie
> Signed-off-by: Ren Wei
> ---
>  include/net/netfilter/nf_queue.h | 1 +
>  net/netfilter/nf_queue.c         | 5 +++++
>  net/netfilter/nfnetlink_queue.c  | 3 +++
>  3 files changed, 9 insertions(+)
>
> diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
> index d17035d14d96..1e7eb8e85932 100644
> --- a/include/net/netfilter/nf_queue.h
> +++ b/include/net/netfilter/nf_queue.h
> @@ -17,6 +17,7 @@ struct nf_queue_entry {
> unsigned int id;
> unsigned int hook_index; /* index in hook_entries->hook[] */
> #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
> + struct net_device *skb_dev;

patch is not correct, this is only fixing it for br_netfilter.

> struct net_device *physin;
> struct net_device *physout;
> #endif

Maybe normalize this special case with this patch instead? I will propose
it to the bridge maintainer.

It is strange that skb->dev != indev.

I have to take a second look, but I don't see a use case where skb->dev is
used in the netfilter tree that could break.
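Review bot: in the nf_queue.h hunk the new `skb_dev` member is placed inside the existing `#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)` block, next to `physin`/`physout`, so the saved device and the reference taken on it exist only in bridge-netfilter builds; that matches the commit message's "for bridge builds", but it means the skb->dev rewrite in br_pass_frame_up() that the commit message describes is covered only under that configuration, and a reader of the header cannot tell from the struct alone which builds are protected. The neighbouring `hook_index` member carries an explanatory comment while the new pointer has none, so document what it holds and that a reference is taken on it for the queue lifetime, e.g. `struct net_device *skb_dev; /* skb->dev at queue time, reference held */`. The nf_queue.c and nfnetlink_queue.c hunks listed in the diffstat are not quoted here, so where the reference is taken and released cannot be checked from this mail.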
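An added example, not kernel code and not part of Ren Wei's patch or the netfilter tree: a small user-space model of the lifetime problem the commit message describes. The names dev_hold(), dev_put(), nf_queue_entry, nfqnl_entry_matches_dev() and br_pass_frame_up() mirror kernel identifiers, but every struct and function here is a simplified stand-in (an assumption for illustration), and a freed device is modelled by a flag rather than a real kfree() so the probe stays memory-safe. It shows why a queue entry that references only state.in/out and the physdevs can outlive the bridge master that skb->dev points at, and how saving skb->dev in the entry closes that window.

```c
/*
 * Added example: user-space model of the NFQUEUE reference-lifetime bug.
 * Not kernel code. Structures and helpers are simplified stand-ins for the
 * kernel objects of the same name (assumptions for illustration only).
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct net_device {
    const char *name;
    int refcnt;   /* models the netdev refcount */
    bool freed;   /* set when refcnt reaches zero; stands in for the memory being released */
};

static void dev_hold(struct net_device *dev) { if (dev) dev->refcnt++; }
static void dev_put(struct net_device *dev)
{
    if (dev && --dev->refcnt == 0)
        dev->freed = true;   /* the real kernel would free the object here */
}

struct sk_buff { struct net_device *dev; };
struct nf_hook_state { struct net_device *in, *out; };

struct nf_queue_entry {
    struct sk_buff *skb;
    struct nf_hook_state state;
    struct net_device *physin, *physout;
    struct net_device *skb_dev;   /* the field the patch adds (NULL when unpatched) */
};

/* Take references for the queue lifetime. Unpatched: only state.in/out and physdevs. */
static void nf_queue_entry_get_refs(struct nf_queue_entry *e, bool patched)
{
    dev_hold(e->state.in);
    dev_hold(e->state.out);
    dev_hold(e->physin);
    dev_hold(e->physout);
    if (patched) {
        e->skb_dev = e->skb->dev;   /* remember the device skb->dev pointed at */
        dev_hold(e->skb_dev);       /* and keep it alive until the verdict */
    }
}

static void nf_queue_entry_free(struct nf_queue_entry *e)
{
    dev_put(e->state.in);
    dev_put(e->state.out);
    dev_put(e->physin);
    dev_put(e->physout);
    dev_put(e->skb_dev);   /* NULL when unpatched; dev_put() ignores NULL */
}

/* NETDEV_DOWN check: does this queued entry reference the device going away? */
static bool nfqnl_entry_matches_dev(const struct nf_queue_entry *e,
                                    const struct net_device *dev)
{
    return e->state.in == dev || e->state.out == dev ||
           e->physin == dev || e->physout == dev || e->skb_dev == dev;
}

/* br_pass_frame_up(): skb->dev is rewritten from the ingress port to the bridge master. */
static void br_pass_frame_up(struct sk_buff *skb, struct net_device *br)
{
    skb->dev = br;
}

/*
 * Queue a bridge LOCAL_IN packet, take br0 down while it is queued, then
 * reinject. Returns 1 if reinjection would dereference a freed skb->dev,
 * 0 if the entry was dropped at NETDEV_DOWN instead.
 */
static int run_scenario(bool patched)
{
    struct net_device port = { "eth0", 1, false };   /* refcnt 1 = owner's reference */
    struct net_device br0  = { "br0",  1, false };
    struct sk_buff skb = { &port };
    struct nf_queue_entry e;
    int uaf = 0;

    memset(&e, 0, sizeof(e));
    br_pass_frame_up(&skb, &br0);   /* skb->dev = br0 while indev stays the port */
    e.skb = &skb;
    e.state.in = &port;             /* indev handed to NF_HOOK is the ingress port */
    e.physin = &port;
    nf_queue_entry_get_refs(&e, patched);

    bool dropped = nfqnl_entry_matches_dev(&e, &br0);
    if (dropped)
        nf_queue_entry_free(&e);    /* patched: entry dropped, verdict never reinjected */
    dev_put(&br0);                  /* owner's reference gone: br0 unregisters */
    if (!dropped) {
        uaf = e.skb->dev->freed;    /* unpatched: br_netif_receive_skb() would touch this */
        nf_queue_entry_free(&e);
    }
    dev_put(&port);
    return uaf;
}

int main(void)
{
    printf("unpatched: reinject touches freed dev = %d\n", run_scenario(false));
    printf("patched:   reinject touches freed dev = %d\n", run_scenario(true));
    return 0;
}
```

The model also makes the reply's remark concrete: state.in stays the ingress port while skb->dev has become the bridge master, so references taken on state.in alone say nothing about the object reinjection will dereference.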