Re: [PATCH nf 1/1] netfilter: nf_queue: hold bridge skb->dev while queued

[Pablo Neira Ayuso <pablo@netfilter.org>]

On Tue, May 12, 2026 at 12:33:37PM +0200, Pablo Neira Ayuso wrote:
> On Tue, May 12, 2026 at 03:57:25PM +0800, Ren Wei wrote:
> > From: Haoze Xie <royenheart@gmail.com>
> > 
> > br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
> > master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
> > references on state.in/out and bridge physdevs, so a queued bridge
> > packet can retain a freed bridge master in skb->dev until reinjection.
> > 
> > When the verdict is reinjected later, br_netif_receive_skb() re-enters
> > the receive path with skb->dev still pointing at the freed bridge master,
> > triggering a use-after-free.
> > 
> > Store skb->dev in the queue entry for bridge builds, hold a reference on
> > it for the queue lifetime, and use the saved device when dropping queued
> > packets during NETDEV_DOWN handling.
> > 
> > Fixes: ac2863445686 ("netfilter: bridge: add nf_afinfo to enable queuing to userspace")
> > Cc: stable@kernel.org
> > Reported-by: Yuan Tan <yuantan098@gmail.com>
> > Reported-by: Yifan Wu <yifanwucs@gmail.com>
> > Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> > Reported-by: Xin Liu <bird@lzu.edu.cn>
> > Tested-by: Haoze Xie <royenheart@gmail.com>
> > Signed-off-by: Haoze Xie <royenheart@gmail.com>
> > Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> > ---
> >  include/net/netfilter/nf_queue.h | 1 +
> >  net/netfilter/nf_queue.c         | 5 +++++
> >  net/netfilter/nfnetlink_queue.c  | 3 +++
> >  3 files changed, 9 insertions(+)
> > 
> > diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h
> > index d17035d14d96..1e7eb8e85932 100644
> > --- a/include/net/netfilter/nf_queue.h
> > +++ b/include/net/netfilter/nf_queue.h
> > @@ -17,6 +17,7 @@ struct nf_queue_entry {
> >  	unsigned int		id;
> >  	unsigned int		hook_index;	/* index in hook_entries->hook[] */
> >  #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
> > +	struct net_device	*skb_dev;
> 
> patch is not correct, this is only fixing it for br_netfilter.
> 
> >  	struct net_device	*physin;
> >  	struct net_device	*physout;
> >  #endif
> 
> Maybe normalize this special case with this patch instead? I will
> propose it to the bridge maintainer.
> 
> It is strange that skb->dev != indev.
> 
> I have to take a second look, but I don't a usecase where skb->dev is
> used in the netfilter tree can could break.

Scratch this proposal, it also breaks.