From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Ren Wei <n05ec@lzu.edu.cn>,
	netfilter-devel@vger.kernel.org, phil@nwl.cc,
	stephane.ml.bryant@gmail.com, yuantan098@gmail.com,
	yifanwucs@gmail.com, tomapufckgml@gmail.com, bird@lzu.edu.cn,
	royenheart@gmail.com
Subject: Re: [PATCH nf 1/1] netfilter: nf_queue: hold bridge skb->dev while queued
Date: Tue, 12 May 2026 13:29:20 +0200
Message-ID: <agMPEMOLSj_RGFfz@strlen.de>
In-Reply-To: <agMN7WfUC7Xmc2cj@chamomile>

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Tue, May 12, 2026 at 03:57:25PM +0800, Ren Wei wrote:
> > From: Haoze Xie <royenheart@gmail.com>
> > 
> > br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
> > master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
> > references on state.in/out and bridge physdevs, so a queued bridge
> > packet can retain a freed bridge master in skb->dev until reinjection.
> > 
> > When the verdict is reinjected later, br_netif_receive_skb() re-enters
> > the receive path with skb->dev still pointing at the freed bridge master,
> > triggering a use-after-free.
> > 
> > Store skb->dev in the queue entry for bridge builds, hold a reference on
> > it for the queue lifetime, and use the saved device when dropping queued
> > packets during NETDEV_DOWN handling.
> 
> Next attempt: Maybe hold reference on skb->dev...

> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
> index a6c81c04b3a5..26a4db5e17d4 100644
> --- a/net/netfilter/nf_queue.c
> +++ b/net/netfilter/nf_queue.c
> @@ -66,6 +66,7 @@ static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
>  	if (state->sk)
>  		nf_queue_sock_put(state->sk);
>  
> +	dev_put(entry->skb->dev);
>  #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
>  	dev_put(entry->physin);
>  	dev_put(entry->physout);
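Review bot: the release side drops the reference through `entry->skb->dev` rather than through a pointer saved in the queue entry, so the put only balances the hold taken in nf_queue_entry_get_refs() if nothing rewrites skb->dev while the packet sits in the queue; storing the held device in its own entry field, the way `entry->physin`/`entry->physout` are handled just below, would make the pairing explicit and independent of later changes to skb->dev.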
> @@ -104,6 +105,7 @@ bool nf_queue_entry_get_refs(struct nf_queue_entry *entry)
>  
>  	dev_hold(state->in);
>  	dev_hold(state->out);
> +	dev_hold(entry->skb->dev);
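Review bot: holding entry->skb->dev here is unconditional, but skb->dev can be NULL in the output path (as noted in the reply), so this either relies on dev_hold()/dev_put() tolerating NULL or needs an explicit `if (entry->skb->dev)` guard around both calls; and once the reference is taken, the NETDEV_DOWN drop path has to recognise it, so net/netfilter/nfnetlink_queue.c:dev_cmp() should also compare against skb->dev, otherwise a queued entry keeps a device pinned and unregistration stalls on the outstanding reference.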

We should also extend net/netfilter/nfnetlink_queue.c:dev_cmp() to consider
skb->dev, if set.

And I think skb->dev can be NULL here in output path.


Thread overview: 5+ messages
     [not found] <cover.1778493188.git.royenheart@gmail.com>
2026-05-12  7:57 ` [PATCH nf 1/1] netfilter: nf_queue: hold bridge skb->dev while queued Ren Wei
2026-05-12 10:33   ` Pablo Neira Ayuso
2026-05-12 11:03     ` Pablo Neira Ayuso
2026-05-12 11:24   ` Pablo Neira Ayuso
2026-05-12 11:29     ` Florian Westphal [this message]