From: David Dull <monderasdor@gmail.com>
To: longman@redhat.com
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
lvs-devel@vger.kernel.org, linux-sched@vger.kernel.org,
kuba@kernel.org, pabeni@redhat.com, horms@kernel.org,
David Dull <monderasdor@gmail.com>
Subject: Re: [PATCH net] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path
Date: Tue, 24 Mar 2026 20:51:09 +0200 [thread overview]
Message-ID: <20260324185110.1651-1-monderasdor@gmail.com> (raw)
Hi Hyunwoo,
I reviewed the change and the reasoning looks correct to me.
nfqnl_recv_verdict() dequeues the entry using find_dequeue_entry(), which transfers ownership of the nf_queue_entry to this function. After that point the function becomes responsible for either reinjecting or freeing the entry.
In the PF_BRIDGE path the code calls nfqa_parse_bridge() to parse the VLAN attributes coming from userspace. If the attribute set is malformed (for example NFQA_VLAN present but NFQA_VLAN_TCI missing), nfqa_parse_bridge() returns an error. Before this patch, the function would return immediately in that situation.
Because the entry had already been dequeued, returning directly means the nf_queue_entry object and its associated sk_buff are never released. That also leaves any held references such as net_device and struct net references alive. If a userspace program repeatedly sends malformed verdict messages, this path could leak queue entries and eventually exhaust kernel memory.
Your change fixes this by calling nfqnl_reinject(entry, NF_DROP) before returning. This matches the error handling pattern used elsewhere in the file: once the entry is owned by the verdict handler, it must be reinjected or dropped so the resources are released correctly.
So the logic now becomes:
1. dequeue the entry
2. attempt bridge attribute parsing
3. if parsing fails, explicitly drop the packet via nfqnl_reinject()
4. return the error to the caller
That ensures the queue entry and skb are properly handled even in the malformed attribute case.
The Fixes tag also makes sense since the leak path was introduced when bridge verdict handling started using NFQA_VLAN/NFQA_L2HDR.
Overall the change is small, consistent with the existing reinjection model, and addresses a clear ownership leak in the error path.
Reviewed by : David Dull
next reply other threads:[~2026-03-24 18:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-24 18:51 David Dull [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-03-07 17:24 [PATCH net] netfilter: nfnetlink_queue: fix entry leak in bridge verdict error path Hyunwoo Kim
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260324185110.1651-1-monderasdor@gmail.com \
--to=monderasdor@gmail.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sched@vger.kernel.org \
--cc=longman@redhat.com \
--cc=lvs-devel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox