From: Ren Wei <n05ec@lzu.edu.cn>
To: bridge@lists.linux.dev, netdev@vger.kernel.org
Cc: razor@blackwall.org, idosch@nvidia.com, fw@strlen.de,
davem@davemloft.net, yuantan098@gmail.com, yifanwucs@gmail.com,
tomapufckgml@gmail.com, bird@lzu.edu.cn, tonanli66@gmail.com,
n05ec@lzu.edu.cn
Subject: [PATCH net 1/1] net: bridge: guard local finish against missing port
Date: Tue, 12 May 2026 12:31:24 +0800 [thread overview]
Message-ID: <ad183a40c4d906f39e03590b371fdcfdffb863c6.1778504155.git.tonanli66@gmail.com> (raw)
In-Reply-To: <cover.1778504155.git.tonanli66@gmail.com>
From: Nan Li <tonanli66@gmail.com>
The bridge local receive path may be deferred by netfilter and resumed
later. By the time br_handle_local_finish() runs, skb->dev may still be
valid while its bridge port association has already been removed.
br_handle_local_finish() unconditionally looks up the bridge port from
skb->dev and dereferences it for source learning. If the port is no
longer attached to the bridge, the lookup returns NULL and the deferred
local receive path can no longer rely on the port state being present.
Skip the learning step when the bridge port lookup fails. In that case
there is no port state left to learn on, so returning early preserves
the normal behavior for existing ports while avoiding access to stale
state.
Fixes: 8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Nan Li <tonanli66@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
net/bridge/br_input.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 2cbae0f9ae1f..5b0d7450de5f 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -247,6 +247,9 @@ static void __br_handle_local_finish(struct sk_buff *skb)
struct net_bridge_port *p = br_port_get_rcu(skb->dev);
u16 vid = 0;
+ if (unlikely(!p))
+ return;
+
/* check if vlan is allowed, to avoid spoofing */
if ((p->flags & BR_LEARNING) &&
nbp_state_should_learn(p) &&
--
2.43.0
next parent reply other threads:[~2026-05-12 4:31 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1778504155.git.tonanli66@gmail.com>
2026-05-12 4:31 ` Ren Wei [this message]
2026-05-12 8:29 ` [PATCH net 1/1] net: bridge: guard local finish against missing port Nikolay Aleksandrov
2026-05-12 8:57 ` Yuan Tan
2026-05-12 9:03 ` Nikolay Aleksandrov
2026-05-12 9:24 ` Yuan Tan
2026-05-12 9:45 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ad183a40c4d906f39e03590b371fdcfdffb863c6.1778504155.git.tonanli66@gmail.com \
--to=n05ec@lzu.edu.cn \
--cc=bird@lzu.edu.cn \
--cc=bridge@lists.linux.dev \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=idosch@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=razor@blackwall.org \
--cc=tomapufckgml@gmail.com \
--cc=tonanli66@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox