[Bridge] [PATCH] netfilter:bridge: Hold bridge dev for fake_rtable to avoid the dangling pointer

Pablo Neira Ayuso pablo at netfilter.org
Wed Apr 3 17:44:41 UTC 2019


On Tue, Apr 02, 2019 at 12:56:09PM +0000, Rundong Ge wrote:
> Problem:
> When bridge-nf-call-iptables is enabled, skb_dst(skb) of packets that
> are in the nfqueue may be a dangling pointer if the user deletes the bridge.
> Because packets that go through br_nf_pre_routing_finish will have the dst
> pointer set to br->fake_rtable. But the br struct will be freed
> without the reference check for these skbs.
> 
> User impact:
> Kernel panic may happen when the user deletes the bridge if there is
> continuous traffic going through the nfqueue.
> Here is a panic in my device, which is using kernel v3.10.

This kernel is _very old_.

Could you provide the steps to reproduce this issue?

Holding the device doesn't seem the way to go to me, we have a
netdevice_notifier that is dropping packets for an interface that is
gone in nfnetlink_queue. We also drop packets whenever a hook is gone.

So I wonder if this is still a problem in mainline kernels.

