Pavel Tikhomirov 9874808878 netfilter: bridge: replace physindev with physinif in nf_bridge_info ... An skb can be added to a neigh->arp_queue while waiting for an arp reply. Where original skb's skb->dev can be different to neigh's neigh->dev. For instance in case of bridging dnated skb from one veth to another, the skb would be added to a neigh->arp_queue of the bridge. As skb->dev can be reset back to nf_bridge->physindev and used, and as there is no explicit mechanism that prevents this physindev from been freed under us (for instance neigh_flush_dev doesn't cleanup skbs from different device's neigh queue) we can crash on e.g. this stack: arp_process neigh_update skb = __skb_dequeue(&neigh->arp_queue) neigh_resolve_output(..., skb) ... br_nf_dev_xmit br_nf_pre_routing_finish_bridge_slow skb->dev = nf_bridge->physindev br_handle_frame_finish Let's use plain ifindex instead of net_device link. To peek into the original net_device we will use dev_get_by_index_rcu(). Thus either we get device and are safe to use it or we don't get it and drop skb. Fixes: c4e70a87d9 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c") Suggested-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>		2024-01-17 12:02:49 +01:00
..
ip6_tables.c	xtables: move icmp/icmpv6 logic to xt_tcpudp	2023-03-22 21:48:59 +01:00
ip6t_ah.c	netfilter: ip6tables: Remove redundant null checks	2020-07-29 20:39:43 +02:00
ip6t_eui64.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	2019-06-19 17:09:55 +02:00
ip6t_frag.c	netfilter: ip6tables: Remove redundant null checks	2020-07-29 20:39:43 +02:00
ip6t_hbh.c	netfilter: ip6tables: Remove redundant null checks	2020-07-29 20:39:43 +02:00
ip6t_ipv6header.c	netfilter: move inline nf_ip6_ext_hdr() function to a more appropriate header.	2019-09-13 12:34:09 +02:00
ip6t_mh.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	2019-06-19 17:09:55 +02:00
ip6t_NPT.c	netfilter: ip6t_NPT: rewrite addresses in ICMPv6 original packet	2020-08-28 19:18:48 +02:00
ip6t_REJECT.c	netfilter: use actual socket sk for REJECT action	2020-12-01 14:33:55 +01:00
ip6t_rpfilter.c	netfilter: ip6t_rpfilter: Fix regression with VRF interfaces	2023-02-22 00:22:20 +01:00
ip6t_rt.c	netfilter: ip6t_rt: fix rt0_hdr parsing in rt_mt6	2021-10-14 23:08:35 +02:00
ip6t_srh.c
ip6t_SYNPROXY.c	netfilter: Add MODULE_DESCRIPTION entries to kernel modules	2020-06-25 00:50:31 +02:00
ip6table_filter.c	netfilter: ip6tables: allow use of ip6t_do_table as hookfn	2021-10-14 23:06:53 +02:00
ip6table_mangle.c	netfilter: xt_mangle: only check verdict part of return value	2023-10-18 10:26:43 +02:00
ip6table_nat.c	netfilter: add missing module descriptions	2023-11-08 13:52:32 +01:00
ip6table_raw.c	netfilter: add missing module descriptions	2023-11-08 13:52:32 +01:00
ip6table_security.c	netfilter: ip6tables: allow use of ip6t_do_table as hookfn	2021-10-14 23:06:53 +02:00
Kconfig	netfilter: Remove flowtable relics	2022-01-27 00:00:20 +01:00
Makefile	netfilter: Remove flowtable relics	2022-01-27 00:00:20 +01:00
nf_conntrack_reasm.c	netfilter: Update to register_net_sysctl_sz	2023-08-15 15:26:17 -07:00
nf_defrag_ipv6_hooks.c	netfilter: add missing module descriptions	2023-11-08 13:52:32 +01:00
nf_dup_ipv6.c	netfilter: drop bridge nf reset from nf_reset	2019-10-01 18:42:15 +02:00
nf_reject_ipv6.c	netfilter: bridge: replace physindev with physinif in nf_bridge_info	2024-01-17 12:02:49 +01:00
nf_socket_ipv6.c	tcp: Access &tcp_hashinfo via net.	2022-09-20 10:21:49 -07:00
nf_tproxy_ipv6.c	netfilter: tproxy: fix deadlock due to missing BH disable	2023-03-06 12:09:48 +01:00
nft_dup_ipv6.c	netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters	2022-11-15 10:46:34 +01:00
nft_fib_ipv6.c	netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces.	2022-10-19 08:46:48 +02:00
nft_reject_ipv6.c	netfilter: nf_tables: do not reduce read-only expressions	2022-03-20 00:29:46 +01:00