git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Haoze Xie <royenheart@gmail.com>
	Fri, 15 May 2026 03:19:02 +0000 (11:19 +0800)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 16 May 2026 11:23:01 +0000 (13:23 +0200)
commit	e196115ec330a18de415bdb9f5071aa9f08e53ce
tree	f2507719115da6f0c81e7962148c392a1f951952	tree \| snapshot
parent	b2870fc21601db9133bc70c48c603b487614fa3b	commit \| diff

netfilter: nf_queue: hold bridge skb->dev while queued

br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge
master before queueing bridge LOCAL_IN packets. NFQUEUE only holds
references on state.in/out and bridge physdevs, so a queued bridge
packet can retain a freed bridge master in skb->dev until reinjection.

When the verdict is reinjected later, br_netif_receive_skb() re-enters
the receive path with skb->dev still pointing at the freed bridge master,
triggering a use-after-free.

Store skb->dev in the queue entry, hold a reference on it for the queue
lifetime, and use the saved device when dropping queued packets during
NETDEV_DOWN handling.

Fixes: ac2863445686 ("netfilter: bridge: add nf_afinfo to enable queuing to userspace")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Haoze Xie <royenheart@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_queue.h		diff \| blob \| blame \| history
net/netfilter/nf_queue.c		diff \| blob \| blame \| history
net/netfilter/nfnetlink_queue.c		diff \| blob \| blame \| history