Re: [PATCH] netfilter:bridge: Hold bridge dev for fake_rtable to avoid the dangling pointer

From: Pablo Neira Ayuso
Date: Wed Apr 03 2019 - 13:44:49 EST

Next message: Jacek Anaszewski: "Re: [PATCH 3/4] mfd: ti-lmu: Remove LM3532 backlight driver references"
Previous message: Kees Cook: "Re: [PATCH] kernel/sysctl.c: fix out of bounds access in fs.file-max"
In reply to: Rundong Ge: "[PATCH] netfilter:bridge: Hold bridge dev for fake_rtable to avoid the dangling pointer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Apr 02, 2019 at 12:56:09PM +0000, Rundong Ge wrote:
> Problem:
> When bridge-nf-call-iptables is enabled, skb_dst(skb) of packets that
> in the nfqueue may be a dangling pointer if user delete the bridge.
> Because packets go through the br_nf_pre_routing_finish will set the dst
> pointer to the br->fake_rtable. But the br struct will be freed
> without the reference check for these skbs.
>
> User impact:
> Kernel panic may happen when user delete the bridge if there are
> continuous traffics go through the nfqueue.
> Here is a panic in my device which using kernel v3.10.

This kernel is _very old_.

Could you provide the steps to reproduce this issue?

Holding the device doesn't seem the way to go to me, we have a of
netdevice_notifier that is dropping packets for an interface that is
gone in nfnetlink_queue. We also drop packets whenever a hook in gone.

So I wonder if this is still a problem in mainline kernels.

Next message: Jacek Anaszewski: "Re: [PATCH 3/4] mfd: ti-lmu: Remove LM3532 backlight driver references"
Previous message: Kees Cook: "Re: [PATCH] kernel/sysctl.c: fix out of bounds access in fs.file-max"
In reply to: Rundong Ge: "[PATCH] netfilter:bridge: Hold bridge dev for fake_rtable to avoid the dangling pointer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]