OpenCloudOS-Kernel/net/ipv4/netfilter
Pavel Tikhomirov 9325e3188a netfilter: bridge: replace physindev with physinif in nf_bridge_info
[ Upstream commit 9874808878d9eed407e3977fd11fee49de1e1d86 ]

An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb's skb->dev can be different to neigh's
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.

As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from been
freed under us (for instance neigh_flush_dev doesn't cleanup skbs from
different device's neigh queue) we can crash on e.g. this stack:

arp_process
  neigh_update
    skb = __skb_dequeue(&neigh->arp_queue)
      neigh_resolve_output(..., skb)
        ...
          br_nf_dev_xmit
            br_nf_pre_routing_finish_bridge_slow
              skb->dev = nf_bridge->physindev
              br_handle_frame_finish

Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.

Fixes: c4e70a87d9 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-01-25 15:35:59 -08:00
..
Kconfig netfilter: ip_tables: remove clusterip target 2023-01-18 13:05:24 +01:00
Makefile netfilter: ip_tables: remove clusterip target 2023-01-18 13:05:24 +01:00
arp_tables.c netfilter: x_tables: fix percpu counter block leak on error path when creating new netns 2023-02-22 10:11:27 +01:00
arpt_mangle.c netfilter: ipv4: prefer skb_ensure_writable 2019-05-31 18:02:46 +02:00
arptable_filter.c netfilter: arp_tables: allow use of arpt_do_table as hookfn 2021-10-14 23:06:53 +02:00
ip_tables.c xtables: move icmp/icmpv6 logic to xt_tcpudp 2023-03-22 21:48:59 +01:00
ipt_ECN.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
ipt_REJECT.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
ipt_SYNPROXY.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
ipt_ah.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ipt_rpfilter.c netfilter: rpfilter/fib: Set ->flowic_uid correctly for user namespaces. 2022-10-19 08:46:48 +02:00
iptable_filter.c netfilter: iptables: allow use of ipt_do_table as hookfn 2021-10-14 23:06:53 +02:00
iptable_mangle.c netfilter: iptables: allow use of ipt_do_table as hookfn 2021-10-14 23:06:53 +02:00
iptable_nat.c netfilter: iptables: allow use of ipt_do_table as hookfn 2021-10-14 23:06:53 +02:00
iptable_raw.c netfilter: iptables: allow use of ipt_do_table as hookfn 2021-10-14 23:06:53 +02:00
iptable_security.c netfilter: iptables: allow use of ipt_do_table as hookfn 2021-10-14 23:06:53 +02:00
nf_defrag_ipv4.c inet: move inet->nodefrag to inet->inet_flags 2023-08-16 11:09:17 +01:00
nf_dup_ipv4.c netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
nf_nat_h323.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_pptp.c netfilter: conntrack: pptp: use single option structure 2022-02-04 06:30:28 +01:00
nf_nat_snmp_basic.asn1 netfilter: nf_nat_snmp_basic: use asn1 decoder library 2018-01-19 13:59:07 +01:00
nf_nat_snmp_basic_main.c netfilter: ipv4: prefer skb_ensure_writable 2019-05-31 18:02:46 +02:00
nf_reject_ipv4.c netfilter: bridge: replace physindev with physinif in nf_bridge_info 2024-01-25 15:35:59 -08:00
nf_socket_ipv4.c tcp: Access &tcp_hashinfo via net. 2022-09-20 10:21:49 -07:00
nf_tproxy_ipv4.c netfilter: tproxy: fix deadlock due to missing BH disable 2023-03-06 12:09:48 +01:00
nft_dup_ipv4.c netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters 2022-11-15 10:46:34 +01:00
nft_fib_ipv4.c netfilter: rpfilter/fib: clean up some inconsistent indenting 2022-11-15 10:53:18 +01:00
nft_reject_ipv4.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00