linux/net/bridge
Pavel Tikhomirov 9874808878 netfilter: bridge: replace physindev with physinif in nf_bridge_info
An skb can be added to a neigh->arp_queue while waiting for an arp
reply. Where original skb's skb->dev can be different to neigh's
neigh->dev. For instance in case of bridging dnated skb from one veth to
another, the skb would be added to a neigh->arp_queue of the bridge.

As skb->dev can be reset back to nf_bridge->physindev and used, and as
there is no explicit mechanism that prevents this physindev from been
freed under us (for instance neigh_flush_dev doesn't cleanup skbs from
different device's neigh queue) we can crash on e.g. this stack:

arp_process
  neigh_update
    skb = __skb_dequeue(&neigh->arp_queue)
      neigh_resolve_output(..., skb)
        ...
          br_nf_dev_xmit
            br_nf_pre_routing_finish_bridge_slow
              skb->dev = nf_bridge->physindev
              br_handle_frame_finish

Let's use plain ifindex instead of net_device link. To peek into the
original net_device we will use dev_get_by_index_rcu(). Thus either we
get device and are safe to use it or we don't get it and drop skb.

Fixes: c4e70a87d9 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-01-17 12:02:49 +01:00
..
netfilter netfilter: nf_conntrack_bridge: initialize err to 0 2023-11-14 16:16:21 +01:00
br_arp_nd_proxy.c bridge: Add per-{Port, VLAN} neighbor suppression data path support 2023-04-21 08:25:50 +01:00
br_cfm_netlink.c bridge: cfm: fix enum typo in br_cc_ccm_tx_parse 2023-12-26 22:38:13 +00:00
br_cfm.c bridge: cfm: remove redundant return 2021-06-22 10:35:15 -07:00
br_device.c bridge: mdb: Add MDB bulk deletion support 2023-12-20 11:27:20 +00:00
br_fdb.c net: bridge: Track and limit dynamically learned FDB entries 2023-10-17 17:39:01 -07:00
br_forward.c net: bridge: use DEV_STATS_INC() 2023-09-19 13:35:15 +02:00
br_if.c net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode 2023-07-03 09:11:34 +01:00
br_input.c bridge: mcast: Rename MDB entry get function 2023-10-27 10:51:41 +01:00
br_ioctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2021-12-31 14:35:40 +00:00
br_mdb.c bridge: mdb: Add MDB bulk deletion support 2023-12-20 11:27:20 +00:00
br_mrp_netlink.c bridge: mrp: Use hlist_head instead of list_head for mrp 2020-11-09 16:42:12 -08:00
br_mrp_switchdev.c bridge: mrp: Extend br_mrp_switchdev to detect better the errors 2021-02-16 14:47:46 -08:00
br_mrp.c net: bridge: mrp: Update the Test frames for MRA 2021-06-28 15:46:10 -07:00
br_mst.c net: bridge: mst: Add helper to query a port's MST state 2022-03-17 16:49:58 -07:00
br_multicast_eht.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
br_multicast.c bridge: mcast: Rename MDB entry get function 2023-10-27 10:51:41 +01:00
br_netfilter_hooks.c netfilter: bridge: replace physindev with physinif in nf_bridge_info 2024-01-17 12:02:49 +01:00
br_netfilter_ipv6.c netfilter: bridge: replace physindev with physinif in nf_bridge_info 2024-01-17 12:02:49 +01:00
br_netlink_tunnel.c net: bridge: Set strict_start_type at two policies 2023-02-06 08:48:25 +00:00
br_netlink.c net: bridge: Set strict_start_type for br_policy 2023-10-17 17:39:02 -07:00
br_nf_core.c net: dst: Switch to rcuref_t reference counting 2023-03-28 18:52:28 -07:00
br_private_cfm.h bridge: cfm: Kernel space implementation of CFM. CCM frame RX added. 2020-10-29 18:39:43 -07:00
br_private_mcast_eht.h net: bridge: multicast: use multicast contexts instead of bridge or port 2021-07-20 05:41:19 -07:00
br_private_mrp.h net: bridge: mrp: Update the Test frames for MRA 2021-06-28 15:46:10 -07:00
br_private_stp.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_private_tunnel.h bridge: always declare tunnel functions 2023-05-17 21:28:58 -07:00
br_private.h bridge: mdb: Add MDB bulk deletion support 2023-12-20 11:27:20 +00:00
br_stp_bpdu.c net: bridge: add STP xstats 2019-12-14 20:02:36 -08:00
br_stp_if.c net: use eth_hw_addr_set() 2021-10-02 14:18:25 +01:00
br_stp_timer.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
br_stp.c net: bridge: mst: Multiple Spanning Tree (MST) mode 2022-03-17 16:49:57 -07:00
br_switchdev.c net: switchdev: Add a helper to replay objects on a bridge port 2023-07-21 08:54:03 +01:00
br_sysfs_br.c bridge: Fix flushing of dynamic FDB entries 2022-11-02 20:47:09 -07:00
br_sysfs_if.c bridge: move from strlcpy with unused retval to strscpy 2022-08-22 17:57:30 -07:00
br_vlan_options.c bridge: vlan: Allow setting VLAN neighbor suppression state 2023-04-21 08:25:50 +01:00
br_vlan_tunnel.c bridge: Add backup nexthop ID support 2023-07-19 10:53:49 +01:00
br_vlan.c bridge: vlan: Allow setting VLAN neighbor suppression state 2023-04-21 08:25:50 +01:00
br.c net: bridge: fill in MODULE_DESCRIPTION() 2023-10-27 11:16:44 +01:00
Kconfig bridge: cfm: Add BRIDGE_CFM to Kconfig. 2020-10-29 18:39:43 -07:00
Makefile net: bridge: mst: Multiple Spanning Tree (MST) mode 2022-03-17 16:49:57 -07:00