diff options
| author |   Florian Westphal <fw@strlen.de> | 2017-03-13 17:38:17 +0100 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2017-03-13 13:01:10 -0700 |
| commit | a13b2082ece95247779b9995c4e91b4246bed023 (patch) | |
| tree | e561267a6154a99ad18ddf59bab6ce0e584347ac /net/bridge/br_input.c | |
| parent | ipv6: avoid write to a possibly cloned skb (diff) | |
| download | linux-dev-a13b2082ece95247779b9995c4e91b4246bed023.tar.xz linux-dev-a13b2082ece95247779b9995c4e91b4246bed023.zip | |
bridge: drop netfilter fake rtable unconditionally
Andreas reports kernel oops during rmmod of the br_netfilter module.
Hannes debugged the oops down to a NULL rt6info->rt6i_indev.
Problem is that br_netfilter has the nasty concept of adding a fake
rtable to skb->dst; this happens in a br_netfilter prerouting hook.
A second hook (in bridge LOCAL_IN) is supposed to remove these again
before the skb is handed up the stack.
However, on module unload hooks get unregistered which means an
skb could traverse the prerouting hook that attaches the fake_rtable,
while the 'fake rtable remove' hook gets removed from the hooklist
immediately after.
Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core")
Reported-by: Andreas Karis <akaris@redhat.com>
Debugged-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge/br_input.c')
| -rw-r--r-- | net/bridge/br_input.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 236f34244dbe..013f2290bfa5 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -30,6 +30,7 @@ EXPORT_SYMBOL(br_should_route_hook); static int br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb) { + br_drop_fake_rtable(skb); return netif_receive_skb(skb); } |