On Tue, Apr 02, 2019 at 12:56:09PM +0000, Rundong Ge wrote:
> Problem:
> When bridge-nf-call-iptables is enabled, skb_dst(skb) of packets that are
> in the nfqueue may be a dangling pointer if the user deletes the bridge.
> Because packets that go through the br_nf_pre_routing_finish will set the dst
> pointer to the br->fake_rtable. But the br struct will be freed
> without the reference check for these skbs.
>
> User impact:
> Kernel panic may happen when the user deletes the bridge if there is
> continuous traffic going through the nfqueue.
> Here is a panic in my device, which is using kernel v3.10.

This kernel is _very old_. Could you provide the steps to reproduce this issue?

Holding the device doesn't seem the way to go to me, we have a netdevice_notifier that is dropping packets for an interface that is gone in nfnetlink_queue. We also drop packets whenever a hook is gone.

So I wonder if this is still a problem in mainline kernels.