Code processing skb from neigh->arp_queue can access its nf_bridge->physindev, which can already be freed, leading to a crash.

So, as Florian suggests, we can put physinif on nf_bridge and peek into the original device with dev_get_by_index_rcu(), so that we can be sure that the device is not freed under us.

This is a second attempt to fix this issue, first attempt:
"neighbour: purge nf_bridged skb from foreign device neigh"
https://lore.kernel.org/netdev/20240108085232.95437-1-ptikhomirov@xxxxxxxxxxxxx/

v3: resend it to proper lists and recipients

Pavel Tikhomirov (4):
  netfilter: nfnetlink_log: use proper helper for fetching physinif
  netfilter: nf_queue: remove excess nf_bridge variable
  netfilter: propagate net to nf_bridge_get_physindev
  netfilter: bridge: replace physindev with physinif in nf_bridge_info

 include/linux/netfilter_bridge.h           |  6 ++--
 include/linux/skbuff.h                     |  2 +-
 net/bridge/br_netfilter_hooks.c            | 42 +++++++++++++++++-----
 net/bridge/br_netfilter_ipv6.c             | 14 +++++---
 net/ipv4/netfilter/nf_reject_ipv4.c        |  9 +++--
 net/ipv6/netfilter/nf_reject_ipv6.c        | 11 ++++--
 net/netfilter/ipset/ip_set_hash_netiface.c |  8 ++---
 net/netfilter/nf_log_syslog.c              | 13 +++----
 net/netfilter/nf_queue.c                   |  6 ++--
 net/netfilter/nfnetlink_log.c              |  8 ++---
 net/netfilter/xt_physdev.c                 |  2 +-
 11 files changed, 80 insertions(+), 41 deletions(-)

--
2.43.0
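
Added example, not part of the patch series or the kernel source: a userspace C model of the pattern the cover letter describes, where queued packet metadata carries an interface index that is resolved when the packet is processed, so a removed device shows up as a NULL lookup instead of a dangling pointer. All model_* names, struct nfb_after and queued_skb_physin_name() are hypothetical; the table lookup only plays the role of dev_get_by_index_rcu() and does not model RCU.

```c
#include <stddef.h>

#define MODEL_MAX_IFINDEX 8
/* Userspace stand-ins (constructed): not the kernel's structs, no real RCU. */
struct model_dev { int ifindex; const char *name; };
struct model_net { struct model_dev *by_index[MODEL_MAX_IFINDEX]; };

/* Packet metadata after the change: an index, not a struct net_device pointer. */
struct nfb_after { int physinif; };

static int model_register(struct model_net *net, struct model_dev *dev)
{
    if (dev->ifindex <= 0 || dev->ifindex >= MODEL_MAX_IFINDEX)
        return -1;
    net->by_index[dev->ifindex] = dev;
    return 0;
}

static void model_unregister(struct model_net *net, int ifindex)
{
    if (ifindex > 0 && ifindex < MODEL_MAX_IFINDEX)
        net->by_index[ifindex] = NULL;
}

/* Plays the role of dev_get_by_index_rcu(): NULL once the device is gone. */
static struct model_dev *model_get_by_index(const struct model_net *net, int ifindex)
{
    if (ifindex <= 0 || ifindex >= MODEL_MAX_IFINDEX)
        return NULL;
    return net->by_index[ifindex];
}

/* Consumer of a queued packet: has to cope with the device having vanished. */
static const char *queued_skb_physin_name(const struct model_net *net,
                                          const struct nfb_after *nfb)
{
    const struct model_dev *dev = model_get_by_index(net, nfb->physinif);
    return dev ? dev->name : NULL;
}

int main(void)
{
    struct model_net net = { { NULL } };
    struct model_dev veth = { 3, "veth0" };
    struct nfb_after meta = { 3 };
    model_register(&net, &veth);
    model_unregister(&net, veth.ifindex); /* device removed while packet queued */
    return queued_skb_physin_name(&net, &meta) == NULL ? 0 : 1;
}
```

Every caller that previously dereferenced the stored pointer directly needs the NULL branch shown in queued_skb_physin_name().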