bridge: drop netfilter fake rtable unconditionally

Andreas reports kernel oops during rmmod of the br_netfilter module. Hannes debugged the oops down to a NULL rt6info->rt6i_indev. Problem is that br_netfilter has the nasty concept of adding a fake rtable to skb->dst; this happens in a br_netfilter prerouting hook. A second hook (in bridge LOCAL_IN) is supposed to remove these again before the skb is handed up the stack. However, on module unload hooks get unregistered which means an skb could traverse the prerouting hook that attaches the fake_rtable, while the 'fake rtable remove' hook gets removed from the hooklist immediately after. Fixes: 34666d467cbf1e2e3c7 ("netfilter: bridge: move br_netfilter out of the core") Reported-by: Andreas Karis <akaris@redhat.com> Debugged-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Florian Westphal <fw@strlen.de> 2017-03-13 12:38:17 -0400
committer: David S. Miller <davem@davemloft.net> 2017-03-13 16:01:10 -0400
commit: a13b2082ece95247779b9995c4e91b4246bed023 (patch)
tree: e561267a6154a99ad18ddf59bab6ce0e584347ac
parent: 79e49503efe53a8c51d8b695bedc8a346c5e4a87 (diff)
2 files changed, 1 insertions, 21 deletions
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 236f34244dbe..013f2290bfa5 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -30,6 +30,7 @@ EXPORT_SYMBOL(br_should_route_hook);
 static int
 br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
+        br_drop_fake_rtable(skb);
        return netif_receive_skb(skb);
 }
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 95087e6e8258..fa87fbd62bb7 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -521,21 +521,6 @@ static unsigned int br_nf_pre_routing(void *priv,
 }
-/* PF_BRIDGE/LOCAL_IN ************************************************/
-/* The packet is locally destined, which requires a real
- * dst_entry, so detach the fake one.  On the way up, the
- * packet would pass through PRE_ROUTING again (which already
- * took place when the packet entered the bridge), but we
- * register an IPv4 PRE_ROUTING 'sabotage' hook that will
- * prevent this from happening. */
-static unsigned int br_nf_local_in(void *priv,
-                                   struct sk_buff *skb,
-                                   const struct nf_hook_state *state)
-{
-        br_drop_fake_rtable(skb);
-        return NF_ACCEPT;
-}
 /* PF_BRIDGE/FORWARD *************************************************/
 static int br_nf_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
@@ -908,12 +893,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
                .priority = NF_BR_PRI_BRNF,
        },
        {
-                .hook = br_nf_local_in,
-                .pf = NFPROTO_BRIDGE,
-                .hooknum = NF_BR_LOCAL_IN,
-                .priority = NF_BR_PRI_BRNF,
-        },
-        {
                .hook = br_nf_forward_ip,
                .pf = NFPROTO_BRIDGE,
                .hooknum = NF_BR_FORWARD,
author	Florian Westphal <fw@strlen.de>	2017-03-13 12:38:17 -0400
committer	David S. Miller <davem@davemloft.net>	2017-03-13 16:01:10 -0400
commit	a13b2082ece95247779b9995c4e91b4246bed023 (patch)
tree	e561267a6154a99ad18ddf59bab6ce0e584347ac
parent	79e49503efe53a8c51d8b695bedc8a346c5e4a87 (diff)

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 236f34244dbe..013f2290bfa5 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c
@@ -30,6 +30,7 @@ EXPORT_SYMBOL(br_should_route_hook);
30	static int	30	static int
31	br_netif_receive_skb(struct net net, struct sock sk, struct sk_buff *skb)	31	br_netif_receive_skb(struct net net, struct sock sk, struct sk_buff *skb)
32	{	32	{
		33	br_drop_fake_rtable(skb);
33	return netif_receive_skb(skb);	34	return netif_receive_skb(skb);
34	}	35	}
35		36


diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 95087e6e8258..fa87fbd62bb7 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c
@@ -521,21 +521,6 @@ static unsigned int br_nf_pre_routing(void *priv,
521	}	521	}
522		522
523		523
524	/* PF_BRIDGE/LOCAL_IN ************************************************/
525	/* The packet is locally destined, which requires a real
526	* dst_entry, so detach the fake one. On the way up, the
527	* packet would pass through PRE_ROUTING again (which already
528	* took place when the packet entered the bridge), but we
529	* register an IPv4 PRE_ROUTING 'sabotage' hook that will
530	* prevent this from happening. */
531	static unsigned int br_nf_local_in(void *priv,
532	struct sk_buff *skb,
533	const struct nf_hook_state *state)
534	{
535	br_drop_fake_rtable(skb);
536	return NF_ACCEPT;
537	}
538
539	/* PF_BRIDGE/FORWARD *************************************************/	524	/* PF_BRIDGE/FORWARD *************************************************/
540	static int br_nf_forward_finish(struct net net, struct sock sk, struct sk_buff *skb)	525	static int br_nf_forward_finish(struct net net, struct sock sk, struct sk_buff *skb)
541	{	526	{
@@ -908,12 +893,6 @@ static struct nf_hook_ops br_nf_ops[] __read_mostly = {
908	.priority = NF_BR_PRI_BRNF,	893	.priority = NF_BR_PRI_BRNF,
909	},	894	},
910	{	895	{
911	.hook = br_nf_local_in,
912	.pf = NFPROTO_BRIDGE,
913	.hooknum = NF_BR_LOCAL_IN,
914	.priority = NF_BR_PRI_BRNF,
915	},
916	{
917	.hook = br_nf_forward_ip,	896	.hook = br_nf_forward_ip,
918	.pf = NFPROTO_BRIDGE,	897	.pf = NFPROTO_BRIDGE,
919	.hooknum = NF_BR_FORWARD,	898	.hooknum = NF_BR_FORWARD,