Patch Detail
GET /api/1.1/patches/2237950/?format=api
{ "id": 2237950, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2237950/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org>", "date": "2026-05-13T16:40:28", "name": "[net,v3] net: neigh: Reallocate headroom if necessary in neigh_hh_bridge()", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "3133dd2797e7de9cc9a1da420e0528182dd3a4e3", "submitter": { "id": 76007, "url": "http://patchwork.ozlabs.org/api/1.1/people/76007/?format=api", "name": "Lorenzo Bianconi", "email": "lorenzo@kernel.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org/mbox/", "series": [ { "id": 504190, "url": "http://patchwork.ozlabs.org/api/1.1/series/504190/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=504190", "date": "2026-05-13T16:40:28", "name": "[net,v3] net: neigh: Reallocate headroom if necessary in neigh_hh_bridge()", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/504190/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2237950/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2237950/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-12584-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", 
"From": "Lorenzo Bianconi <lorenzo@kernel.org>", "Date": "Wed, 13 May 2026 18:40:28 +0200", "Subject": "[PATCH net v3] net: neigh: Reallocate headroom if necessary in\n neigh_hh_bridge()", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=\"utf-8\"", "Content-Transfer-Encoding": "7bit", "Message-Id": 
"<20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org>", "X-Change-ID": "20260508-nf-neigh_hh_bridge-fix-9ab775ee23c6", "To": "\"David S. Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,\n Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>,\n Phil Sutter <phil@nwl.cc>, Nikolay Aleksandrov <razor@blackwall.org>,\n Ido Schimmel <idosch@nvidia.com>, Bart De Schuymer <bdschuym@pandora.be>,\n Patrick McHardy <kaber@trash.net>", "Cc": "netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,\n coreteam@netfilter.org, bridge@lists.linux.dev,\n Lorenzo Bianconi <lorenzo@kernel.org>", "X-Mailer": "b4 0.14.3" }, "content": "neigh_hh_bridge() assumes the skb always has sufficient headroom to copy\nthe aligned L2 header. 
This assumption can trigger the crash reported\nbelow using the following netfilter setup:\n\n$modprobe br_netfilter\n$sysctl -w net.bridge.bridge-nf-call-iptables=1\n\n$root@OpenWrt:~# nft list ruleset\ntable ip nat {\n chain prerouting {\n type nat hook prerouting priority dstnat; policy accept;\n ip daddr 192.168.83.123 dnat to 192.168.83.120\n }\n}\n\n- iperf3 client (192.168.83.119) --> bridge (192.168.83.118) --> iperf3 server (192.168.83.120)\n\nthe iperf3 client is sending packet for 192.168.83.123 to the bridge device.\n\n[ 1579.036575] Unable to handle kernel write to read-only memory at virtual address ffffff8004d76ffe\n[ 1579.045482] Mem abort info:\n[ 1579.048273] ESR = 0x000000009600004f\n[ 1579.052024] EC = 0x25: DABT (current EL), IL = 32 bits\n[ 1579.057363] SET = 0, FnV = 0\n[ 1579.060417] EA = 0, S1PTW = 0\n[ 1579.063550] FSC = 0x0f: level 3 permission fault\n[ 1579.068345] Data abort info:\n[ 1579.071224] ISV = 0, ISS = 0x0000004f, ISS2 = 0x00000000\n[ 1579.076720] CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n[ 1579.081770] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 1579.087092] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000080dc4000\n[ 1579.093794] [ffffff8004d76ffe] pgd=180000009ffff003, p4d=180000009ffff003, pud=180000009ffff003, pmd=180000009ffe3003, pte=0060000084d76787\n[ 1579.106343] Internal error: Oops: 000000009600004f [#1] SMP\n[ 1579.193824] CPU: 0 UID: 0 PID: 235 Comm: napi/qdma_eth-3 Tainted: G O 6.12.57 #0\n[ 1579.202614] Tainted: [O]=OOT_MODULE\n[ 1579.206102] Hardware name: Airoha AN7581 Evaluation Board (DT)\n[ 1579.211929] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1579.218889] pc : br_nf_pre_routing_finish_bridge+0x1ac/0xcc8 [br_netfilter]\n[ 1579.225859] lr : br_nf_pre_routing_finish_bridge+0x18c/0xcc8 [br_netfilter]\n[ 1579.232822] sp : ffffffc0817cba20\n[ 1579.236128] x29: ffffffc0817cba20 x28: 0000000000000000 x27: ffffff8002b89000\n[ 1579.243273] x26: ffffff8004d7700e x25: 0000000000000008 
x24: 0000000000000000\n[ 1579.250416] x23: ffffffc08179d4c0 x22: 0000000000000000 x21: ffffffc08179d4c0\n[ 1579.257561] x20: ffffff8004d9b800 x19: ffffff8015010000 x18: 0000000000000014\n[ 1579.264704] x17: ffffffbf9e930000 x16: ffffffc0817c8000 x15: 0000000000000070\n[ 1579.271848] x14: 0000000000000080 x13: 0000000000000001 x12: 0000000000000000\n[ 1579.278993] x11: ffffffc0798caae0 x10: ffffff8014db6fd8 x9 : 0000000000000000\n[ 1579.286136] x8 : 0000000000000003 x7 : ffffffc08171f628 x6 : 000000001a3b83d3\n[ 1579.293281] x5 : 0000000000000000 x4 : 1beb76f22fee0000 x3 : ffffff8004d7700e\n[ 1579.300425] x2 : 0000000000000000 x1 : ffffff8004d9b8bc x0 : ffffff80026ed000\n[ 1579.307570] Call trace:\n[ 1579.310018] br_nf_pre_routing_finish_bridge+0x1ac/0xcc8 [br_netfilter]\n[ 1579.316632] br_nf_hook_thresh+0xd4/0x14bc [br_netfilter]\n[ 1579.322032] br_nf_hook_thresh+0x250/0x14bc [br_netfilter]\n[ 1579.327517] br_nf_hook_thresh+0x76c/0x14bc [br_netfilter]\n[ 1579.333003] br_handle_frame+0x180/0x480\n[ 1579.336935] __netif_receive_skb_core.constprop.0+0x540/0xf40\n[ 1579.342682] __netif_receive_skb_one_core+0x28/0x50\n[ 1579.347561] process_backlog+0x98/0x1e0\n[ 1579.351398] __napi_poll+0x34/0x1c4\n[ 1579.354887] net_rx_action+0x178/0x330\n[ 1579.358638] handle_softirqs+0x108/0x2d4\n[ 1579.362560] __do_softirq+0x10/0x18\n[ 1579.366051] ____do_softirq+0xc/0x20\n[ 1579.369627] call_on_irq_stack+0x30/0x4c\n[ 1579.373550] do_softirq_own_stack+0x18/0x20\n[ 1579.377734] do_softirq+0x4c/0x60\n[ 1579.381050] __local_bh_enable_ip+0x88/0x98\n[ 1579.385234] napi_threaded_poll_loop+0x188/0x21c\n[ 1579.389853] napi_threaded_poll+0x70/0x80\n[ 1579.393863] kthread+0xd8/0xdc\n[ 1579.396918] ret_from_fork+0x10/0x20\n[ 1579.400499] Code: 88dffc22 3707ffc2 f9406663 f9406684 (f81f0064)\n[ 1579.406589] ---[ end trace 0000000000000000 ]---\n[ 1579.411209] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n[ 1579.418083] SMP: stopping secondary CPUs\n[ 1579.422012] Kernel Offset: 
disabled\n\nFix the issue reallocating the skb headroom if necessary in neigh_hh_bridge routine.\n\nFixes: e179e6322ac33 (\"netfilter: bridge-netfilter: Fix MAC header handling with IP DNAT\")\nSigned-off-by: Lorenzo Bianconi <lorenzo@kernel.org>\n---\nChanges in v3:\n- Run skb_cow_head() instead of skb_expand_head() in neigh_hh_bridge()\n- Link to v2: https://lore.kernel.org/r/20260511-nf-neigh_hh_bridge-fix-v2-1-c4964c7a7b8f@kernel.org\n\nChanges in v2:\n- Fix neighbour reference count leak\n- Run skb_expand_head() even for cloned/shared skbs.\n- Link to v1: https://lore.kernel.org/r/20260508-nf-neigh_hh_bridge-fix-v1-1-a1464468d92e@kernel.org\n---\n include/net/neighbour.h | 8 ++++++--\n net/bridge/br_netfilter_hooks.c | 8 +++++++-\n 2 files changed, 13 insertions(+), 3 deletions(-)\n\n\n---\nbase-commit: f5b2772d14884f4be9e718644f1203d4d0e6f0d6\nchange-id: 20260508-nf-neigh_hh_bridge-fix-9ab775ee23c6\n\nBest regards,", "diff": "diff --git a/include/net/neighbour.h b/include/net/neighbour.h\nindex 2dfee6d4258a..8860cc2175fc 100644\n--- a/include/net/neighbour.h\n+++ b/include/net/neighbour.h\n@@ -489,11 +489,15 @@ static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)\n #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)\n static inline int neigh_hh_bridge(struct hh_cache *hh, struct sk_buff *skb)\n {\n-\tunsigned int seq, hh_alen;\n+\tunsigned int seq, hh_alen = HH_DATA_ALIGN(ETH_HLEN);\n+\tint err;\n+\n+\terr = skb_cow_head(skb, hh_alen);\n+\tif (err)\n+\t\treturn err;\n \n \tdo {\n \t\tseq = read_seqbegin(&hh->hh_lock);\n-\t\thh_alen = HH_DATA_ALIGN(ETH_HLEN);\n \t\tmemcpy(skb->data - hh_alen, hh->hh_data, ETH_ALEN + hh_alen - ETH_HLEN);\n \t} while (read_seqretry(&hh->hh_lock, seq));\n \treturn 0;\ndiff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c\nindex 0ab1c94db4b9..cea2352900e9 100644\n--- a/net/bridge/br_netfilter_hooks.c\n+++ b/net/bridge/br_netfilter_hooks.c\n@@ -297,7 +297,13 @@ int 
br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_\n \t\t\t\tgoto free_skb;\n \t\t\t}\n \n-\t\t\tneigh_hh_bridge(&neigh->hh, skb);\n+\t\t\tret = neigh_hh_bridge(&neigh->hh, skb);\n+\t\t\tif (ret) {\n+\t\t\t\tneigh_release(neigh);\n+\t\t\t\tkfree_skb(skb);\n+\t\t\t\treturn ret;\n+\t\t\t}\n+\n \t\t\tskb->dev = br_indev;\n \n \t\t\tret = br_handle_frame_finish(net, sk, skb);\n", "prefixes": [ "net", "v3" ] }
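Review bot: neigh_hh_bridge() in include/net/neighbour.h gains a failure path and a possible head reallocation, but nothing at the definition records either. Before this hunk the function could only return 0; with `err = skb_cow_head(skb, hh_alen);` it can return a negative errno, and a successful skb_cow_head() may move the skb head, so any header pointer a caller computed from the skb before the call must be re-read afterwards. A short comment above the function stating both points, and marking the function `__must_check`, would keep a future caller from ignoring the return value the way the old call site did. The diffstat lists only one call site being updated; if other users of neigh_hh_bridge() exist outside these two files they need the same error handling.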
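Review bot: the new error branch after `ret = neigh_hh_bridge(&neigh->hh, skb);` in br_nf_pre_routing_finish_bridge() open-codes its cleanup and exit (`kfree_skb(skb); return ret;`), while the failure branch directly above it leaves through `goto free_skb;`. The two paths should agree on how a dropped packet is reported: the body of the free_skb label is outside this hunk, so it is worth confirming that the value returned there matches what is returned here, and that the caller of this function tolerates a negative `ret` for an skb that has already been freed. If the behaviour is meant to be the same, `neigh_release(neigh); goto free_skb;` keeps a single drop path; if the difference is intentional, a one-line comment saying why would help. The neigh_release() before the free matches the v2 changelog entry about the reference count leak and looks right.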