{"id":2237950,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2237950/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org>","date":"2026-05-13T16:40:28","name":"[net,v3] net: neigh: Reallocate headroom if necessary in neigh_hh_bridge()","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"3133dd2797e7de9cc9a1da420e0528182dd3a4e3","submitter":{"id":76007,"url":"http://patchwork.ozlabs.org/api/1.1/people/76007/?format=json","name":"Lorenzo Bianconi","email":"lorenzo@kernel.org"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org/mbox/","series":[{"id":504190,"url":"http://patchwork.ozlabs.org/api/1.1/series/504190/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=504190","date":"2026-05-13T16:40:28","name":"[net,v3] net: neigh: Reallocate headroom if necessary in neigh_hh_bridge()","version":3,"mbox":"http://patchwork.ozlabs.org/series/504190/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2237950/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2237950/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12584-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=uahZPtUP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12584-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"uahZPtUP\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gFztg2Y17z1yHW\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 14 May 2026 02:48:43 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id A0E9930B44A1\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 13 May 2026 16:40:57 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 59AA148C8A5;\n\tWed, 13 May 2026 16:40:55 +0000 (UTC)","from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id E9C8B4CA29D;\n\tWed, 13 May 2026 16:40:52 +0000 (UTC)","by smtp.kernel.org (Postfix) with ESMTPSA id DF613C19425;\n\tWed, 13 May 2026 16:40:51 +0000 (UTC)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1778690453; cv=none;\n b=qA8ePr67ccy1BEmKexwUtxJh6p7XKx57sLxq1FrI3El8ikomXRrKpuTFD45Umt2Qd8j217ngyql0KCSddnibc2xbKsEZo/M0XDxTnTvvvp93NGNvhWwDeOEg2xbusbQkA/bgF0daoo9oaFXnedhd6HEGy/2rX/h51HBVihFYKpA=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1778690453; c=relaxed/simple;\n\tbh=zBlHezx28sXKBgs5kNKrgJYnLj4x1HWO1CxcRnfklxM=;\n\th=From:Date:Subject:MIME-Version:Content-Type:Message-Id:To:Cc;\n b=hpZ6BLaTt5CyTFfTNd+j5yZs1Z/El8SDrV4QF9xpdSRAWRDrvp1RyDgSE4Z5qpdUWLL2QKT2iXjt0xYs3ZRis2nBKSkIuYtCoKR3nf6pK0LyQUEYyC3BvSy3o2TjJChH2XS0sSwZJ2WimCBAehK6ohhQ/T5xdhGp5aTokrjj4uY=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=uahZPtUP; arc=none smtp.client-ip=10.30.226.201","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1778690452;\n\tbh=zBlHezx28sXKBgs5kNKrgJYnLj4x1HWO1CxcRnfklxM=;\n\th=From:Date:Subject:To:Cc:From;\n\tb=uahZPtUPYVUxLgITDeh9MG+oU0HhABozDR4k/oufmilRjTMPnlpu9kCadQu/mjmV0\n\t XBBA2CchvsWOFngLzHAabAC+ABQHLyOd+6bH/1E70iT0fH4NHbqZqpn94i85azgPDx\n\t l+3BRQpd0/55tCA3qKknYVaD/qSrqsLSY7QT7XUub4ychIW3U6BKSQPEUfOtusZHcU\n\t g7KvaxEG7T2DZGVWesvtZoB+MfbWlocVxZXdsq9UINhUL77JEOjhPg4Xum6LRT5bZx\n\t j6sndS/rBMob8nqtmDxs1gcUOexZbwu8zQ8bofDVdr34HF6j8is2GNKtn24iFEcMyS\n\t 1LHw+/PsMZM2w==","From":"Lorenzo Bianconi <lorenzo@kernel.org>","Date":"Wed, 13 May 2026 18:40:28 +0200","Subject":"[PATCH net v3] net: neigh: Reallocate headroom if necessary in\n neigh_hh_bridge()","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"7bit","Message-Id":"<20260513-nf-neigh_hh_bridge-fix-v3-1-8ec9353c0909@kernel.org>","X-B4-Tracking":"v=1; b=H4sIAAAAAAAC/4XNwQ6CMAwG4FchPTvDxhjgyfcwhoxRWKMZZiOLh\n vDuLjvpwXj8/7ZfNwjoCQOcig08Rgq0uBSqQwHGajcjozFlEKVQZV22zE3MIc22t7YfPI1pY6I\n n6/TQNDWiqIyCdPzwmOoMX8DhCtdUWgrr4l/5WeR59M+NnHGmuVRSqnbsBJ5v6B3ej4ufsxnFh\n 8P5T0ckx8hOSdPoZminL2ff9zfjE6B8CgEAAA==","X-Change-ID":"20260508-nf-neigh_hh_bridge-fix-9ab775ee23c6","To":"\"David S. Miller\" <davem@davemloft.net>,\n Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,\n Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,\n Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>,\n Phil Sutter <phil@nwl.cc>, Nikolay Aleksandrov <razor@blackwall.org>,\n Ido Schimmel <idosch@nvidia.com>, Bart De Schuymer <bdschuym@pandora.be>,\n Patrick McHardy <kaber@trash.net>","Cc":"netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,\n coreteam@netfilter.org, bridge@lists.linux.dev,\n Lorenzo Bianconi <lorenzo@kernel.org>","X-Mailer":"b4 0.14.3"},"content":"neigh_hh_bridge() assumes the skb always has sufficient headroom to copy\nthe aligned  L2 header. This assumption can trigger the crash reported\nbelow using the following netfilter setup:\n\n$modprobe br_netfilter\n$sysctl -w net.bridge.bridge-nf-call-iptables=1\n\n$root@OpenWrt:~# nft list ruleset\ntable ip nat {\n        chain prerouting {\n                type nat hook prerouting priority dstnat; policy accept;\n                ip daddr 192.168.83.123 dnat to 192.168.83.120\n        }\n}\n\n- iperf3 client (192.168.83.119) --> bridge (192.168.83.118) --> iperf3 server (192.168.83.120)\n\nthe iperf3 client is sending packet for 192.168.83.123 to the bridge device.\n\n[ 1579.036575] Unable to handle kernel write to read-only memory at virtual address ffffff8004d76ffe\n[ 1579.045482] Mem abort info:\n[ 1579.048273]   ESR = 0x000000009600004f\n[ 1579.052024]   EC = 0x25: DABT (current EL), IL = 32 bits\n[ 1579.057363]   SET = 0, FnV = 0\n[ 1579.060417]   EA = 0, S1PTW = 0\n[ 1579.063550]   FSC = 0x0f: level 3 permission fault\n[ 1579.068345] Data abort info:\n[ 1579.071224]   ISV = 0, ISS = 0x0000004f, ISS2 = 0x00000000\n[ 1579.076720]   CM = 0, WnR = 1, TnD = 0, TagAccess = 0\n[ 1579.081770]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\n[ 1579.087092] swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000080dc4000\n[ 1579.093794] [ffffff8004d76ffe] pgd=180000009ffff003, p4d=180000009ffff003, pud=180000009ffff003, pmd=180000009ffe3003, pte=0060000084d76787\n[ 1579.106343] Internal error: Oops: 000000009600004f [#1] SMP\n[ 1579.193824] CPU: 0 UID: 0 PID: 235 Comm: napi/qdma_eth-3 Tainted: G           O       6.12.57 #0\n[ 1579.202614] Tainted: [O]=OOT_MODULE\n[ 1579.206102] Hardware name: Airoha AN7581 Evaluation Board (DT)\n[ 1579.211929] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[ 1579.218889] pc : br_nf_pre_routing_finish_bridge+0x1ac/0xcc8 [br_netfilter]\n[ 1579.225859] lr : br_nf_pre_routing_finish_bridge+0x18c/0xcc8 [br_netfilter]\n[ 1579.232822] sp : ffffffc0817cba20\n[ 1579.236128] x29: ffffffc0817cba20 x28: 0000000000000000 x27: ffffff8002b89000\n[ 1579.243273] x26: ffffff8004d7700e x25: 0000000000000008 x24: 0000000000000000\n[ 1579.250416] x23: ffffffc08179d4c0 x22: 0000000000000000 x21: ffffffc08179d4c0\n[ 1579.257561] x20: ffffff8004d9b800 x19: ffffff8015010000 x18: 0000000000000014\n[ 1579.264704] x17: ffffffbf9e930000 x16: ffffffc0817c8000 x15: 0000000000000070\n[ 1579.271848] x14: 0000000000000080 x13: 0000000000000001 x12: 0000000000000000\n[ 1579.278993] x11: ffffffc0798caae0 x10: ffffff8014db6fd8 x9 : 0000000000000000\n[ 1579.286136] x8 : 0000000000000003 x7 : ffffffc08171f628 x6 : 000000001a3b83d3\n[ 1579.293281] x5 : 0000000000000000 x4 : 1beb76f22fee0000 x3 : ffffff8004d7700e\n[ 1579.300425] x2 : 0000000000000000 x1 : ffffff8004d9b8bc x0 : ffffff80026ed000\n[ 1579.307570] Call trace:\n[ 1579.310018]  br_nf_pre_routing_finish_bridge+0x1ac/0xcc8 [br_netfilter]\n[ 1579.316632]  br_nf_hook_thresh+0xd4/0x14bc [br_netfilter]\n[ 1579.322032]  br_nf_hook_thresh+0x250/0x14bc [br_netfilter]\n[ 1579.327517]  br_nf_hook_thresh+0x76c/0x14bc [br_netfilter]\n[ 1579.333003]  br_handle_frame+0x180/0x480\n[ 1579.336935]  __netif_receive_skb_core.constprop.0+0x540/0xf40\n[ 1579.342682]  __netif_receive_skb_one_core+0x28/0x50\n[ 1579.347561]  process_backlog+0x98/0x1e0\n[ 1579.351398]  __napi_poll+0x34/0x1c4\n[ 1579.354887]  net_rx_action+0x178/0x330\n[ 1579.358638]  handle_softirqs+0x108/0x2d4\n[ 1579.362560]  __do_softirq+0x10/0x18\n[ 1579.366051]  ____do_softirq+0xc/0x20\n[ 1579.369627]  call_on_irq_stack+0x30/0x4c\n[ 1579.373550]  do_softirq_own_stack+0x18/0x20\n[ 1579.377734]  do_softirq+0x4c/0x60\n[ 1579.381050]  __local_bh_enable_ip+0x88/0x98\n[ 1579.385234]  napi_threaded_poll_loop+0x188/0x21c\n[ 1579.389853]  napi_threaded_poll+0x70/0x80\n[ 1579.393863]  kthread+0xd8/0xdc\n[ 1579.396918]  ret_from_fork+0x10/0x20\n[ 1579.400499] Code: 88dffc22 3707ffc2 f9406663 f9406684 (f81f0064)\n[ 1579.406589] ---[ end trace 0000000000000000 ]---\n[ 1579.411209] Kernel panic - not syncing: Oops: Fatal exception in interrupt\n[ 1579.418083] SMP: stopping secondary CPUs\n[ 1579.422012] Kernel Offset: disabled\n\nFix the issue reallocating the skb headroom if necessary in neigh_hh_bridge routine.\n\nFixes: e179e6322ac33 (\"netfilter: bridge-netfilter: Fix MAC header handling with IP DNAT\")\nSigned-off-by: Lorenzo Bianconi <lorenzo@kernel.org>\n---\nChanges in v3:\n- Run skb_cow_head() instead of skb_expand_head() in neigh_hh_bridge()\n- Link to v2: https://lore.kernel.org/r/20260511-nf-neigh_hh_bridge-fix-v2-1-c4964c7a7b8f@kernel.org\n\nChanges in v2:\n- Fix neighbour reference count leak\n- Run skb_expand_head() even for cloned/shared skbs.\n- Link to v1: https://lore.kernel.org/r/20260508-nf-neigh_hh_bridge-fix-v1-1-a1464468d92e@kernel.org\n---\n include/net/neighbour.h         | 8 ++++++--\n net/bridge/br_netfilter_hooks.c | 8 +++++++-\n 2 files changed, 13 insertions(+), 3 deletions(-)\n\n\n---\nbase-commit: f5b2772d14884f4be9e718644f1203d4d0e6f0d6\nchange-id: 20260508-nf-neigh_hh_bridge-fix-9ab775ee23c6\n\nBest regards,","diff":"diff --git a/include/net/neighbour.h b/include/net/neighbour.h\nindex 2dfee6d4258a..8860cc2175fc 100644\n--- a/include/net/neighbour.h\n+++ b/include/net/neighbour.h\n@@ -489,11 +489,15 @@ static inline int neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)\n #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)\n static inline int neigh_hh_bridge(struct hh_cache *hh, struct sk_buff *skb)\n {\n-\tunsigned int seq, hh_alen;\n+\tunsigned int seq, hh_alen = HH_DATA_ALIGN(ETH_HLEN);\n+\tint err;\n+\n+\terr = skb_cow_head(skb, hh_alen);\n+\tif (err)\n+\t\treturn err;\n \n \tdo {\n \t\tseq = read_seqbegin(&hh->hh_lock);\n-\t\thh_alen = HH_DATA_ALIGN(ETH_HLEN);\n \t\tmemcpy(skb->data - hh_alen, hh->hh_data, ETH_ALEN + hh_alen - ETH_HLEN);\n \t} while (read_seqretry(&hh->hh_lock, seq));\n \treturn 0;\ndiff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c\nindex 0ab1c94db4b9..cea2352900e9 100644\n--- a/net/bridge/br_netfilter_hooks.c\n+++ b/net/bridge/br_netfilter_hooks.c\n@@ -297,7 +297,13 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_\n \t\t\t\tgoto free_skb;\n \t\t\t}\n \n-\t\t\tneigh_hh_bridge(&neigh->hh, skb);\n+\t\t\tret = neigh_hh_bridge(&neigh->hh, skb);\n+\t\t\tif (ret) {\n+\t\t\t\tneigh_release(neigh);\n+\t\t\t\tkfree_skb(skb);\n+\t\t\t\treturn ret;\n+\t\t\t}\n+\n \t\t\tskb->dev = br_indev;\n \n \t\t\tret = br_handle_frame_finish(net, sk, skb);\n","prefixes":["net","v3"]}