Ren Wei <[email protected]> wrote:
> From: Haoze Xie <[email protected]>
>
> The bridge netfilter fake rtable currently lives inside struct
> net_bridge and is reattached to bridged packets with
> skb_dst_set_noref(). If such a packet is queued to NFQUEUE,
> __nf_queue() upgrades that fake dst with skb_dst_force().
>
> At that point queued packets can hold a real dst reference even after
> bridge teardown starts freeing the backing struct net_bridge storage.
> When verdict reinjection later drops the skb, dst_release() can hit the
> freed bridge-private fake rtable.
>
> Fix this by moving the fake rtable out of struct net_bridge and making
> bridge_parent_rtable() hand out a referenced dst. This keeps the queued
> skb path from holding a pointer into struct net_bridge while keeping the
> kludge local to br_netfilter.
>
> Use rt_dst_alloc() so the fake dst reuses the core IPv4 rtable
> lifecycle, and release the bridge device reference during teardown via
> dst_dev_put() before dropping the bridge-owned dst reference.
I think AI review is mostly correct:
https://sashiko.dev/#/patchset/831936f111e6e1f435f4f6247d07fe6a6624d271.1779680014.git.royenheart%40gmail.com
- no need for constant refcount bump
- I don't think the ipv4-specific functions can be used safely here.
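As an added illustration of the lifetime problem in the quoted description (a constructed userspace model, not kernel code and not the patch itself): every struct and function name here is a hypothetical stand-in for the kernel objects named above, and the `freed` flag models memory being handed back to the allocator.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model: "freed" stands in for memory handed back to the allocator. */
struct model_dst { int refcnt; bool freed; };
/* An skb holding a dst either noref (skb_dst_set_noref) or with a counted ref. */
struct model_skb { struct model_dst *dst; bool noref; };

/* Models skb_dst_force() in __nf_queue(): a noref dst becomes a real reference. */
static void skb_force_dst(struct model_skb *skb)
{
	if (skb->noref) { skb->dst->refcnt++; skb->noref = false; }
}

/* Drops one reference; returns true if it had to touch already-freed memory. */
static bool drop_ref(struct model_dst *d)
{
	if (d->freed) return true;
	if (--d->refcnt == 0) d->freed = true;
	return false;
}

/* Models dst_release() when the reinjected skb is dropped. */
static bool skb_release_dst(struct model_skb *skb)
{
	return skb->noref ? false : drop_ref(skb->dst);
}

/* Before the patch: fake rtable embedded in struct net_bridge, freed wholesale at teardown. */
static bool buggy_scenario(void)
{
	struct { struct model_dst fake_rtable; } br = { { 1, false } };
	struct model_skb skb = { &br.fake_rtable, true };
	skb_force_dst(&skb);          /* refcnt 2, but the count lives inside br */
	br.fake_rtable.freed = true;  /* whole bridge storage freed at teardown */
	return skb_release_dst(&skb); /* true: release touches freed bridge memory */
}

/* After the patch: separately allocated dst; bridge holds one ref, the skb gets its own. */
static bool fixed_scenario(void)
{
	struct model_dst *rt = calloc(1, sizeof *rt);
	if (!rt) return true;
	struct model_skb skb = { rt, false };
	rt->refcnt = 2;                    /* one bridge-owned, one held by the skb */
	bool uaf = drop_ref(rt);           /* teardown drops only the bridge's reference */
	uaf |= skb_release_dst(&skb);      /* last reference frees the dst cleanly */
	uaf |= !rt->freed;                 /* and nothing leaks */
	free(rt); return uaf;              /* false */
}
```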
