Wind River Support Network

Acknowledged

LIN1022-18720 : Security Advisory - linux - CVE-2025-39894

Created: Oct 10, 2025    Updated: Oct 17, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm

When sending a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, which can be
triggered by a normal packet to a non-bridge device, the below warning
may happen.

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
  CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
  RIP: 0010:br_nf_local_in+0x168/0x200
  Call Trace:
   <TASK>
   nf_hook_slow+0x3e/0xf0
   br_pass_frame_up+0x103/0x180
   br_handle_frame_finish+0x2de/0x5b0
   br_nf_hook_thresh+0xc0/0x120
   br_nf_pre_routing_finish+0x168/0x3a0
   br_nf_pre_routing+0x237/0x5e0
   br_handle_frame+0x1ec/0x3c0
   __netif_receive_skb_core+0x225/0x1210
   __netif_receive_skb_one_core+0x37/0xa0
   netif_receive_skb+0x36/0x160
   tun_get_user+0xa54/0x10c0
   tun_chr_write_iter+0x65/0xb0
   vfs_write+0x305/0x410
   ksys_write+0x60/0xd0
   do_syscall_64+0xa4/0x260
   entry_SYSCALL_64_after_hwframe+0x77/0x7f
   </TASK>
  ---[ end trace 0000000000000000 ]---

To solve the hash conflict, nf_ct_resolve_clash() tries to merge the
conntracks, and updates skb->_nfct. However, br_nf_local_in() still uses the
old ct from local variable 'nfct' after confirm(), which leads to this
warning.

If confirm() does not insert the conntrack entry and returns NF_DROP, the
warning may also occur. There is no need to reserve the WARN_ON_ONCE, just
remove it.
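
A log-triage sketch for the warning quoted above, added here as an example (not Wind River's or the kernel project's code): it scans kernel log text for WARNING blocks raised from br_nf_local_in() in br_netfilter_hooks.c and records the reporting process and whether the call trace passes through tun_get_user. The function name find_br_nf_warnings and the sample log are assumptions; the first sample block reuses lines from the advisory's trace and the second is constructed.

```python
import re

# Match on file and function, not the source line: 632 is specific to the
# kernel build quoted in the advisory.
WARN_RE = re.compile(r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at "
                     r"(?P<file>\S+):\d+ (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
COMM_RE = re.compile(r"Comm: (?P<comm>\S+)")
# A call-trace frame, with an optional dmesg timestamp in front.
FRAME_RE = re.compile(r"\s*(?:\[[\d\s.]+\])?\s*(?P<sym>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")

def find_br_nf_warnings(log_text):
    """Return one dict per WARNING block raised from br_nf_local_in()."""
    hits, cur = [], None
    for line in log_text.splitlines():
        if "[ cut here ]" in line:
            cur = {"frames": []}          # a new kernel warning block starts
        elif cur is None:
            continue
        elif "[ end trace" in line:
            if (cur.get("func") == "br_nf_local_in"
                    and cur.get("file", "").endswith("br_netfilter_hooks.c")):
                # tun_get_user in the trace: the frame arrived via a tap/tun write
                cur["via_tun"] = "tun_get_user" in cur["frames"]
                hits.append(cur)
            cur = None
        elif m := WARN_RE.search(line):
            cur.update(m.groupdict())
        elif m := COMM_RE.search(line):
            cur["comm"] = m["comm"]
        elif m := FRAME_RE.match(line):
            cur["frames"].append(m["sym"])
    return hits

# Sample input: the first block reuses lines from the advisory's trace
# (shortened); the second block is constructed, an unrelated WARNING.
SAMPLE_LOG = """\
------------[ cut here ]------------
WARNING: CPU: 1 PID: 96 at net/bridge/br_netfilter_hooks.c:632 br_nf_local_in+0x168/0x200
CPU: 1 UID: 0 PID: 96 Comm: tap_send Not tainted 6.17.0-rc2-dirty #44 PREEMPT(voluntary)
Call Trace:
 <TASK>
 nf_hook_slow+0x3e/0xf0
 tun_get_user+0xa54/0x10c0
 </TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
WARNING: CPU: 0 PID: 7 at drivers/example/demo.c:10 demo_fn+0x10/0x20
---[ end trace 0000000000000000 ]---
"""
```

Calling find_br_nf_warnings() on the output of dmesg or journalctl -k on a Wind River Linux LTS 22 host returns an empty list when the warning has not fired since boot.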