[{"id":3683334,"web_url":"http://patchwork.ozlabs.org/comment/3683334/","msgid":"<afCFlxjOiEs2ouKY@chamomile>","list_archive_url":null,"date":"2026-04-28T10:01:59","subject":"Re: [PATCH net] netfilter: nf_nat: avoid invalid nat_net pointer use\n on failed nf_nat_init()","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Tue, Apr 28, 2026 at 11:09:17AM +0200, Mathias Krause wrote:\n> We ran into below KASAN splat, which is mostly uninteresting, beside\n> for having nf_nat_register_fn() in the call chain as a cause for the\n> offending access:\n> \n> ==================================================================\n> BUG: KASAN: slab-out-of-bounds in nf_nat_register_fn+0x5f9/0x640\n> Read of size 8 at addr ffff890031e54c20 by task iptables/9510\n> \n> CPU: 0 UID: 0 PID: 9510 Comm: iptables Not tainted 6.18.18-grsec-full-20260320181326 #1 PREEMPT(voluntary)\n> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014\n> Call Trace:\n>  <TASK>\n>  […] dump_stack_lvl+0xee/0x160 ffff88004117eeb8\n>  […] print_report+0x6e/0x640 ffff88004117eee0\n>  […] ? __phys_addr+0x8e/0x140 ffff88004117eef0\n>  […] ? kasan_addr_to_slab+0x51/0xe0 ffff88004117ef08\n>  […] ? complete_report_info+0xec/0x1c0 ffff88004117ef20\n>  […] ? nf_nat_register_fn+0x5f9/0x640 ffff88004117ef48\n>  […] kasan_report+0xbc/0x140 ffff88004117ef50\n>  […] ? nf_nat_register_fn+0x5f9/0x640 ffff88004117ef90\n>  […] nf_nat_register_fn+0x5f9/0x640 ffff88004117eff8\n>  […] ? nf_nat_icmp_reply_translation+0x6e0/0x6e0 ffff88004117f070\n>  […] nf_tables_register_hook.part.0+0xa0/0x220 ffff88004117f080\n>  […] nf_tables_addchain.constprop.0+0x1054/0x1fc0 ffff88004117f0b8\n>  […] ? nft_chain_lookup.part.0+0x4ce/0xac0 ffff88004117f130\n>  […] ? nf_tables_abort+0x3d80/0x3d80 ffff88004117f190\n>  […] ? nf_tables_dumpreset_obj+0x100/0x100 ffff88004117f1c8\n>  […] ? 
nft_table_lookup.part.0+0x255/0x300 ffff88004117f310\n>  […] ? nf_tables_newchain+0x21a4/0x2fa0 ffff88004117f358\n>  […] nf_tables_newchain+0x21a4/0x2fa0 ffff88004117f360\n>  […] ? nf_tables_addchain.constprop.0+0x1fc0/0x1fc0 ffff88004117f458\n>  […] ? nla_get_range_signed+0x4a0/0x4a0 ffff88004117f488\n>  […] ? lock_acquire+0x16f/0x320 ffff88004117f490\n>  […] ? find_held_lock+0x3b/0xe0 ffff88004117f4b0\n>  […] ? __nla_parse+0x45/0x80 ffff88004117f500\n>  […] nfnetlink_rcv_batch+0xbca/0x19a0 ffff88004117f550\n>  […] ? nfnetlink_net_exit_batch+0x120/0x120 ffff88004117f618\n>  […] ? __sanitizer_cov_trace_switch+0x63/0xe0 ffff88004117f720\n>  […] ? gr_acl_handle_mmap+0x1c4/0x320 ffff88004117f7c0\n>  […] ? nla_get_range_signed+0x4a0/0x4a0 ffff88004117f7e8\n>  […] ? gr_is_capable+0x6f/0xe0 ffff88004117f830\n>  […] ? __nla_parse+0x45/0x80 ffff88004117f860\n>  […] ? skb_pull+0x103/0x1a0 ffff88004117f880\n>  […] nfnetlink_rcv+0x3db/0x4a0 ffff88004117f8b0\n>  […] ? nfnetlink_rcv_batch+0x19a0/0x19a0 ffff88004117f8d8\n>  […] ? netlink_lookup+0xe2/0x240 ffff88004117f900\n>  […] netlink_unicast+0x74b/0xb00 ffff88004117f930\n>  […] ? netlink_attachskb+0xb20/0xb20 ffff88004117f980\n>  […] ? __check_object_size+0x3e/0xaa0 ffff88004117f998\n>  […] ? security_netlink_send+0x51/0x160 ffff88004117f9c8\n>  […] netlink_sendmsg+0xa03/0x1200 ffff88004117f9f8\n>  […] ? netlink_unicast+0xb00/0xb00 ffff88004117fa70\n>  […] ? netlink_unicast+0xb00/0xb00 ffff88004117fac8\n>  […] ? ____sys_sendmsg+0xe2a/0x1040 ffff88004117faf8\n>  […] ____sys_sendmsg+0xe2a/0x1040 ffff88004117fb00\n>  […] ? kernel_recvmsg+0x300/0x300 ffff88004117fb60\n>  […] ? reacquire_held_locks+0xe9/0x260 ffff88004117fbc8\n>  […] ___sys_sendmsg+0x138/0x200 ffff88004117fbf8\n>  […] ? do_recvmmsg+0x7e0/0x7e0 ffff88004117fc30\n>  […] ? lockdep_hardirqs_on_prepare+0x101/0x1e0 ffff88004117fc50\n>  […] ? lock_acquire+0x16f/0x320 ffff88004117fd20\n>  […] ? lock_acquire+0x16f/0x320 ffff88004117fd58\n>  […] ? 
find_held_lock+0x3b/0xe0 ffff88004117fd70\n>  […] __sys_sendmsg+0x17a/0x260 ffff88004117fdc8\n>  […] ? __sys_sendmsg_sock+0x80/0x80 ffff88004117fdf0\n>  […] ? syscall_trace_enter+0x15e/0x2c0 ffff88004117fe98\n>  […] do_syscall_64+0x7d/0x400 ffff88004117fec8\n>  […] entry_SYSCALL_64_safe_stack+0x4a/0x60 ffff88004117fef8\n>  </TASK>\n> ==================================================================\n> \n> The out-of-bounds report, though, is a red herring as it is for an\n> access that shouldn't have happened in the first place.\n> \n> When nf_nat_init() fails to register its BPF kfuncs, it'll unwind and,\n> among others, call unregister_pernet_subsys() to deregister its per-net\n> ops. This makes the previously allocated net id available for reuse by\n> the next caller of register_pernet_subsys(), in our case, synproxy.\n> However, 'nat_net_id' will still hold the previously allocated value.\n> \n> If nf_nat.o gets built as a module, all this doesn't matter. A failed\n> initialization routine makes the module fail to load and any dependent\n> module won't be able to load either. 
However, if nf_nat.o is built-in,\n> a failing init won't /completely/ make its functionality unavailable to\n> dependent modules, namely the code and static data is still there, free\n> to be called by modules like nft_chain_nat.ko.\n> \n> Case in point, nft_chain_nat registers hooks that'll call into nf_nat\n> which, in our case, failed to initialize and therefore won't have a\n> valid net id nor related net_nat object any more.\n> \n> Code in nf_nat, namely nf_nat_register_fn() and nf_nat_unregister_fn(),\n> still making use of the reallocated net id, lead to a type confusion as\n> the call to net_generic() will no longer return memory belonging to an\n> object suited to fit 'struct nat_net' but 'struct synproxy_net' instead.\n> The latter is only 24 bytes on 64-bit systems, much smaller than struct\n> nat_net which is 176 bytes, perfectly explaining the OOB KASAN report.\n> \n> Detect and handle a failed nf_nat_init() by testing the 'nf_nat_hook'\n> pointer which will be reset to NULL on initialization errors to prevent\n> the usage of an invalid nat_net pointer.\n> \n> As this check is only needed when nf_nat.o is built-in, guard it by\n> '#ifndef MODULE...'.\n> \n> Fixes: cbc1dd5b659f (\"netfilter: nf_nat: Fix possible memory leak in nf_nat_init()\")\n> Signed-off-by: Mathias Krause <minipli@grsecurity.net>\n> ---\n>  net/netfilter/nf_nat_core.c | 10 ++++++++++\n>  1 file changed, 10 insertions(+)\n> \n> diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c\n> index 3b5434e4ec9c..76a150b9d418 100644\n> --- a/net/netfilter/nf_nat_core.c\n> +++ b/net/netfilter/nf_nat_core.c\n> 
@@ -1187,6 +1187,16 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,\n>  \tstruct nf_hook_ops *nat_ops;\n>  \tint i, ret;\n>  \n> +#ifndef MODULE\n> +\t/* If nf_nat_core is built-in and nf_nat_init() fails, dependent\n> +\t * modules like nft_chain_nat.ko may still call this function.\n> +\t * However, nat_net would be invalid, likely pointing to some other\n> +\t * per-net structure.\n\nHm, if nf_nat_init() fails, then nft_chain_nat should fail to load.\n\nMaybe there is a different way to validate this dependency?\n\n> +\t */\n> +\tif (WARN_ON_ONCE(!nf_nat_hook))\n> +\t\treturn -EOPNOTSUPP;\n> +#endif\n> +\n>  \tif (WARN_ON_ONCE(pf >= ARRAY_SIZE(nat_net->nat_proto_net)))\n>  \t\treturn -EINVAL;\n>  \n> -- \n> 2.47.3\n>","headers":{"Return-Path":"\n <netfilter-devel+bounces-12247-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=vZ+vV/f/;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12247-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"vZ+vV/f/\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t 
key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4bb30Nj8z1yHX\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 20:02:39 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 5E812301BA7C\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 10:02:13 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id CBD703E274A;\n\tTue, 28 Apr 2026 10:02:09 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 5689B3E276B;\n\tTue, 28 Apr 2026 10:02:05 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id EF79060254;\n\tTue, 28 Apr 2026 12:02:01 +0200 (CEST)"],"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org 
header.i=@netfilter.org\n header.b=vZ+vV/f/; arc=none smtp.client-ip=217.70.190.124","Date":"Tue, 28 Apr 2026 12:01:59 +0200","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"Mathias Krause <minipli@grsecurity.net>","Cc":"netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,\n\tnetdev@vger.kernel.org","Subject":"Re: [PATCH net] netfilter: nf_nat: avoid invalid nat_net pointer use\n on failed nf_nat_init()","Message-ID":"<afCFlxjOiEs2ouKY@chamomile>","References":"<20260428090917.3851366-1-minipli@grsecurity.net>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","Content-Transfer-Encoding":"8bit","In-Reply-To":"<20260428090917.3851366-1-minipli@grsecurity.net>"}},{"id":3683412,"web_url":"http://patchwork.ozlabs.org/comment/3683412/","msgid":"<91091356-7e7d-4664-bd20-67c70f23e655@grsecurity.net>","list_archive_url":null,"date":"2026-04-28T11:48:02","subject":"Re: [PATCH net] netfilter: nf_nat: avoid invalid nat_net pointer use\n on failed nf_nat_init()","submitter":{"id":85569,"url":"http://patchwork.ozlabs.org/api/people/85569/","name":"Mathias 
Krause","email":"minipli@grsecurity.net"},"content":"On 28.04.26 12:01, Pablo Neira Ayuso wrote:\n> On Tue, Apr 28, 2026 at 11:09:17AM +0200, Mathias Krause wrote:\n>> --- a/net/netfilter/nf_nat_core.c\n>> +++ b/net/netfilter/nf_nat_core.c\n>> 
@@ -1187,6 +1187,16 @@ int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,\n>>  \tstruct nf_hook_ops *nat_ops;\n>>  \tint i, ret;\n>>  \n>> +#ifndef MODULE\n>> +\t/* If nf_nat_core is built-in and nf_nat_init() fails, dependent\n>> +\t * modules like nft_chain_nat.ko may still call this function.\n>> +\t * However, nat_net would be invalid, likely pointing to some other\n>> +\t * per-net structure.\n> \n> Hm, if nf_nat_init() fails, then nft_chain_nat should fail to load.\n\nIf nf_nat is a module, that is the case, yes. However, the failing case\nhad it built-in (CONFIG_NF_NAT=y) and there's little the kernel can do\nwhen some init function fails -- the code and data will still be part of\nvmlinux.\n\n> \n> Maybe there is a different way to validate this dependency?\n\nYeah, maybe. Maybe move the 'nf_nat_hook != NULL' test to\nnft_chain_nat_init()? It's exported already, so this should work --\nassuming the respective init functions get called in the right order\n(nf_nat_init() first, then nft_chain_nat_init()). But that should be the\ncase, even if both are built-in, according to the order in\nnet/netfilter/Makefile.\n\nIt's a little fragile, though. 
In case the link order changes one day,\nthe test would lead to a false positive, making nft_chain_nat fail for\nthe wrong reason.\n\nAlso, I'm uncertain if the link order is really that deterministic wrt.\ninit functions for LTO builds?\n\nMathias\n\n> \n>> +\t */\n>> +\tif (WARN_ON_ONCE(!nf_nat_hook))\n>> +\t\treturn -EOPNOTSUPP;\n>> +#endif\n>> +\n>>  \tif (WARN_ON_ONCE(pf >= ARRAY_SIZE(nat_net->nat_proto_net)))\n>>  \t\treturn -EINVAL;\n>>  \n>> -- \n>> 2.47.3\n>>","headers":{"Return-Path":"\n <netfilter-devel+bounces-12253-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12253-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.221.54","smtp.subspace.kernel.org;\n dmarc=fail (p=none dis=none) header.from=grsecurity.net","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=opensrcsec.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4f8Z15BLz1xrS\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 21:58:22 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id EA4293154AC1\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 11:48:24 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 36BBA3F1643;\n\tTue, 28 Apr 2026 
11:48:23 +0000 (UTC)","from mail-wr1-f54.google.com (mail-wr1-f54.google.com\n [209.85.221.54])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 608673E7150\n\tfor <netfilter-devel@vger.kernel.org>; Tue, 28 Apr 2026 11:48:21 +0000 (UTC)","by mail-wr1-f54.google.com with SMTP id\n ffacd0b85a97d-445795cf6f1so1029261f8f.1\n        for <netfilter-devel@vger.kernel.org>;\n Tue, 28 Apr 2026 04:48:21 -0700 (PDT)","from ?IPV6:2003:fa:af26:200:51a:ef03:a698:a1fc?\n (p200300faaf260200051aef03a698a1fc.dip0.t-ipconnect.de.\n [2003:fa:af26:200:51a:ef03:a698:a1fc])\n        by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-4464004edc8sm5904206f8f.37.2026.04.28.04.48.18\n        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);\n        Tue, 28 Apr 2026 04:48:18 -0700 (PDT)"],"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=fail (p=none dis=none) header.from=grsecurity.net;\n spf=pass smtp.mailfrom=opensrcsec.com; arc=none smtp.client-ip=209.85.221.54","X-Received":"by 2002:a05:6000:18a4:b0:43d:7e11:1b72 with SMTP id\n ffacd0b85a97d-44648f28e43mr5118800f8f.9.1777376899427;\n        Tue, 28 Apr 2026 04:48:19 -0700 (PDT)","Message-ID":"<91091356-7e7d-4664-bd20-67c70f23e655@grsecurity.net>","Date":"Tue, 28 Apr 2026 13:48:02 
+0200","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","User-Agent":"Mozilla Thunderbird","Subject":"Re: [PATCH net] netfilter: nf_nat: avoid invalid nat_net pointer use\n on failed nf_nat_init()","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"netfilter-devel@vger.kernel.org, Florian Westphal <fw@strlen.de>,\n netdev@vger.kernel.org","References":"<20260428090917.3851366-1-minipli@grsecurity.net>\n <afCFlxjOiEs2ouKY@chamomile>","Content-Language":"en-US, de-DE","From":"Mathias Krause <minipli@grsecurity.net>","In-Reply-To":"<afCFlxjOiEs2ouKY@chamomile>","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"7bit"}}]
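Review bot: the changelog names both nf_nat_register_fn() and nf_nat_unregister_fn() as users of the reallocated net id, but the only hunk (1 file, 10 insertions) adds the `!nf_nat_hook` test to nf_nat_register_fn() alone. Either add the same guard to nf_nat_unregister_fn() or say in the changelog why that path cannot run once registration has returned -EOPNOTSUPP. The in-code comment should also state that the test relies on nf_nat_hook being reset to NULL when nf_nat_init() fails, since that is what makes the pointer a valid indicator of failed initialization.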