[{"id":3684703,"web_url":"http://patchwork.ozlabs.org/comment/3684703/","msgid":"","list_archive_url":null,"date":"2026-04-30T13:27:07","subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Tristan Madani wrote:\n> ipt_register_table() adds the table to the per-netns list via\n> xt_register_table() before assigning the per-net ops copy to\n> new_table->ops. If cleanup_net runs during this window,\n> ipt_unregister_table_pre_exit() finds the table via xt_find_table()\n> and passes the NULL ops pointer to nf_unregister_net_hooks(), causing\n> a general protection fault.\n> \n> Guard against this by checking table->ops before calling\n> nf_unregister_net_hooks(). If ops is NULL the table is still being\n> set up; the register path will either complete and register the hooks\n> normally, or fail and clean up via __ipt_unregister_table().\n\nIs there a reproducer for this bug?\n\nThis explanation makes little sense to me.\nIf netns is being destroyed, then there should be no more requests\nto set/getsockopt.\n\nIs this perhaps about aggressive rmmod + parallel set/getsockopt calls?\nThat would make more sense, but this needs a different fix.\n\nI'm working on a new unreg scheme to avoid rmmod racing with concurrent\ncalls into iptables set/getsockopts.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12334-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5w2J28N7z1yHZ\n\tfor ; Thu, 30 Apr 2026 23:27:20 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 59A1B3010275\n\tfor ; Thu, 30 Apr 2026 13:27:14 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 20C944266B3;\n\tThu, 30 Apr 2026 13:27:13 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id EF61240F8CF;\n\tThu, 30 Apr 2026 13:27:10 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 903A960981; Thu, 30 Apr 2026 15:27:08 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777555632; cv=none;\n b=Fr5fYBHXN6m0NlDypQfbm6ylM9NmdcdgI+m6beRFWuiP1fyO+0Kgia088Wss+s4lkIAnOhaV/jTO9k/FfqmS4uKZu5dqXnEkxzu0bCIcnW1lumsYpBXBBFeEF++74o8pqXfIjPEaq9n7Xtvg62iqiHkX8VjR2xD/zljUjAcz3f8=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777555632; c=relaxed/simple;\n\tbh=3dgeUzkiEX83s7h+MF13V8GO4MSQo/ZEe5yLBlN4o54=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=Sw1mHsa+ki1JjHOee7WQcnlTJfU9SSv3bxUH4HtJarV9egm1TlaRLU9bIQXcznF1vCKrsOV3q2qDneAfV9BG973Xd+J4DN17wURH3R3Y4CVcpVzsOGwERzOEMulQAt2X57esSYm8Iw+pjEAXrzM8BG677z6muhmOeXoajeDpZ7g=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Thu, 30 Apr 2026 15:27:07 +0200","From":"Florian Westphal ","To":"Tristan Madani ","Cc":"Pablo Neira Ayuso , Phil Sutter ,\n\tnetfilter-devel@vger.kernel.org, netdev@vger.kernel.org,\n\tstable@vger.kernel.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","Message-ID":"","References":"<20260429175613.1459342-1-tristmd@gmail.com>\n <177750472539.3004201.15967003942391945312@talencesecurity.com>\n <177750474339.3016150.13196470704394042910@talencesecurity.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<177750474339.3016150.13196470704394042910@talencesecurity.com>"}},{"id":3684958,"web_url":"http://patchwork.ozlabs.org/comment/3684958/","msgid":"<177758578919.118018.11758358602621428742@gmail.com>","list_archive_url":null,"date":"2026-04-30T21:49:49","subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","submitter":{"id":93179,"url":"http://patchwork.ozlabs.org/api/people/93179/","name":"Tristan Madani","email":"tristmd@gmail.com"},"content":"Florian Westphal wrote:\n> Is there a reproducer for this bug?\n\nSyzkaller hit it under failslab. The race is between the lazy\ninit path in ipt_register_table() and cleanup_net(). The table\nbecomes visible via xt_register_table() before ops is assigned,\nso pre_exit can find it with NULL ops.\n\nCleaned crash log:\n\n Oops: general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN NOPTI\n KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]\n CPU: 1 UID: 0 PID: 604 Comm: kworker/u8:19 Tainted: G E 6.14.11 #1\n Workqueue: netns cleanup_net\n RIP: 0010:nf_unregister_net_hook net/netfilter/core.c:531 [inline]\n RIP: 0010:nf_unregister_net_hooks+0xbc/0x150 net/netfilter/core.c:613\n Call Trace:\n \n ipt_unregister_table_pre_exit+0x8a/0xc0 net/ipv4/netfilter/ip_tables.c:1814\n iptable_mangle_net_pre_exit+0x21/0x30 net/ipv4/netfilter/iptable_mangle.c:99\n ops_pre_exit_list net/core/net_namespace.c:162 [inline]\n cleanup_net+0x4b9/0xbe0 net/core/net_namespace.c:632\n process_one_work+0x98f/0x1750 kernel/workqueue.c:3238\n worker_thread+0x679/0xf50 kernel/workqueue.c:3402\n kthread+0x3f0/0x7e0 kernel/kthread.c:464\n ret_from_fork+0x60/0x90 arch/x86/kernel/process.c:153\n \n\n> I'm working on a new unreg scheme to avoid rmmod racing with\n> concurrent calls into iptables set/getsockopts.\n\nThat sounds like a different issue (rmmod vs sockopt). This one\nis init vs cleanup_net -- the NULL ops window exists regardless\nof the unreg scheme. V2 is a minimal guard for that.\n\nThanks,\nTristan","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=CIeUjj3n;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.232.135.74; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12357-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"CIeUjj3n\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.128.51","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org [172.232.135.74])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g67BV4Blwz1yGq\n\tfor ; Fri, 01 May 2026 07:50:10 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 6693E300C0D1\n\tfor ; Thu, 30 Apr 2026 21:50:06 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id D448639EF37;\n\tThu, 30 Apr 2026 21:50:01 +0000 (UTC)","from mail-wm1-f51.google.com (mail-wm1-f51.google.com\n [209.85.128.51])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id AEE8E36605A\n\tfor ; Thu, 30 Apr 2026 21:49:57 +0000 (UTC)","by mail-wm1-f51.google.com with SMTP id\n 5b1f17b1804b1-4891f625344so15451895e9.0\n for ;\n Thu, 30 Apr 2026 14:49:57 -0700 (PDT)","from kali (88-173-4-42.subs.proxad.net. [88.173.4.42])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a8eb55be7sm2654625e9.19.2026.04.30.14.49.54\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 30 Apr 2026 14:49:54 -0700 (PDT)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777585800; cv=none;\n b=hZsJnD3JSI9QXpE76H7BgiWc291Nvi6NJrUJVmkRBVK5FGWkoxf4ha5F7nGtndtVfBeG6YhI/auEjRbMpCbWwgcS2u5weeLIg3cuM6iqL59pajiZyUnIXBw36CKRYcL20y71PRzbVfzvwwpZtbGxFDZqOVMBFJPycUB0Z5IDVYU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777585800; c=relaxed/simple;\n\tbh=85tk5QsJ9uyjCVoVZBAl1BfLHBLBZIfxn5vihRLucTM=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t Content-Type:MIME-Version;\n b=X58TphrFxwykMjdq81hIy5L28Cf6aNiFqX3nV3EEDCM2oUiS2lISGqOjspZR54EpHA/ceBVUYadSB8u/d1EpfK7NzQrshV2BQFKlpg9GIqG4xghg4UZPtoxK77q37Jw/FNf1x6vMW+E3FM8bigmyAjECc/lO4iRQECLdiBdGSHs=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=CIeUjj3n; arc=none smtp.client-ip=209.85.128.51","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777585795; x=1778190595;\n darn=vger.kernel.org;\n h=mime-version:content-transfer-encoding:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=co7aAOg5SysfklO7pgS2h74n35b039IvIzPWl7cCjfc=;\n b=CIeUjj3nCpEgA/zFx6LaFJLEDQpAnDz5HROpJ/A6b4WxragTW/tGTfNLNIyRyGgRxt\n 2Qp3CJoLJAFXdqJedBoYx1t5v+EfFe1Y/PdJC4Gv56G9wCMETQp9EsaWw7ki5rKvMlbc\n xHQimS+0hEkPYJM3rQtWc53rHnb81PgBdKKzGle66RwccEHPx1miyurWzvABKJiOBnsc\n hqfWz/3W/dkJGaB3jT2jGfUudUrLb/RADufOudsSKi5PvnbXxArwptVZisb32Ys5YiWB\n 219U4MIOjyRpgXyouIIFqZftPLOGDA5Ezkc/22SPFQh0xAo5xU6I/PlGm2cAJVoeoVgB\n TXtQ==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777585795; x=1778190595;\n h=mime-version:content-transfer-encoding:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=co7aAOg5SysfklO7pgS2h74n35b039IvIzPWl7cCjfc=;\n b=tZ0tuoN7fUmRfa0QCAgjahTwZP077nIY+gEj0Ouej1T0qPFfQ/5KvtQM1W2ZqIyVR0\n sUGphmLUdSr/H6VsFyr4EOsV7tzvQzK5gFRQQOUH/B2xMnSxi5+QCY8cGBpL2eF5He7K\n JQKf+t7UL1tV3OcYbrAYRBbcehLcAd9fSijDk9lpc1KqQ/RiJ9PYeBowTUACHBxVaZSO\n ZnRDQ5aDWIZ8/1Xf1xF6B4YqJlWckYoKkfucIaOY3SJEOeo+dB2w2TXg8ihreKWSqSNE\n wfHm3bvNBQOzOjFFEZAPkyV15yRJp5S+XfYVpqL31mvjhsPeKLpWhe+t0+DKslEMGGFw\n 4cOA==","X-Forwarded-Encrypted":"i=1;\n AFNElJ+rZ/cNj9KnUdCPuzwbvcD2ONR81vpBKPMrFY7rLj8yDYVvxXXtMgwtsgNr5SP/zpLLcB7sAATNWbz1rXdK8GM=@vger.kernel.org","X-Gm-Message-State":"AOJu0YxorXzY1xcFDFXE5zEUDuSNRzGc7kjQQM+EACGw3ZtfWirUYbfV\n\tsX9uAts4+3+E5zkZV1nvgVmJIE2+DQNA9VJ4vZPNnsnrBL+Zp3qMguA=","X-Gm-Gg":"AeBDietoJJpbQan50oEbBFxP0FDfyny0Dw2/sQh9ruWGDCgfpd8zrDqV37KJ33TsY3O\n\tPowgMSnvK/W/q0JzO4RGGdeM5EX/A1Ak6Ly2huAhWFKFz8FgFjFHEYv1E5iPDD/gnQhLz0hBEsm\n\taJQD5Wck4gGCvTjWztB36LeG43QKV1J8Hv+0Bdam98Ez8Aogd0B2j30lMVN51G2OrovbWQIoOfM\n\tSulCOqeqik6mj4P2RjF2l47mPCrXo4TMLBnoTtzE3NKgq4hvMZ9Yaj4IY0hSRL7eerqiKoC9ETm\n\taOndVizROT+eTTUShwOu1nb93ctPUhszQK/b/hsnnL7n7gj0t3Yco3kTijDTL22i/FPFf+hDHvQ\n\tgadoHnkoW8BrXM/R3wzHeJqZdYjyjsAzQ38aZZJ9mTvDfupc3N51aZk0djIczL42Gm52sPlDDEr\n\tbQ9Gyoo59gIPmElzpeJz6Xt1Q1iBu8z3CHWqYLvzdklYE=","X-Received":"by 2002:a05:600c:4f52:b0:489:32b:ac0b with SMTP id\n 5b1f17b1804b1-48a85e684a8mr63270095e9.6.1777585795291;\n Thu, 30 Apr 2026 14:49:55 -0700 (PDT)","From":"Tristan Madani ","To":"fw@strlen.de","Cc":"pablo@netfilter.org, phil@nwl.cc, netfilter-devel@vger.kernel.org,\n netdev@vger.kernel.org, stable@vger.kernel.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","Date":"Thu, 30 Apr 2026 21:49:49 -0000","Message-ID":"<177758578919.118018.11758358602621428742@gmail.com>","In-Reply-To":"","References":"<20260429175613.1459342-1-tristmd@gmail.com>\n <177750472539.3004201.15967003942391945312@talencesecurity.com>\n <177750474339.3016150.13196470704394042910@talencesecurity.com>\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"quoted-printable","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0"}},{"id":3684966,"web_url":"http://patchwork.ozlabs.org/comment/3684966/","msgid":"","list_archive_url":null,"date":"2026-04-30T22:16:15","subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Tristan Madani wrote:\n> Florian Westphal wrote:\n> > Is there a reproducer for this bug?\n> \n> Syzkaller hit it under failslab. The race is between the lazy\n> init path in ipt_register_table() and cleanup_net(). The table\n> becomes visible via xt_register_table() before ops is assigned,\n> so pre_exit can find it with NULL ops.\n\nIf we have races between a thread calling ipt_register_table and\nthe netns cleanup path there is nothing we could ever do to fix it:\nwe are tearing down a live network namespace.\n\nSomething else must be going on.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12358-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g67mw6jMrz1yHZ\n\tfor ; Fri, 01 May 2026 08:16:32 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 1D8DC30360AB\n\tfor ; Thu, 30 Apr 2026 22:16:21 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 43F5E3A3830;\n\tThu, 30 Apr 2026 22:16:20 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 2867A382360;\n\tThu, 30 Apr 2026 22:16:18 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid CA00160640; Fri, 01 May 2026 00:16:15 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777587379; cv=none;\n b=byk7lHKPwCUISewdIAW9r53CYyDklsGRGFwTYY1bnSUXvC9Nd16UVvVt4AQOKvk+JB9ukZX11drcKydR8O7GGlIZJ+KXSqXUlgxt9o7Q6OZOMwM6ZUHB86Jy1xR0AOGYJqVNOeZz3stmr0jy9jFMiWK+xhwuuUz8SiGIw+2+3Ew=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777587379; c=relaxed/simple;\n\tbh=4QmRf+byhHEBKFCnvv8uaksqD8g1nZ8oagGd4fIeWh4=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=SQ0CjzoF1UDHIjYzwVhnKWttbGdGN54eA6r+hsbJ9dDXNDjtDyCXUM/aXx3b5bZtQoUsKYBh2sagE7XQZ41e11ZSDsd9GYeaeUZewihrhHFWfZ+eNP3LTnO2fPM+tKQEZtddVKSZyQMQ1LqV/aR//tyeN8em2pt6NDN0/X/kwH8=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Fri, 1 May 2026 00:16:15 +0200","From":"Florian Westphal ","To":"Tristan Madani ","Cc":"pablo@netfilter.org, phil@nwl.cc, netfilter-devel@vger.kernel.org,\n\tnetdev@vger.kernel.org, stable@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org","Subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","Message-ID":"","References":"<20260429175613.1459342-1-tristmd@gmail.com>\n <177750472539.3004201.15967003942391945312@talencesecurity.com>\n <177750474339.3016150.13196470704394042910@talencesecurity.com>\n \n <177758578919.118018.11758358602621428742@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<177758578919.118018.11758358602621428742@gmail.com>"}},{"id":3685224,"web_url":"http://patchwork.ozlabs.org/comment/3685224/","msgid":"<177766806589.1898033.5646188235412407059@gmail.com>","list_archive_url":null,"date":"2026-05-01T20:41:05","subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","submitter":{"id":93179,"url":"http://patchwork.ozlabs.org/api/people/93179/","name":"Tristan Madani","email":"tristmd@gmail.com"},"content":"On Thu, 1 May 2026 Florian Westphal wrote:\n> If we have races between a thread calling ipt_register_table\n> and the netns cleanup path there is nothing we could ever do to\n> fix it: we are tearing down a live network namespace.\n> Something else must be going on.\n\nI agree, this one is unusual. I tried multiple PoC approaches\nwithout success -- all I have is the syzkaller crash I shared,\nno reliable reproducer. Syzkaller itself could not minimize it\neither.\n\nThat said, the crash is real -- KASAN shows ops=NULL in\npre_exit during cleanup_net -- so something is reaching that\npath. The V2 guard handles it regardless of the root cause:\nif ops is NULL in pre_exit, we should not pass it to\nnf_unregister_net_hooks.\n\nI will share any PoC/repro if I get one.\n\nThanks,\nTristan","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=qEi8ltVY;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12386-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"qEi8ltVY\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.221.44","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6jct4Gb6z23gj\n\tfor ; Sat, 02 May 2026 06:41:34 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 5D599301E6C2\n\tfor ; Fri, 1 May 2026 20:41:12 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 9B34842317B;\n\tFri, 1 May 2026 20:41:10 +0000 (UTC)","from mail-wr1-f44.google.com (mail-wr1-f44.google.com\n [209.85.221.44])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 001472367DF\n\tfor ; Fri, 1 May 2026 20:41:08 +0000 (UTC)","by mail-wr1-f44.google.com with SMTP id\n ffacd0b85a97d-44a5174670eso610578f8f.1\n for ;\n Fri, 01 May 2026 13:41:08 -0700 (PDT)","from debian ([2001:41d0:303:db6b::])\n by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-44a986aa3a5sm7882383f8f.26.2026.05.01.13.41.06\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 01 May 2026 13:41:06 -0700 (PDT)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777668070; cv=none;\n b=Pe7S5RCHYfBREe82wPAmps8G09Zj1hfp1UzW/63ousZx9yQmsoN5hksF/TW/yefjhXpLq5D5h2Pvcz9LlyI6AhR4h1cbPw4J1YQmDMelXc+Ej8tvtFlb1S1foNmZ60ssKzqHbC81TeFx2kJStELpJ+Gujti7858jVmAqIWkmffU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777668070; c=relaxed/simple;\n\tbh=VAGwlkfOhO8vq5+QQLvGj7XDBS7ATS4VX2eI2mgwUus=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t Content-Type:MIME-Version;\n b=sfAGsgMSGnyS+Ag2BL84B2MX2c6y80Sz1StDi+4ns9potvBkIPXEsoqJ1BOgDcErckcw4ezXClmPYP/ugaTgUI69uYoQeM0EJvB3qFNaUp5ktUUzlRkLM9+qWZmEltErtgoIO4quWsbjA23/DpOf62R6+CTlLHBGzi6yUue8ZAo=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=qEi8ltVY; arc=none smtp.client-ip=209.85.221.44","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=gmail.com; s=20251104; t=1777668067; x=1778272867;\n darn=vger.kernel.org;\n h=mime-version:content-transfer-encoding:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=VAGwlkfOhO8vq5+QQLvGj7XDBS7ATS4VX2eI2mgwUus=;\n b=qEi8ltVY5FPEkzaV0Cs9mYwRsvjaa8SVo60MZY0QFhFnG6FzppCD07Ig8oFLUFCBbH\n puGD2nsRT7C5GnHb//5Az6G1obFAXi/gAlcuPX8h9ntj0DNsW1CZeuKAALjO/Hhvac9t\n FmBk6RXdOlM0X+r/1iwngpC8pEKFe3FcIgyaoOwCO1ZGBj1EEZ9zl+Hz4AKfVdVllvM5\n qpXddun6F14obLU40djU92xYXpovRtbDpeaj2SYRk/FcztH1pkcPdosmgEDdi+YQ5mWx\n hHx/qpD1IQIGBBInApPHgk5mPsFY6kuiyqmAWxbbfBETeq3dCSihVsbftqa28pXx+Y1/\n a6KQ==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777668067; x=1778272867;\n h=mime-version:content-transfer-encoding:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from\n :to:cc:subject:date:message-id:reply-to;\n bh=VAGwlkfOhO8vq5+QQLvGj7XDBS7ATS4VX2eI2mgwUus=;\n b=p6NbchbjypRWDF1Ph5dJ3DAytqwjgcz2rNvpforA7FyimC3YFoiF+ehNsJwgrFs4uT\n 7O3Y/NIi/LopeFmQS9cuF3ucxySL6nVmT3EUyGrvqpNgORKTmHJzNSQIDQxRRGTRr3Cy\n HgqbFYK0FRZpYZQjz4zxRN+KOpRAN+xWg68HRR4U4L0M2rFO1Y5jZ8RDohtiXrYI+Swr\n OJpRB8kHXu2Ltr55jFZrpvGM4ONGhTp7mKQrR1t+YPshv2hIX/R0npAj6ZrC56ybe+v6\n W6dvyRADrNyW+Xba8QXz2FRYJh9qy23PMyeOfRC3IQ711vnDAapWCFzCCIMvMmMQrKO5\n D3Yw==","X-Forwarded-Encrypted":"i=1;\n AFNElJ9nX3lMraLXrp503kyTqfUKhOOoTJRzehTvGNfB9eNTzdSOS11R+/VCFjUVkRtDuryhr0HWiI2bR9nuypatgMI=@vger.kernel.org","X-Gm-Message-State":"AOJu0YxXcY6Xu2qp5XUNELZBciO3HqXMc4sxdEYtLt/Ca/PiI5Alk2fW\n\tXZU6qEUqz960Jn2sxsh/vzACQD23qTjlG+DdLkkwQag2LdC8EB055RQ=","X-Gm-Gg":"AeBDiev12+GGukCi4YbhM6PYq8dhgOSM22rw2Yh7+V5cv6W8iEbK6Q8/o76X67n5lIt\n\tFvZWupIB4mK617ptKCFb3YQ7MNw/4rBXyus8DMPENBFwNKCGLYtqUVxxzPK0sJB/sYRdrZyb1Ub\n\t7twBLswCNfypsF9e+wJkg8G1h69TAXy4MhmbANeXMVWz8s+XiguQyvXDzO0kpX7CYqgsvtIIxdD\n\tJmLCWNCNc52GE4Akz681umautjPet3qvdtauAZejpsQKZEWisMUHQpP8SPvDRjFmuTVVOUyBsNq\n\tsyTJEHoqeEuJ9lEb2Frv7O5iJxcclvQGMul4syUmASmi5Be9GGVOWS2F/ivZ/Bu00ruLtRON1YB\n\t+zQcYY7DfMv4tKLw4cq6Brqk64+yiSXCgrfbeKljC7zREpyQAXDqasxEI6cgRiT0p8MUYOUQrzt\n\tKX0kXNNfoJvOo=","X-Received":"by 2002:a05:6000:2383:b0:43d:c95c:4259 with SMTP id\n ffacd0b85a97d-44bb5b4e054mr1421092f8f.30.1777668067195;\n Fri, 01 May 2026 13:41:07 -0700 (PDT)","From":"Tristan Madani ","To":"Florian Westphal ","Cc":"Pablo Neira Ayuso , Phil Sutter ,\n netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,\n stable@vger.kernel.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","Date":"Fri, 01 May 2026 20:41:05 -0000","Message-ID":"<177766806589.1898033.5646188235412407059@gmail.com>","In-Reply-To":"","References":"<20260429175613.1459342-1-tristmd@gmail.com>\n <177750472539.3004201.15967003942391945312@talencesecurity.com>\n <177750474339.3016150.13196470704394042910@talencesecurity.com>\n \n <177758578919.118018.11758358602621428742@gmail.com>\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"7bit","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0"}},{"id":3685232,"web_url":"http://patchwork.ozlabs.org/comment/3685232/","msgid":"","list_archive_url":null,"date":"2026-05-01T22:00:25","subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Tristan Madani wrote:\n> That said, the crash is real -- KASAN shows ops=NULL in\n> pre_exit during cleanup_net -- so something is reaching that\n> path. The V2 guard handles it regardless of the root cause:\n> if ops is NULL in pre_exit, we should not pass it to\n> nf_unregister_net_hooks.\n> \n> I will share any PoC/repro if I get one.\n\nThanks. I have a patch series that should close all\nraces, I need to retest it tomorrow and then I'll post it\nso sashiko, syzbot etc. can have a go at it.\n\nI found a few other problems in the general area so it should\nbe a good improvement over the current state of affairs.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12387-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g6lNf7495z1yHZ\n\tfor ; Sat, 02 May 2026 08:01:06 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 6915A301F5D0\n\tfor ; Fri, 1 May 2026 22:00:37 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id ED86636C9ED;\n\tFri, 1 May 2026 22:00:35 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id C80E02FB965;\n\tFri, 1 May 2026 22:00:33 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 9517360336; Sat, 02 May 2026 00:00:25 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777672835; cv=none;\n b=Ka0iYgL/5ZxEmRCTmizzL4vcm4yG9ASnDpUoMwuHiauw0/9QgAy/OFVMH9Xt0SlhvHy+UR57mEzsAyk5CnrBhaqoK1GWl56GnQTsSBYiNFlw/seacwHrxRne8yYnrCv5vjApQLZo+wzgxoWMsVosrucKRCoQhty3d9Lcf/vuO08=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777672835; c=relaxed/simple;\n\tbh=w4nAVOy5K74SvvvY92z9vLikKdGbXsoynE3ExfazCkk=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=ifF/oLOjRHjgMs/P9ZOD4ystVPc1O9TYj+bfApNSsAytMoXYzZ59VKj5yGBy0l1cpRNhCoeDwOnn0RBc1efK2EZ2EYRG84xmmy2ePKpBiLc13Z1SQ1/CA+BRjlsWnTo+A6C96SYDswUO0EU3DEGLg43GojF4AJiv1IZTErnvTwc=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Sat, 2 May 2026 00:00:25 +0200","From":"Florian Westphal ","To":"Tristan Madani ","Cc":"Pablo Neira Ayuso , Phil Sutter ,\n\tnetfilter-devel@vger.kernel.org, netdev@vger.kernel.org,\n\tstable@vger.kernel.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH v2 1/2] netfilter: ip_tables: guard\n ipt_unregister_table_pre_exit against NULL ops","Message-ID":"","References":"<20260429175613.1459342-1-tristmd@gmail.com>\n <177750472539.3004201.15967003942391945312@talencesecurity.com>\n <177750474339.3016150.13196470704394042910@talencesecurity.com>\n \n <177758578919.118018.11758358602621428742@gmail.com>\n \n <177766806589.1898033.5646188235412407059@gmail.com>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<177766806589.1898033.5646188235412407059@gmail.com>"}}]