From patchwork Thu Aug 2 19:44:40 2018
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 952953
X-Patchwork-Delegate: pablo@netfilter.org
From: Florian Westphal
To:
Cc: Florian Westphal
Subject: [PATCH nf 1/2] netfilter: nf_tables: fix register ordering
Date: Thu, 2 Aug 2018 21:44:40 +0200
Message-Id: <20180802194441.7441-2-fw@strlen.de>
In-Reply-To: <20180802194441.7441-1-fw@strlen.de>
References: <20180802194441.7441-1-fw@strlen.de>
X-Mailing-List: netfilter-devel@vger.kernel.org

We must register nfnetlink ops last, as that exposes nf_tables to userspace. Without this, we could theoretically get an nfnetlink request before net->nft state has been initialized.

Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support")
Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f5745e4c6513..b0ddc7897ca8 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -7202,31 +7202,45 @@ static int __init nf_tables_module_init(void) { int err; - nft_chain_filter_init(); + err = register_pernet_subsys(&nf_tables_net_ops); + if (err < 0) + return err; - info = kmalloc_array(NFT_RULE_MAXEXPRS, sizeof(struct nft_expr_info), - GFP_KERNEL); - if (info == NULL) { - err = -ENOMEM; + err = nft_chain_filter_init(); + if (err < 0) goto err1; - } err = nf_tables_core_module_init(); if (err < 0) goto err2; - err = nfnetlink_subsys_register(&nf_tables_subsys); + err = register_netdevice_notifier(&nf_tables_flowtable_notifier); if (err < 0) goto err3; - register_netdevice_notifier(&nf_tables_flowtable_notifier); + info = kmalloc_array(NFT_RULE_MAXEXPRS, sizeof(struct nft_expr_info), + GFP_KERNEL); + if (info == NULL) { + err = -ENOMEM; + goto err4; + } + + /* must be last */ + err = nfnetlink_subsys_register(&nf_tables_subsys); + if (err < 0) { + kfree(info); + goto err4; + } - return register_pernet_subsys(&nf_tables_net_ops); + return err; +err4: + unregister_netdevice_notifier(&nf_tables_flowtable_notifier); err3: nf_tables_core_module_exit(); err2: - kfree(info); + nft_chain_filter_fini(); err1: + unregister_pernet_subsys(&nf_tables_net_ops); return err; }
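Review bot: the hunk now depends on nft_chain_filter_init() returning an int (`err = nft_chain_filter_init();`) and on a nft_chain_filter_fini() being callable from the err2 label, but neither is introduced in this diff and the diffstat lists only net/netfilter/nf_tables_api.c; please confirm both already exist in the tree with those signatures, or say so in the commit message, since otherwise the patch does not build. Minor style point at the end of the success path: `return err;` replaces `return register_pernet_subsys(&nf_tables_net_ops);`, and err is necessarily 0 there because nfnetlink_subsys_register() has just succeeded, so `return 0;` would make that explicit. The unwind order itself looks right: err4 through err1 undo the registrations in exact reverse, kfree(info) is done inline only on the one path where info was allocated, and nfnetlink_subsys_register() is last, which is what the commit message needs so that no userspace request can reach nf_tables before register_pernet_subsys() has initialized net->nft.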