{"id":2230381,"url":"http://patchwork.ozlabs.org/api/1.1/covers/2230381/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/cover/20260429175613.1459342-1-tristmd@gmail.com/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260429175613.1459342-1-tristmd@gmail.com>","date":"2026-04-29T17:56:10","name":"[0/2] netfilter: fix NULL ops race in iptable lazy init","submitter":{"id":93179,"url":"http://patchwork.ozlabs.org/api/1.1/people/93179/?format=json","name":"Tristan Madani","email":"tristmd@gmail.com"},"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/cover/20260429175613.1459342-1-tristmd@gmail.com/mbox/","series":[{"id":502119,"url":"http://patchwork.ozlabs.org/api/1.1/series/502119/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=502119","date":"2026-04-29T17:56:10","name":"netfilter: fix NULL ops race in iptable lazy init","version":1,"mbox":"http://patchwork.ozlabs.org/series/502119/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/covers/2230381/comments/","headers":{"Return-Path":"\n <netfilter-devel+bounces-12301-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20251104 header.b=TUoc0w6z;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n 
envelope-from=netfilter-devel+bounces-12301-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=\"TUoc0w6z\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=209.85.221.50","smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmail.com"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5Q3P4rhgz1xqf\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 03:56:33 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id A9F5F3025170\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 17:56:23 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 73ABD41325C;\n\tWed, 29 Apr 2026 17:56:18 +0000 (UTC)","from mail-wr1-f50.google.com (mail-wr1-f50.google.com\n [209.85.221.50])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 6874538CFF1\n\tfor <netfilter-devel@vger.kernel.org>; Wed, 29 Apr 2026 17:56:16 +0000 (UTC)","by mail-wr1-f50.google.com with SMTP id\n ffacd0b85a97d-43fe608cb92so48063f8f.2\n        for <netfilter-devel@vger.kernel.org>;\n Wed, 29 Apr 2026 10:56:16 -0700 (PDT)","from debian.. 
([2001:41d0:303:db6b::])\n        by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-447b3d48517sm6183750f8f.5.2026.04.29.10.56.13\n        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n        Wed, 29 Apr 2026 10:56:13 -0700 (PDT)"],"ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=none dis=none) header.from=gmail.com;\n spf=pass smtp.mailfrom=gmail.com;\n dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com\n header.b=TUoc0w6z; arc=none smtp.client-ip=209.85.221.50","X-Received":"by 2002:a05:6000:2305:b0:441:3144:efc5 with SMTP id\n ffacd0b85a97d-4464a1682b5mr16117702f8f.42.1777485374554;\n        Wed, 29 Apr 2026 10:56:14 -0700 (PDT)","From":"Tristan Madani <tristmd@gmail.com>","To":"Pablo Neira Ayuso <pablo@netfilter.org>","Cc":"Florian Westphal <fw@strlen.de>,\n\tPhil Sutter <phil@nwl.cc>,\n\tnetfilter-devel@vger.kernel.org,\n\tnetdev@vger.kernel.org,\n\tstable@vger.kernel.org,\n\tlinux-kernel@vger.kernel.org,\n\tTristan Madani 
<tristan@talencesecurity.com>","Subject":"[PATCH 0/2] netfilter: fix NULL ops race in iptable lazy init","Date":"Wed, 29 Apr 2026 17:56:10 +0000","Message-ID":"<20260429175613.1459342-1-tristmd@gmail.com>","X-Mailer":"git-send-email 2.47.3","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"From: Tristan Madani <tristan@talencesecurity.com>\n\nipt_register_table() and ip6t_register_table() call xt_register_table()\nwhich adds the new table to the per-netns list, making it visible to\nother code paths.  Only afterwards do they allocate the per-net copy of\nhook ops via kmemdup_array().  This leaves a window where the table is\nfindable via xt_find_table() but has ops=NULL.\n\nIf cleanup_net runs during this window (racing namespace teardown against\nlazy table init), ipt_unregister_table_pre_exit() /\nip6t_unregister_table_pre_exit() finds the table and passes the NULL ops\npointer to nf_unregister_net_hooks(), causing a general protection fault.\n\nFix both ip_tables.c and ip6_tables.c by moving the ops allocation\nbefore xt_register_table(), so the table is never in the list with a\nNULL ops pointer.\n\nTristan Madani (2):\n  netfilter: ip_tables: allocate hook ops before making table visible\n  netfilter: ip6_tables: allocate hook ops before making table visible\n\n net/ipv4/netfilter/ip_tables.c  | 31 ++++++++++++++++---------------\n net/ipv6/netfilter/ip6_tables.c | 28 ++++++++++++++++------------\n 2 files changed, 32 insertions(+), 27 deletions(-)"}