Re: [PATCH 0/2] netfilter: fix NULL ops race in iptable lazy init

Next message: Linus Torvalds: "Re: [PATCH v3 04/19] VFS: use wait_var_event for waiting in d_alloc_parallel()"
Previous message: Johannes Thumshirn: "Re: [PATCH] scsi: advansys: drop ISA_DMA_API remnants"
In reply to: Phil Sutter: "Re: [PATCH 0/2] netfilter: fix NULL ops race in iptable lazy init"
Next in thread: Tristan Madani: " [PATCH v2 0/2] netfilter: fix NULL ops dereference in iptable lazy init"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 29 2026 - 17:07:19 EST

On Wed, 30 Apr 2026 Phil Sutter wrote:
> Is this true? Your patch moves the ops allocation, but new_table->ops is
> still assigned after xt_register_table() has returned. AIUI, the race
> window is just reduced, not eliminated.

You are right -- I missed that new_table->ops is assigned after
xt_register_table() returns. The table becomes visible via list_add()
inside xt_register_table(), but the ops pointer is still NULL at that
point. Moving the allocation alone does not close the window.

We cannot assign ops before xt_register_table() because we need the
returned new_table pointer to set ops[i].priv.

Would a V2 that guards the pre_exit path instead be acceptable?
Something like:

void ipt_unregister_table_pre_exit(struct net *net, const char *name)
{
struct xt_table *table = xt_find_table(net, NFPROTO_IPV4, name);

if (table && table->ops)
nf_unregister_net_hooks(net, table->ops,
hweight32(table->valid_hooks));
}

This way cleanup_net simply skips the table if ops has not been assigned
yet. The register path will either complete and call
nf_register_net_hooks() normally, or fail and clean up via
__ipt_unregister_table().

Thanks,
Tristan