[PATCH v2 0/2] netfilter: fix NULL ops dereference in iptable lazy init

Next message: Tristan Madani: "[PATCH v2 1/2] netfilter: ip_tables: guard ipt_unregister_table_pre_exit against NULL ops"
Previous message: Jakub Kicinski: "Re: [syzbot] [net?] WARNING: ODEBUG bug in lane_ioctl (3)"
In reply to: Tristan Madani: "Re: [PATCH 0/2] netfilter: fix NULL ops race in iptable lazy init"
Next in thread: Tristan Madani: "[PATCH v2 1/2] netfilter: ip_tables: guard ipt_unregister_table_pre_exit against NULL ops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 29 2026 - 19:18:59 EST

v1 moved the ops allocation before xt_register_table(), but as Phil
Sutter pointed out, new_table->ops is still assigned after the table
becomes visible via list_add() inside xt_register_table(). The race
window was reduced but not eliminated.

v2 takes a different approach: guard the pre_exit path against a NULL
ops pointer. If cleanup_net races against lazy table init and finds the
table before ops has been assigned, it simply skips the
nf_unregister_net_hooks() call. The register path will either complete
normally or fail and clean up via __ipt_unregister_table().

v1: https://lore.kernel.org/netdev/20260429175613.1459342-1-tristmd@xxxxxxxxx/

Tristan Madani (2):
netfilter: ip_tables: guard ipt_unregister_table_pre_exit against NULL ops
netfilter: ip6_tables: guard ip6t_unregister_table_pre_exit against NULL ops

net/ipv4/netfilter/ip_tables.c | 2 +-
net/ipv6/netfilter/ip6_tables.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)