Re: [PATCH v2 1/2] netfilter: ip_tables: guard ipt_unregister_table_pre_exit against NULL ops
From: Florian Westphal
Date: Thu Apr 30 2026 - 09:28:40 EST
Tristan Madani <tristmd@xxxxxxxxx> wrote:
> ipt_register_table() adds the table to the per-netns list via
> xt_register_table() before assigning the per-net ops copy to
> new_table->ops. If cleanup_net runs during this window,
> ipt_unregister_table_pre_exit() finds the table via xt_find_table()
> and passes the NULL ops pointer to nf_unregister_net_hooks(), causing
> a general protection fault.
>
> Guard against this by checking table->ops before calling
> nf_unregister_net_hooks(). If ops is NULL the table is still being
> set up; the register path will either complete and register the hooks
> normally, or fail and clean up via __ipt_unregister_table().
Is there a reproducer for this bug?
This explanation makes little sense to me.
If netns is being destroyed, then there should be no more requests
to set/getsockopt.
Is this perhaps about aggressive rmmod + parallel set/getsockopt calls?
That would make more sense, but this needs a different fix.
I'm working on a new unreg scheme to avoid rmmod racing with concurrent
calls into iptables set/getsockopts.
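The ordering the commit message describes (table published on the per-netns list before its ops pointer is assigned, so a concurrent pre_exit can find it with ops == NULL), modelled in user space as an added example. This is not the patch's code and not kernel code: the struct names mirror the kernel's, but the list, the `hooks_unregistered` counter and the `publish_table`/`assign_ops` split are simplifications constructed here to make the two steps of registration visible. It shows what the proposed NULL check does and does not buy; it says nothing about whether the window is actually reachable, which is the question the reply above raises.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel types; only the fields the
 * scenario needs are modelled. */
struct nf_hook_ops {
    int hooknum;
};

struct xt_table {
    char name[32];
    struct nf_hook_ops *ops;   /* NULL until the register path finishes */
    struct xt_table *next;
};

struct net {
    struct xt_table *tables;   /* per-netns table list, a plain singly linked list here */
    int hooks_unregistered;    /* counts teardown calls so a test can observe them */
};

/* Step 1 of registration: put the table on the list. In the described
 * scenario this is the point from which cleanup_net could already see it,
 * while ops is still NULL. */
static struct xt_table *publish_table(struct net *net, const char *name)
{
    struct xt_table *t = calloc(1, sizeof(*t));
    if (!t)
        return NULL;
    snprintf(t->name, sizeof(t->name), "%s", name);
    t->ops = NULL;
    t->next = net->tables;
    net->tables = t;
    return t;
}

/* Step 2 of registration: assign the per-net ops copy. */
static void assign_ops(struct xt_table *t, struct nf_hook_ops *ops)
{
    t->ops = ops;
}

/* Stand-in for xt_find_table(): lookup by name on the per-netns list. */
static struct xt_table *find_table(struct net *net, const char *name)
{
    for (struct xt_table *t = net->tables; t; t = t->next)
        if (strcmp(t->name, name) == 0)
            return t;
    return NULL;
}

/* Stand-in for nf_unregister_net_hooks(): dereferences ops, so a NULL
 * ops pointer is exactly the fault the commit message describes. */
static void unregister_hooks(struct net *net, struct nf_hook_ops *ops)
{
    printf("unregistering hook %d\n", ops->hooknum);
    net->hooks_unregistered++;
}

/* The unguarded pre_exit path: reports (without actually dereferencing)
 * whether it would have passed a NULL ops pointer on to unregister_hooks. */
static int pre_exit_unguarded_would_fault(struct net *net, const char *name)
{
    struct xt_table *t = find_table(net, name);
    if (!t)
        return 0;
    return t->ops == NULL;
}

/* The guarded pre_exit path as the patch proposes: a table whose ops is
 * still NULL is treated as "still being set up" and skipped.
 * Returns 1 if hooks were unregistered, 0 if skipped or not found. */
static int pre_exit_guarded(struct net *net, const char *name)
{
    struct xt_table *t = find_table(net, name);
    if (!t || !t->ops)
        return 0;
    unregister_hooks(net, t->ops);
    return 1;
}

int main(void)
{
    struct net n;
    struct nf_hook_ops ops = { .hooknum = 1 };
    memset(&n, 0, sizeof(n));

    struct xt_table *t = publish_table(&n, "filter");   /* step 1 only */
    printf("after publish: unguarded would fault=%d, guarded did work=%d\n",
           pre_exit_unguarded_would_fault(&n, "filter"),
           pre_exit_guarded(&n, "filter"));

    assign_ops(t, &ops);                                /* step 2 completes */
    printf("after assign:  unguarded would fault=%d, guarded did work=%d\n",
           pre_exit_unguarded_would_fault(&n, "filter"),
           pre_exit_guarded(&n, "filter"));
    free(t);
    return 0;
}
```

The guard only changes the outcome when pre_exit is interleaved between the two registration steps; once `assign_ops` has run, both paths behave identically. That is why the reply's question matters: if no caller can reach pre_exit while registration is in flight, the check never fires, and if the real race is with rmmod rather than cleanup_net, skipping the table leaves its hooks to whichever path runs next.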