Re: [PATCH v2 1/2] netfilter: ip_tables: guard ipt_unregister_table_pre_exit against NULL ops

Next message: Dexuan Cui: "RE: [PATCH] Drivers: hv: vmbus: Improve the logc of reserving fb_mmio on Gen2 VMs"
Previous message: Rosen Penev: "[PATCH] platform/x86: panasonic-laptop: simplify allocation of sinf"
In reply to: Tristan Madani: "Re: [PATCH v2 1/2] netfilter: ip_tables: guard ipt_unregister_table_pre_exit against NULL ops"
Next in thread: Tristan Madani: "[PATCH v2 2/2] netfilter: ip6_tables: guard ip6t_unregister_table_pre_exit against NULL ops"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Florian Westphal

Date: Thu Apr 30 2026 - 18:16:27 EST

Tristan Madani <tristmd@xxxxxxxxx> wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > Is there a reproducer for this bug?
>
> Syzkaller hit it under failslab. The race is between the lazy
> init path in ipt_register_table() and cleanup_net(). The table
> becomes visible via xt_register_table() before ops is assigned,
> so pre_exit can find it with NULL ops.

If we have races between a thread calling ipt_register_table and
the netns cleanup path there is nothing we could ever do to fix it:
we are tearing down a live network namespace.

Something else must be going on.