netfilter: bridge: eb_tables: close module init race

sashiko reports for unrelated patch:
 Does the core ebtables initialization in ebtables.c suffer from a similar race?
 Once nf_register_sockopt() completes, the sockopts are exposed globally.

sockopt has to be registered last, just like in ip/ip6/arptables.

Fixes: 5b53951cfc85 ("netfilter: ebtables: use net_generic infra")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 3578ffbc14aee35af3d28b6a17c40e31bb11fbde..b9f4daac09af36ddddee24900e3f162190a7685b 100644 (file)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2583,19 +2583,20 @@ static int __init ebtables_init(void)
 {
        int ret;
 
-       ret = xt_register_target(&ebt_standard_target);
+       ret = register_pernet_subsys(&ebt_net_ops);
        if (ret < 0)
                return ret;
-       ret = nf_register_sockopt(&ebt_sockopts);
+
+       ret = xt_register_target(&ebt_standard_target);
        if (ret < 0) {
-               xt_unregister_target(&ebt_standard_target);
+               unregister_pernet_subsys(&ebt_net_ops);
                return ret;
        }
 
-       ret = register_pernet_subsys(&ebt_net_ops);
+       ret = nf_register_sockopt(&ebt_sockopts);
        if (ret < 0) {
-               nf_unregister_sockopt(&ebt_sockopts);
                xt_unregister_target(&ebt_standard_target);
+               unregister_pernet_subsys(&ebt_net_ops);
                return ret;
        }