git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Wed, 6 May 2026 10:07:19 +0000 (12:07 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 7 May 2026 23:30:17 +0000 (01:30 +0200)
commit	92c603fa07bc0d6a17345de3ad7954730b8de44b
tree	d103a9cd718fb5b58c7822aef531b520b189514c	tree \| snapshot
parent	b7f0544d86d439cb946515d2ef6a0a75e8626710	commit \| diff

netfilter: ebtables: close dangling table module init race

sashiko reported for a related patch:
In modules like iptable_raw.c, [..], if register_pernet_subsys() fails,
the rollback might call kfree(rawtable_ops) before [..]
During this window, could a concurrent userspace process find the globally
visible template, trigger table_init(), [..]

The table init functions must always register the template last.

Otherwise, set/getsockopt can instantiate a table in a namespace
while the required pernet ops (contain the destructor) isn't available.
This change is also required in x_tables, handled in followup change.

Fixes: 87663c39f898 ("netfilter: ebtables: do not hook tables by default")
Reviewed-by: Tristan Madani <tristan@talencesecurity.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/bridge/netfilter/ebtable_broute.c		diff \| blob \| blame \| history
net/bridge/netfilter/ebtable_filter.c		diff \| blob \| blame \| history
net/bridge/netfilter/ebtable_nat.c		diff \| blob \| blame \| history