From: Florian Westphal <fw@xxxxxxxxx> [ d209df3e7f7002d9099fdb0f6df0f972b4386a63 ] [ We hit the trace described in commit message with the kselftest/nft_trans_stress.sh. This patch diverges from the upstream one since kernel 4.14 does not have following symbols: nft_chain_filter_init, nf_tables_flowtable_notifier ] We must register nfnetlink ops last, as that exposes nf_tables to userspace. Without this, we could theoretically get nfnetlink request before net->nft state has been initialized. Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support") Signed-off-by: Florian Westphal <fw@xxxxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> [apanyaki: backport to v4.14-stable] Signed-off-by: Andrew Paniakin <apanyaki@xxxxxxxxxx>
---
 net/netfilter/nf_tables_api.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 345fa29f34b9..241a3032d0e6 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6105,18 +6105,25 @@ static int __init nf_tables_module_init(void)
 goto err1;
 }
 
- err = nf_tables_core_module_init();
+ err = register_pernet_subsys(&nf_tables_net_ops);
 if (err < 0)
 goto err2;
 
- err = nfnetlink_subsys_register(&nf_tables_subsys);
+ err = nf_tables_core_module_init();
 if (err < 0)
 goto err3;
 
+ /* must be last */
+ err = nfnetlink_subsys_register(&nf_tables_subsys);
+ if (err < 0)
+ goto err4;
+
 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@xxxxxxxxx>\n");
- return register_pernet_subsys(&nf_tables_net_ops);
-err3:
+ return err;
+err4:
 nf_tables_core_module_exit();
+err3:
+ unregister_pernet_subsys(&nf_tables_net_ops);
 err2:
 kfree(info);
 err1:
-- 
2.30.2
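Review bot: The `/* must be last */` comment above `nfnetlink_subsys_register()` gives the ordering rule without the reason, so a later backport or refactor could reorder the calls again; I would spell it out in place, e.g. `/* must be last: exposes nf_tables to userspace, so net->nft state must already be set up */`. The unwind labels match the new order (err4 undoes the core init, err3 the pernet registration, err2 frees `info`). The module exit path is not part of this hunk; it is worth confirming there that nfnetlink is unregistered before `unregister_pernet_subsys()`, since otherwise a request could possibly still arrive while the per-net state is being torn down on unload. `nf_tables_module_init()` starts before and ends after the lines shown.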