This is a note to let you know that I've just added the patch titled
netfilter: nf_tables: fix register ordering
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
netfilter-nf_tables-fix-register-ordering.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From stable-owner@xxxxxxxxxxxxxxx Sat May 27 16:08:14 2023
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Sat, 27 May 2023 18:08:11 +0200
Subject: netfilter: nf_tables: fix register ordering
To: netfilter-devel@xxxxxxxxxxxxxxx
Cc: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, sashal@xxxxxxxxxx
Message-ID: <20230527160811.67779-12-pablo@xxxxxxxxxxxxx>
From: Florian Westphal <fw@xxxxxxxxx>
[ d209df3e7f7002d9099fdb0f6df0f972b4386a63 ]
[ We hit the trace described in commit message with the
kselftest/nft_trans_stress.sh. This patch diverges from the upstream one
since kernel 4.14 does not have following symbols:
nft_chain_filter_init, nf_tables_flowtable_notifier ]
We must register nfnetlink ops last, as that exposes nf_tables to
userspace. Without this, we could theoretically get nfnetlink request
before net->nft state has been initialized.
Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support")
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
[apanyaki: backport to v4.14-stable]
Signed-off-by: Andrew Paniakin <apanyaki@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/netfilter/nf_tables_api.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6105,18 +6105,25 @@ static int __init nf_tables_module_init(
goto err1;
}
- err = nf_tables_core_module_init();
+ err = register_pernet_subsys(&nf_tables_net_ops);
if (err < 0)
goto err2;
- err = nfnetlink_subsys_register(&nf_tables_subsys);
+ err = nf_tables_core_module_init();
if (err < 0)
goto err3;
+ /* must be last */
+ err = nfnetlink_subsys_register(&nf_tables_subsys);
+ if (err < 0)
+ goto err4;
+
pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@xxxxxxxxx>\n");
- return register_pernet_subsys(&nf_tables_net_ops);
-err3:
+ return err;
+err4:
nf_tables_core_module_exit();
+err3:
+ unregister_pernet_subsys(&nf_tables_net_ops);
err2:
kfree(info);
err1:
Patches currently in stable-queue which might be from stable-owner@xxxxxxxxxxxxxxx are
queue-4.14/netfilter-nftables-add-nft_parse_register_load-and-use-it.patch
queue-4.14/netfilter-nftables-add-nft_parse_register_store-and-use-it.patch
queue-4.14/netfilter-nf_tables-fix-register-ordering.patch
queue-4.14/netfilter-nftables-statify-nft_parse_register.patch
queue-4.14/netfilter-nf_tables-validate-registers-coming-from-userspace.patch
queue-4.14/netfilter-nft_dynset-do-not-reject-set-updates-with-nft_set_eval.patch
queue-4.14/netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
queue-4.14/netfilter-nf_tables-stricter-validation-of-element-data.patch
queue-4.14/netfilter-nf_tables-add-nft_setelem_parse_key.patch
queue-4.14/netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch
queue-4.14/netfilter-nf_tables-allow-up-to-64-bytes-in-the-set-element-data-area.patch
