[PATCH 0/2] netfilter: fix NULL ops race in iptable lazy init

Next message: Tristan Madani: "[PATCH 1/2] netfilter: ip_tables: allocate hook ops before making table visible"
Previous message: Maha Maryam Javaid: "[PATCH] staging: media: sh_css_mmu: fix typo in sh_css_mmu.c"
Next in thread: Tristan Madani: "[PATCH 1/2] netfilter: ip_tables: allocate hook ops before making table visible"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tristan Madani

Date: Wed Apr 29 2026 - 13:57:19 EST

From: Tristan Madani <tristan@xxxxxxxxxxxxxxxxxxx>

ipt_register_table() and ip6t_register_table() call xt_register_table()
which adds the new table to the per-netns list, making it visible to
other code paths. Only afterwards do they allocate the per-net copy of
hook ops via kmemdup_array(). This leaves a window where the table is
findable via xt_find_table() but has ops=NULL.

If cleanup_net runs during this window (racing namespace teardown against
lazy table init), ipt_unregister_table_pre_exit() /
ip6t_unregister_table_pre_exit() finds the table and passes the NULL ops
pointer to nf_unregister_net_hooks(), causing a general protection fault.

Fix both ip_tables.c and ip6_tables.c by moving the ops allocation
before xt_register_table(), so the table is never in the list with a
NULL ops pointer.

Tristan Madani (2):
netfilter: ip_tables: allocate hook ops before making table visible
netfilter: ip6_tables: allocate hook ops before making table visible

net/ipv4/netfilter/ip_tables.c | 31 ++++++++++++++++---------------
net/ipv6/netfilter/ip6_tables.c | 28 ++++++++++++++++------------
2 files changed, 32 insertions(+), 27 deletions(-)

--
2.47.3