3.16.62-rc1 review patch. If anyone has any objections, please let me know.
------------------ From: Florian Westphal <[email protected]> commit d209df3e7f7002d9099fdb0f6df0f972b4386a63 upstream. We must register nfnetlink ops last, as that exposes nf_tables to userspace. Without this, we could theoretically get nfnetlink request before net->nft state has been initialized. Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support") Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> [bwh: Backported to 3.16: - We don't call nft_chain_filter_{init,fini}() or {,un}register_netdevice_notifier() - Adjust context] Signed-off-by: Ben Hutchings <[email protected]>
---
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4042,6 +4042,10 @@ static int __init nf_tables_module_init(
 {
 int err;
+ err = register_pernet_subsys(&nf_tables_net_ops);
+ if (err < 0)
+ return err;
+
 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS, GFP_KERNEL);
 if (info == NULL) {
@@ -4053,17 +4057,19 @@ static int __init nf_tables_module_init(
 if (err < 0)
 goto err2;
+ /* must be last */
 err = nfnetlink_subsys_register(&nf_tables_subsys);
 if (err < 0)
 goto err3;
 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <[email protected]>\n");
- return register_pernet_subsys(&nf_tables_net_ops);
+ return err;
 err3:
 nf_tables_core_module_exit();
 err2:
 kfree(info);
 err1:
+ unregister_pernet_subsys(&nf_tables_net_ops);
 return err;
 }
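Review bot: The new `register_pernet_subsys()` call at the top of `nf_tables_module_init()` has no comment saying why it must come first, while its counterpart in the next hunk is at least marked `/* must be last */`. A one-line comment such as `/* per-netns state first: net->nft must be initialized before nfnetlink can deliver a request */` would keep a later reordering from reopening the window the commit message describes. The bare `return err;` is correct here because nothing has been acquired yet. The kmalloc failure branch lies between the two hunks and is not visible; it presumably jumps to `err1`, which after this patch also has to undo the pernet registration, as the second hunk arranges.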
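Review bot: Module unload has the mirror-image ordering requirement, and `nf_tables_module_exit()` is neither changed nor shown by this patch. If it calls `unregister_pernet_subsys()` before `nfnetlink_subsys_unregister()`, userspace could still reach nf_tables while per-netns state is being torn down, so that function should be checked against this backport. In this hunk, `/* must be last */` would be more durable with the reason attached, e.g. `/* must be last: exposes nf_tables to userspace */`, and the success path reads more clearly as `return 0;` than as `return err;`. The unwind labels run in reverse order of acquisition (`err3` core exit, `err2` kfree, `err1` pernet unregister), which matches the new init order.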

