3.16.62-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit d209df3e7f7002d9099fdb0f6df0f972b4386a63 upstream.
We must register nfnetlink ops last, as that exposes nf_tables to userspace. Without this, we could theoretically get an nfnetlink request before net->nft state has been initialized.
Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support") Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org [bwh: Backported to 3.16: - We don't call nft_chain_filter_{init,fini}() or {,un}register_netdevice_notifier() - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk
---
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4042,6 +4042,10 @@ static int __init nf_tables_module_init(
 {
 int err;
+ err = register_pernet_subsys(&nf_tables_net_ops);
+ if (err < 0)
+ return err;
+
 info = kmalloc(sizeof(struct nft_expr_info) * NFT_RULE_MAXEXPRS,
 GFP_KERNEL);
 if (info == NULL) {
@@ -4053,17 +4057,19 @@ static int __init nf_tables_module_init(
 if (err < 0)
 goto err2;
+ /* must be last */
 err = nfnetlink_subsys_register(&nf_tables_subsys);
 if (err < 0)
 goto err3;
 pr_info("nf_tables: (c) 2007-2009 Patrick McHardy kaber@trash.net\n");
- return register_pernet_subsys(&nf_tables_net_ops);
+ return err;
 err3:
 nf_tables_core_module_exit();
 err2:
 kfree(info);
 err1:
+ unregister_pernet_subsys(&nf_tables_net_ops);
 return err;
 }
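Review bot: The `/* must be last */` comment above nfnetlink_subsys_register() gives the ordering rule without its reason, so a later reorder could reopen the window in which a netlink request arrives before per-netns state exists; I would spell it out, e.g. `/* must be last: this exposes nf_tables to userspace, so net->nft state has to be set up by now */`. The success path's `return err;` is reached only with a non-negative err, and if the register call returns only 0 on success, `return 0;` would say so directly. The module exit function is not part of this patch; it is worth confirming that it unregisters the nfnetlink subsystem before calling unregister_pernet_subsys(), so that teardown mirrors this order and does not leave a comparable window. This hunk starts partway through nf_tables_module_init(), and the `goto err1` that now reaches the new unregister call lies between the two hunks.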