From: Daniel Gomez <da.gomez@samsung.com>
[ Upstream commit 2bafeb8d2f380c3a81d98bd7b78b854b564f9cd4 ]
The -EEXIST error code is reserved by the module loading infrastructure to indicate that a module is already loaded. When a module's init function returns -EEXIST, userspace tools like kmod interpret this as "module already loaded" and treat the operation as successful, returning 0 to the user even though the module initialization actually failed.
Replace -EEXIST with -EBUSY to ensure correct error reporting in the module initialization path.
Affected modules:
 * ebtable_broute ebtable_filter ebtable_nat arptable_filter
 * ip6table_filter ip6table_mangle ip6table_nat ip6table_raw
 * ip6table_security iptable_filter iptable_mangle iptable_nat
 * iptable_raw iptable_security

Signed-off-by: Daniel Gomez <da.gomez@samsung.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
LLM Generated explanations, may be completely bogus:
## Commit Analysis: netfilter: replace -EEXIST with -EBUSY
### 1. COMMIT MESSAGE ANALYSIS
The commit explains a subtle but important bug in error reporting:

- When module initialization returns `-EEXIST`, the userspace module loading tooling (kmod) interprets this as "module already loaded"
- kmod then returns **success (0)** to userspace, even though the module initialization actually **failed**
- This creates a silent failure condition where users believe operations succeeded when they didn't
Keywords: "error reporting", "failed" - this is a bug fix, not a feature.
### 2. CODE CHANGE ANALYSIS
The changes are trivial and identical across three files:
**net/bridge/netfilter/ebtables.c** (`ebt_register_template()`):

```diff
- return -EEXIST;
+ return -EBUSY;
```

**net/netfilter/nf_log.c** (`nf_log_register()`):

```diff
- ret = -EEXIST;
+ ret = -EBUSY;
```

**net/netfilter/x_tables.c** (`xt_register_template()`):

```diff
- int ret = -EEXIST, af = table->af;
+ int ret = -EBUSY, af = table->af;
```
All three functions are registration routines called during module initialization for netfilter tables. When a duplicate name/type is detected, they were returning `-EEXIST`, which gets misinterpreted by kmod.
### 3. CLASSIFICATION
**Bug fix**: Corrects error code semantics. No new functionality, no behavior change beyond proper error reporting.
The `-EBUSY` error code is semantically appropriate ("resource is busy/in use") and is not intercepted specially by the module loading infrastructure.
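To make the interaction concrete, here is an added C model (not kernel or kmod code) of a table-template registry with the pre-patch and post-patch duplicate-name error codes, plus a `loader_verdict()` that applies the policy the commit message attributes to kmod: `-EEXIST` from module init is reported to the user as success. The registry, the reuse of the name "filter" and the loader policy are constructed for this illustration.

```c
#include <errno.h>
#include <string.h>

#define MAX_TEMPLATES 8

/* Constructed stand-in for the kernel's per-family template list. */
struct template_registry { const char *names[MAX_TEMPLATES]; int count; };

/* Register a table template; an already-registered name yields dup_err. */
static int do_register(struct template_registry *r, const char *name, int dup_err)
{
	for (int i = 0; i < r->count; i++)
		if (strcmp(r->names[i], name) == 0)
			return dup_err;
	if (r->count == MAX_TEMPLATES)
		return -ENOMEM;
	r->names[r->count++] = name;
	return 0;
}

/* Before the patch: a duplicate template name returned -EEXIST. */
static int register_template_old(struct template_registry *r, const char *name)
{
	return do_register(r, name, -EEXIST);
}

/* After the patch: the same condition returns -EBUSY. */
static int register_template_fixed(struct template_registry *r, const char *name)
{
	return do_register(r, name, -EBUSY);
}

/* Assumed loader policy, as the commit message describes kmod: -EEXIST from
 * module init is taken as "already loaded" and reported to the user as 0. */
static int loader_verdict(int init_ret)
{
	return init_ret == -EEXIST ? 0 : init_ret;
}

/* Load the same table module twice into a fresh registry and return what the
 * user sees for the second load; use_fix selects the patched error code. */
static int second_load_verdict(int use_fix)
{
	struct template_registry r = { .count = 0 };
	int (*reg)(struct template_registry *, const char *) =
		use_fix ? register_template_fixed : register_template_old;

	reg(&r, "filter");                        /* first load registers it */
	return loader_verdict(reg(&r, "filter")); /* second load is a duplicate */
}
```

With the old code the second load reports 0 even though registration failed; with the fix the user sees -EBUSY.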
### 4. SCOPE AND RISK ASSESSMENT
- **Lines changed**: ~6 actual code changes
- **Files affected**: 3 files in netfilter subsystem
- **Complexity**: Trivial - only changing error code constants
- **Risk**: Extremely low - no logic changes at all

The only conceivable concern would be if userspace depended on `-EEXIST`, but:

1. These are internal kernel registration functions
2. The duplicate condition should never occur in normal operation (note the `WARN_ON_ONCE`)
3. The current behavior is **wrong** - it reports success on failure
### 5. USER IMPACT
**High impact bug**:

- Affects all netfilter/iptables users when module initialization fails
- Security implications: Users may believe their firewall tables loaded successfully when they didn't
- Affected modules include: `iptable_filter`, `iptable_nat`, `ip6table_filter`, `ebtable_filter`, etc. - core firewall components
This is exactly the kind of silent failure that can cause security issues in production.
### 6. STABILITY INDICATORS
- Signed-off-by: Florian Westphal (netfilter maintainer) - indicates proper review
- The fix is self-evidently correct
- Clear problem description in commit message
### 7. DEPENDENCY CHECK
- No dependencies on other commits
- The affected code (netfilter table registration) exists in all stable kernel trees
- These are long-standing, mature functions
### Summary
| Criterion | Assessment |
|-----------|------------|
| Fixes real bug? | ✅ Yes - silent failure condition |
| Obviously correct? | ✅ Yes - trivial error code change |
| Small and contained? | ✅ Yes - 6 lines across 3 files |
| Security relevant? | ✅ Yes - firewall may silently fail to load |
| Risk of regression? | ✅ Minimal - no logic changes |
| Dependencies? | ✅ None - self-contained |
This commit fixes incorrect error semantics that cause userspace tools to report success when module initialization fails. The fix is trivial (changing error codes), affects widely-used firewall code, has potential security implications (users may not know their firewall failed), and carries virtually zero regression risk. It meets all stable kernel criteria.
**YES**
 net/bridge/netfilter/ebtables.c | 2 +-
 net/netfilter/nf_log.c          | 4 ++--
 net/netfilter/x_tables.c        | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5697e3949a365..a04fc17575289 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne list_for_each_entry(tmpl, &template_tables, list) { if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) { mutex_unlock(&ebt_mutex); - return -EEXIST; + return -EBUSY; } }
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 74cef8bf554c5..62cf6a30875e3 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) if (pf == NFPROTO_UNSPEC) { for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) { if (rcu_access_pointer(loggers[i][logger->type])) { - ret = -EEXIST; + ret = -EBUSY; goto unlock; } } @@ -97,7 +97,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger) rcu_assign_pointer(loggers[i][logger->type], logger); } else { if (rcu_access_pointer(loggers[pf][logger->type])) { - ret = -EEXIST; + ret = -EBUSY; goto unlock; } rcu_assign_pointer(loggers[pf][logger->type], logger); diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c index 90b7630421c44..48105ea3df152 100644 --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1764,7 +1764,7 @@ EXPORT_SYMBOL_GPL(xt_hook_ops_alloc); int xt_register_template(const struct xt_table *table, int (*table_init)(struct net *net)) { - int ret = -EEXIST, af = table->af; + int ret = -EBUSY, af = table->af; struct xt_template *t;
mutex_lock(&xt[af].mutex);
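Review bot: In the ebt_register_template() hunk the duplicate-name branch sits under WARN_ON_ONCE(), so -EBUSY is only ever returned together with a warning splat; the code already treats this as a should-not-happen condition, which supports the claim that no caller legitimately relies on -EEXIST here. The commit message would be stronger if it said explicitly that the listed ebtable_* modules pass this return value straight through as their init result, since that propagation is what lets kmod misread it as "already loaded".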
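Review bot: The two nf_log_register() hunks change the NFPROTO_UNSPEC loop and the single-family branch consistently, but the commit message's "Affected modules" list names only table modules and says nothing about nf_log_register() or the logger modules whose init propagates its result. Either extend the list or add a sentence explaining why the nf_log change is included, so the stable reviewer can see the full set of modules whose error reporting changes.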
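Review bot: In xt_register_template() the error code is the initializer of `ret` rather than an assignment at the duplicate check, so -EBUSY becomes the function's default result for every path that leaves `ret` untouched; the hunk ends at `mutex_lock(&xt[af].mutex);`, so those paths are not visible in this diff. For a stable backport the one-line change is the right minimal fix; a mainline follow-up could set `ret` at the detection site so the failure reason is local to the check, as the ebtables and nf_log hunks already do.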