netfilter: nf_tables: fix register ordering

[ d209df3e7f7002d9099fdb0f6df0f972b4386a63 ]

[ We hit the trace described in commit message with the
kselftest/nft_trans_stress.sh. This patch diverges from the upstream one
since kernel 4.14 does not have following symbols:
nft_chain_filter_init, nf_tables_flowtable_notifier ]

We must register nfnetlink ops last, as that exposes nf_tables to
userspace.  Without this, we could theoretically get nfnetlink request
before net->nft state has been initialized.

Fixes: 99633ab29b213 ("netfilter: nf_tables: complete net namespace support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[apanyaki: backport to v4.14-stable]
Signed-off-by: Andrew Paniakin <apanyaki@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 345fa29f34b9ce651f1ab8503615a8d1463fd442..241a3032d0e66c7a40613b84c1101f24f4e0ba7c 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6105,18 +6105,25 @@ static int __init nf_tables_module_init(void)
                goto err1;
        }
 
-       err = nf_tables_core_module_init();
+       err = register_pernet_subsys(&nf_tables_net_ops);
        if (err < 0)
                goto err2;
 
-       err = nfnetlink_subsys_register(&nf_tables_subsys);
+       err = nf_tables_core_module_init();
        if (err < 0)
                goto err3;
 
+       /* must be last */
+       err = nfnetlink_subsys_register(&nf_tables_subsys);
+       if (err < 0)
+               goto err4;
+
        pr_info("nf_tables: (c) 2007-2009 Patrick McHardy <kaber@trash.net>\n");
-       return register_pernet_subsys(&nf_tables_net_ops);
-err3:
+       return err;
+err4:
        nf_tables_core_module_exit();
+err3:
+       unregister_pernet_subsys(&nf_tables_net_ops);
 err2:
        kfree(info);
 err1: