From: Florian Westphal <fw@strlen.de>
To: Daniel Gomez <da.gomez@kernel.org>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Phil Sutter <phil@nwl.cc>,
Nikolay Aleksandrov <razor@blackwall.org>,
Ido Schimmel <idosch@nvidia.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Luis Chamberlain <mcgrof@kernel.org>,
Petr Pavlu <petr.pavlu@suse.com>,
Sami Tolvanen <samitolvanen@google.com>,
Aaron Tomlin <atomlin@atomlin.com>,
Lucas De Marchi <demarchi@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
bridge@lists.linux.dev, netdev@vger.kernel.org,
linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org,
Daniel Gomez <da.gomez@samsung.com>
Subject: Re: [PATCH] netfilter: replace -EEXIST with -EBUSY
Date: Fri, 19 Dec 2025 08:48:27 +0100
Message-ID: <aUUDRGqMQ_Ss3bDJ@strlen.de>
In-Reply-To: <20251219-dev-module-init-eexists-netfilter-v1-1-efd3f62412dc@samsung.com>

Daniel Gomez <da.gomez@kernel.org> wrote:
> From: Daniel Gomez <da.gomez@samsung.com>
>
> The -EEXIST error code is reserved by the module loading infrastructure
> to indicate that a module is already loaded. When a module's init
> function returns -EEXIST, userspace tools like kmod interpret this as
> "module already loaded" and treat the operation as successful, returning
> 0 to the user even though the module initialization actually failed.
>
> This follows the precedent set by commit 54416fd76770 ("netfilter:
> conntrack: helper: Replace -EEXIST by -EBUSY") which fixed the same
> issue in nf_conntrack_helper_register().
>
> Affected modules:
> * ebtable_broute ebtable_filter ebtable_nat arptable_filter
> * ip6table_filter ip6table_mangle ip6table_nat ip6table_raw
> * ip6table_security iptable_filter iptable_mangle iptable_nat
> * iptable_raw iptable_security

But this is very different from what 54416fd76770 fixes.

Before 54416fd76770, userspace can make a configuration entry that
prevents an unrelated module from getting loaded but at the same time
it doesn't provide any error to userspace.

All these -EEXIST should not be possible unless the module is
already loaded.

> diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
> index 5697e3949a36..a04fc1757528 100644
> --- a/net/bridge/netfilter/ebtables.c
> +++ b/net/bridge/netfilter/ebtables.c
> @@ -1299,7 +1299,7 @@ int ebt_register_template(const struct ebt_table *t, int (*table_init)(struct ne
> list_for_each_entry(tmpl, &template_tables, list) {
> if (WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)) {
> mutex_unlock(&ebt_mutex);
> - return -EEXIST;
> + return -EBUSY;
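
Review bot: the `return -EBUSY;` inside the `WARN_ON_ONCE(strcmp(t->name, tmpl->name) == 0)` branch has no comment saying why -EEXIST is avoided, and a duplicate name reads so naturally as "exists" that a later cleanup could switch it back. A one-line comment above the return, noting that -EEXIST is reserved for the module loader's "already loaded" case, would keep the reasoning next to the code. It is also worth confirming that no caller of ebt_register_template() tests the result against -EEXIST.
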
As you can see from the WARN_ON, this cannot happen unless someone adds a new ebt kernel
table module that tries to register the same name.
> diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
> index 74cef8bf554c..62cf6a30875e 100644
> --- a/net/netfilter/nf_log.c
> +++ b/net/netfilter/nf_log.c
> @@ -89,7 +89,7 @@ int nf_log_register(u_int8_t pf, struct nf_logger *logger)
> if (pf == NFPROTO_UNSPEC) {
> for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) {
> if (rcu_access_pointer(loggers[i][logger->type])) {
> - ret = -EEXIST;
> + ret = -EBUSY;
> goto unlock;
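
Review bot: only the `pf == NFPROTO_UNSPEC` loop is visible in this hunk. If the path for a single specific pf further down nf_log_register() also sets `ret = -EEXIST` when `loggers[pf][logger->type]` is occupied, it needs the same replacement; otherwise the function reports the same condition with two different codes and the module init path can still see -EEXIST. Please confirm both branches are covered.
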
I don't see how this can happen, unless someone adds a new kernel module
that claims the same type as an existing kernel module.
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index 90b7630421c4..48105ea3df15 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -1764,7 +1764,7 @@ EXPORT_SYMBOL_GPL(xt_hook_ops_alloc);
> int xt_register_template(const struct xt_table *table,
> int (*table_init)(struct net *net))
> {
> - int ret = -EEXIST, af = table->af;
> + int ret = -EBUSY, af = table->af;
> struct xt_template *t;
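
Review bot: in `int ret = -EBUSY, af = table->af;` the error code is only the variable's initial value, so the "template name already registered" meaning is carried by whichever path returns without assigning `ret`. Assigning -EBUSY at the name-clash check itself, or adding a short comment there that -EEXIST must not reach a module init function, would make the intent explicit and harder to undo by accident.
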
Same, this requires someone adding a new kernel module with clashing
name.

I'll apply this patch but it's not related to 54416fd76770 afaics.
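
The commit message quoted above describes a loader reporting success when a module's init function returned -EEXIST. As an added example (not part of this thread, the patch, or kmod), the shell function below checks a /proc/modules-format listing for a "Live" entry instead of relying on the loader's exit status. The function names and the sample listing are constructed here, and it assumes the modules are built as loadable modules, since built-in code does not appear in /proc/modules.

```shell
#!/bin/sh
# Added example (not from the thread): confirm module state after loading,
# rather than relying on the loader's exit status alone.

# Constructed sample in /proc/modules format:
#   name size refcount dependencies state address
sample_listing() {
    cat <<'EOF'
iptable_filter 16384 1 - Live 0x0000000000000000
x_tables 53248 2 iptable_filter,ip_tables, Live 0x0000000000000000
ip_tables 32768 1 iptable_filter, Live 0x0000000000000000
ebtable_nat 16384 0 - Loading 0x0000000000000000
EOF
}

# missing_modules FILE NAME...
# Prints every NAME without a "Live" entry in FILE, one per line.
# Exit status is 1 if any NAME is missing or not Live, 0 otherwise.
missing_modules() {
    listing=$1
    shift
    rc=0
    for name in "$@"; do
        # Field 5 is the module state (Live, Loading or Unloading).
        state=$(awk -v m="$name" '$1 == m { print $5; exit }' "$listing")
        if [ "$state" != "Live" ]; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on the constructed sample; pass /proc/modules on a real system.
tmp=$(mktemp)
sample_listing > "$tmp"
not_loaded=$(missing_modules "$tmp" iptable_filter ebtable_nat iptable_nat) || true
echo "not live: $(echo $not_loaded)"
rm -f "$tmp"
```
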