3 files changed, 5 insertions, 4 deletions

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index d756af559977..ace67a549b30 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -449,7 +449,6 @@ enum nft_chain_flags {
  *
  *      @rules: list of rules in the chain
  *      @list: used internally
- *      @net: net namespace that this chain belongs to
  *      @table: table that this chain belongs to
  *      @handle: chain handle
  *      @use: number of jump references to this chain
@@ -460,7 +459,6 @@ enum nft_chain_flags {
 struct nft_chain {
         struct list_head                rules;
         struct list_head                list;
-        struct net                      *net;
         struct nft_table                *table;
         u64                             handle;
         u32                             use;
@@ -512,6 +510,7 @@ struct nft_stats {
  *      struct nft_base_chain - nf_tables base chain
  *
  *      @ops: netfilter hook ops
+ *      @pnet: net namespace that this chain belongs to
  *      @type: chain type
  *      @policy: default policy
  *      @stats: per-cpu chain stats
@@ -519,6 +518,7 @@ struct nft_stats {
  */
 struct nft_base_chain {
         struct nf_hook_ops              ops[NFT_HOOK_OPS_MAX];
+        possible_net_t                  pnet;
         const struct nf_chain_type      *type;
         u8                              policy;
         struct nft_stats __percpu       *stats;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 363a39a6c286..0b969b66cb77 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1354,6 +1354,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
                         rcu_assign_pointer(basechain->stats, stats);
                 }
 
+                write_pnet(&basechain->pnet, net);
                 basechain->type = type;
                 chain = &basechain->chain;
 
@@ -1381,7 +1382,6 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
 
         INIT_LIST_HEAD(&chain->rules);
         chain->handle = nf_tables_alloc_handle(table);
-        chain->net = net;
         chain->table = table;
         nla_strlcpy(chain->name, name, NFT_CHAIN_MAXNAMELEN);
 
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 77165bf023f3..4c921a302cfd 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -112,6 +112,7 @@ unsigned int
 nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
 {
         const struct nft_chain *chain = ops->priv, *basechain = chain;
+        const struct net *net = read_pnet(&nft_base_chain(basechain)->pnet);
         const struct nft_rule *rule;
         const struct nft_expr *expr, *last;
         struct nft_data data[NFT_REG_MAX + 1];
@@ -123,7 +124,7 @@ nft_do_chain(struct nft_pktinfo *pkt, const struct nf_hook_ops *ops)
          * Cache cursor to avoid problems in case that the cursor is updated
          * while traversing the ruleset.
          */
-        unsigned int gencursor = ACCESS_ONCE(chain->net->nft.gencursor);
+        unsigned int gencursor = ACCESS_ONCE(net->nft.gencursor);
 
 do_chain:
         rulenum = 0;