
netfilter: Update to register_net_sysctl_sz

Move from register_net_sysctl to register_net_sysctl_sz for all the
netfilter related files. Do this while making sure to mirror the NULL
assignments with a table_size of zero for the unprivileged users.

We need to move to the new function in preparation for when we change
SIZE_MAX to ARRAY_SIZE() in the register_net_sysctl macro. Failing to do
so would erroneously allow ARRAY_SIZE() to be called on a pointer. We
hold off the SIZE_MAX to ARRAY_SIZE change until we have migrated all
the relevant net sysctl registering functions to register_net_sysctl_sz
in subsequent commits.

Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Joel Granados <j.granados@samsung.com>
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>

authored by

Joel Granados and committed by
Luis Chamberlain
385a5dc9 7737e46d

+31 -14
+2 -1
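--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -1135,7 +1135,8 @@
 
 	br_netfilter_sysctl_default(brnet);
 
-	brnet->ctl_hdr = register_net_sysctl(net, "net/bridge", table);
+	brnet->ctl_hdr = register_net_sysctl_sz(net, "net/bridge", table,
+					       ARRAY_SIZE(brnf_table));
 	if (!brnet->ctl_hdr) {
 		if (!net_eq(net, &init_net))
 			kfree(table);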
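Review bot: ARRAY_SIZE(brnf_table) is passed as the element count of `table`, and the `kfree(table)` in the error path shows that in non-init namespaces `table` is a separately allocated buffer rather than brnf_table itself, so the count is only correct while that buffer holds every entry of brnf_table; nothing at the call site ties the two together, and a short copy would let the sysctl core walk past the allocation. A one-line comment at the call would record the invariant, e.g. `/* table is brnf_table or a full-size copy of it, so brnf_table's count applies */`. The same static-table count paired with a `table` variable appears in nf_conntrack_reasm.c, nf_conntrack_standalone.c and nf_log.c, where the hunks do not show how `table` is obtained. The enclosing function starts and ends outside this hunk.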
+2 -1
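--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -87,7 +87,8 @@
 	table[2].data = &nf_frag->fqdir->high_thresh;
 	table[2].extra1 = &nf_frag->fqdir->low_thresh;
 
-	hdr = register_net_sysctl(net, "net/netfilter", table);
+	hdr = register_net_sysctl_sz(net, "net/netfilter", table,
+				     ARRAY_SIZE(nf_ct_frag6_sysctl_table));
 	if (hdr == NULL)
 		goto err_reg;
 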
+6 -2
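--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -4266,6 +4266,7 @@
 	struct net *net = ipvs->net;
 	struct ctl_table *tbl;
 	int idx, ret;
+	size_t ctl_table_size = ARRAY_SIZE(vs_vars);
 
 	atomic_set(&ipvs->dropentry, 0);
 	spin_lock_init(&ipvs->dropentry_lock);
@@ -4283,8 +4282,10 @@
 			return -ENOMEM;
 
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
+		if (net->user_ns != &init_user_ns) {
 			tbl[0].procname = NULL;
+			ctl_table_size = 0;
+		}
 	} else
 		tbl = vs_vars;
 	/* Initialize sysctl defaults */
@@ -4356,7 +4353,8 @@
 #endif
 
 	ret = -ENOMEM;
-	ipvs->sysctl_hdr = register_net_sysctl(net, "net/ipv4/vs", tbl);
+	ipvs->sysctl_hdr = register_net_sysctl_sz(net, "net/ipv4/vs", tbl,
+						  ctl_table_size);
 	if (!ipvs->sysctl_hdr)
 		goto err;
 	ipvs->sysctl_tbl = tbl;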
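Review bot: The unprivileged branch in the second hunk now carries two ways of saying "register nothing" — `tbl[0].procname = NULL` and `ctl_table_size = 0` — and nothing in the file explains why both remain; only the commit message states that the zero size mirrors the NULL assignment. A comment on the new line, e.g. `ctl_table_size = 0; /* explicit form of the NULL-procname terminator above */`, would keep that intent next to the code. In the first hunk the new `size_t ctl_table_size = ARRAY_SIZE(vs_vars);` is appended after the shorter declarations, whereas netfilter code commonly keeps the longest declaration first. The same undocumented pairing appears in ip_vs_lblc.c and ip_vs_lblcr.c. The enclosing function starts and ends outside these hunks.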
+7 -3
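--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -550,6 +550,7 @@
 static int __net_init __ip_vs_lblc_init(struct net *net)
 {
 	struct netns_ipvs *ipvs = net_ipvs(net);
+	size_t vars_table_size = ARRAY_SIZE(vs_vars_table);
 
 	if (!ipvs)
 		return -ENOENT;
@@ -563,16 +562,19 @@
 			return -ENOMEM;
 
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
+		if (net->user_ns != &init_user_ns) {
 			ipvs->lblc_ctl_table[0].procname = NULL;
+			vars_table_size = 0;
+		}
 
 	} else
 		ipvs->lblc_ctl_table = vs_vars_table;
 	ipvs->sysctl_lblc_expiration = DEFAULT_EXPIRATION;
 	ipvs->lblc_ctl_table[0].data = &ipvs->sysctl_lblc_expiration;
 
-	ipvs->lblc_ctl_header =
-		register_net_sysctl(net, "net/ipv4/vs", ipvs->lblc_ctl_table);
+	ipvs->lblc_ctl_header = register_net_sysctl_sz(net, "net/ipv4/vs",
+						       ipvs->lblc_ctl_table,
+						       vars_table_size);
 	if (!ipvs->lblc_ctl_header) {
 		if (!net_eq(net, &init_net))
 			kfree(ipvs->lblc_ctl_table);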
+7 -3
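--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -736,6 +736,7 @@
 static int __net_init __ip_vs_lblcr_init(struct net *net)
 {
 	struct netns_ipvs *ipvs = net_ipvs(net);
+	size_t vars_table_size = ARRAY_SIZE(vs_vars_table);
 
 	if (!ipvs)
 		return -ENOENT;
@@ -749,15 +748,18 @@
 			return -ENOMEM;
 
 		/* Don't export sysctls to unprivileged users */
-		if (net->user_ns != &init_user_ns)
+		if (net->user_ns != &init_user_ns) {
 			ipvs->lblcr_ctl_table[0].procname = NULL;
+			vars_table_size = 0;
+		}
 	} else
 		ipvs->lblcr_ctl_table = vs_vars_table;
 	ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;
 	ipvs->lblcr_ctl_table[0].data = &ipvs->sysctl_lblcr_expiration;
 
-	ipvs->lblcr_ctl_header =
-		register_net_sysctl(net, "net/ipv4/vs", ipvs->lblcr_ctl_table);
+	ipvs->lblcr_ctl_header = register_net_sysctl_sz(net, "net/ipv4/vs",
+							ipvs->lblcr_ctl_table,
+							vars_table_size);
 	if (!ipvs->lblcr_ctl_header) {
 		if (!net_eq(net, &init_net))
 			kfree(ipvs->lblcr_ctl_table);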
+3 -1
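--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -1106,7 +1106,9 @@
 		table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
 	}
 
-	cnet->sysctl_header = register_net_sysctl(net, "net/netfilter", table);
+	cnet->sysctl_header = register_net_sysctl_sz(net, "net/netfilter",
+						     table,
+						     ARRAY_SIZE(nf_ct_sysctl_table));
 	if (!cnet->sysctl_header)
 		goto out_unregister_netfilter;
 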
+4 -3
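--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -487,9 +487,10 @@
 	for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++)
 		table[i].extra2 = net;
 
-	net->nf.nf_log_dir_header = register_net_sysctl(net,
-						"net/netfilter/nf_log",
-						table);
+	net->nf.nf_log_dir_header = register_net_sysctl_sz(net,
+						"net/netfilter/nf_log",
+						table,
+						ARRAY_SIZE(nf_log_sysctl_table));
 	if (!net->nf.nf_log_dir_header)
 		goto err_reg;
 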