CC: [email protected] CC: [email protected] BCC: [email protected] CC: [email protected] TO: Florian Westphal <[email protected]>
tree: git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git testing head: 4456ac35299c131e2ac26b4dc025b257d810277b commit: 11b2910d788799e8c68df305994260fd79a61e10 [9/12] netfilter: add bpf base hook program generator :::::: branch date: 2 days ago :::::: commit date: 2 days ago config: x86_64-randconfig-c007 (https://download.01.org/0day-ci/archive/20220521/[email protected]/config) compiler: clang version 15.0.0 (https://github.com/llvm/llvm-project e00cbbec06c08dc616a0d52a20f678b8fbd4e304) reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git/commit/?id=11b2910d788799e8c68df305994260fd79a61e10 git remote add netfilter-nf-next git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git git fetch --no-tags netfilter-nf-next testing git checkout 11b2910d788799e8c68df305994260fd79a61e10 # save the config file COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=x86_64 clang-analyzer If you fix the issue, kindly add following tag where applicable Reported-by: kernel test robot <[email protected]> clang-analyzer warnings: (new ones prefixed by >>) ^~~~~~~ drivers/nvdimm/region_devs.c:444:8: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 rc = sprintf(buf, "\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:459:8: warning: Call to function 'sprintf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] rc = sprintf(buf, "%s\n", dev_name(nd_region->dax_seed)); ^~~~~~~ drivers/nvdimm/region_devs.c:459:8: note: Call to function 'sprintf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 rc = sprintf(buf, "%s\n", dev_name(nd_region->dax_seed)); ^~~~~~~ drivers/nvdimm/region_devs.c:461:8: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] rc = sprintf(buf, "\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:461:8: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 rc = sprintf(buf, "\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:473:9: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%d\n", nd_region->ro); ^~~~~~~ drivers/nvdimm/region_devs.c:473:9: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%d\n", nd_region->ro); ^~~~~~~ drivers/nvdimm/region_devs.c:503:9: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%#lx\n", nd_region->align); ^~~~~~~ drivers/nvdimm/region_devs.c:503:9: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%#lx\n", nd_region->align); ^~~~~~~ drivers/nvdimm/region_devs.c:568:9: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%#llx\n", nd_region->ndr_start); ^~~~~~~ drivers/nvdimm/region_devs.c:568:9: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%#llx\n", nd_region->ndr_start); ^~~~~~~ drivers/nvdimm/region_devs.c:578:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "cpu_cache\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:578:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "cpu_cache\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:580:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "memory_controller\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:580:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "memory_controller\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:582:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:582:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "\n"); ^~~~~~~ drivers/nvdimm/region_devs.c:671:9: warning: Call to function 'sprintf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%s,%llu,%llu,%d\n", dev_name(&nvdimm->dev), ^~~~~~~ drivers/nvdimm/region_devs.c:671:9: note: Call to function 'sprintf' is insecure as it does not provide bounding of the memory buffer or security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%s,%llu,%llu,%d\n", dev_name(&nvdimm->dev), ^~~~~~~ Suppressed 50 warnings (50 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 37 warnings generated. Suppressed 37 warnings (37 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 49 warnings generated. Suppressed 49 warnings (49 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 78 warnings generated. net/ethtool/stats.c:122:2: warning: Call to function 'memset' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memset_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] memset(&data->stats, 0xff, sizeof(data->stats)); ^ include/linux/fortify-string.h:288:25: note: expanded from macro 'memset' #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/fortify-string.h:281:2: note: expanded from macro '__fortify_memset_chk' __underlying_memset(p, c, __fortify_size); \ ^~~~~~~~~~~~~~~~~~~ include/linux/fortify-string.h:47:29: note: expanded from macro '__underlying_memset' #define __underlying_memset __builtin_memset ^~~~~~~~~~~~~~~~ net/ethtool/stats.c:122:2: note: Call to function 'memset' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'memset_s' in case of C11 memset(&data->stats, 0xff, sizeof(data->stats)); ^ include/linux/fortify-string.h:288:25: note: expanded from macro 'memset' #define memset(p, c, s) __fortify_memset_chk(p, c, s, \ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/linux/fortify-string.h:281:2: note: expanded from macro '__fortify_memset_chk' __underlying_memset(p, c, __fortify_size); \ ^~~~~~~~~~~~~~~~~~~ include/linux/fortify-string.h:47:29: note: expanded from macro '__underlying_memset' #define __underlying_memset __builtin_memset ^~~~~~~~~~~~~~~~ Suppressed 77 warnings (77 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 77 warnings generated. Suppressed 77 warnings (77 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 77 warnings generated. Suppressed 77 warnings (77 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 111 warnings generated. >> net/netfilter/core.c:183:2: warning: Value stored to 'hook_bpf_prog' is >> never read [clang-analyzer-deadcode.DeadStores] hook_bpf_prog = nf_hook_bpf_create(new); ^ ~~~~~~~~~~~~~~~~~~~~~~~ net/netfilter/core.c:183:2: note: Value stored to 'hook_bpf_prog' is never read hook_bpf_prog = nf_hook_bpf_create(new); ^ ~~~~~~~~~~~~~~~~~~~~~~~ Suppressed 110 warnings (108 in non-user code, 2 with check filters). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 96 warnings generated. net/netfilter/nf_log.c:226:3: warning: Call to function 'vsnprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsnprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] vsnprintf(prefix, sizeof(prefix), fmt, args); ^~~~~~~~~ net/netfilter/nf_log.c:226:3: note: Call to function 'vsnprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsnprintf_s' in case of C11 vsnprintf(prefix, sizeof(prefix), fmt, args); ^~~~~~~~~ net/netfilter/nf_log.c:250:3: warning: Call to function 'vsnprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsnprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] vsnprintf(prefix, sizeof(prefix), fmt, args); ^~~~~~~~~ net/netfilter/nf_log.c:250:3: note: Call to function 'vsnprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsnprintf_s' in case of C11 vsnprintf(prefix, sizeof(prefix), fmt, args); ^~~~~~~~~ net/netfilter/nf_log.c:273:9: warning: Call to function 'vsnprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsnprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] len = vsnprintf(m->buf + m->count, S_SIZE - m->count, f, args); ^~~~~~~~~ net/netfilter/nf_log.c:273:9: note: Call to function 'vsnprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'vsnprintf_s' in case of C11 len = vsnprintf(m->buf + m->count, S_SIZE - m->count, f, args); ^~~~~~~~~ net/netfilter/nf_log.c:318:14: warning: Value stored to 'net' during its initialization is never read [clang-analyzer-deadcode.DeadStores] struct net *net = seq_file_net(seq); ^~~ ~~~~~~~~~~~~~~~~~ net/netfilter/nf_log.c:318:14: note: Value stored to 'net' during its initialization is never read struct net *net = seq_file_net(seq); ^~~ ~~~~~~~~~~~~~~~~~ net/netfilter/nf_log.c:330:14: warning: Value stored to 'net' during its initialization is never read [clang-analyzer-deadcode.DeadStores] struct net *net = seq_file_net(s); ^~~ ~~~~~~~~~~~~~~~ net/netfilter/nf_log.c:330:14: note: Value stored to 'net' during its initialization is never read struct net *net = seq_file_net(s); ^~~ ~~~~~~~~~~~~~~~ net/netfilter/nf_log.c:470:4: warning: Call to function 'snprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'snprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] snprintf(nf_log_sysctl_fnames[i], ^~~~~~~~ net/netfilter/nf_log.c:470:4: note: Call to function 'snprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'snprintf_s' in case of C11 snprintf(nf_log_sysctl_fnames[i], ^~~~~~~~ Suppressed 90 warnings (90 in non-user code). Use -header-filter=.* to display errors from all non-system headers. Use -system-headers to display errors from system headers as well. 60 warnings generated. drivers/hwmon/f71882fg.c:1382:9: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%d\n", speed); ^~~~~~~ drivers/hwmon/f71882fg.c:1382:9: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%d\n", speed); ^~~~~~~ drivers/hwmon/f71882fg.c:1391:9: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%d\n", speed); ^~~~~~~ drivers/hwmon/f71882fg.c:1391:9: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%d\n", speed); ^~~~~~~ drivers/hwmon/f71882fg.c:1424:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "1\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1424:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "1\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1426:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "0\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1426:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "0\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1460:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "1\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1460:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "1\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1462:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "0\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1462:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "0\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1471:9: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%d\n", data->in[nr] * 8); ^~~~~~~ drivers/hwmon/f71882fg.c:1471:9: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%d\n", data->in[nr] * 8); ^~~~~~~ drivers/hwmon/f71882fg.c:1479:9: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "%d\n", data->in1_max * 8); ^~~~~~~ drivers/hwmon/f71882fg.c:1479:9: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "%d\n", data->in1_max * 8); ^~~~~~~ drivers/hwmon/f71882fg.c:1514:10: warning: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 [clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling] return sprintf(buf, "1\n"); ^~~~~~~ drivers/hwmon/f71882fg.c:1514:10: note: Call to function 'sprintf' is insecure as it does not provide security checks introduced in the C11 standard. Replace with analogous functions that support length arguments or provides boundary checks such as 'sprintf_s' in case of C11 return sprintf(buf, "1\n"); vim +/hook_bpf_prog +183 net/netfilter/core.c 960632ece6949b Aaron Conole 2017-08-24 123 960632ece6949b Aaron Conole 2017-08-24 124 static struct nf_hook_entries * 960632ece6949b Aaron Conole 2017-08-24 125 nf_hook_entries_grow(const struct nf_hook_entries *old, 960632ece6949b Aaron Conole 2017-08-24 126 const struct nf_hook_ops *reg) 960632ece6949b Aaron Conole 2017-08-24 127 { 960632ece6949b Aaron Conole 2017-08-24 128 unsigned int i, alloc_entries, nhooks, old_entries; 960632ece6949b Aaron Conole 2017-08-24 129 struct nf_hook_ops **orig_ops = NULL; 11b2910d788799 Florian Westphal 2021-06-28 130 struct bpf_prog *hook_bpf_prog; 960632ece6949b Aaron Conole 2017-08-24 131 struct nf_hook_ops **new_ops; 960632ece6949b Aaron Conole 2017-08-24 132 struct nf_hook_entries *new; 960632ece6949b Aaron Conole 2017-08-24 133 bool inserted = false; 960632ece6949b Aaron Conole 2017-08-24 134 960632ece6949b Aaron Conole 2017-08-24 135 alloc_entries = 1; 960632ece6949b Aaron Conole 2017-08-24 136 old_entries = old ? old->num_hook_entries : 0; 960632ece6949b Aaron Conole 2017-08-24 137 960632ece6949b Aaron Conole 2017-08-24 138 if (old) { 960632ece6949b Aaron Conole 2017-08-24 139 orig_ops = nf_hook_entries_get_hook_ops(old); 960632ece6949b Aaron Conole 2017-08-24 140 960632ece6949b Aaron Conole 2017-08-24 141 for (i = 0; i < old_entries; i++) { 960632ece6949b Aaron Conole 2017-08-24 142 if (orig_ops[i] != &dummy_ops) 960632ece6949b Aaron Conole 2017-08-24 143 alloc_entries++; 960632ece6949b Aaron Conole 2017-08-24 144 } 960632ece6949b Aaron Conole 2017-08-24 145 } 960632ece6949b Aaron Conole 2017-08-24 146 960632ece6949b Aaron Conole 2017-08-24 147 if (alloc_entries > MAX_HOOK_COUNT) 960632ece6949b Aaron Conole 2017-08-24 148 return ERR_PTR(-E2BIG); 960632ece6949b Aaron Conole 2017-08-24 149 960632ece6949b Aaron Conole 2017-08-24 150 new = allocate_hook_entries_size(alloc_entries); 960632ece6949b Aaron Conole 2017-08-24 151 if (!new) 960632ece6949b Aaron Conole 2017-08-24 152 return ERR_PTR(-ENOMEM); 960632ece6949b Aaron Conole 2017-08-24 153 960632ece6949b Aaron Conole 2017-08-24 154 new_ops = nf_hook_entries_get_hook_ops(new); 960632ece6949b Aaron Conole 2017-08-24 155 960632ece6949b Aaron Conole 2017-08-24 156 i = 0; 960632ece6949b Aaron Conole 2017-08-24 157 nhooks = 0; 960632ece6949b Aaron Conole 2017-08-24 158 while (i < old_entries) { 960632ece6949b Aaron Conole 2017-08-24 159 if (orig_ops[i] == &dummy_ops) { 960632ece6949b Aaron Conole 2017-08-24 160 ++i; 960632ece6949b Aaron Conole 2017-08-24 161 continue; 960632ece6949b Aaron Conole 2017-08-24 162 } f92b40a8b2645a Florian Westphal 2017-12-08 163 960632ece6949b Aaron Conole 2017-08-24 164 if (inserted || reg->priority > orig_ops[i]->priority) { 960632ece6949b Aaron Conole 2017-08-24 165 new_ops[nhooks] = (void *)orig_ops[i]; 960632ece6949b Aaron Conole 2017-08-24 166 new->hooks[nhooks] = old->hooks[i]; 960632ece6949b Aaron Conole 2017-08-24 167 i++; 960632ece6949b Aaron Conole 2017-08-24 168 } else { 960632ece6949b Aaron Conole 2017-08-24 169 new_ops[nhooks] = (void *)reg; 960632ece6949b Aaron Conole 2017-08-24 170 new->hooks[nhooks].hook = reg->hook; 960632ece6949b Aaron Conole 2017-08-24 171 new->hooks[nhooks].priv = reg->priv; 960632ece6949b Aaron Conole 2017-08-24 172 inserted = true; 960632ece6949b Aaron Conole 2017-08-24 173 } 960632ece6949b Aaron Conole 2017-08-24 174 nhooks++; 960632ece6949b Aaron Conole 2017-08-24 175 } 960632ece6949b Aaron Conole 2017-08-24 176 960632ece6949b Aaron Conole 2017-08-24 177 if (!inserted) { 960632ece6949b Aaron Conole 2017-08-24 178 new_ops[nhooks] = (void *)reg; 960632ece6949b Aaron Conole 2017-08-24 179 new->hooks[nhooks].hook = reg->hook; 960632ece6949b Aaron Conole 2017-08-24 180 new->hooks[nhooks].priv = reg->priv; 960632ece6949b Aaron Conole 2017-08-24 181 } 960632ece6949b Aaron Conole 2017-08-24 182 11b2910d788799 Florian Westphal 2021-06-28 @183 hook_bpf_prog = nf_hook_bpf_create(new); 11b2910d788799 Florian Westphal 2021-06-28 184 11b2910d788799 Florian Westphal 2021-06-28 185 /* allocate_hook_entries_size() pre-inits ->hook_prog 11b2910d788799 Florian Westphal 2021-06-28 186 * to a fallback program that calls nf_hook_slow(). 11b2910d788799 Florian Westphal 2021-06-28 187 * 11b2910d788799 Florian Westphal 2021-06-28 188 * Alternatively we could have nf_hook_entries_grow() 11b2910d788799 Florian Westphal 2021-06-28 189 * return an error here. 11b2910d788799 Florian Westphal 2021-06-28 190 */ 11b2910d788799 Florian Westphal 2021-06-28 191 #if IS_ENABLED(CONFIG_NF_HOOK_BPF) 11b2910d788799 Florian Westphal 2021-06-28 192 if (hook_bpf_prog) { 11b2910d788799 Florian Westphal 2021-06-28 193 struct bpf_prog *old_prog = NULL; 11b2910d788799 Florian Westphal 2021-06-28 194 11b2910d788799 Florian Westphal 2021-06-28 195 new->hook_prog = hook_bpf_prog; 11b2910d788799 Florian Westphal 2021-06-28 196 11b2910d788799 Florian Westphal 2021-06-28 197 if (old) 11b2910d788799 Florian Westphal 2021-06-28 198 old_prog = old->hook_prog; 11b2910d788799 Florian Westphal 2021-06-28 199 11b2910d788799 Florian Westphal 2021-06-28 200 nf_hook_bpf_change_prog(BPF_DISPATCHER_PTR(nf_hook_base), 11b2910d788799 Florian Westphal 2021-06-28 201 old_prog, hook_bpf_prog); 11b2910d788799 Florian Westphal 2021-06-28 202 } 11b2910d788799 Florian Westphal 2021-06-28 203 #endif 960632ece6949b Aaron Conole 2017-08-24 204 return new; 960632ece6949b Aaron Conole 2017-08-24 205 } 960632ece6949b Aaron Conole 2017-08-24 206 -- 0-DAY CI Kernel Test Service https://01.org/lkp _______________________________________________ kbuild mailing list -- [email protected] To unsubscribe send an email to [email protected]
