Message ID | 20240426-jag-sysctl_remset_net-v5-6-e3b12f6111a6@samsung.com (mailing list archive) |
Series | [v5,1/8] net: Remove the now superfluous sentinel elements from ctl_table array | expand |
Hello, On Fri, 26 Apr 2024, Joel Granados via B4 Relay wrote: > From: Joel Granados <j.granados@samsung.com> > > This commit comes at the tail end of a greater effort to remove the > empty elements at the end of the ctl_table arrays (sentinels) which will > reduce the overall build time size of the kernel and run time memory > bloat by ~64 bytes per sentinel (further information Link : > https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/) > > * Remove sentinel elements from ctl_table structs > * Remove instances where an array element is zeroed out to make it look > like a sentinel. This is not longer needed and is safe after commit > c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added > the array size to the ctl_table registration > * Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the > sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL > * Remove extra element in ctl_table arrays declarations > > Acked-by: Kees Cook <keescook@chromium.org> # loadpin & yama > Signed-off-by: Joel Granados <j.granados@samsung.com> > --- > net/bridge/br_netfilter_hooks.c | 1 - > net/ipv6/netfilter/nf_conntrack_reasm.c | 1 - > net/netfilter/ipvs/ip_vs_ctl.c | 5 +---- > net/netfilter/ipvs/ip_vs_lblc.c | 5 +---- > net/netfilter/ipvs/ip_vs_lblcr.c | 5 +---- > net/netfilter/nf_conntrack_standalone.c | 6 +----- > net/netfilter/nf_log.c | 3 +-- > 7 files changed, 5 insertions(+), 21 deletions(-) ... > diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c > index 143a341bbc0a..50b5dbe40eb8 100644 > --- a/net/netfilter/ipvs/ip_vs_ctl.c > +++ b/net/netfilter/ipvs/ip_vs_ctl.c ... 
> @@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs) > return -ENOMEM; > > /* Don't export sysctls to unprivileged users */ > - if (net->user_ns != &init_user_ns) { > - tbl[0].procname = NULL; > + if (net->user_ns != &init_user_ns) > ctl_table_size = 0; > - } > } else > tbl = vs_vars; > /* Initialize sysctl defaults */ We are in process of changing this code (not in trees yet): https://marc.info/?t=171345219600002&r=1&w=2 As I'm not sure which patch will win, the end result should be this single if-block/hunk to be removed. Regards -- Julian Anastasov <ja@ssi.bg>
On Fri, Apr 26, 2024 at 03:09:45PM +0300, Julian Anastasov wrote: > > Hello, > > On Fri, 26 Apr 2024, Joel Granados via B4 Relay wrote: > > > From: Joel Granados <j.granados@samsung.com> > > > > This commit comes at the tail end of a greater effort to remove the > > empty elements at the end of the ctl_table arrays (sentinels) which will > > reduce the overall build time size of the kernel and run time memory > > bloat by ~64 bytes per sentinel (further information Link : > > https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/) > > > > * Remove sentinel elements from ctl_table structs > > * Remove instances where an array element is zeroed out to make it look > > like a sentinel. This is not longer needed and is safe after commit > > c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added > > the array size to the ctl_table registration > > * Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the > > sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL > > * Remove extra element in ctl_table arrays declarations > > > > Acked-by: Kees Cook <keescook@chromium.org> # loadpin & yama > > Signed-off-by: Joel Granados <j.granados@samsung.com> > > --- > > net/bridge/br_netfilter_hooks.c | 1 - > > net/ipv6/netfilter/nf_conntrack_reasm.c | 1 - > > net/netfilter/ipvs/ip_vs_ctl.c | 5 +---- > > net/netfilter/ipvs/ip_vs_lblc.c | 5 +---- > > net/netfilter/ipvs/ip_vs_lblcr.c | 5 +---- > > net/netfilter/nf_conntrack_standalone.c | 6 +----- > > net/netfilter/nf_log.c | 3 +-- > > 7 files changed, 5 insertions(+), 21 deletions(-) > > ... > > > diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c > > index 143a341bbc0a..50b5dbe40eb8 100644 > > --- a/net/netfilter/ipvs/ip_vs_ctl.c > > +++ b/net/netfilter/ipvs/ip_vs_ctl.c > > ... 
> > > @@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs) > > return -ENOMEM; > > > > /* Don't export sysctls to unprivileged users */ > > - if (net->user_ns != &init_user_ns) { > > - tbl[0].procname = NULL; > > + if (net->user_ns != &init_user_ns) > > ctl_table_size = 0; > > - } > > } else > > tbl = vs_vars; > > /* Initialize sysctl defaults */ > > We are in process of changing this code (not in trees yet): > > https://marc.info/?t=171345219600002&r=1&w=2 > > As I'm not sure which patch will win, the end result should > be this single if-block/hunk to be removed. Thx for the heads up. I have made a note of it in case this set ends up being after yours. > > Regards > > -- > Julian Anastasov <ja@ssi.bg> >
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 35e10c5a766d..d31f57ffe985 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -1219,7 +1219,6 @@ static struct ctl_table brnf_table[] = {
 .mode = 0644,
 .proc_handler = brnf_sysctl_call_tables,
 },
- { }
 };
 
 static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 1a51a44571c3..8531750ec081 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -62,7 +62,6 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
 .mode = 0644,
 .proc_handler = proc_doulongvec_minmax,
 },
- { }
 };
 
 static int nf_ct_frag6_sysctl_register(struct net *net)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 143a341bbc0a..50b5dbe40eb8 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2263,7 +2263,6 @@ static struct ctl_table vs_vars[] = {
 .proc_handler = proc_dointvec,
 },
 #endif
- { }
 };
 
 #endif
@@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
 return -ENOMEM;
 
 /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns) {
- tbl[0].procname = NULL;
+ if (net->user_ns != &init_user_ns)
 ctl_table_size = 0;
- }
 } else
 tbl = vs_vars;
 /* Initialize sysctl defaults */
diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
index 8ceec7a2fa8f..2423513d701d 100644
--- a/net/netfilter/ipvs/ip_vs_lblc.c
+++ b/net/netfilter/ipvs/ip_vs_lblc.c
@@ -123,7 +123,6 @@ static struct ctl_table vs_vars_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec_jiffies,
 },
- { }
 };
 
 #endif
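Review bot: In the ip_vs_ctl.c hunk at @@ -4286, with `tbl[0].procname = NULL` gone the only thing keeping the IPVS sysctls out of a non-init user namespace is `ctl_table_size = 0` reaching the registration call, which lies outside this hunk, and nothing in the new code says so; the same applies to the `vars_table_size = 0` hunks in ip_vs_lblc.c and ip_vs_lblcr.c. A one-line comment would make that contract explicit, e.g. `/* size 0: register no entries; the duplicated table keeps its procnames */`. The table whose allocation failure returns -ENOMEM just above is then only ever registered empty in that namespace, which the commit inherits rather than introduces. ip_vs_control_net_init_sysctl begins and ends outside the hunk.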
@@ -563,10 +562,8 @@ static int __net_init __ip_vs_lblc_init(struct net *net)
 return -ENOMEM;
 
 /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns) {
- ipvs->lblc_ctl_table[0].procname = NULL;
+ if (net->user_ns != &init_user_ns)
 vars_table_size = 0;
- }
 
 } else
 ipvs->lblc_ctl_table = vs_vars_table;
diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
index 0fb64707213f..cdb1d4bf6761 100644
--- a/net/netfilter/ipvs/ip_vs_lblcr.c
+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
@@ -294,7 +294,6 @@ static struct ctl_table vs_vars_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec_jiffies,
 },
- { }
 };
 
 #endif
@@ -749,10 +748,8 @@ static int __net_init __ip_vs_lblcr_init(struct net *net)
 return -ENOMEM;
 
 /* Don't export sysctls to unprivileged users */
- if (net->user_ns != &init_user_ns) {
- ipvs->lblcr_ctl_table[0].procname = NULL;
+ if (net->user_ns != &init_user_ns)
 vars_table_size = 0;
- }
 } else
 ipvs->lblcr_ctl_table = vs_vars_table;
 ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 0ee98ce5b816..2f226cfb32d0 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -616,11 +616,9 @@ enum nf_ct_sysctl_index {
 NF_SYSCTL_CT_LWTUNNEL,
 #endif
 
- __NF_SYSCTL_CT_LAST_SYSCTL,
+ NF_SYSCTL_CT_LAST_SYSCTL,
 };
 
-#define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1)
-
 static struct ctl_table nf_ct_sysctl_table[] = {
 [NF_SYSCTL_CT_MAX] = {
 .procname = "nf_conntrack_max",
@@ -957,7 +955,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {
 .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
 },
 #endif
- {}
 };
 
 static struct ctl_table nf_ct_netfilter_table[] = {
@@ -968,7 +965,6 @@ static struct ctl_table nf_ct_netfilter_table[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec,
 },
- { }
 };
 
 static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
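Review bot: In the nf_conntrack_standalone.c hunk at @@ -616, nothing ties `NF_SYSCTL_CT_LAST_SYSCTL` to the actual length of `nf_ct_sysctl_table` now that the enum value, rather than a trailing `{}`, is what carries the array size; the table is built with designated initializers, so an index added to the enum but not to the table (or the reverse) would silently change the size that registration sees. A compile-time check after the table's closing brace (hunk @@ -957), e.g. `static_assert(ARRAY_SIZE(nf_ct_sysctl_table) == NF_SYSCTL_CT_LAST_SYSCTL);`, would pin the two together. The enum and the table both continue outside the hunk.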
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index 370f8231385c..d42ba733496b 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -395,7 +395,7 @@ static const struct seq_operations nflog_seq_ops = {
 
 #ifdef CONFIG_SYSCTL
 static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
-static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
+static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO];
 static struct ctl_table_header *nf_log_sysctl_fhdr;
 
 static struct ctl_table nf_log_sysctl_ftable[] = {
@@ -406,7 +406,6 @@ static struct ctl_table nf_log_sysctl_ftable[] = {
 .mode = 0644,
 .proc_handler = proc_dointvec,
 },
- { }
 };
 
 static int nf_log_proc_dostring(struct ctl_table *table, int write,
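Review bot: Shrinking `nf_log_sysctl_table` to `NFPROTO_NUMPROTO` entries in the hunk at @@ -395 removes the zero-filled slot that the static array previously provided as an implicit terminator, but nothing in the hunk shows how the table's length is passed at registration or whether any loop over it stops on an empty procname. Worth confirming that the registration passes `ARRAY_SIZE(nf_log_sysctl_table)` (or `NFPROTO_NUMPROTO`) and that the per-protocol fill loop covers exactly those entries; a short comment on the declaration, e.g. `/* one entry per NFPROTO_*; size is passed explicitly at registration, no sentinel */`, would record that for the next change. The code that fills and registers the table lies outside the hunk.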