diff mbox series

[net,v1,1/1] netfilter: nf_reject: Fix build error when CONFIG_BRIDGE_NETFILTER=n

Message ID 20240906145513.567781-1-andriy.shevchenko@linux.intel.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series [net,v1,1/1] netfilter: nf_reject: Fix build error when CONFIG_BRIDGE_NETFILTER=n | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 16 this patch: 16
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 14 of 14 maintainers
netdev/build_clang success Errors and warnings before: 16 this patch: 16
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 16 this patch: 16
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-09-07--06-00 (tests: 722)

Commit Message

Andy Shevchenko Sept. 6, 2024, 2:55 p.m. UTC 
In some cases (CONFIG_BRIDGE_NETFILTER=n) the pointer to IP header
is set but not used, it prevents kernel builds with clang, `make W=1`
and CONFIG_WERROR=y:

ipv6: split nf_send_reset6() in smaller functions
netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions

net/ipv4/netfilter/nf_reject_ipv4.c:243:16: error: variable 'niph' set but not used [-Werror,-Wunused-but-set-variable]
  243 |         struct iphdr *niph;
      |                       ^
net/ipv6/netfilter/nf_reject_ipv6.c:286:18: error: variable 'ip6h' set but not used [-Werror,-Wunused-but-set-variable]
  286 |         struct ipv6hdr *ip6h;
      |                         ^

Fix these by marking respective variables with __maybe_unused as it
seems more complicated to address that in a better way due to ifdeffery.

Fixes: 8bfcdf6671b1 ("netfilter: nf_reject_ipv6: split nf_send_reset6() in smaller functions")
Fixes: 052b9498eea5 ("netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 2 +-
 net/ipv6/netfilter/nf_reject_ipv6.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Simon Horman Sept. 7, 2024, 1:48 p.m. UTC | #1 
On Fri, Sep 06, 2024 at 05:55:13PM +0300, Andy Shevchenko wrote:
> In some cases (CONFIG_BRIDGE_NETFILTER=n) the pointer to IP header
> is set but not used, it prevents kernel builds with clang, `make W=1`
> and CONFIG_WERROR=y:
> 
> ipv6: split nf_send_reset6() in smaller functions
> netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions
> 
> net/ipv4/netfilter/nf_reject_ipv4.c:243:16: error: variable 'niph' set but not used [-Werror,-Wunused-but-set-variable]
>   243 |         struct iphdr *niph;
>       |                       ^
> net/ipv6/netfilter/nf_reject_ipv6.c:286:18: error: variable 'ip6h' set but not used [-Werror,-Wunused-but-set-variable]
>   286 |         struct ipv6hdr *ip6h;
>       |                         ^
> 
> Fix these by marking respective variables with __maybe_unused as it
> seems more complicated to address that in a better way due to ifdeffery.
> 
> Fixes: 8bfcdf6671b1 ("netfilter: nf_reject_ipv6: split nf_send_reset6() in smaller functions")
> Fixes: 052b9498eea5 ("netfilter: nf_reject_ipv4: split nf_send_reset() in smaller functions")

Hi Andy,

As mentioned in relation to another similar patch,
I'm not sure that resolution of W=1 warnings are fixes.

> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
> ---
>  net/ipv4/netfilter/nf_reject_ipv4.c | 2 +-
>  net/ipv6/netfilter/nf_reject_ipv6.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)

> 
> diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
> index 04504b2b51df..0af42494ac66 100644
> --- a/net/ipv4/netfilter/nf_reject_ipv4.c
> +++ b/net/ipv4/netfilter/nf_reject_ipv4.c
> @@ -240,7 +240,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
>  		   int hook)
>  {
>  	struct sk_buff *nskb;
> -	struct iphdr *niph;
> +	struct iphdr *niph __maybe_unused;
>  	const struct tcphdr *oth;
>  	struct tcphdr _oth;
>  

Possibly it is broken for some reason - like reading nskb too late -
but I wonder if rather than annotating niph it's scope can be reduced
to the code that is only compiled if CONFIG_BRIDGE_NETFILTER is enabled.

This also addreses what appears to be an assingment of niph without
the value being used - the first assingment.

E.g., for the ipv4 case (compile tested only!):

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index 04504b2b51df..87fd945a0d27 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -239,9 +239,8 @@ static int nf_reject_fill_skb_dst(struct sk_buff *skb_in)
 void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
 		   int hook)
 {
-	struct sk_buff *nskb;
-	struct iphdr *niph;
 	const struct tcphdr *oth;
+	struct sk_buff *nskb;
 	struct tcphdr _oth;
 
 	oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
@@ -266,14 +265,12 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
 	nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
 
 	skb_reserve(nskb, LL_MAX_HEADER);
-	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
-				   ip4_dst_hoplimit(skb_dst(nskb)));
+	nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
+			    ip4_dst_hoplimit(skb_dst(nskb)));
 	nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
 	if (ip_route_me_harder(net, sk, nskb, RTN_UNSPEC))
 		goto free_nskb;
 
-	niph = ip_hdr(nskb);
-
 	/* "Never happens" */
 	if (nskb->len > dst_mtu(skb_dst(nskb)))
 		goto free_nskb;
@@ -290,6 +287,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
 	 */
 	if (nf_bridge_info_exists(oldskb)) {
 		struct ethhdr *oeth = eth_hdr(oldskb);
+		struct iphdr *niph = ip_hdr(nskb);
 		struct net_device *br_indev;
 
 		br_indev = nf_bridge_get_physindev(oldskb, net);
Andy Shevchenko Sept. 9, 2024, 9:44 a.m. UTC | #2 
On Sat, Sep 07, 2024 at 02:48:37PM +0100, Simon Horman wrote:
> On Fri, Sep 06, 2024 at 05:55:13PM +0300, Andy Shevchenko wrote:

> As mentioned in relation to another similar patch,
> I'm not sure that resolution of W=1 warnings are fixes.

Up to you, I consider they as fixes as I'm pretty much annoyed each release to
have disable CONFIG_WERROR. But I got your point.

...

> Possibly it is broken for some reason - like reading nskb too late -
> but I wonder if rather than annotating niph it's scope can be reduced
> to the code that is only compiled if CONFIG_BRIDGE_NETFILTER is enabled.
> 
> This also addreses what appears to be an assingment of niph without
> the value being used - the first assingment.
> 
> E.g., for the ipv4 case (compile tested only!):

Please, submit a formal patch, I'm not so familiar with the guts of networking
core to be able to produce anything better than I already did.

Consider this as
Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

Thank you!
Pablo Neira Ayuso Sept. 15, 2024, 9:22 p.m. UTC | #3 
Hi Simon,

This proposed update to address this compile time warning LGTM.

Would you submit it?

Thanks.

On Sat, Sep 07, 2024 at 02:48:37PM +0100, Simon Horman wrote:
[...]
> diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
> index 04504b2b51df..87fd945a0d27 100644
> --- a/net/ipv4/netfilter/nf_reject_ipv4.c
> +++ b/net/ipv4/netfilter/nf_reject_ipv4.c
> @@ -239,9 +239,8 @@ static int nf_reject_fill_skb_dst(struct sk_buff *skb_in)
>  void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
>  		   int hook)
>  {
> -	struct sk_buff *nskb;
> -	struct iphdr *niph;
>  	const struct tcphdr *oth;
> +	struct sk_buff *nskb;
>  	struct tcphdr _oth;
>  
>  	oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
> @@ -266,14 +265,12 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
>  	nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
>  
>  	skb_reserve(nskb, LL_MAX_HEADER);
> -	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
> -				   ip4_dst_hoplimit(skb_dst(nskb)));
> +	nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
> +			    ip4_dst_hoplimit(skb_dst(nskb)));
>  	nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
>  	if (ip_route_me_harder(net, sk, nskb, RTN_UNSPEC))
>  		goto free_nskb;
>  
> -	niph = ip_hdr(nskb);
> -
>  	/* "Never happens" */
>  	if (nskb->len > dst_mtu(skb_dst(nskb)))
>  		goto free_nskb;
> @@ -290,6 +287,7 @@ void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
>  	 */
>  	if (nf_bridge_info_exists(oldskb)) {
>  		struct ethhdr *oeth = eth_hdr(oldskb);
> +		struct iphdr *niph = ip_hdr(nskb);
>  		struct net_device *br_indev;
>  
>  		br_indev = nf_bridge_get_physindev(oldskb, net);
Simon Horman Sept. 16, 2024, 7:32 a.m. UTC | #4 
On Sun, Sep 15, 2024 at 11:22:02PM +0200, Pablo Neira Ayuso wrote:
> Hi Simon,
> 
> This proposed update to address this compile time warning LGTM.
> 
> Would you submit it?

Hi Pablo,

Yes, it is on my todo list for today.
Sorry for not getting to it sooner.

I plan to post a patch for this to nf-next.
But let me know if you prefer a patch for nf, net,
or some other course of action.
Simon Horman Sept. 16, 2024, 9:52 a.m. UTC | #5 
On Mon, Sep 16, 2024 at 08:32:01AM +0100, Simon Horman wrote:
> On Sun, Sep 15, 2024 at 11:22:02PM +0200, Pablo Neira Ayuso wrote:
> > Hi Simon,
> > 
> > This proposed update to address this compile time warning LGTM.
> > 
> > Would you submit it?
> 
> Hi Pablo,
> 
> Yes, it is on my todo list for today.
> Sorry for not getting to it sooner.
> 
> I plan to post a patch for this to nf-next.
> But let me know if you prefer a patch for nf, net,
> or some other course of action.

Patch posted here:
- [PATCH nf-next] netfilter: nf_reject: Fix build warning when CONFIG_BRIDGE_NETFILTER=n
  https://lore.kernel.org/netfilter-devel/20240916-nf-reject-v1-1-24b6dd651c83@kernel.org/
diff mbox series

Patch

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index 04504b2b51df..0af42494ac66 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -240,7 +240,7 @@  void nf_send_reset(struct net *net, struct sock *sk, struct sk_buff *oldskb,
 		   int hook)
 {
 	struct sk_buff *nskb;
-	struct iphdr *niph;
+	struct iphdr *niph __maybe_unused;
 	const struct tcphdr *oth;
 	struct tcphdr _oth;
 
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index dedee264b8f6..f5ed4e779b72 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -283,7 +283,7 @@  void nf_send_reset6(struct net *net, struct sock *sk, struct sk_buff *oldskb,
 	const struct tcphdr *otcph;
 	unsigned int otcplen, hh_len;
 	const struct ipv6hdr *oip6h = ipv6_hdr(oldskb);
-	struct ipv6hdr *ip6h;
+	struct ipv6hdr *ip6h __maybe_unused;
 	struct dst_entry *dst = NULL;
 	struct flowi6 fl6;