[v1,1/9] sysctl: Fixes nf_conntrack_max bounds

Message ID	20250127142014.37834-2-nicolas.bouchinet@clip-os.org (mailing list archive)
State	Changes Requested
Delegated to:	Netdev Maintainers
Headers	show Received: from relay0.mail.gandi.net (relay0.mail.gandi.net [217.70.178.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5F79A5672; Mon, 27 Jan 2025 14:20:38 +0000 (UTC) From: nicolas.bouchinet@clip-os.org To: linux-kernel@vger.kernel.org, linux-rdma@vger.kernel.org, linux-scsi@vger.kernel.org, codalist@coda.cs.cmu.edu, linux-nfs@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org Cc: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>, Joel Granados <j.granados@samsung.com>, Bart Van Assche <bvanassche@acm.org>, Leon Romanovsky <leon@kernel.org>, Zhu Yanjun <yanjun.zhu@linux.dev>, Jason Gunthorpe <jgg@ziepe.ca>, Al Viro <viro@zeniv.linux.org.uk>, Christian Brauner <brauner@kernel.org> Subject: [PATCH v1 1/9] sysctl: Fixes nf_conntrack_max bounds Date: Mon, 27 Jan 2025 15:19:58 +0100 Message-ID: <20250127142014.37834-2-nicolas.bouchinet@clip-os.org> In-Reply-To: <20250127142014.37834-1-nicolas.bouchinet@clip-os.org> References: <20250127142014.37834-1-nicolas.bouchinet@clip-os.org> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fixes multiple sysctl bound checks \| expand [v1,0/9] Fixes multiple sysctl bound checks [v1,1/9] sysctl: Fixes nf_conntrack_max bounds [v1,2/9] sysctl: Fixes nf_conntrack_expect_max bounds [v1,3/9] sysctl: Fixes gc_thresh bounds [v1,4/9] sysctl: Fixes idmap_cache_timeout bounds [v1,5/9] sysctl: Fixes nsm_local_state bounds [v1,6/9] sysctl/coda: Fixes timeout bounds [v1,7/9] sysctl: Fixes scsi_logging_level bounds [v1,8/9] sysctl/infiniband: Fixes infiniband sysctl bounds [v1,9/9] sysctl: Fixes max-user-freq bounds

Message ID

20250127142014.37834-2-nicolas.bouchinet@clip-os.org (mailing list archive)

State

Changes Requested

Delegated to:

Netdev Maintainers

Headers

From: nicolas.bouchinet@clip-os.org
To: linux-kernel@vger.kernel.org,
	linux-rdma@vger.kernel.org,
	linux-scsi@vger.kernel.org,
	codalist@coda.cs.cmu.edu,
	linux-nfs@vger.kernel.org,
	netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org
Cc: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>,
	Joel Granados <j.granados@samsung.com>,
	Bart Van Assche <bvanassche@acm.org>,
	Leon Romanovsky <leon@kernel.org>,
	Zhu Yanjun <yanjun.zhu@linux.dev>,
	Jason Gunthorpe <jgg@ziepe.ca>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>
Subject: [PATCH v1 1/9] sysctl: Fixes nf_conntrack_max bounds
Date: Mon, 27 Jan 2025 15:19:58 +0100
Message-ID: <20250127142014.37834-2-nicolas.bouchinet@clip-os.org>
In-Reply-To: <20250127142014.37834-1-nicolas.bouchinet@clip-os.org>
References: <20250127142014.37834-1-nicolas.bouchinet@clip-os.org>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fixes multiple sysctl bound checks | expand

Context	Check	Description
netdev/series_format	success	Posting correctly formatted
netdev/tree_selection	success	Guessed tree name to be net-next
netdev/ynl	success	Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/build_tools	success	No tools touched, skip
netdev/cc_maintainers	warning	6 maintainers not CCed: pablo@netfilter.org kadlec@netfilter.org pabeni@redhat.com edumazet@google.com horms@kernel.org kuba@kernel.org
netdev/build_clang	success	Errors and warnings before: 2 this patch: 2
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/deprecated_api	success	None detected
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 20 lines checked
netdev/build_clang_rust	success	No Rust files in patch. Skipping build
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
netdev/contest	warning	net-next-2025-01-27--18-00 (tests: 770)

Context

Check

Description

netdev/series_format

success

Posting correctly formatted

netdev/tree_selection

success

Guessed tree name to be net-next

netdev/ynl

success

Generated files up to date; no warnings/errors; no diff in generated;

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/build_tools

success

No tools touched, skip

netdev/cc_maintainers

warning

6 maintainers not CCed: pablo@netfilter.org kadlec@netfilter.org pabeni@redhat.com edumazet@google.com horms@kernel.org kuba@kernel.org

netdev/build_clang

success

Errors and warnings before: 2 this patch: 2

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/deprecated_api

success

None detected

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

No Fixes tag

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/checkpatch

success

total: 0 errors, 0 warnings, 0 checks, 20 lines checked

netdev/build_clang_rust

success

No Rust files in patch. Skipping build

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

netdev/contest

warning

net-next-2025-01-27--18-00 (tests: 770)

Commit Message

Nicolas Bouchinet Jan. 27, 2025, 2:19 p.m. UTC

From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>

Bound nf_conntrack_max sysctl writings between SYSCTL_ZERO
and SYSCTL_INT_MAX.

The proc_handler has thus been updated to proc_dointvec_minmax.

Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
---
 net/netfilter/nf_conntrack_standalone.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Comments

Pablo Neira Ayuso Jan. 28, 2025, 11 p.m. UTC | #1

Hi,

Please, collapse patch 1/9 and 2/9 and post it to
netfilter-devel@vger.kernel.org targeting at the nf-next tree.

Thanks.

On Mon, Jan 27, 2025 at 03:19:58PM +0100, nicolas.bouchinet@clip-os.org wrote:
> From: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
> 
> Bound nf_conntrack_max sysctl writings between SYSCTL_ZERO
> and SYSCTL_INT_MAX.
> 
> The proc_handler has thus been updated to proc_dointvec_minmax.
> 
> Signed-off-by: Nicolas Bouchinet <nicolas.bouchinet@ssi.gouv.fr>
> ---
>  net/netfilter/nf_conntrack_standalone.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 7d4f0fa8b609d..40ed3ef9cb22d 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -619,7 +619,9 @@ static struct ctl_table nf_ct_sysctl_table[] = {
>  		.data		= &nf_conntrack_max,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0644,
> -		.proc_handler	= proc_dointvec,
> +		.proc_handler	= proc_dointvec_minmax,
> +		.extra1		= SYSCTL_ZERO,
> +		.extra2		= SYSCTL_INT_MAX,
>  	},
>  	[NF_SYSCTL_CT_COUNT] = {
>  		.procname	= "nf_conntrack_count",
> @@ -948,7 +950,9 @@ static struct ctl_table nf_ct_netfilter_table[] = {
>  		.data		= &nf_conntrack_max,
>  		.maxlen		= sizeof(int),
>  		.mode		= 0644,
> -		.proc_handler	= proc_dointvec,
> +		.proc_handler	= proc_dointvec_minmax,
> +		.extra1		= SYSCTL_ZERO,
> +		.extra2		= SYSCTL_INT_MAX,
>  	},
>  };
>  
> -- 
> 2.48.1
> 
>

diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 7d4f0fa8b609d..40ed3ef9cb22d 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -619,7 +619,9 @@  static struct ctl_table nf_ct_sysctl_table[] = {
 		.data		= &nf_conntrack_max,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_INT_MAX,
 	},
 	[NF_SYSCTL_CT_COUNT] = {
 		.procname	= "nf_conntrack_count",
@@ -948,7 +950,9 @@  static struct ctl_table nf_ct_netfilter_table[] = {
 		.data		= &nf_conntrack_max,
 		.maxlen		= sizeof(int),
 		.mode		= 0644,
-		.proc_handler	= proc_dointvec,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_INT_MAX,
 	},
 };

[v1,1/9] sysctl: Fixes nf_conntrack_max bounds

Checks

Commit Message

Comments

Patch