netfilter: nf_tables_offload: avoid excessive stack usage
The nft_offload_ctx structure is much too large to put on the
stack:
net/netfilter/nf_tables_offload.c:31:23: error: stack frame size of 1200 bytes in function 'nft_flow_rule_create' [-Werror,-Wframe-larger-than=]
Use dynamic allocation here, as we do elsewhere in the same
function.
Fixes: c9626a2cbd
("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent
b74ae9618b
commit
b44492afd2
|
@ -30,11 +30,7 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
|
||||||
|
|
||||||
struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)
|
struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)
|
||||||
{
|
{
|
||||||
struct nft_offload_ctx ctx = {
|
struct nft_offload_ctx *ctx;
|
||||||
.dep = {
|
|
||||||
.type = NFT_OFFLOAD_DEP_UNSPEC,
|
|
||||||
},
|
|
||||||
};
|
|
||||||
struct nft_flow_rule *flow;
|
struct nft_flow_rule *flow;
|
||||||
int num_actions = 0, err;
|
int num_actions = 0, err;
|
||||||
struct nft_expr *expr;
|
struct nft_expr *expr;
|
||||||
|
@ -52,21 +48,31 @@ struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)
|
||||||
return ERR_PTR(-ENOMEM);
|
return ERR_PTR(-ENOMEM);
|
||||||
|
|
||||||
expr = nft_expr_first(rule);
|
expr = nft_expr_first(rule);
|
||||||
|
|
||||||
|
ctx = kzalloc(sizeof(struct nft_offload_ctx), GFP_KERNEL);
|
||||||
|
if (!ctx) {
|
||||||
|
err = -ENOMEM;
|
||||||
|
goto err_out;
|
||||||
|
}
|
||||||
|
ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;
|
||||||
|
|
||||||
while (expr->ops && expr != nft_expr_last(rule)) {
|
while (expr->ops && expr != nft_expr_last(rule)) {
|
||||||
if (!expr->ops->offload) {
|
if (!expr->ops->offload) {
|
||||||
err = -EOPNOTSUPP;
|
err = -EOPNOTSUPP;
|
||||||
goto err_out;
|
goto err_out;
|
||||||
}
|
}
|
||||||
err = expr->ops->offload(&ctx, flow, expr);
|
err = expr->ops->offload(ctx, flow, expr);
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
goto err_out;
|
goto err_out;
|
||||||
|
|
||||||
expr = nft_expr_next(expr);
|
expr = nft_expr_next(expr);
|
||||||
}
|
}
|
||||||
flow->proto = ctx.dep.l3num;
|
flow->proto = ctx->dep.l3num;
|
||||||
|
kfree(ctx);
|
||||||
|
|
||||||
return flow;
|
return flow;
|
||||||
err_out:
|
err_out:
|
||||||
|
kfree(ctx);
|
||||||
nft_flow_rule_destroy(flow);
|
nft_flow_rule_destroy(flow);
|
||||||
|
|
||||||
return ERR_PTR(err);
|
return ERR_PTR(err);
|
||||||
|
|
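Review bot: `ctx` is declared without an initializer in the first hunk, while the shared `err_out` label in the second hunk now calls `kfree(ctx)`, so any jump to `err_out` taken before the kzalloc would free an indeterminate pointer. Every `goto err_out` visible here comes after the allocation, but the lines between the two hunks are not shown, so this is a latent hazard rather than a confirmed bug; declaring `struct nft_offload_ctx *ctx = NULL;` makes the cleanup path safe regardless of where a future early exit is added. As a smaller style point, `ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);` ties the size to the pointer instead of repeating the type name. The function's closing brace lies outside the hunk.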