author Daniel Borkmann <dborkman@redhat.com> 2014-05-23 18:43:58 +0200
committer David S. Miller <davem@davemloft.net> 2014-05-23 16:48:05 -0400
commit b1fcd35cf53553a0a3ef949b05106d921446abc3
tree 4784eb248a9705f2eae7dcb10968497f0559499f /net/netfilter
parent net: filter: remove DL macro
net: filter: let unattached filters use sock_fprog_kern
The sk_unattached_filter_create() API is used by BPF filters that are not directly attached or related to sockets, and are used in team, ptp, xt_bpf, cls_bpf, etc. As such all users do their own internal management of obtaining filter blocks and thus already have them in kernel memory and set up before calling into sk_unattached_filter_create(). As a result, due to __user annotation in sock_fprog, sparse triggers false positives (incorrect type in assignment [different address space]) when filters are set up before passing them to sk_unattached_filter_create().

Therefore, let sk_unattached_filter_create() API use sock_fprog_kern to overcome this issue.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- net/netfilter/xt_bpf.c 5
1 files changed, 3 insertions, 2 deletions
diff --git a/net/netfilter/xt_bpf.c b/net/netfilter/xt_bpf.c
index 12d4da8e6c77..bbffdbdaf603 100644
--- a/net/netfilter/xt_bpf.c
+++ b/net/netfilter/xt_bpf.c
@@ -23,10 +23,11 @@ MODULE_ALIAS("ip6t_bpf");
static int bpf_mt_check(const struct xt_mtchk_param *par)
{
struct xt_bpf_info *info = par->matchinfo;
- struct sock_fprog program;
+ struct sock_fprog_kern program;
program.len = info->bpf_program_num_elem;
- program.filter = (struct sock_filter __user *) info->bpf_program;
+ program.filter = info->bpf_program;
+
if (sk_unattached_filter_create(&info->filter, &program)) {
pr_info("bpf: check failed: parse error\n");
return -EINVAL;
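Review bot: program.len is taken straight from info->bpf_program_num_elem in bpf_mt_check(), and nothing in the visible lines bounds it against the capacity of info->bpf_program before the pair is handed to sk_unattached_filter_create(). With the __user cast gone, program.filter is now treated as an ordinary kernel pointer, so the length field is the only thing limiting how far the callee reads from that buffer. Since matchinfo is supplied by the rule being loaded, please either add an explicit upper-bound check on bpf_program_num_elem before the call or note in a comment where that bound is enforced. A smaller point on the same region: the error branch logs "parse error" and returns -EINVAL for every non-zero result, so an allocation failure in the callee would be reported as a malformed filter; propagating the callee's return value would keep the two cases distinguishable.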