Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b44492af authored by Arnd Bergmann's avatar Arnd Bergmann Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tables_offload: avoid excessive stack usage 



The nft_offload_ctx structure is much too large to put on the
stack:

net/netfilter/nf_tables_offload.c:31:23: error: stack frame size of 1200 bytes in function 'nft_flow_rule_create' [-Werror,-Wframe-larger-than=]

Use dynamic allocation here, as we do elsewhere in the same
function.

Fixes: c9626a2c ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent b74ae961

net/netfilter/nf_tables_offload.c

+13 −7
Original line number Diff line number Diff line
@@ -30,11 +30,7 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions) 


struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)

{

	struct nft_offload_ctx ctx = {

		.dep	= {

			.type	= NFT_OFFLOAD_DEP_UNSPEC,

		},

	};

	struct nft_offload_ctx *ctx;

	struct nft_flow_rule *flow;

	int num_actions = 0, err;

	struct nft_expr *expr;
@@ -52,21 +48,31 @@ struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule) 
		return ERR_PTR(-ENOMEM);



	expr = nft_expr_first(rule);



	ctx = kzalloc(sizeof(struct nft_offload_ctx), GFP_KERNEL);

	if (!ctx) {

		err = -ENOMEM;

		goto err_out;

	}

	ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;



	while (expr->ops && expr != nft_expr_last(rule)) {

		if (!expr->ops->offload) {

			err = -EOPNOTSUPP;

			goto err_out;

		}

		err = expr->ops->offload(&ctx, flow, expr);

		err = expr->ops->offload(ctx, flow, expr);

		if (err < 0)

			goto err_out;



		expr = nft_expr_next(expr);

	}

	flow->proto = ctx.dep.l3num;

	flow->proto = ctx->dep.l3num;

	kfree(ctx);



	return flow;

err_out:

	kfree(ctx);

	nft_flow_rule_destroy(flow);



	return ERR_PTR(err);