diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2024-11-26 11:59:06 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-12-14 19:54:20 +0100 |
| commit | 7064a6daa4a700a298fe3aee11dea296bfe59fc4 (patch) | |
| tree | 8254a986f034da5874025923f9306ee1116fa906 /net/netfilter | |
| parent | ab9916321c95f5280b72b4c5055e269f98627efe (diff) | |
| download | linux-7064a6daa4a700a298fe3aee11dea296bfe59fc4.tar.gz linux-7064a6daa4a700a298fe3aee11dea296bfe59fc4.tar.bz2 linux-7064a6daa4a700a298fe3aee11dea296bfe59fc4.zip | |
netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level
[ Upstream commit b7529880cb961d515642ce63f9d7570869bbbdc3 ]
cgroup maximum depth is INT_MAX by default, there is a cgroup toggle to
restrict this maximum depth to a more reasonable value not to harm
performance. Remove unnecessary WARN_ON_ONCE which is reachable from
userspace.
Fixes: 7f3287db6543 ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces")
Reported-by: syzbot+57bac0866ddd99fe47c0@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nft_socket.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c index 4148df6d6a47..2d33674e9e5e 100644 --- a/net/netfilter/nft_socket.c +++ b/net/netfilter/nft_socket.c @@ -68,7 +68,7 @@ static noinline int nft_socket_cgroup_subtree_level(void) cgroup_put(cgrp); - if (WARN_ON_ONCE(level > 255)) + if (level > 255) return -ERANGE; if (WARN_ON_ONCE(level < 0)) |