From: Wang Hai wanghai38@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I8OWRC CVE: NA
--------
Reserve some fields in advance for netfilter-framework-related structures that are prone to change.
---------
Signed-off-by: Wang Hai wanghai38@huawei.com Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com --- include/linux/netfilter.h | 9 +++++++++ include/linux/netfilter/ipset/ip_set.h | 7 +++++++ include/linux/netfilter/nfnetlink.h | 5 +++++ include/linux/netfilter_ipv6.h | 3 +++ include/net/netfilter/nf_conntrack.h | 4 ++++ include/net/netns/netfilter.h | 3 +++ 6 files changed, 31 insertions(+)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d68644b7c299..8be96020e32f 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -16,6 +16,7 @@
 #include <linux/netdevice.h>
 #include <linux/sockptr.h>
 #include <net/net_namespace.h>
+#include <linux/kabi.h>
 static inline int NF_DROP_GETERR(int verdict)
 {
@@ -179,6 +180,8 @@ struct nf_sockopt_ops {
 int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 /* Use the module struct to lock set/get code in place */
 struct module *owner;
+
+ KABI_RESERVE(1)
 };
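Review bot: The new `#include <linux/kabi.h>` is appended after `<net/net_namespace.h>` instead of being grouped with the `<linux/...>` includes it belongs with, and the include hunks in ip_set.h, nfnetlink.h, netfilter_ipv6.h, nf_conntrack.h and netns/netfilter.h follow the same placement. Keeping it with the other `linux/` headers, `#include <linux/sockptr.h>` followed by `#include <linux/kabi.h>`, makes later conflicts with upstream include churn easier to resolve. This is a style point only; the include itself is needed for the `KABI_RESERVE` uses that follow.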
 /* Function to register/unregister hook points. */
@@ -377,6 +380,8 @@ struct nf_nat_hook {
 enum nf_nat_manip_type mtype,
 enum ip_conntrack_dir dir);
 void (*remove_nat_bysrc)(struct nf_conn *ct);
+
+ KABI_RESERVE(1)
 };
 extern const struct nf_nat_hook __rcu *nf_nat_hook;
@@ -464,6 +469,8 @@ struct nf_ct_hook {
 const struct sk_buff *);
 void (*attach)(struct sk_buff *nskb, const struct sk_buff *skb);
 void (*set_closing)(struct nf_conntrack *nfct);
+
+ KABI_RESERVE(1)
 };
 extern const struct nf_ct_hook __rcu *nf_ct_hook;
@@ -479,6 +486,8 @@ struct nfnl_ct_hook {
 u32 portid, u32 report);
 void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, s32 off);
+
+ KABI_RESERVE(1)
 };
 extern const struct nfnl_ct_hook __rcu *nfnl_ct_hook;
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index e8c350a3ade1..23395a4393f2 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -16,6 +16,7 @@
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/ipset/ip_set.h>
+#include <linux/kabi.h>
 #define _IP_SET_MODULE_DESC(a, b, c) \
 MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -188,6 +189,8 @@ struct ip_set_type_variant {
 bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
 /* Region-locking is used */
 bool region_lock;
+
+ KABI_RESERVE(1)
 };
 struct ip_set_region {
@@ -234,6 +237,8 @@ struct ip_set_type {
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
+
+ KABI_RESERVE(1)
 };
 /* register and unregister set type */
@@ -276,6 +281,8 @@ struct ip_set {
 size_t offset[IPSET_EXT_ID_MAX];
 /* The type specific data */
 void *data;
+
+ KABI_RESERVE(1)
 };
 static inline void
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index e9a9ab34a7cc..fe320c791949 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -6,6 +6,7 @@
 #include <linux/capability.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/nfnetlink.h>
+#include <linux/kabi.h>
 struct nfnl_info {
 struct net *net;
@@ -28,6 +29,8 @@ struct nfnl_callback {
 const struct nla_policy *policy;
 enum nfnl_callback_type type;
 __u16 attr_count;
+
+ KABI_RESERVE(1)
 };
 enum nfnl_abort_action {
@@ -46,6 +49,8 @@ struct nfnetlink_subsystem {
 int (*abort)(struct net *net, struct sk_buff *skb, enum nfnl_abort_action action);
 bool (*valid_genid)(struct net *net, u32 genid);
+
+ KABI_RESERVE(1)
 };
 int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 7834c0be2831..cbb47065664d 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -9,6 +9,7 @@
 #include <uapi/linux/netfilter_ipv6.h>
 #include <net/tcp.h>
+#include <linux/kabi.h>
 /* Check for an extension */
 static inline int
@@ -65,6 +66,8 @@ struct nf_ipv6_ops {
 const struct nf_bridge_frag_data *data,
 struct sk_buff *));
 #endif
+
+ KABI_RESERVE(1)
 };
 #ifdef CONFIG_NETFILTER
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 4085765c3370..607e930d5b33 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,6 +23,7 @@
 #include <linux/netfilter/nf_conntrack_proto_gre.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
+#include <linux/kabi.h>
 struct nf_ct_udp {
 unsigned long stream_ts;
@@ -123,6 +124,9 @@ struct nf_conn {
 /* Storage reserved for other modules, must be the last member */
 union nf_conntrack_proto proto;
+
+ KABI_RESERVE(1)
+ KABI_RESERVE(2)
 };
 static inline struct nf_conn *
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index 02bbdc577f8e..ca829559e7ec 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -3,6 +3,7 @@
 #define __NETNS_NETFILTER_H
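Review bot: The two reserved slots in `struct nf_conn` are placed after `union nf_conntrack_proto proto;`, whose comment on the line above says it "must be the last member", and the commit neither moves the reservation before `proto` nor updates that comment, so one of the two is now wrong. If the last-member requirement is still real — for example because the allocation path only initialises the object up to `proto`, which the comment hints at but the hunk does not show — the `KABI_RESERVE(1)` and `KABI_RESERVE(2)` lines should go before the comment, otherwise a future consumer of the slots would start from uninitialised memory. If the requirement is stale, the comment should be rewritten instead, e.g. `/* Storage reserved for other modules, followed only by kABI padding */`. The description should also say why this hot, per-connection structure gets two reserved words while every other structure in the series gets one; `struct nf_conn` starts outside the hunk.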
 #include <linux/netfilter_defs.h>
+#include <linux/kabi.h>
 struct proc_dir_entry;
 struct nf_logger;
@@ -30,5 +31,7 @@ struct netns_nf {
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 unsigned int defrag_ipv6_users;
 #endif
+
+ KABI_RESERVE(1)
 };
 #endif