Re: [PATCH v2] sysctl: treewide: constify ctl_table_header::ctl_table_arg
From: Kees Cook
Date: Thu Apr 18 2024 - 13:33:46 EST
On Thu, Apr 18, 2024 at 11:40:08AM +0200, Thomas Weißschuh wrote:
> To be able to constify instances of struct ctl_tables it is necessary to
> remove ways through which non-const versions are exposed from the
> sysctl core.
> One of these is the ctl_table_arg member of struct ctl_table_header.
>
> Constify this reference as a prerequisite for the full constification of
> struct ctl_table instances.
> No functional change.
>
> Signed-off-by: Thomas Weißschuh <linux@xxxxxxxxxxxxxx>
> ---
> Changes in v2:
> - Add link to original monolithic series
> - Send to all maintainers again
> - Link to v1: https://lore.kernel.org/r/20240322-sysctl-const-table-arg-v1-1-88436d34961b@xxxxxxxxxxxxxx
> ---
> This is a standalone version of PATCH 11 from my original const-sysctl
> series at
> https://lore.kernel.org/lkml/20231204-const-sysctl-v2-0-7a5060b11447@xxxxxxxxxxxxxx/
>
> It is based upon the branch constfy of
> https://git.kernel.org/pub/scm/linux/kernel/git/sysctl/sysctl.git/
>
> This patch is meant to be applied through the sysctl tree.
>
> It was implemented by manually searching for "ctl_table_arg"
> throughout the tree and inspecting each found site.
>
> If somebody comes up with a cocciscript for this, I'll be happy to use
> that.
My simple attempt doesn't find any additional instances:
@constify@
identifier VAR;
expression EXP;
@@
- struct ctl_table *VAR;
+ const struct ctl_table *VAR;
...
VAR = (EXP)->ctl_table_arg
it actually misses a few. :P
Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> ---
> drivers/net/vrf.c | 2 +-
> include/linux/sysctl.h | 2 +-
> ipc/ipc_sysctl.c | 2 +-
> ipc/mq_sysctl.c | 2 +-
> kernel/ucount.c | 2 +-
> net/ax25/sysctl_net_ax25.c | 2 +-
> net/bridge/br_netfilter_hooks.c | 2 +-
> net/core/sysctl_net_core.c | 2 +-
> net/ieee802154/6lowpan/reassembly.c | 2 +-
> net/ipv4/devinet.c | 2 +-
> net/ipv4/ip_fragment.c | 2 +-
> net/ipv4/route.c | 2 +-
> net/ipv4/sysctl_net_ipv4.c | 2 +-
> net/ipv4/xfrm4_policy.c | 2 +-
> net/ipv6/addrconf.c | 2 +-
> net/ipv6/netfilter/nf_conntrack_reasm.c | 2 +-
> net/ipv6/reassembly.c | 2 +-
> net/ipv6/sysctl_net_ipv6.c | 6 +++---
> net/ipv6/xfrm6_policy.c | 2 +-
> net/mpls/af_mpls.c | 4 ++--
> net/mptcp/ctrl.c | 2 +-
> net/netfilter/nf_conntrack_standalone.c | 2 +-
> net/netfilter/nf_log.c | 2 +-
> net/sctp/sysctl.c | 2 +-
> net/smc/smc_sysctl.c | 2 +-
> net/unix/sysctl_net_unix.c | 2 +-
> net/xfrm/xfrm_sysctl.c | 2 +-
> 27 files changed, 30 insertions(+), 30 deletions(-)
>
> diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
> index bb95ce43cd97..66f8542f3b18 100644
> --- a/drivers/net/vrf.c
> +++ b/drivers/net/vrf.c
> @@ -1971,7 +1971,7 @@ static int vrf_netns_init_sysctl(struct net *net, struct netns_vrf *nn_vrf)
> static void vrf_netns_exit_sysctl(struct net *net)
> {
> struct netns_vrf *nn_vrf = net_generic(net, vrf_net_id);
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = nn_vrf->ctl_hdr->ctl_table_arg;
> unregister_net_sysctl_table(nn_vrf->ctl_hdr);
> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
> index 47bd28ffa88f..09db2f2e6488 100644
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -171,7 +171,7 @@ struct ctl_table_header {
> struct rcu_head rcu;
> };
> struct completion *unregistering;
> - struct ctl_table *ctl_table_arg;
> + const struct ctl_table *ctl_table_arg;
> struct ctl_table_root *root;
> struct ctl_table_set *set;
> struct ctl_dir *parent;
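Review bot: Making `ctl_table_arg` const in `struct ctl_table_header` means any site that still reads it into a plain `struct ctl_table *` now gets a discarded-qualifier diagnostic. The description says the sites were found by a manual search, so coverage should be confirmed with an allmodconfig build rather than by inspection alone. Several converted sites sit under `#ifdef CONFIG_SYSCTL` (kernel/ucount.c, net/ipv4/devinet.c) or in optional protocols such as ax25, smc and mpls, which a default config may not compile. The member also carries no comment stating the contract; I would add `/* read-only reference to the registered table; do not cast away const */` above it, so later code does not reintroduce a writable alias and undermine the full constification the description aims for. The struct definition starts and ends outside this hunk.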
> diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
> index 19b2a67aef40..113452038303 100644
> --- a/ipc/ipc_sysctl.c
> +++ b/ipc/ipc_sysctl.c
> @@ -305,7 +305,7 @@ bool setup_ipc_sysctls(struct ipc_namespace *ns)
>
> void retire_ipc_sysctls(struct ipc_namespace *ns)
> {
> - struct ctl_table *tbl;
> + const struct ctl_table *tbl;
>
> tbl = ns->ipc_sysctls->ctl_table_arg;
> unregister_sysctl_table(ns->ipc_sysctls);
> diff --git a/ipc/mq_sysctl.c b/ipc/mq_sysctl.c
> index 43c0825da9e8..068e7d5aa42b 100644
> --- a/ipc/mq_sysctl.c
> +++ b/ipc/mq_sysctl.c
> @@ -159,7 +159,7 @@ bool setup_mq_sysctls(struct ipc_namespace *ns)
>
> void retire_mq_sysctls(struct ipc_namespace *ns)
> {
> - struct ctl_table *tbl;
> + const struct ctl_table *tbl;
>
> tbl = ns->mq_sysctls->ctl_table_arg;
> unregister_sysctl_table(ns->mq_sysctls);
> diff --git a/kernel/ucount.c b/kernel/ucount.c
> index 90300840256b..366a2c1971f5 100644
> --- a/kernel/ucount.c
> +++ b/kernel/ucount.c
> @@ -119,7 +119,7 @@ bool setup_userns_sysctls(struct user_namespace *ns)
> void retire_userns_sysctls(struct user_namespace *ns)
> {
> #ifdef CONFIG_SYSCTL
> - struct ctl_table *tbl;
> + const struct ctl_table *tbl;
>
> tbl = ns->sysctls->ctl_table_arg;
> unregister_sysctl_table(ns->sysctls);
> diff --git a/net/ax25/sysctl_net_ax25.c b/net/ax25/sysctl_net_ax25.c
> index db66e11e7fe8..e0128dc9def3 100644
> --- a/net/ax25/sysctl_net_ax25.c
> +++ b/net/ax25/sysctl_net_ax25.c
> @@ -171,7 +171,7 @@ int ax25_register_dev_sysctl(ax25_dev *ax25_dev)
> void ax25_unregister_dev_sysctl(ax25_dev *ax25_dev)
> {
> struct ctl_table_header *header = ax25_dev->sysheader;
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> if (header) {
> ax25_dev->sysheader = NULL;
> diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
> index 35e10c5a766d..a09118c56c7d 100644
> --- a/net/bridge/br_netfilter_hooks.c
> +++ b/net/bridge/br_netfilter_hooks.c
> @@ -1268,7 +1268,7 @@ static int br_netfilter_sysctl_init_net(struct net *net)
> static void br_netfilter_sysctl_exit_net(struct net *net,
> struct brnf_net *brnet)
> {
> - struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg;
> + const struct ctl_table *table = brnet->ctl_hdr->ctl_table_arg;
>
> unregister_net_sysctl_table(brnet->ctl_hdr);
> if (!net_eq(net, &init_net))
> diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
> index 6973dda3abda..903ab4a51c17 100644
> --- a/net/core/sysctl_net_core.c
> +++ b/net/core/sysctl_net_core.c
> @@ -743,7 +743,7 @@ static __net_init int sysctl_core_net_init(struct net *net)
>
> static __net_exit void sysctl_core_net_exit(struct net *net)
> {
> - struct ctl_table *tbl;
> + const struct ctl_table *tbl;
>
> tbl = net->core.sysctl_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->core.sysctl_hdr);
> diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
> index 6dd960ec558c..2a983cf450da 100644
> --- a/net/ieee802154/6lowpan/reassembly.c
> +++ b/net/ieee802154/6lowpan/reassembly.c
> @@ -399,7 +399,7 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
>
> static void __net_exit lowpan_frags_ns_sysctl_unregister(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
> struct netns_ieee802154_lowpan *ieee802154_lowpan =
> net_ieee802154_lowpan(net);
>
> diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
> index 7a437f0d4190..7592f242336b 100644
> --- a/net/ipv4/devinet.c
> +++ b/net/ipv4/devinet.c
> @@ -2749,7 +2749,7 @@ static __net_init int devinet_init_net(struct net *net)
> static __net_exit void devinet_exit_net(struct net *net)
> {
> #ifdef CONFIG_SYSCTL
> - struct ctl_table *tbl;
> + const struct ctl_table *tbl;
>
> tbl = net->ipv4.forw_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->ipv4.forw_hdr);
> diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
> index a4941f53b523..6b9285fd6f06 100644
> --- a/net/ipv4/ip_fragment.c
> +++ b/net/ipv4/ip_fragment.c
> @@ -632,7 +632,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
>
> static void __net_exit ip4_frags_ns_ctl_unregister(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = net->ipv4.frags_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->ipv4.frags_hdr);
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index c8f76f56dc16..af30b5942ba4 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -3590,7 +3590,7 @@ static __net_init int sysctl_route_net_init(struct net *net)
>
> static __net_exit void sysctl_route_net_exit(struct net *net)
> {
> - struct ctl_table *tbl;
> + const struct ctl_table *tbl;
>
> tbl = net->ipv4.route_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->ipv4.route_hdr);
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index 7e4f16a7dcc1..ce5d19978a26 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -1554,7 +1554,7 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
>
> static __net_exit void ipv4_sysctl_exit_net(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> kfree(net->ipv4.sysctl_local_reserved_ports);
> table = net->ipv4.ipv4_hdr->ctl_table_arg;
> diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
> index c33bca2c3841..1dda59e0aeab 100644
> --- a/net/ipv4/xfrm4_policy.c
> +++ b/net/ipv4/xfrm4_policy.c
> @@ -186,7 +186,7 @@ static __net_init int xfrm4_net_sysctl_init(struct net *net)
>
> static __net_exit void xfrm4_net_sysctl_exit(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> if (!net->ipv4.xfrm4_hdr)
> return;
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 247bd4d8ee45..9c34a351f115 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -7235,7 +7235,7 @@ static int __addrconf_sysctl_register(struct net *net, char *dev_name,
> static void __addrconf_sysctl_unregister(struct net *net,
> struct ipv6_devconf *p, int ifindex)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> if (!p->sysctl_header)
> return;
> diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
> index 1a51a44571c3..98809f846229 100644
> --- a/net/ipv6/netfilter/nf_conntrack_reasm.c
> +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
> @@ -105,7 +105,7 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
> static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
> {
> struct nft_ct_frag6_pernet *nf_frag = nf_frag_pernet(net);
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = nf_frag->nf_frag_frags_hdr->ctl_table_arg;
> unregister_net_sysctl_table(nf_frag->nf_frag_frags_hdr);
> diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
> index acb4f119e11f..ee95cdcc8747 100644
> --- a/net/ipv6/reassembly.c
> +++ b/net/ipv6/reassembly.c
> @@ -487,7 +487,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
>
> static void __net_exit ip6_frags_ns_sysctl_unregister(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = net->ipv6.sysctl.frags_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->ipv6.sysctl.frags_hdr);
> diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
> index 888676163e90..75de55f907b0 100644
> --- a/net/ipv6/sysctl_net_ipv6.c
> +++ b/net/ipv6/sysctl_net_ipv6.c
> @@ -313,9 +313,9 @@ static int __net_init ipv6_sysctl_net_init(struct net *net)
>
> static void __net_exit ipv6_sysctl_net_exit(struct net *net)
> {
> - struct ctl_table *ipv6_table;
> - struct ctl_table *ipv6_route_table;
> - struct ctl_table *ipv6_icmp_table;
> + const struct ctl_table *ipv6_table;
> + const struct ctl_table *ipv6_route_table;
> + const struct ctl_table *ipv6_icmp_table;
>
> ipv6_table = net->ipv6.sysctl.hdr->ctl_table_arg;
> ipv6_route_table = net->ipv6.sysctl.route_hdr->ctl_table_arg;
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 42fb6996b077..4891012b692f 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -218,7 +218,7 @@ static int __net_init xfrm6_net_sysctl_init(struct net *net)
>
> static void __net_exit xfrm6_net_sysctl_exit(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> if (!net->ipv6.sysctl.xfrm6_hdr)
> return;
> diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
> index 6dab883a08dd..973881b8faa3 100644
> --- a/net/mpls/af_mpls.c
> +++ b/net/mpls/af_mpls.c
> @@ -1438,7 +1438,7 @@ static void mpls_dev_sysctl_unregister(struct net_device *dev,
> struct mpls_dev *mdev)
> {
> struct net *net = dev_net(dev);
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> if (!mdev->sysctl)
> return;
> @@ -2706,7 +2706,7 @@ static void mpls_net_exit(struct net *net)
> {
> struct mpls_route __rcu **platform_label;
> size_t platform_labels;
> - struct ctl_table *table;
> + const struct ctl_table *table;
> unsigned int index;
>
> table = net->mpls.ctl->ctl_table_arg;
> diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
> index 13fe0748dde8..8d661156ab8c 100644
> --- a/net/mptcp/ctrl.c
> +++ b/net/mptcp/ctrl.c
> @@ -198,7 +198,7 @@ static int mptcp_pernet_new_table(struct net *net, struct mptcp_pernet *pernet)
>
> static void mptcp_pernet_del_table(struct mptcp_pernet *pernet)
> {
> - struct ctl_table *table = pernet->ctl_table_hdr->ctl_table_arg;
> + const struct ctl_table *table = pernet->ctl_table_hdr->ctl_table_arg;
>
> unregister_net_sysctl_table(pernet->ctl_table_hdr);
>
> diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
> index 0ee98ce5b816..bb9dea676ec1 100644
> --- a/net/netfilter/nf_conntrack_standalone.c
> +++ b/net/netfilter/nf_conntrack_standalone.c
> @@ -1122,7 +1122,7 @@ static int nf_conntrack_standalone_init_sysctl(struct net *net)
> static void nf_conntrack_standalone_fini_sysctl(struct net *net)
> {
> struct nf_conntrack_net *cnet = nf_ct_pernet(net);
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = cnet->sysctl_header->ctl_table_arg;
> unregister_net_sysctl_table(cnet->sysctl_header);
> diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
> index 370f8231385c..efedd2f13ac7 100644
> --- a/net/netfilter/nf_log.c
> +++ b/net/netfilter/nf_log.c
> @@ -514,7 +514,7 @@ static int netfilter_log_sysctl_init(struct net *net)
>
> static void netfilter_log_sysctl_exit(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = net->nf.nf_log_dir_header->ctl_table_arg;
> unregister_net_sysctl_table(net->nf.nf_log_dir_header);
> diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
> index f65d6f92afcb..25bdf17c7262 100644
> --- a/net/sctp/sysctl.c
> +++ b/net/sctp/sysctl.c
> @@ -624,7 +624,7 @@ int sctp_sysctl_net_register(struct net *net)
>
> void sctp_sysctl_net_unregister(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = net->sctp.sysctl_header->ctl_table_arg;
> unregister_net_sysctl_table(net->sctp.sysctl_header);
> diff --git a/net/smc/smc_sysctl.c b/net/smc/smc_sysctl.c
> index a5946d1b9d60..4e8baa2e7ea4 100644
> --- a/net/smc/smc_sysctl.c
> +++ b/net/smc/smc_sysctl.c
> @@ -133,7 +133,7 @@ int __net_init smc_sysctl_net_init(struct net *net)
>
> void __net_exit smc_sysctl_net_exit(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = net->smc.smc_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->smc.smc_hdr);
> diff --git a/net/unix/sysctl_net_unix.c b/net/unix/sysctl_net_unix.c
> index 3e84b31c355a..44996af61999 100644
> --- a/net/unix/sysctl_net_unix.c
> +++ b/net/unix/sysctl_net_unix.c
> @@ -52,7 +52,7 @@ int __net_init unix_sysctl_register(struct net *net)
>
> void unix_sysctl_unregister(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = net->unx.ctl->ctl_table_arg;
> unregister_net_sysctl_table(net->unx.ctl);
> diff --git a/net/xfrm/xfrm_sysctl.c b/net/xfrm/xfrm_sysctl.c
> index 7fdeafc838a7..e972930c292b 100644
> --- a/net/xfrm/xfrm_sysctl.c
> +++ b/net/xfrm/xfrm_sysctl.c
> @@ -76,7 +76,7 @@ int __net_init xfrm_sysctl_init(struct net *net)
>
> void __net_exit xfrm_sysctl_fini(struct net *net)
> {
> - struct ctl_table *table;
> + const struct ctl_table *table;
>
> table = net->xfrm.sysctl_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->xfrm.sysctl_hdr);
>
> ---
> base-commit: 48a8b5270db856be233021e47a5f1dc02d47ed0d
> change-id: 20231226-sysctl-const-table-arg-2c828e0264dc
>
> Best regards,
> --
> Thomas Weißschuh <linux@xxxxxxxxxxxxxx>
>
--
Kees Cook