From: kernel test robot <lkp@intel.com>
To: Shaun Brady <brady.1345@gmail.com>, netfilter-devel@vger.kernel.org
Cc: oe-kbuild-all@lists.linux.dev, ppwaskie@kernel.org, fw@strlen.de
Subject: Re: [PATCH v2] netfilter: nf_tables: Implement jump limit for nft_table_validate
Date: Fri, 9 May 2025 17:27:22 +0800
Message-ID: <202505091702.01RMXhZx-lkp@intel.com>
In-Reply-To: <20250506024900.1568391-1-brady.1345@gmail.com>
Hi Shaun,
kernel test robot noticed the following build errors:
[auto build test ERROR on netfilter-nf/main]
[also build test ERROR on linus/master v6.15-rc5 next-20250508]
[cannot apply to nf-next/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Shaun-Brady/netfilter-nf_tables-Implement-jump-limit-for-nft_table_validate/20250506-150258
base: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git main
patch link: https://lore.kernel.org/r/20250506024900.1568391-1-brady.1345%40gmail.com
patch subject: [PATCH v2] netfilter: nf_tables: Implement jump limit for nft_table_validate
config: arm-randconfig-001-20250509 (https://download.01.org/0day-ci/archive/20250509/202505091702.01RMXhZx-lkp@intel.com/config)
compiler: arm-linux-gnueabi-gcc (GCC) 7.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250509/202505091702.01RMXhZx-lkp@intel.com/reproduce)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202505091702.01RMXhZx-lkp@intel.com/
All errors (new ones prefixed by >>):
   net/netfilter/nf_tables_api.c: In function 'nft_chain_validate':
>> net/netfilter/nf_tables_api.c:4022:29: error: 'struct netns_nf' has no member named 'nf_max_table_jumps_netns'
       jump_check = ctx->net->nf.nf_max_table_jumps_netns;
                                ^
vim +4022 net/netfilter/nf_tables_api.c
  4003
  4004 /** nft_chain_validate - loop detection and hook validation
  4005  *
  4006  * @ctx: context containing call depth and base chain
  4007  * @chain: chain to validate
  4008  *
  4009  * Walk through the rules of the given chain and chase all jumps/gotos
  4010  * and set lookups until either the jump limit is hit or all reachable
  4011  * chains have been validated.
  4012  */
  4013 int nft_chain_validate(const struct nft_ctx *ctx, const struct nft_chain *chain)
  4014 {
  4015         struct nft_expr *expr, *last;
  4016         struct nft_rule *rule;
  4017         int err;
  4018         u32 jump_check = nf_max_table_jumps_netns;
  4019
  4020         if (IS_ENABLED(CONFIG_SYSCTL)) {
  4021                 if (!net_eq(ctx->net, &init_net))
> 4022                         jump_check = ctx->net->nf.nf_max_table_jumps_netns;
  4023         }
  4024
  4025         if (ctx->level == NFT_JUMP_STACK_SIZE ||
  4026             (!net_eq(ctx->net, &init_net) &&
  4027              ctx->total_jump_count >= jump_check))
  4028                 return -EMLINK;
  4029
  4030         list_for_each_entry(rule, &chain->rules, list) {
  4031                 if (fatal_signal_pending(current))
  4032                         return -EINTR;
  4033
  4034                 if (!nft_is_active_next(ctx->net, rule))
  4035                         continue;
  4036
  4037                 nft_rule_for_each_expr(expr, last, rule) {
  4038                         if (!expr->ops->validate)
  4039                                 continue;
  4040
  4041                         /* This may call nft_chain_validate() recursively,
  4042                          * callers that do so must increment ctx->level.
  4043                          */
  4044                         err = expr->ops->validate(ctx, expr);
  4045                         if (err < 0)
  4046                                 return err;
  4047                 }
  4048         }
  4049
  4050         return 0;
  4051 }
  4052 EXPORT_SYMBOL_GPL(nft_chain_validate);
  4053
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki