Commit b7529880 authored by Pablo Neira Ayuso

netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level



cgroup maximum depth is INT_MAX by default, there is a cgroup toggle to
restrict this maximum depth to a more reasonable value not to harm
performance. Remove unnecessary WARN_ON_ONCE which is reachable from
userspace.

Fixes: 7f3287db ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces")
Reported-by: <syzbot+57bac0866ddd99fe47c0@syzkaller.appspotmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent 04317f4e
+1 −1
@@ -68,7 +68,7 @@ static noinline int nft_socket_cgroup_subtree_level(void)

	cgroup_put(cgrp);

	if (WARN_ON_ONCE(level > 255))
	if (level > 255)
		return -ERANGE;

	if (WARN_ON_ONCE(level < 0))
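
Review bot: The bare 255 in `if (level > 255)` has no comment or named constant saying which limit it enforces, and with the WARN gone the -ERANGE return is the only remaining signal that a deeply nested cgroup was rejected; a one-line comment above the check stating what the bound protects would help the next reader. The commit message also does not say why the `WARN_ON_ONCE(level < 0)` kept just below cannot be reached from userspace in the same way; a sentence confirming that would be worth adding, since a userspace-triggerable WARN matters on hosts running with panic_on_warn.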