From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: sbrivio@redhat.com, Florian Westphal <fw@strlen.de>,
Yiming Qian <yimingqian591@gmail.com>
Subject: [PATCH nf 2/2] netfilter: nft_set_pipapo: prevent soft lockup during gc walk
Date: Tue, 3 Mar 2026 20:02:08 +0100
Message-ID: <20260303190218.19781-3-fw@strlen.de>
In-Reply-To: <20260303190218.19781-1-fw@strlen.de>

The gc scan+shrinking process can take a very long time.
Add an upper ceiling: If we've queued up some elements for removal
already give up after spending up to 10s on gc compaction.

Note this intentionally doesn't add a call to cond_resched();
PREEMPT_NONE and _VOLUNTARY preemption models have been removed
recently.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nft_set_pipapo.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index d850166b8e45..0cd91f809655 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1686,6 +1686,7 @@ static void nft_pipapo_gc_deactivate(struct net *net, struct nft_set *set,
*/
static void pipapo_gc_scan(struct nft_set *set, struct nft_pipapo_match *m)
{
+ unsigned long stop_time = jiffies + 10 * HZ;
struct nft_pipapo *priv = nft_set_priv(set);
struct net *net = read_pnet(&set->net);
unsigned int rules_f0, first_rule = 0;
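Review bot: the `10 * HZ` budget in the `stop_time` initialiser is an unexplained literal; give it a named constant next to the function, with a one-line comment saying what the 10 seconds is chosen against, so the limit can be found and tuned later. Because `stop_time` is set once on entry to `pipapo_gc_scan()`, the budget covers the whole scan rather than one iteration, which is worth a sentence in the function comment that ends just above the signature.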
@@ -1697,6 +1698,9 @@ static void pipapo_gc_scan(struct nft_set *set, struct nft_pipapo_match *m)
const struct nft_pipapo_field *f;
unsigned int i, start, rules_fx;
+ if (priv->to_free && time_after(jiffies, stop_time))
+ return;
+
start = first_rule;
rules_fx = rules_f0;
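Review bot: the new `if (priv->to_free && time_after(jiffies, stop_time))` check only bails out once something has been queued, so a scan that has queued nothing is not bounded by `stop_time` at all. If that is intended, as the commit message suggests, put a comment above the check that says why the empty-queue case may keep running and what happens to the elements the walk has not reached when it returns early; if it is not intended, dropping the `priv->to_free` condition would bound both cases.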
--
2.52.0