Cannot allocate memory delete table inet filter

All of lore.kernel.org
 help / color / mirror / Atom feed

* Cannot allocate memory delete table inet filter
@ 2025-06-25  8:00 Sven Auhagen
  2025-06-25 14:29 ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Sven Auhagen @ 2025-06-25  8:00 UTC (permalink / raw)
  To: netfilter-devel@vger.kernel.org; +Cc: Florian Westphal

Hi,

we do see on occasions that we get the following error message, more so on x86 systems than on arm64:

Error: Could not process rule: Cannot allocate memory delete table inet filter

It is not a consistent error and does not happen all the time.
We are on Kernel 6.6.80, seems to me like we have something along the lines of the nf_tables: allow clone callbacks to sleep problem using GFP_ATOMIC.

Do you have any idea what I can try out/look at?

Best and thanks
Sven

**********************************************************************
DISCLAIMER:
Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Cannot allocate memory delete table inet filter
  2025-06-25  8:00 Cannot allocate memory delete table inet filter Sven Auhagen
@ 2025-06-25 14:29 ` Florian Westphal
  2025-06-25 14:51   ` Sven Auhagen
  2025-07-01 21:49   ` Florian Westphal
  0 siblings, 2 replies; 7+ messages in thread
From: Florian Westphal @ 2025-06-25 14:29 UTC (permalink / raw)
  To: Sven Auhagen; +Cc: netfilter-devel@vger.kernel.org

Sven Auhagen <Sven.Auhagen@belden.com> wrote:
> we do see on occasions that we get the following error message, more so on x86 systems than on arm64:
> 
> Error: Could not process rule: Cannot allocate memory delete table inet filter
> 
> It is not a consistent error and does not happen all the time.
> We are on Kernel 6.6.80, seems to me like we have something along the lines of the nf_tables: allow clone callbacks to sleep problem using GFP_ATOMIC.

Yes, set element deletion (flushing) requires atomic (non-sleepable)
allocations.

> Do you have any idea what I can try out/look at?

Do you have large sets? (I suspect yes).

As for a solution, I can see two:
1). Leverage what nft_set_pipapo.c is doing and extend
    this for all sets that could use the same solution.
    The .walk callback for pipapo doesn't need/use rcu read locks,
    and could use sleepable allocations.
    all set types except rhashtable could follow this.

    Then, we'd just need a way for the generic flush code to
    see that the walk callback can sleep (e.g. by annotation in
    set_ops).

    Upside: Clean and straightforward solution.
    Downside: won't work for rhashtable which runs under
    rcu read lock protection.
 2). Preallocate transaction elements before calling .walk
     in nft_set_flush(), based on set->nelems.

2) is a bit more (w)hacky but it would work for all set types.
And I could be wrong and the alloc problem isn't related to
nft_set_flush.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Cannot allocate memory delete table inet filter
  2025-06-25 14:29 ` Florian Westphal
@ 2025-06-25 14:51   ` Sven Auhagen
  2025-07-01  8:15     ` Sven Auhagen
  2025-07-01 21:49   ` Florian Westphal
  1 sibling, 1 reply; 7+ messages in thread
From: Sven Auhagen @ 2025-06-25 14:51 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel@vger.kernel.org

Thanks, I checked and this setup has a lot of sets and some of them have 100-200 entries.
When I clear all the sets I never have the error.
The nft_set_flush must be the reason.

I think 2. is the general solution that should work for all cases then.
I will have a look into that.

Best
Sven

Sven Auhagen <Sven.Auhagen@belden.com> wrote:
> we do see on occasions that we get the following error message, more so on x86 systems than on arm64:
> 
> Error: Could not process rule: Cannot allocate memory delete table inet filter
> 
> It is not a consistent error and does not happen all the time.
> We are on Kernel 6.6.80, seems to me like we have something along the lines of the nf_tables: allow clone callbacks to sleep problem using GFP_ATOMIC.

Yes, set element deletion (flushing) requires atomic (non-sleepable)
allocations.

> Do you have any idea what I can try out/look at?

Do you have large sets? (I suspect yes).

As for a solution, I can see two:
1). Leverage what nft_set_pipapo.c is doing and extend
    this for all sets that could use the same solution.
    The .walk callback for pipapo doesn't need/use rcu read locks,
    and could use sleepable allocations.
    all set types except rhashtable could follow this.

    Then, we'd just need a way for the generic flush code to
    see that the walk callback can sleep (e.g. by annotation in
    set_ops).

    Upside: Clean and straightforward solution.
    Downside: won't work for rhashtable which runs under
    rcu read lock protection.
 2). Preallocate transaction elements before calling .walk
     in nft_set_flush(), based on set->nelems.

2) is a bit more (w)hacky but it would work for all set types.
And I could be wrong and the alloc problem isn't related to
nft_set_flush.

**********************************************************************
DISCLAIMER:
Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Cannot allocate memory delete table inet filter
  2025-06-25 14:51   ` Sven Auhagen
@ 2025-07-01  8:15     ` Sven Auhagen
  2025-07-01 10:48       ` Florian Westphal
  0 siblings, 1 reply; 7+ messages in thread
From: Sven Auhagen @ 2025-07-01  8:15 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel@vger.kernel.org

One question regarding option 2.
Don't I need to rcu read lock the nft_set_flush now because when I preallocate the transaction I need to make sure that the nelems do not change before doing the walk?

Best
Sven

________________________________________
From: Sven Auhagen <Sven.Auhagen@belden.com>
Sent: Wednesday, June 25, 2025 4:51 PM
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org <netfilter-devel@vger.kernel.org>
Subject: Re: Cannot allocate memory delete table inet filter

Thanks, I checked and this setup has a lot of sets and some of them have 100-200 entries.
When I clear all the sets I never have the error.
The nft_set_flush must be the reason.

I think 2. is the general solution that should work for all cases then.
I will have a look into that.

Best
Sven

Sven Auhagen <Sven.Auhagen@belden.com> wrote:
> we do see on occasions that we get the following error message, more so on x86 systems than on arm64:
>
> Error: Could not process rule: Cannot allocate memory delete table inet filter
>
> It is not a consistent error and does not happen all the time.
> We are on Kernel 6.6.80, seems to me like we have something along the lines of the nf_tables: allow clone callbacks to sleep problem using GFP_ATOMIC.

Yes, set element deletion (flushing) requires atomic (non-sleepable)
allocations.

> Do you have any idea what I can try out/look at?

Do you have large sets? (I suspect yes).

As for a solution, I can see two:
1). Leverage what nft_set_pipapo.c is doing and extend
    this for all sets that could use the same solution.
    The .walk callback for pipapo doesn't need/use rcu read locks,
    and could use sleepable allocations.
    all set types except rhashtable could follow this.

    Then, we'd just need a way for the generic flush code to
    see that the walk callback can sleep (e.g. by annotation in
    set_ops).

    Upside: Clean and straightforward solution.
    Downside: won't work for rhashtable which runs under
    rcu read lock protection.
 2). Preallocate transaction elements before calling .walk
     in nft_set_flush(), based on set->nelems.

2) is a bit more (w)hacky but it would work for all set types.
And I could be wrong and the alloc problem isn't related to
nft_set_flush.

**********************************************************************
DISCLAIMER:
Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Cannot allocate memory delete table inet filter
  2025-07-01  8:15     ` Sven Auhagen
@ 2025-07-01 10:48       ` Florian Westphal
  0 siblings, 0 replies; 7+ messages in thread
From: Florian Westphal @ 2025-07-01 10:48 UTC (permalink / raw)
  To: Sven Auhagen; +Cc: netfilter-devel@vger.kernel.org

Sven Auhagen <Sven.Auhagen@belden.com> wrote:
> One question regarding option 2.
> Don't I need to rcu read lock the nft_set_flush now because when I preallocate the transaction I need to make sure that the nelems do not change before doing the walk?

rcu read lock won't make nelems stable either.

The preallocation can fall short (nelems increased) or
it can have leftover elements (if elements timed out or
were deleted) after the walk.

So, no, you don't need to hold the rcu read lock, but
you can't rely on nelems remaining stable.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Cannot allocate memory delete table inet filter
  2025-06-25 14:29 ` Florian Westphal
  2025-06-25 14:51   ` Sven Auhagen
@ 2025-07-01 21:49   ` Florian Westphal
  2025-07-02  3:51     ` Sven Auhagen
  1 sibling, 1 reply; 7+ messages in thread
From: Florian Westphal @ 2025-07-01 21:49 UTC (permalink / raw)
  To: Sven Auhagen; +Cc: netfilter-devel@vger.kernel.org

Florian Westphal <fw@strlen.de> wrote:
> 1). Leverage what nft_set_pipapo.c is doing and extend
>     this for all sets that could use the same solution.
>     The .walk callback for pipapo doesn't need/use rcu read locks,
>     and could use sleepable allocations.
>     all set types except rhashtable could follow this.

FWIW I'm exploring a change to nft_set_hash to avoid the rcu read lock
when calling ->iter() for rhashtable.

If it works, this would allow to just replace the GFP_ATOMIC with GFP_KERNEL.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Cannot allocate memory delete table inet filter
  2025-07-01 21:49   ` Florian Westphal
@ 2025-07-02  3:51     ` Sven Auhagen
  0 siblings, 0 replies; 7+ messages in thread
From: Sven Auhagen @ 2025-07-02  3:51 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel@vger.kernel.org

That would be great.
I implemented a version of 2. also and will test it today.

I preallocate the transaction elements before the walk and just allocate more atomically if the nelems changed.
This should be enough to preallocate the majority of transaction elems beforehand.

Florian Westphal <fw@strlen.de> wrote:
> 1). Leverage what nft_set_pipapo.c is doing and extend
>     this for all sets that could use the same solution.
>     The .walk callback for pipapo doesn't need/use rcu read locks,
>     and could use sleepable allocations.
>     all set types except rhashtable could follow this.

FWIW I'm exploring a change to nft_set_hash to avoid the rcu read lock
when calling ->iter() for rhashtable.

If it works, this would allow to just replace the GFP_ATOMIC with GFP_KERNEL.

**********************************************************************
DISCLAIMER:
Privileged and/or Confidential information may be contained in this message. If you are not the addressee of this message, you may not copy, use or deliver this message to anyone. In such event, you should destroy the message and kindly notify the sender by reply e-mail. It is understood that opinions or conclusions that do not relate to the official business of the company are neither given nor endorsed by the company. Thank You.

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2025-07-02  4:23 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-25  8:00 Cannot allocate memory delete table inet filter Sven Auhagen
2025-06-25 14:29 ` Florian Westphal
2025-06-25 14:51   ` Sven Auhagen
2025-07-01  8:15     ` Sven Auhagen
2025-07-01 10:48       ` Florian Westphal
2025-07-01 21:49   ` Florian Westphal
2025-07-02  3:51     ` Sven Auhagen

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.