From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: Brian Witte <brianwitte@mailfence.com>,
	kadlec@netfilter.org, netfilter-devel@vger.kernel.org,
	syzbot+ff16b505ec9152e5f448@syzkaller.appspotmail.com
Subject: Re: [PATCH v4 nf-next 2/2] netfilter: nf_tables: serialize reset with spinlock and atomic
Date: Wed, 4 Feb 2026 22:42:22 +0100
Message-ID: <aYO9PrZ1Vx1dHu6-@chamomile>
In-Reply-To: <aYOLBSdHzVUHLPXR@strlen.de>

On Wed, Feb 04, 2026 at 07:08:05PM +0100, Florian Westphal wrote:
> Brian Witte <brianwitte@mailfence.com> wrote:
> > On Mon, Feb 03, 2026 at 11:19:46PM +0100, Pablo Neira Ayuso wrote:
> > > Maybe this so it covers for get and dump path?
> > >
> > > static struct nftables_pernet *nft_pernet_from_nlskb(const struct sk_buff *skb)
> > > {
> > >         struct sock *sk = skb->sk ? : NETLINK_CB(skb).sk;
> > >
> > >         return nft_pernet(sock_net(sk));
> > > }
> > >
> > > in case it is worth to skip the unique nft_counter_lock below.
> > 
> > I have v5 ready with Florian's global DEFINE_SPINLOCK approach:
> > split into 3 patches (revert, counter spinlock, quota atomic64_xchg),
> > with nft_counter_fetch_and_reset() wrapping fetch+reset under the
> > lock so parallel resets can't both read the same values. Tested and
> > working.
> 
> Thanks.
> 
> > Before I send: should I go with the global spinlock, or would you
> > prefer the per-net lock via nft_pernet_from_nlskb()? Happy to do
> > either.
> 
> I don't think the nft_pernet_from_nlskb() will work as-is, for the
> get requests the target skb is allocated via alloc_skb() and I don't
> think the control block is initialised to hold the origin netlink query
> sk.

This is the GET path:

static int netlink_unicast_kernel(struct sock *sk, struct sk_buff *skb,
                                  struct sock *ssk)
{
        int ret;
        struct netlink_sock *nlk = nlk_sk(sk);
 
        ret = -ECONNREFUSED;
        if (nlk->netlink_rcv != NULL) {
                ret = skb->len;
                atomic_add(skb->truesize, &sk->sk_rmem_alloc);
                netlink_skb_set_owner_r(skb, sk);
                NETLINK_CB(skb).sk = ssk; <---------------------
                netlink_deliver_tap_kernel(sk, ssk, skb);
                nlk->netlink_rcv(skb);
                consume_skb(skb);
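
Added example, not part of the message above and not code from the patch series or the kernel: a deterministic userspace replay of the double read that the quoted v5 description says nft_counter_fetch_and_reset() prevents. A pthread mutex stands in for the spinlock, every struct and function name except that one is hypothetical, and the model assumes a reset subtracts the total its caller fetched.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed userspace model; every name in it is hypothetical. */
struct counter { uint64_t packets; };
struct result { uint64_t reported, left; };
static pthread_mutex_t reset_lock = PTHREAD_MUTEX_INITIALIZER; /* spinlock stand-in */

/* Model assumption: a reset subtracts the total its caller fetched. */
static void ctr_reset(struct counter *c, uint64_t seen) { c->packets -= seen; }

/* Requests A and B: B's fetch lands between A's fetch and A's reset. */
static struct result unserialized_resets(uint64_t start)
{
	struct counter c = { start };
	uint64_t a = c.packets;
	uint64_t b = c.packets;		/* same value A already read */
	ctr_reset(&c, a);
	ctr_reset(&c, b);		/* subtracted a second time */
	return (struct result){ a + b, c.packets };
}

/* Fetch and reset inside one critical section. */
static uint64_t ctr_fetch_and_reset(struct counter *c)
{
	pthread_mutex_lock(&reset_lock);
	uint64_t seen = c->packets;
	ctr_reset(c, seen);
	pthread_mutex_unlock(&reset_lock);
	return seen;
}

/* The same two requests, each going through the locked helper. */
static struct result serialized_resets(uint64_t start)
{
	struct counter c = { start };
	uint64_t a = ctr_fetch_and_reset(&c), b = ctr_fetch_and_reset(&c);
	return (struct result){ a + b, c.packets };
}

int main(void)
{
	printf("unserialized=%llu serialized=%llu\n",
	       (unsigned long long)unserialized_resets(100).reported,
	       (unsigned long long)serialized_resets(100).reported);
	return 0;
}
```

In the unserialized replay both requests report the full count and the stored value wraps below zero; with the locked helper the second request sees an already-reset counter.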

Thread overview: 8+ messages
2026-02-03  5:07 [PATCH v4 nf-next 0/2] netfilter: nf_tables: fix reset request deadlock Brian Witte
2026-02-03  5:07 ` [PATCH v4 nf-next 1/2] Revert nf_tables commit_mutex in reset path Brian Witte
2026-02-03  5:07 ` [PATCH v4 nf-next 2/2] netfilter: nf_tables: serialize reset with spinlock and atomic Brian Witte
2026-02-03 12:51   ` Florian Westphal
2026-02-03 22:19     ` Pablo Neira Ayuso
2026-02-04 17:58       ` Brian Witte
2026-02-04 18:08         ` Florian Westphal
2026-02-04 21:42           ` Pablo Neira Ayuso [this message]
