From: Florian Westphal <fw@strlen.de>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Miller <davem@davemloft.net>,
fw@strlen.de, netdev@vger.kernel.org, Thomas Graf <tgraf@suug.ch>
Subject: Re: rhashtable - Cap total number of entries to 2^31
Date: Thu, 27 Apr 2017 12:11:34 +0200 [thread overview]
Message-ID: <20170427101134.GB448@breakpoint.cc> (raw)
In-Reply-To: <20170427054451.GA529@gondor.apana.org.au>
Herbert Xu <herbert@gondor.apana.org.au> wrote:
> On Tue, Apr 25, 2017 at 10:48:22AM -0400, David Miller wrote:
> > From: Florian Westphal <fw@strlen.de>
> > Date: Tue, 25 Apr 2017 16:17:49 +0200
> >
> > > I'd have less of an issue with this if we'd be talking about
> > > something computationally expensive, but this is about storing
> > > an extra value inside a struct just to avoid one "shr" in insert path...
> >
> > Agreed, this shift is probably filling an available cpu cycle :-)
>
> OK, but we need to have an extra field for another reason anyway.
> The problem is that we're not capping the total number of elements
> in the hashtable when max_size is not set, this means that nelems
> can overflow which will cause havoc with the automatic shrinking
> when it tries to fit 2^32 entries into a minimum-sized table.
Right, good catch.
I guess eventually we should get rid of min_size and max_size
completely as parameters and keep actual sizing/bucket count internal to
rhashtable.
In fact I would not be surprised if some existing users did set
max_size under assumption it is a 'max element count'.
> ---8<---
> When max_size is not set or if it set to a sufficiently large
> value, the nelems counter can overflow. This would cause havoc
> with the automatic shrinking as it would then attempt to fit a
> huge number of entries into a tiny hash table.
>
> This patch fixes this by adding max_elems to struct rhashtable
> to cap the number of elements. This is set to 2^31 as nelems is
> not a precise count. This is sufficiently smaller than UINT_MAX
> that it should be safe.
>
> When max_size is set max_elems will be lowered to at most twice
> max_size as is the status quo.
>
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
[..]
> diff --git a/include/linux/rhashtable.h b/include/linux/rhashtable.h
> @@ -165,6 +166,7 @@ struct rhashtable {
> atomic_t nelems;
> unsigned int key_len;
> struct rhashtable_params p;
> + unsigned int max_elems;
> bool rhlist;
> struct work_struct run_work;
> struct mutex mutex;
> @@ -327,8 +329,7 @@ static inline bool rht_grow_above_100(const struct rhashtable *ht,
> static inline bool rht_grow_above_max(const struct rhashtable *ht,
> const struct bucket_table *tbl)
> {
> - return ht->p.max_size &&
> - (atomic_read(&ht->nelems) / 2u) >= ht->p.max_size;
> + return atomic_read(&ht->nelems) >= ht->max_elems;
> }
>
> /* The bucket lock is selected based on the hash and protects mutations
> diff --git a/lib/rhashtable.c b/lib/rhashtable.c
> index f3b82e0..751630b 100644
> --- a/lib/rhashtable.c
> +++ b/lib/rhashtable.c
> @@ -961,6 +961,11 @@ int rhashtable_init(struct rhashtable *ht,
> if (params->max_size)
> ht->p.max_size = rounddown_pow_of_two(params->max_size);
>
> + /* Cap total entries at 2^31 to avoid nelems overflow. */
> + ht->max_elems = 1u << 31;
> + if (ht->p.max_size < ht->max_elems / 2)
> + ht->max_elems = ht->p.max_size * 2;
> +
Looks like instead of adding this max_elems you could instead have fixed this via
if (!ht->p.max_size)
ht->p.max_size = INT_MAX / 2;
if (ht->p.max_size > INT_MAX / 2)
return -EINVAL;
next prev parent reply other threads:[~2017-04-27 10:11 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-04-25 9:41 [PATCH net-next] rhashtable: remove insecure_max_entries param Florian Westphal
2017-04-25 11:04 ` Herbert Xu
2017-04-25 11:23 ` Florian Westphal
2017-04-25 13:28 ` Herbert Xu
2017-04-25 14:17 ` Florian Westphal
2017-04-25 14:48 ` David Miller
2017-04-27 5:44 ` rhashtable - Cap total number of entries to 2^31 Herbert Xu
2017-04-27 10:11 ` Florian Westphal [this message]
2017-04-27 10:13 ` Herbert Xu
2017-04-27 15:48 ` David Miller
2017-04-27 21:16 ` Florian Fainelli
2017-04-27 22:21 ` Florian Fainelli
2017-04-27 22:28 ` [PATCH net-next] rhashtable: Make sure max_size is non zero Florian Fainelli
2017-04-27 22:32 ` Florian Fainelli
2017-04-27 22:30 ` Florian Fainelli
2017-04-28 6:10 ` [PATCH net-next] rhashtable: Do not lower max_elems when max_size is zero Herbert Xu
2017-04-28 14:14 ` David Miller
2017-04-28 15:42 ` Florian Fainelli
2017-04-28 10:23 ` rhashtable - Cap total number of entries to 2^31 Christian Borntraeger
2017-04-28 11:31 ` Herbert Xu
2017-04-28 11:43 ` Christian Borntraeger
2017-04-28 2:10 ` [lkp-robot] [rhashtable ] df7008bdd5: Kernel_panic-not_syncing:rtnetlink_init:cannot_initialize_rtnetlink kernel test robot
2017-04-26 18:39 ` [PATCH net-next] rhashtable: remove insecure_max_entries param David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170427101134.GB448@breakpoint.cc \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).