* [PATCH v3 net-next 0/3] rtnetlink: RTNL avoidance in rtnl_getlink()
@ 2026-05-20 10:32 Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 1/3] rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list() Eric Dumazet
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Eric Dumazet @ 2026-05-20 10:32 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, David Ahern, netdev,
eric.dumazet, Eric Dumazet
Many shell scripts invoke iproute2 commands specifying a device by
its name.
This series improves their performance avoiding RTNL acquisition
for their (repeated) name->index conversion.
v3: insert patch 2/3 in the series (Jakub reported a KASAN splat)
Eric Dumazet (3):
rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list()
net: defer netdev_name_node_alt_flush() call to netdev_run_todo()
rtnetlink: do not acquire RTNL for RTM_GETLINK with
RTEXT_FILTER_NAME_ONLY
net/core/dev.c | 4 +--
net/core/rtnetlink.c | 86 ++++++++++++++++++++++++++++++--------------
2 files changed, 61 insertions(+), 29 deletions(-)
--
2.54.0.631.ge1b05301d1-goog
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v3 net-next 1/3] rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list()
2026-05-20 10:32 [PATCH v3 net-next 0/3] rtnetlink: RTNL avoidance in rtnl_getlink() Eric Dumazet
@ 2026-05-20 10:32 ` Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 2/3] net: defer netdev_name_node_alt_flush() call to netdev_run_todo() Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 3/3] rtnetlink: do not acquire RTNL for RTM_GETLINK with RTEXT_FILTER_NAME_ONLY Eric Dumazet
2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2026-05-20 10:32 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, David Ahern, netdev,
eric.dumazet, Eric Dumazet
Avoid corrupting a netlink message and confuse user space in the
very unlikely case rtnl_fill_prop_list was able to produce a very big
nested element.
This is extremely unlikely, because rtnl_prop_list_size()
provisions nla_total_size(ALTIFNAMSIZ) per altname.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/core/rtnetlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 6a5e9ace55a0880d7b1e4303d12dc0a8b8b7c5ed..ae0254f19178735b2805a8189e81a960a49b2858 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1971,7 +1971,9 @@ static int rtnl_fill_prop_list(struct sk_buff *skb,
if (ret <= 0)
goto nest_cancel;
- nla_nest_end(skb, prop_list);
+ if (nla_nest_end_safe(skb, prop_list) < 0)
+ goto nest_cancel;
+
return 0;
nest_cancel:
--
2.54.0.631.ge1b05301d1-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v3 net-next 2/3] net: defer netdev_name_node_alt_flush() call to netdev_run_todo()
2026-05-20 10:32 [PATCH v3 net-next 0/3] rtnetlink: RTNL avoidance in rtnl_getlink() Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 1/3] rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list() Eric Dumazet
@ 2026-05-20 10:32 ` Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 3/3] rtnetlink: do not acquire RTNL for RTM_GETLINK with RTEXT_FILTER_NAME_ONLY Eric Dumazet
2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2026-05-20 10:32 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, David Ahern, netdev,
eric.dumazet, Eric Dumazet
In the following patch, we want to call rtnl_fill_prop_list() without
RTNL being held, but after a device reference was taken.
We need to free altnames in netdev_run_todo() instead of
unregister_netdevice_many_notify().
Freeing will only happen once all device references
have been released.
Note that dev->name_node serves as the anchor for altnames,
thus must be also freed in netdev_run_todo().
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jakub Kicinski <kuba@kernel.org>
---
net/core/dev.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 26ac8eb9b259d489159c7ab5a2b206d425110b3b..2d795f3f569be00361809823fd3e59fb1871919c 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -11738,6 +11738,8 @@ void netdev_run_todo(void)
WARN_ON(rcu_access_pointer(dev->ip_ptr));
WARN_ON(rcu_access_pointer(dev->ip6_ptr));
+ netdev_name_node_alt_flush(dev);
+ netdev_name_node_free(dev->name_node);
netdev_do_free_pcpu_stats(dev);
if (dev->priv_destructor)
dev->priv_destructor(dev);
@@ -12451,8 +12453,6 @@ void unregister_netdevice_many_notify(struct list_head *head,
dev_uc_flush(dev);
dev_mc_flush(dev);
- netdev_name_node_alt_flush(dev);
- netdev_name_node_free(dev->name_node);
netdev_rss_contexts_free(dev);
--
2.54.0.631.ge1b05301d1-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v3 net-next 3/3] rtnetlink: do not acquire RTNL for RTM_GETLINK with RTEXT_FILTER_NAME_ONLY
2026-05-20 10:32 [PATCH v3 net-next 0/3] rtnetlink: RTNL avoidance in rtnl_getlink() Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 1/3] rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list() Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 2/3] net: defer netdev_name_node_alt_flush() call to netdev_run_todo() Eric Dumazet
@ 2026-05-20 10:32 ` Eric Dumazet
2 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2026-05-20 10:32 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, David Ahern, netdev,
eric.dumazet, Eric Dumazet
When RTEXT_FILTER_NAME_ONLY is requested, rtnl_fill_ifinfo()
is dumping device attributes which do not need RTNL protection.
Many shell scripts invoke iproute2 commands specifying a device by
its name. After this patch, they will no longer add RTNL pressure.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/core/rtnetlink.c | 82 ++++++++++++++++++++++++++++++--------------
1 file changed, 56 insertions(+), 26 deletions(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index ae0254f19178735b2805a8189e81a960a49b2858..587bb8bbc73d0b2075ca508a5537200f65f74594 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2068,7 +2068,6 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb,
struct nlmsghdr *nlh;
struct Qdisc *qdisc;
- ASSERT_RTNL();
nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ifm), flags);
if (nlh == NULL)
return -EMSGSIZE;
@@ -2091,6 +2090,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb,
if (ext_filter_mask & RTEXT_FILTER_NAME_ONLY)
goto end;
+ ASSERT_RTNL();
if (tgt_netnsid >= 0 &&
nla_put_s32(skb, IFLA_TARGET_NETNSID, tgt_netnsid))
goto nla_put_failure;
@@ -3468,6 +3468,21 @@ static struct net_device *rtnl_dev_get(struct net *net,
return __dev_get_by_name(net, ifname);
}
+static struct net_device *rtnl_dev_get_rcu(struct net *net,
+ struct nlattr *tb[])
+{
+ char ifname[ALTIFNAMSIZ];
+
+ if (tb[IFLA_IFNAME])
+ nla_strscpy(ifname, tb[IFLA_IFNAME], IFNAMSIZ);
+ else if (tb[IFLA_ALT_IFNAME])
+ nla_strscpy(ifname, tb[IFLA_ALT_IFNAME], ALTIFNAMSIZ);
+ else
+ return NULL;
+
+ return dev_get_by_name_rcu(net, ifname);
+}
+
static int rtnl_setlink(struct sk_buff *skb, struct nlmsghdr *nlh,
struct netlink_ext_ack *extack)
{
@@ -4187,14 +4202,15 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
struct netlink_ext_ack *extack)
{
struct net *net = sock_net(skb->sk);
+ struct nlattr *tb[IFLA_MAX + 1];
+ netdevice_tracker dev_tracker;
+ struct net_device *dev = NULL;
struct net *tgt_net = net;
+ u32 ext_filter_mask = 0;
struct ifinfomsg *ifm;
- struct nlattr *tb[IFLA_MAX+1];
- struct net_device *dev = NULL;
struct sk_buff *nskb;
int netnsid = -1;
int err;
- u32 ext_filter_mask = 0;
err = rtnl_valid_getlink_req(skb, nlh, tb, extack);
if (err < 0)
@@ -4214,43 +4230,56 @@ static int rtnl_getlink(struct sk_buff *skb, struct nlmsghdr *nlh,
if (tb[IFLA_EXT_MASK])
ext_filter_mask = nla_get_u32(tb[IFLA_EXT_MASK]);
- err = -EINVAL;
ifm = nlmsg_data(nlh);
- if (ifm->ifi_index > 0)
- dev = __dev_get_by_index(tgt_net, ifm->ifi_index);
- else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME])
- dev = rtnl_dev_get(tgt_net, tb);
- else
+ rcu_read_lock();
+ if (ifm->ifi_index > 0) {
+ dev = dev_get_by_index_rcu(tgt_net, ifm->ifi_index);
+ } else if (tb[IFLA_IFNAME] || tb[IFLA_ALT_IFNAME]) {
+ dev = rtnl_dev_get_rcu(tgt_net, tb);
+ } else {
+ rcu_read_unlock();
+ err = -EINVAL;
goto out;
+ }
+ netdev_hold(dev, &dev_tracker, GFP_ATOMIC);
+ rcu_read_unlock();
err = -ENODEV;
if (dev == NULL)
goto out;
+ if (!(ext_filter_mask & RTEXT_FILTER_NAME_ONLY)) {
+ rtnl_lock();
+ /* Synchronize the carrier state so we don't report a state
+ * that we're not actually going to honour immediately; if
+ * the driver just did a carrier off->on transition, we can
+ * only TX if link watch work has run, but without this we'd
+ * already report carrier on, even if it doesn't work yet.
+ */
+ linkwatch_sync_dev(dev);
+ }
+
err = -ENOBUFS;
nskb = nlmsg_new_large(if_nlmsg_size(dev, ext_filter_mask));
- if (nskb == NULL)
- goto out;
+ if (nskb)
+ err = rtnl_fill_ifinfo(nskb, dev, net,
+ RTM_NEWLINK, NETLINK_CB(skb).portid,
+ nlh->nlmsg_seq, 0, 0, ext_filter_mask,
+ 0, NULL, 0, netnsid, GFP_KERNEL);
- /* Synchronize the carrier state so we don't report a state
- * that we're not actually going to honour immediately; if
- * the driver just did a carrier off->on transition, we can
- * only TX if link watch work has run, but without this we'd
- * already report carrier on, even if it doesn't work yet.
- */
- linkwatch_sync_dev(dev);
+ if (!(ext_filter_mask & RTEXT_FILTER_NAME_ONLY))
+ rtnl_unlock();
- err = rtnl_fill_ifinfo(nskb, dev, net,
- RTM_NEWLINK, NETLINK_CB(skb).portid,
- nlh->nlmsg_seq, 0, 0, ext_filter_mask,
- 0, NULL, 0, netnsid, GFP_KERNEL);
if (err < 0) {
/* -EMSGSIZE implies BUG in if_nlmsg_size */
- WARN_ON(err == -EMSGSIZE);
+ WARN_ON_ONCE(err == -EMSGSIZE &&
+ !(ext_filter_mask & RTEXT_FILTER_NAME_ONLY));
kfree_skb(nskb);
- } else
+ } else {
err = rtnl_unicast(nskb, net, NETLINK_CB(skb).portid);
+ }
out:
+ netdev_put(dev, &dev_tracker);
if (netnsid >= 0)
put_net(tgt_net);
@@ -7116,7 +7145,8 @@ static const struct rtnl_msg_handler rtnetlink_rtnl_msg_handlers[] __initconst =
{.msgtype = RTM_DELLINK, .doit = rtnl_dellink,
.flags = RTNL_FLAG_DOIT_PERNET_WIP},
{.msgtype = RTM_GETLINK, .doit = rtnl_getlink,
- .dumpit = rtnl_dump_ifinfo, .flags = RTNL_FLAG_DUMP_SPLIT_NLM_DONE},
+ .dumpit = rtnl_dump_ifinfo,
+ .flags = RTNL_FLAG_DUMP_SPLIT_NLM_DONE | RTNL_FLAG_DOIT_UNLOCKED},
{.msgtype = RTM_SETLINK, .doit = rtnl_setlink,
.flags = RTNL_FLAG_DOIT_PERNET_WIP},
{.msgtype = RTM_GETADDR, .dumpit = rtnl_dump_all},
--
2.54.0.631.ge1b05301d1-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-20 10:32 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-20 10:32 [PATCH v3 net-next 0/3] rtnetlink: RTNL avoidance in rtnl_getlink() Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 1/3] rtnetlink: use nla_nest_end_safe() in rtnl_fill_prop_list() Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 2/3] net: defer netdev_name_node_alt_flush() call to netdev_run_todo() Eric Dumazet
2026-05-20 10:32 ` [PATCH v3 net-next 3/3] rtnetlink: do not acquire RTNL for RTM_GETLINK with RTEXT_FILTER_NAME_ONLY Eric Dumazet
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox