Re: [PATCH 1/1] netfilter: fix soft lockup when netlink adds new entries

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@vger.kernel.org, Zambo Marcell <marcell.zambo@gmail.com>
Subject: Re: [PATCH 1/1] netfilter: fix soft lockup when netlink adds new entries
Date: Tue, 21 Feb 2012 15:52:34 +0100	[thread overview]
Message-ID: <20120221145234.GB25826@1984> (raw)
In-Reply-To: <1329832437-8733-2-git-send-email-kadlec@blackhole.kfki.hu>

Hi Jozsef,

On Tue, Feb 21, 2012 at 02:53:57PM +0100, Jozsef Kadlecsik wrote:
> Marcell Zambo and Janos Farago noticed and reported that when
> new conntrack entries are added via netlink and the conntrack table
> gets full, soft lockup happens. This is because the nf_conntrack_lock
> is held while nf_conntrack_alloc is called, which is in turn wants
> to lock nf_conntrack_lock while evicting entries from the full table.

Good catch.

> The patch fixes the soft lockup with limiting the holding of the
> nf_conntrack_lock to the minimum, where it's absolutely required.

Still one issue, see below.

> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> ---
>  net/netfilter/nf_conntrack_netlink.c |   43 ++++++++++++---------------------
>  1 files changed, 16 insertions(+), 27 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 9307b03..cc70517 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1367,15 +1367,12 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
>  						    nf_ct_protonum(ct));
>  		if (helper == NULL) {
>  			rcu_read_unlock();
> -			spin_unlock_bh(&nf_conntrack_lock);
>  #ifdef CONFIG_MODULES
>  			if (request_module("nfct-helper-%s", helpname) < 0) {
> -				spin_lock_bh(&nf_conntrack_lock);
>  				err = -EOPNOTSUPP;
>  				goto err1;
>  			}
>  
> -			spin_lock_bh(&nf_conntrack_lock);
>  			rcu_read_lock();
>  			helper = __nf_conntrack_helper_find(helpname,
>  							    nf_ct_l3num(ct),
> @@ -1469,7 +1466,10 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
>  		tstamp->start = ktime_to_ns(ktime_get_real());
>  
>  	add_timer(&ct->timeout);
> +	spin_lock_bh(&nf_conntrack_lock);
>  	nf_conntrack_hash_insert(ct);
> +	nf_conntrack_get(&ct->ct_general);
> +	spin_unlock_bh(&nf_conntrack_lock);
>  	rcu_read_unlock();
>  
>  	return ct;
> @@ -1490,6 +1490,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
>  	struct nf_conntrack_tuple otuple, rtuple;
>  	struct nf_conntrack_tuple_hash *h = NULL;
>  	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
> +	struct nf_conn *ct;
>  	u_int8_t u3 = nfmsg->nfgen_family;
>  	u16 zone;
>  	int err;
> @@ -1512,25 +1513,22 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
>  
>  	spin_lock_bh(&nf_conntrack_lock);
>  	if (cda[CTA_TUPLE_ORIG])
> -		h = __nf_conntrack_find(net, zone, &otuple);
> +		h = nf_conntrack_find_get(net, zone, &otuple);
>  	else if (cda[CTA_TUPLE_REPLY])
> -		h = __nf_conntrack_find(net, zone, &rtuple);
> +		h = nf_conntrack_find_get(net, zone, &rtuple);
> +	spin_unlock_bh(&nf_conntrack_lock);

We still have to keep the lock for the update case. Otherwise we may
clash with one update from the kernel.

next prev parent reply	other threads:[~2012-02-21 14:52 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-02-21 13:53 [PATCH 0/1] netfilter: fix soft lockup when netlink adds new entries Jozsef Kadlecsik
2012-02-21 13:53 ` [PATCH 1/1] " Jozsef Kadlecsik
2012-02-21 14:52   ` Pablo Neira Ayuso [this message]
2012-02-21 15:06     ` Jozsef Kadlecsik
2012-02-21 15:20       ` Pablo Neira Ayuso
2012-02-23 10:12       ` Pablo Neira Ayuso
2012-02-23 12:43         ` Jozsef Kadlecsik
2012-02-23 15:46           ` Pablo Neira Ayuso
2012-02-23 20:44             ` Jozsef Kadlecsik
2012-02-24  1:24               ` Pablo Neira Ayuso
2012-02-24  6:44                 ` Eric Dumazet
2012-02-24 10:01                   ` Pablo Neira Ayuso
2012-02-24 10:11                     ` Jozsef Kadlecsik
2012-02-24 11:36                     ` Pablo Neira Ayuso
2012-02-24  8:06                 ` Jozsef Kadlecsik
2012-02-24  9:59                   ` Pablo Neira Ayuso
2012-02-24 10:09                     ` Jozsef Kadlecsik
2012-02-24 10:45                       ` Jozsef Kadlecsik
2012-02-24 11:18                         ` Pablo Neira Ayuso
2012-02-24 11:33                         ` Pablo Neira Ayuso
2012-02-24 17:05                           ` Jozsef Kadlecsik

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20120221145234.GB25826@1984 \
    --to=pablo@netfilter.org \
    --cc=kadlec@blackhole.kfki.hu \
    --cc=marcell.zambo@gmail.com \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).