From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 2/2] netfilter: conntrack: remove timer from ecache extension
Date: Tue, 10 Jun 2014 17:36:47 +0200 [thread overview]
Message-ID: <20140610153647.GC1970@breakpoint.cc> (raw)
In-Reply-To: <20140610145717.GA12398@localhost>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> I already told you, your patchset works in my testbed here.
>
> My only doubt still here is the need for the extra bit. I don't find
> the scenario that will trigger the problem yet. Some comments:
Its not obvious but you should be able to produce crashes in your
tests when you only look for dying-bit-not-set, however...
> > OR it can mean
> >
> > b) 'This conntrack is being allocated/setup as new connection, the
> > flag field was already cleared'.
>
> In this case, the conntrack is placed in the unconfirmed list or the
> hashes.
Not necessarily.
conntracks are placed on the dying list, when refcnt reaches zero
they're deleted from the dying list. But we could have picked it up
right before.
I *think* you're right in that we could avoid the extra bit if we hold
the dying list spinlock. Then, if we pick it up before removal, dying
bit is always set since no recycling can happen underneath.
> either a) release the entry whose event was already delivered or b)
> decrement the use counter.
>
> > I've found no way to tell these two conditions apart except via new bit.
>
> I believe the rule: "all dead conntracks have the dying bit set"
> always fulfills.
Looking at it again I think I need to rework the patch to use the appropriate
lock during traversal instead of rcu, as the dying list manipulation
routines don't use the _rcu versions for hlist manipulation anyway...
I'll send a v3 soon, after doing short sanity test.
Since 3.15 has been released already we should simply aim this patch for
3.17. No harm done.
Thanks for reviewing and testing!
prev parent reply other threads:[~2014-06-10 15:36 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-22 9:43 [PATCH -next] remove timer from ecache extension Florian Westphal
2014-05-22 9:43 ` [PATCH 1/2] netfilter: ctnetlink: only export whitelisted flags to userspace Florian Westphal
2014-05-22 9:43 ` [PATCH 2/2] netfilter: conntrack: remove timer from ecache extension Florian Westphal
2014-06-05 14:25 ` Pablo Neira Ayuso
2014-06-05 14:33 ` Pablo Neira Ayuso
2014-06-05 21:05 ` Florian Westphal
2014-06-05 14:56 ` Florian Westphal
2014-06-10 14:57 ` Pablo Neira Ayuso
2014-06-10 15:36 ` Florian Westphal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140610153647.GC1970@breakpoint.cc \
--to=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).