From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Alexey Perevalov <a.perevalov@samsung.com>
Cc: alexey.perevalov@hotmail.com, mathieu.poirier@linaro.org,
netfilter-devel@vger.kernel.org, kyungmin.park@samsung.com,
hs81.go@samsung.com
Subject: Re: [PATCH 1/2] netfilter: nfnetlink_acct: avoid using NFACCT_F_OVERQUOTA with bit helper funcitons
Date: Wed, 30 Jul 2014 18:31:33 +0200 [thread overview]
Message-ID: <20140730163133.GB6018@salvia> (raw)
In-Reply-To: <1406733475-5222-2-git-send-email-a.perevalov@samsung.com>
On Wed, Jul 30, 2014 at 07:17:54PM +0400, Alexey Perevalov wrote:
> Bit helper functions were used for manipulation with NFACCT_F_OVERQUOTA,
> but they are accepting pit position, but not a bit mask. As a result
> not a third bit for NFACCT_F_OVERQUOTA was set, but forth. Such
> behaviour was dangarous and could lead to unexpected overquota report
> result.
>
> Signed-off-by: Alexey Perevalov <a.perevalov@samsung.com>
> ---
> net/netfilter/nfnetlink_acct.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
> index 2baa125..127d24e 100644
> --- a/net/netfilter/nfnetlink_acct.c
> +++ b/net/netfilter/nfnetlink_acct.c
> @@ -77,7 +77,7 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
> smp_mb__before_atomic();
> /* reset overquota flag if quota is enabled. */
> if ((matching->flags & NFACCT_F_QUOTA))
> - clear_bit(NFACCT_F_OVERQUOTA, &matching->flags);
> + matching->flags &= ~NFACCT_F_OVERQUOTA;
> return 0;
> }
> return -EBUSY;
> @@ -148,7 +148,7 @@ nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
> bytes = atomic64_xchg(&acct->bytes, 0);
> smp_mb__before_atomic();
> if (acct->flags & NFACCT_F_QUOTA)
> - clear_bit(NFACCT_F_OVERQUOTA, &acct->flags);
> + acct->flags &= ~NFACCT_F_OVERQUOTA;
> } else {
> pkts = atomic64_read(&acct->pkts);
> bytes = atomic64_read(&acct->bytes);
> @@ -411,8 +411,8 @@ int nfnl_acct_overquota(const struct sk_buff *skb, struct nf_acct *nfacct)
>
> ret = now > *quota;
>
> - if (now >= *quota &&
> - !test_and_set_bit(NFACCT_F_OVERQUOTA, &nfacct->flags)) {
We cannot do this. The aim of that code it to avoid to deliver several
overquota notification when several cpus are racing to update the
counters and check if they have go over the quota.
I think you have to define NFACCT_F_*_BIT and use it from the bitwise
functions to fix this. You can define these in:
include/uapi/linux/netfilter/nfnetlink_acct.h
And use them to define the enum nfnl_acct_flags.
Thanks.
next prev parent reply other threads:[~2014-07-30 16:31 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-30 15:17 [PATCH 0/2] fixes for NFACCT_F_OVERQUOTA usage Alexey Perevalov
2014-07-30 15:17 ` [PATCH 1/2] netfilter: nfnetlink_acct: avoid using NFACCT_F_OVERQUOTA with bit helper funcitons Alexey Perevalov
2014-07-30 16:31 ` Pablo Neira Ayuso [this message]
2014-07-31 13:14 ` [PATCH V2] " Alexey Perevalov
2014-07-31 18:44 ` Pablo Neira Ayuso
2014-07-30 15:17 ` [PATCH 2/2] netfilter: nfnetlink_acct: dump unmodified nfacct flags Alexey Perevalov
2014-07-30 16:25 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140730163133.GB6018@salvia \
--to=pablo@netfilter.org \
--cc=a.perevalov@samsung.com \
--cc=alexey.perevalov@hotmail.com \
--cc=hs81.go@samsung.com \
--cc=kyungmin.park@samsung.com \
--cc=mathieu.poirier@linaro.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).