From: Florian Westphal <fw@strlen.de>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Florian Westphal <fw@strlen.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Lameter <cl@linux.com>,
Andrey Ryabinin <aryabinin@virtuozzo.com>,
Theodore Ts'o <tytso@mit.edu>, Jan Kara <jack@suse.com>,
linux-ext4@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
David Miller <davem@davemloft.net>,
NetFilter <netfilter-devel@vger.kernel.org>,
coreteam@netfilter.org,
Network Development <netdev@vger.kernel.org>,
Gerrit Renker <gerrit@erg.abdn.ac.uk>,
dccp@vger.kernel.org, Jani Nikula <jani.nikula@linux.intel.com>,
Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
Rodrigo Vivi <rodrigo.vivi@intel.com>,
Dave Airlie <airlied@linux.ie>,
Subject: Re: SLAB_TYPESAFE_BY_RCU without constructors (was Re: [PATCH v4 13/17] khwasan: add hooks implementation)
Date: Wed, 1 Aug 2018 13:40:48 +0200 [thread overview]
Message-ID: <20180801114048.ufkr7zwmir7ps3vl@breakpoint.cc> (raw)
In-Reply-To: <CACT4Y+aHWpgDZygXv=smWwdVMWfjpedyajuVvvLDGMK-wFD5Lw@mail.gmail.com>
Dmitry Vyukov <dvyukov@google.com> wrote:
> On Wed, Aug 1, 2018 at 12:35 PM, Florian Westphal <fw@strlen.de> wrote:
> > Dmitry Vyukov <dvyukov@google.com> wrote:
> >> Still can't grasp all details.
> >> There is state that we read without taking ct->ct_general.use ref
> >> first, namely ct->state and what's used by nf_ct_key_equal.
> >> So let's say the entry we want to find is in the list, but
> >> ____nf_conntrack_find finds a wrong entry earlier because all state it
> >> looks at is random garbage, so it returns the wrong entry to
> >> __nf_conntrack_find_get.
> >
> > If an entry can be found, it can't be random garbage.
> > We never link entries into global table until state has been set up.
>
> But... we don't hold a reference to the entry. So say it's in the
> table with valid state, now ____nf_conntrack_find discovers it, now
> the entry is removed and reused a dozen of times will all associated
> state reinitialization. And nf_ct_key_equal looks at it concurrently
> and decides if it's the entry we are looking for or now. I think
> unless we hold a ref to the entry, it's state needs to be considered
> random garbage for correctness reasoning.
It checks if it might be the entry we're looking for.
If this was complete random garbage, scheme would not work, as then
we could have entry that isn't in table, has nonzero refcount, but
has its confirmed bit set.
I don't see how that would be possible, any reallocation
makes sure ct->status has CONFIRMED bit clear before setting refcount
to nonzero value.
I think this is the scenario you hint at is:
1. nf_ct_key_equal is true
2. the entry is free'd (or was already free'd)
3. we return NULL to caller due to atomic_inc_not_zero() failure
but i fail to see how thats wrong?
Sure, we could restart lookup but how would that help?
We'd not find the 'candidate' entry again.
We might find entry that has been inserted at this very instant but
newly allocated entries are only inserted into global table until the skb that
created the nf_conn object has made it through the network stack
(postrouting for fowarded, or input for local delivery).
So, the likelyhood of such restart finding another candidate is close to 0,
and won't prevent 'insert race' from happening.
next prev parent reply other threads:[~2018-08-01 11:40 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-31 17:01 SLAB_TYPESAFE_BY_RCU without constructors (was Re: [PATCH v4 13/17] khwasan: add hooks implementation) Andrey Ryabinin
2018-07-31 17:09 ` Florian Westphal
2018-07-31 17:32 ` Eric Dumazet
2018-07-31 17:36 ` Christopher Lameter
2018-07-31 17:41 ` Eric Dumazet
2018-07-31 17:51 ` Dmitry Vyukov
2018-07-31 18:16 ` Eric Dumazet
2018-07-31 17:49 ` Linus Torvalds
2018-07-31 18:51 ` Linus Torvalds
2018-08-01 8:46 ` Dmitry Vyukov
2018-08-01 9:10 ` Dmitry Vyukov
2018-08-01 10:35 ` Florian Westphal
2018-08-01 10:41 ` Dmitry Vyukov
2018-08-01 11:40 ` Florian Westphal [this message]
2018-08-01 12:38 ` Dmitry Vyukov
2018-08-01 13:46 ` Florian Westphal
2018-08-01 13:52 ` Dmitry Vyukov
2018-08-06 20:20 ` Jan Kara
2018-08-01 9:03 ` Andrey Ryabinin
2018-08-01 10:23 ` Eric Dumazet
2018-08-01 10:34 ` Dmitry Vyukov
2018-08-01 11:28 ` Eric Dumazet
2018-08-01 11:35 ` Dmitry Vyukov
2018-08-01 15:15 ` Christopher Lameter
2018-08-01 15:37 ` Eric Dumazet
2018-08-01 15:51 ` Misuse of constructors Matthew Wilcox
2018-08-01 15:53 ` SLAB_TYPESAFE_BY_RCU without constructors (was Re: [PATCH v4 13/17] khwasan: add hooks implementation) Dmitry Vyukov
2018-08-01 16:22 ` Christopher Lameter
2018-08-01 16:25 ` Eric Dumazet
2018-08-01 16:47 ` Dmitry Vyukov
2018-08-01 17:18 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180801114048.ufkr7zwmir7ps3vl@breakpoint.cc \
--to=fw@strlen.de \
--cc=airlied@linux.ie \
--cc=aryabinin@virtuozzo.com \
--cc=cl@linux.com \
--cc=coreteam@netfilter.org \
--cc=davem@davemloft.net \
--cc=dccp@vger.kernel.org \
--cc=dvyukov@google.com \
--cc=gerrit@erg.abdn.ac.uk \
--cc=gregkh@linuxfoundation.org \
--cc=jack@suse.com \
--cc=jani.nikula@linux.intel.com \
--cc=joonas.lahtinen@linux.intel.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=linux-ext4@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=rodrigo.vivi@intel.com \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).