From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org, netfilter-devel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Florian Westphal <fw@strlen.de>
Subject: [PATCH 4.19 174/213] netfilter: nf_tables: defer gc run if previous batch is still pending
Date: Thu, 13 Jun 2024 13:33:42 +0200 [thread overview]
Message-ID: <20240613113234.694621487@linuxfoundation.org> (raw)
In-Reply-To: <20240613113227.969123070@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit 8e51830e29e12670b4c10df070a4ea4c9593e961 upstream.
Don't queue more gc work, else we may queue the same elements multiple
times.
If an element is flagged as dead, this can mean that either the previous
gc request was invalidated/discarded by a transaction or that the previous
request is still pending in the system work queue.
The latter will happen if the gc interval is set to a very low value,
e.g. 1ms, and system work queue is backlogged.
The sets refcount is 1 if no previous gc requeusts are queued, so add
a helper for this and skip gc run if old requests are pending.
Add a helper for this and skip the gc run in this case.
Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/netfilter/nf_tables.h | 5 +++++
net/netfilter/nft_set_hash.c | 3 +++
net/netfilter/nft_set_rbtree.c | 3 +++
3 files changed, 11 insertions(+)
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -445,6 +445,11 @@ static inline void *nft_set_priv(const s
return (void *)set->data;
}
+static inline bool nft_set_gc_is_pending(const struct nft_set *s)
+{
+ return refcount_read(&s->refs) != 1;
+}
+
static inline struct nft_set *nft_set_container_of(const void *priv)
{
return (void *)priv - offsetof(struct nft_set, data);
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -304,6 +304,9 @@ static void nft_rhash_gc(struct work_str
nft_net = net_generic(net, nf_tables_net_id);
gc_seq = READ_ONCE(nft_net->gc_seq);
+ if (nft_set_gc_is_pending(set))
+ goto done;
+
gc = nft_trans_gc_alloc(set, gc_seq, GFP_KERNEL);
if (!gc)
goto done;
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -618,6 +618,9 @@ static void nft_rbtree_gc(struct work_st
nft_net = net_generic(net, nf_tables_net_id);
gc_seq = READ_ONCE(nft_net->gc_seq);
+ if (nft_set_gc_is_pending(set))
+ goto done;
+
gc = nft_trans_gc_alloc(set, gc_seq, GFP_KERNEL);
if (!gc)
goto done;
next prev parent reply other threads:[~2024-06-13 11:44 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20240613113227.969123070@linuxfoundation.org>
2024-06-13 11:33 ` [PATCH 4.19 159/213] netfilter: nf_tables: pass context to nft_set_destroy() Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 160/213] netfilter: nftables: rename set element data activation/deactivation functions Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 161/213] netfilter: nf_tables: drop map element references from preparation phase Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 162/213] netfilter: nft_set_rbtree: allow loose matching of closing element in interval Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 163/213] netfilter: nft_set_rbtree: Add missing expired checks Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 164/213] netfilter: nft_set_rbtree: Switch to node list walk for overlap detection Greg Kroah-Hartman
2024-07-01 20:51 ` Ben Hutchings
2024-07-01 21:48 ` Pablo Neira Ayuso
2024-07-01 21:52 ` Pablo Neira Ayuso
2024-07-01 22:02 ` Ben Hutchings
2024-06-13 11:33 ` [PATCH 4.19 165/213] netfilter: nft_set_rbtree: fix null deref on element insertion Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 166/213] netfilter: nft_set_rbtree: fix overlap expiration walk Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 167/213] netfilter: nf_tables: dont skip expired elements during walk Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 168/213] netfilter: nf_tables: GC transaction API to avoid race with control plane Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 169/213] netfilter: nf_tables: adapt set backend to use GC transaction API Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 170/213] netfilter: nf_tables: remove busy mark and gc batch API Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 171/213] netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 172/213] netfilter: nf_tables: GC transaction race with netns dismantle Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 173/213] netfilter: nf_tables: GC transaction race with abort path Greg Kroah-Hartman
2024-06-13 11:33 ` Greg Kroah-Hartman [this message]
2024-06-13 11:33 ` [PATCH 4.19 175/213] netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 176/213] netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 177/213] netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 178/213] netfilter: nf_tables: fix memleak when more than 255 elements expired Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 179/213] netfilter: nf_tables: unregister flowtable hooks on netns exit Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 180/213] netfilter: nf_tables: double hook unregistration in netns path Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 181/213] netfilter: nftables: update table flags from the commit phase Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 182/213] netfilter: nf_tables: fix table flag updates Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 183/213] netfilter: nf_tables: disable toggling dormant table state more than once Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 184/213] netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 4.19) Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 185/213] netfilter: nft_dynset: fix timeouts later than 23 days Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 186/213] netfilter: nftables: exthdr: fix 4-byte stack OOB write Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 187/213] netfilter: nft_dynset: report EOPNOTSUPP on missing set feature Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 188/213] netfilter: nft_dynset: relax superfluous check on set updates Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 189/213] netfilter: nf_tables: mark newset as dead on transaction abort Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 190/213] netfilter: nf_tables: skip dead set elements in netlink dump Greg Kroah-Hartman
2024-06-13 11:33 ` [PATCH 4.19 191/213] netfilter: nf_tables: validate NFPROTO_* family Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 4.19 192/213] netfilter: nft_set_rbtree: skip end interval element from gc Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 4.19 193/213] netfilter: nf_tables: set dormant flag on hook register failure Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 4.19 194/213] netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 4.19 195/213] netfilter: nf_tables: do not compare internal table flags on updates Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 4.19 196/213] netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 4.19 197/213] netfilter: nf_tables: reject new basechain after table flag update Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 4.19 198/213] netfilter: nf_tables: discard table flag update with pending basechain deletion Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240613113234.694621487@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).