From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v3 09/16] netfilter: nfnetlink_cttimeout: use rcu protection in cttimeout_get_timeout
Date: Fri, 8 Apr 2022 11:53:10 +0200
Message-ID: <YlAF/ZdhRsVWCWpg@salvia>
In-Reply-To: <20220323132214.6700-10-fw@strlen.de>
On Wed, Mar 23, 2022 at 02:22:07PM +0100, Florian Westphal wrote:
> I'd like to be able to switch lifetime management of ctnl_timeout
> to free-on-zero-refcount.
>
> This isn't possible at the moment because removal of the structures
> from the pernet list requires the nfnl mutex and release may happen from
> softirq.
>
> Current solution is to prevent this by disallowing policy object removal
> if the refcount is > 1 (i.e., policy is still referenced from the ruleset).
>
> Switch traversal to rcu-read-lock as a first step to reduce reliance on
> nfnl mutex protection: removal from softirq would require an extra list
> spinlock.
Needs .type = NFNL_CB_RCU?
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> net/netfilter/nfnetlink_cttimeout.c | 27 ++++++++++++++-------------
> 1 file changed, 14 insertions(+), 13 deletions(-)
>
> diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
> index eea486f32971..aef2547bb579 100644
> --- a/net/netfilter/nfnetlink_cttimeout.c
> +++ b/net/netfilter/nfnetlink_cttimeout.c
> @@ -253,6 +253,7 @@ static int cttimeout_get_timeout(struct sk_buff *skb,
> const struct nlattr * const cda[])
> {
> struct nfct_timeout_pernet *pernet = nfct_timeout_pernet(info->net);
> + struct sk_buff *skb2;
> int ret = -ENOENT;
> char *name;
> struct ctnl_timeout *cur;
> @@ -268,31 +269,31 @@ static int cttimeout_get_timeout(struct sk_buff *skb,
> return -EINVAL;
> name = nla_data(cda[CTA_TIMEOUT_NAME]);
>
> - list_for_each_entry(cur, &pernet->nfct_timeout_list, head) {
> - struct sk_buff *skb2;
> + skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
> + if (!skb2)
> + return -ENOMEM;
> +
> + rcu_read_lock();
>
> + list_for_each_entry_rcu(cur, &pernet->nfct_timeout_list, head) {
> if (strncmp(cur->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
> continue;
>
> - skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
> - if (skb2 == NULL) {
> - ret = -ENOMEM;
> - break;
> - }
> -
> ret = ctnl_timeout_fill_info(skb2, NETLINK_CB(skb).portid,
> info->nlh->nlmsg_seq,
> NFNL_MSG_TYPE(info->nlh->nlmsg_type),
> IPCTNL_MSG_TIMEOUT_NEW, cur);
> - if (ret <= 0) {
> - kfree_skb(skb2);
> + if (ret <= 0)
> break;
> - }
>
> - ret = nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
> - break;
> + rcu_read_unlock();
> +
> + return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
> }
>
> + rcu_read_unlock();
> + kfree_skb(skb2);
> +
> return ret;
> }
>
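Review bot: the success path now calls rcu_read_unlock() and then `return nfnetlink_unicast(...)` from inside the list_for_each_entry_rcu() body, so the function has two unlock sites and an early return in the middle of the read-side section. Breaking out of the loop with ret > 0, unlocking once after it, and then either sending skb2 or calling kfree_skb(skb2) would keep lock and unlock visibly paired and make skb2 ownership easier to audit. Two further points deserve a line in the changelog or a code comment. First, skb2 is now allocated with GFP_KERNEL before the lookup, so a request for an unknown name pays for an allocation and a free just to return -ENOENT (presumably to keep the sleeping allocation out of the read-side section). Second, this diff converts only the reader, so its safety depends on the code that adds and removes entries on nfct_timeout_list using the _rcu list helpers and deferring the free past a grace period, none of which is visible here.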
> --
> 2.34.1
>