From: Phil Sutter <phil@nwl.cc>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>, netfilter-devel@vger.kernel.org
Subject: Re: [nf PATCH v2 8/8] netfilter: nf_tables: Add locking for NFT_MSG_GETSETELEM_RESET requests
Date: Fri, 29 Sep 2023 13:03:45 +0200 [thread overview]
Message-ID: <ZRavEQkFrQ0u2P+C@orbyte.nwl.cc> (raw)
In-Reply-To: <20230928174630.GD19098@breakpoint.cc>
On Thu, Sep 28, 2023 at 07:46:30PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > +static int nf_tables_dumpreset_set(struct sk_buff *skb,
> > + struct netlink_callback *cb)
> > +{
> > + struct nftables_pernet *nft_net = nft_pernet(sock_net(skb->sk));
> > + struct nft_set_dump_ctx *dump_ctx = cb->data;
> > + int ret, skip = cb->args[0];
> > +
> > + mutex_lock(&nft_net->commit_mutex);
> > + ret = nf_tables_dump_set(skb, cb);
> > + mutex_unlock(&nft_net->commit_mutex);
> > +
> > + if (cb->args[0] > skip)
> > + audit_log_nft_set_reset(dump_ctx->ctx.table, cb->seq,
> > + cb->args[0] - skip);
> > +
>
> Once commit_mutex is dropped, parallel user can
> delete table, and ctx.table references garbage.
>
> So I think this needs to be done under mutex.
OK, will do.
> > c.data = &dump_ctx;
> > @@ -6108,18 +6178,25 @@ static int nf_tables_getsetelem(struct sk_buff *skb,
> > if (!nla[NFTA_SET_ELEM_LIST_ELEMENTS])
> > return -EINVAL;
> >
> > + if (!try_module_get(THIS_MODULE))
> > + return -EINVAL;
> > + rcu_read_unlock();
> > + mutex_lock(&nft_net->commit_mutex);
> > + rcu_read_lock();
>
> Why do we need to regain the rcu read lock here?
> Are we tripping over a now bogus rcu_derefence check or is there
> another reason?
Yes, I got a lockdep warning because rhashtable_lookup() called from
nft_rhash_get() calls rht_dereference_rcu() which wants either ht->mutex
or RCU read lock held.
Cheers, Phil
next prev parent reply other threads:[~2023-09-29 11:03 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-28 16:52 [nf PATCH v2 0/8] Introduce locking for reset requests Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 1/8] netfilter: nf_tables: Don't allocate nft_rule_dump_ctx Phil Sutter
2023-09-28 18:49 ` Pablo Neira Ayuso
2023-09-29 10:15 ` Phil Sutter
2023-09-28 19:00 ` Florian Westphal
2023-09-29 10:13 ` Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 2/8] netfilter: nf_tables: Introduce nf_tables_getrule_single() Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 3/8] netfilter: nf_tables: Add locking for NFT_MSG_GETRULE_RESET requests Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 4/8] netfilter: nf_tables: Introduce struct nft_obj_dump_ctx Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 5/8] netfilter: nf_tables: Introduce nf_tables_getobj_single Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 6/8] netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 7/8] netfilter: nf_tables: Pass reset bit in nft_set_dump_ctx Phil Sutter
2023-09-28 18:53 ` Pablo Neira Ayuso
2023-09-29 10:08 ` Phil Sutter
2023-09-29 10:15 ` Pablo Neira Ayuso
2023-09-29 10:18 ` Phil Sutter
2023-09-29 10:56 ` Pablo Neira Ayuso
2023-09-29 11:12 ` Phil Sutter
2023-09-28 16:52 ` [nf PATCH v2 8/8] netfilter: nf_tables: Add locking for NFT_MSG_GETSETELEM_RESET requests Phil Sutter
2023-09-28 17:46 ` Florian Westphal
2023-09-28 18:47 ` Pablo Neira Ayuso
2023-09-28 18:57 ` Florian Westphal
2023-09-28 19:04 ` Pablo Neira Ayuso
2023-09-28 19:21 ` Florian Westphal
2023-09-28 20:07 ` Florian Westphal
2023-09-29 11:25 ` Phil Sutter
2023-09-29 11:30 ` Florian Westphal
2023-09-29 11:45 ` Phil Sutter
2023-09-28 19:39 ` Jozsef Kadlecsik
2023-09-28 20:09 ` Florian Westphal
2023-09-28 20:25 ` Jozsef Kadlecsik
2023-09-29 11:03 ` Phil Sutter [this message]
2023-09-28 18:51 ` Pablo Neira Ayuso
2023-09-29 10:28 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZRavEQkFrQ0u2P+C@orbyte.nwl.cc \
--to=phil@nwl.cc \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).