lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 10 Aug 2020 13:03:51 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Florian Westphal <fw@...len.de>
Cc:     netfilter-devel@...r.kernel.org, lkp@...ts.01.org,
        linux-kernel@...r.kernel.org,
        kernel test robot <rong.a.chen@...el.com>
Subject: Re: [PATCH nf] netfilter: nft_compat: remove flush counter
 optimization

On Sun, Aug 09, 2020 at 08:28:01PM +0200, Florian Westphal wrote:
> WARNING: CPU: 1 PID: 16059 at lib/refcount.c:31 refcount_warn_saturate+0xdf/0xf
> [..]
>  __nft_mt_tg_destroy+0x42/0x50 [nft_compat]
>  nft_target_destroy+0x63/0x80 [nft_compat]
>  nf_tables_expr_destroy+0x1b/0x30 [nf_tables]
>  nf_tables_rule_destroy+0x3a/0x70 [nf_tables]
>  nf_tables_exit_net+0x186/0x3d0 [nf_tables]
> 
> Happens when a compat expr is destoyed from abort path.
> There is no functional impact; after this work queue is flushed
> unconditionally if its pending.
> 
> This removes the waitcount optimization.  Test of repeated
> iptables-restore of a ~60k kubernetes ruleset doesn't indicate
> a slowdown.  In case the counter is needed after all for some workloads
> we can revert this and increment the refcount for the
> != NFT_PREPARE_TRANS case to avoid the increment/decrement imbalance.
> 
> While at it, also flush for match case, this was an oversight
> in the original patch.

Applied, thanks.

Powered by blists - more mailing lists