lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7bfa2e2e-b22d-7561-661b-41ef7714caf5@linux.dev>
Date:   Fri, 1 Apr 2022 21:56:26 +0300
From:   Vasily Averin <vasily.averin@...ux.dev>
To:     Florian Westphal <fw@...len.de>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>, kernel@...nvz.org,
        Jozsef Kadlecsik <kadlec@...filter.org>,
        netfilter-devel@...r.kernel.org, linux-kernel@...r.kernel.org,
        Roman Gushchin <roman.gushchin@...ux.dev>
Subject: Re: [PATCH nft] nft: memcg accounting for dynamically allocated
 objects

On 4/1/22 15:03, Florian Westphal wrote:
> Vasily Averin <vasily.averin@...ux.dev> wrote:
>> nft_*.c files whose NFT_EXPR_STATEFUL flag is set on need to
>> use __GFP_ACCOUNT flag for objects that are dynamically
>> allocated from the packet path.
>>
>> Such objects are allocated inside .init() or .clone() callbacks
>> of struct nft_expr_ops executed in task context while processing
>> netlink messages.
> 
> They can also be called from packet path.

>> @@ -214,7 +214,7 @@ static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src)
>>  	struct nft_connlimit *priv_dst = nft_expr_priv(dst);
>>  	struct nft_connlimit *priv_src = nft_expr_priv(src);
>>  
>> -	priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC);
>> +	priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC | __GFP_ACCOUNT);
> 
> This can be called from packet path, via nft_dynset.c.
> 
> nft_do_chain -> nft_dynset_eval -> nft_dynset_new ->
> nft_dynset_expr_setup -> nft_expr_clone -> src->ops->clone()
> 

Thank you, I noticed this case but did not understand that it is related to packet path.

>> @@ -235,7 +235,7 @@ static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src)
>>  
>>  	nft_counter_fetch(priv, &total);
>>  
>> -	cpu_stats = alloc_percpu_gfp(struct nft_counter, GFP_ATOMIC);
>> +	cpu_stats = alloc_percpu_gfp(struct nft_counter, GFP_ATOMIC | __GFP_ACCOUNT);
>>  	if (cpu_stats == NULL)
>>  		return -ENOMEM;
> 
> Same problem as connlimit, can be called from packet path.
> Basically all GFP_ATOMIC are suspicious.
> 
> Not sure how to resolve this, similar mechanics in iptables world (e.g.
> connlimit or SET target) don't use memcg accounting.
> 
> Perhaps for now resend with only the GFP_KERNEL parts converted?
> Those are safe.

It is safe for packet path too, _ACCOUNT allocation will not be able to find memcg
in case of "!in_task()" context.
On the other hand any additional checks on such path will affect performance.

Could you please estimate how often is this code used in the case of nft vs packet path?

If packet path is rare case I think we can keep current code as is.
If the opposite is the case, then I can add __GFP_ACCOUNT flag depending on in_task() check. 

Thank you,
	Vasily Averin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ