lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <afb39fa8-3b28-27eb-c8ac-22691a064495@netfilter.org>
Date: Thu, 18 Jan 2024 15:24:41 +0100 (CET)
From: Jozsef Kadlecsik <kadlec@...filter.org>
To: Eric Dumazet <edumazet@...gle.com>
cc: Pablo Neira Ayuso <pablo@...filter.org>, netfilter-devel@...r.kernel.org, 
    David Miller <davem@...emloft.net>, netdev@...r.kernel.org, 
    kuba@...nel.org, pabeni@...hat.com, Florian Westphal <fw@...len.de>
Subject: Re: [PATCH net 14/14] netfilter: ipset: fix performance regression
 in swap operation

Hi,

Please drop the patch from the batch, it needs more work (see below).

On Thu, 18 Jan 2024, Eric Dumazet wrote:

> On Wed, Jan 17, 2024 at 5:00 PM Pablo Neira Ayuso <pablo@...filter.org> wrote:
> >
> > The patch "netfilter: ipset: fix race condition between swap/destroy
> > and kernel side add/del/test", commit 28628fa9 fixes a race condition.
> > But the synchronize_rcu() added to the swap function unnecessarily slows
> > it down: it can safely be moved to destroy and use call_rcu() instead.
> > Thus we can get back the same performance and preventing the race condition
> > at the same time.
> >
> > Fixes: 28628fa952fe ("netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test")
> > Link: https://lore.kernel.org/lkml/C0829B10-EAA6-4809-874E-E1E9C05A8D84@automattic.com/
> > Reported-by: Ale Crismani <ale.crismani@...omattic.com>
> > Reported-by: David Wang <00107082@....com
> > Tested-by: Ale Crismani <ale.crismani@...omattic.com>
> > Tested-by: David Wang <00107082@....com
> > Signed-off-by: Jozsef Kadlecsik <kadlec@...filter.org>
> > Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> > ---
> >  include/linux/netfilter/ipset/ip_set.h |  2 ++
> >  net/netfilter/ipset/ip_set_core.c      | 31 +++++++++++++++++++-------
> >  2 files changed, 25 insertions(+), 8 deletions(-)
> >
> > diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
> > index e8c350a3ade1..912f750d0bea 100644
> > --- a/include/linux/netfilter/ipset/ip_set.h
> > +++ b/include/linux/netfilter/ipset/ip_set.h
> > @@ -242,6 +242,8 @@ extern void ip_set_type_unregister(struct ip_set_type *set_type);
> >
> >  /* A generic IP set */
> >  struct ip_set {
> > +       /* For call_cru in destroy */
> > +       struct rcu_head rcu;
> >         /* The name of the set */
> >         char name[IPSET_MAXNAMELEN];
> >         /* Lock protecting the set data */
> > diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
> > index 4c133e06be1d..3bf9bb345809 100644
> > --- a/net/netfilter/ipset/ip_set_core.c
> > +++ b/net/netfilter/ipset/ip_set_core.c
> > @@ -1182,6 +1182,14 @@ ip_set_destroy_set(struct ip_set *set)
> >         kfree(set);
> >  }
> >
> > +static void
> > +ip_set_destroy_set_rcu(struct rcu_head *head)
> > +{
> > +       struct ip_set *set = container_of(head, struct ip_set, rcu);
> > +
> > +       ip_set_destroy_set(set);
> 
> Calling ip_set_destroy_set() from BH (rcu callbacks) is not working.

Yeah, it calls cancel_delayed_work_sync() to handle the garbage collector 
and that can wait. The call can be moved into the main destroy function 
and let the rcu callback do just the minimal job, however it needs a 
restructuring. So please skip this patch now.

Best regards,
Jozsef
-- 
E-mail  : kadlec@...ckhole.kfki.hu, kadlecsik.jozsef@...ner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ