This patch fixes the following splat.
[118709.054937] BUG: using smp_processor_id() in preemptible [] code:
test/1571
[118709.054970] caller is nft_update_chain_stats.isra.4+0x53/0x97 [nf_tables]
[118709.054980] CPU: 2 PID: 1571 Comm: test Not tainted 4.17.0-rc6+ #335
[...]
There is a difference between error messages in iptables and
iptables-compat:
#sudo iptables-compat -D INPUT 4
iptables: No chain/target/match by that name.
#sudo iptables -D INPUT 4
iptables: Index of deletion too big.
Now, will show same error message.
Signed-off-by: Arushi Singhal
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 528766cfd0a0..ab306e169d36 100644
---
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 9454c7fc1978..528766cfd0a0 100644
---
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 879807f6015b..d0cfce2fb72b 100644
---
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 16 +---
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d0cfce2fb72b..9454c7fc1978 100644
---
We can make all dumps and lookups lockless.
Dumps currently only hold the nfnl mutex on the dump request itself.
Dumps can span multiple syscalls, dump continuation doesn't acquire the
nfnl mutex anywhere, i.e. the dump callbacks in nf_tables already use
rcu and never rely on nfnl mutex being
This callback just fetches the current base sequence,
there is no need to serialize this with nfnl nft mutex.
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c
This series converts all get/dump requests to .call_rcu.
This allows listing rulesets, sets, etc. even if another entity is
performing an update.
In the dump case, only the dump request was locked via nfnl mutex,
i.e. the dump callbacks in nf_tables already use rcu read locks
everywhere.
So
Signed-off-by: Florian Westphal
---
net/netfilter/nf_tables_api.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e87faf5ea10c..879807f6015b 100644
---
Same rationale as preceding commit.
This and all other remaining patches in the series apply
the same scheme to all dump requests:
- use the nft_netlink_dump_start_rcu helper added in first patch
- use GFP_ATOMIC and rcu list iteration
- switch to .call_rcu
... thus making all dumps in
abort batch processing and return so task can exit faster.
Otherwise even SIGKILL has no immediate effect.
Signed-off-by: Florian Westphal
---
net/netfilter/nfnetlink.c | 8
1 file changed, 8 insertions(+)
diff --git a/net/netfilter/nfnetlink.c
harmless, but it avoids sparse warnings:
nf_tables_api.c:2813:16: warning: incorrect type in return expression
(different base types)
nf_tables_api.c:2863:47: warning: incorrect type in argument 3 (different base
types)
nf_tables_api.c:3524:47: warning: incorrect type in argument 3 (different
Just use .call_rcu instead. We can drop the rcu read lock
after obtaining a reference and re-acquire on return.
Signed-off-by: Florian Westphal
---
net/netfilter/nft_compat.c | 29 ++---
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git