Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Sat, Sep 23, 2023 at 06:18:13PM +0200, Florian Westphal wrote:
> > callback_that_might_reset()
> > {
> >     try_module_get ...
> >     rcu_read_unlock()
> >     mutex_lock(net->commit_mutex)
> >     dumper();
> >     mutex_unlock(net->commit_mutex)
> >     rcu_read_lock();
> >     module_put()
> > }
> >
> > should do the trick.
>
> Idiom above LGTM, *except for net->commit_mutex*. Please do not use
> ->commit_mutex: This will stall ruleset updates for no reason, netlink
> dump would grab and release such mutex for each netlink_recvmsg() call
> and netlink dump side will always retry because of NLM_F_EINTR.

It will stall updates, but for good reason: we are making changes to the
expressions state. We even emit AUDIT messages about this.

So, I think the commit mutex is appropriate here.

That said, if you totally disagree, then I suppose a new "reset" mutex
could be used instead.