Hi,
On Wed, 17 Jan 2024, Eric Dumazet wrote:
> On Wed, Jan 17, 2024 at 5:00 PM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> >
> > From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>
> >
> > The patch "netfilter: ipset: fix race condition between swap/destroy
> > and kernel side add/del/test", commit 28628fa9 fixes a race condition.
> > But the synchronize_rcu() added to the swap function unnecessarily slows
> > it down: it can safely be moved to destroy and use call_rcu() instead.
> > Thus we can get back the same performance and preventing the race condition
> > at the same time.
>
> ...
>
> >
> > @@ -2357,6 +2369,9 @@ ip_set_net_exit(struct net *net)
> >
> > inst->is_deleted = true; /* flag for ip_set_nfnl_put */
> >
> > + /* Wait for call_rcu() in destroy */
> > + rcu_barrier();
> > +
> > nfnl_lock(NFNL_SUBSYS_IPSET);
> > for (i = 0; i < inst->ip_set_max; i++) {
> > set = ip_set(inst, i);
> > --
> > 2.30.2
> >
>
> If I am reading this right, time for netns dismantles will increase,
> even for netns not using ipset
>
> If there is no other option, please convert "struct pernet_operations
> ip_set_net_ops".exit to an exit_batch() handler,
> to at least have a factorized rcu_barrier();
You are right, the call to rcu_barrier() can safely be moved to
ip_set_fini(). I'm going to prepare a new version of the patch.
Thanks for catching it.
Best regards,
Jozsef
--
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
