Patch "netfilter: nf_tables: do not remove elements if set backend implements .abort" has been added to the 6.11-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: do not remove elements if set backend implements .abort

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-do-not-remove-elements-if-set-ba.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f3a9e949d2a1927ad6008a1273418f01f431b73a
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Mon Jul 15 13:32:31 2024 +0200

    netfilter: nf_tables: do not remove elements if set backend implements .abort
    
    [ Upstream commit c9526aeb4998393171d85225ff540e28c7d4ab86 ]
    
    pipapo set backend maintains two copies of the data structure, removing
    the elements from the copy that is going to be discarded slows down
    the abort path significantly, from several minutes to a few seconds after
    this patch.
    
    This patch was previously reverted by
    
      f86fb94011ae ("netfilter: nf_tables: revert do not remove elements if set backend implements .abort")
    
    but it is now possible since recent work by Florian Westphal to perform
    on-demand clone from insert/remove path:
    
      532aec7e878b ("netfilter: nft_set_pipapo: remove dirty flag")
      3f1d886cc7c3 ("netfilter: nft_set_pipapo: move cloning of match info to insert/removal path")
      a238106703ab ("netfilter: nft_set_pipapo: prepare pipapo_get helper for on-demand clone")
      c5444786d0ea ("netfilter: nft_set_pipapo: merge deactivate helper into caller")
      6c108d9bee44 ("netfilter: nft_set_pipapo: prepare walk function for on-demand clone")
      8b8a2417558c ("netfilter: nft_set_pipapo: prepare destroy function for on-demand clone")
      80efd2997fb9 ("netfilter: nft_set_pipapo: make pipapo_clone helper return NULL")
      a590f4760922 ("netfilter: nft_set_pipapo: move prove_locking helper around")
    
    after this series, the clone is fully released once aborted, no need to
    take it back to previous state. Thus, no stale reference to elements can
    occur.
    
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 472f211472db4..e792f153f9587 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10795,7 +10795,10 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
 				break;
 			}
 			te = nft_trans_container_elem(trans);
-			nft_setelem_remove(net, te->set, te->elem_priv);
+			if (!te->set->ops->abort ||
+			    nft_setelem_is_catchall(te->set, te->elem_priv))
+				nft_setelem_remove(net, te->set, te->elem_priv);
+
 			if (!nft_setelem_is_catchall(te->set, te->elem_priv))
 				atomic_dec(&te->set->nelems);
 
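Review bot: the added guard `if (!te->set->ops->abort || nft_setelem_is_catchall(te->set, te->elem_priv))` now skips nft_setelem_remove() for every backend that defines .abort, and the commit message makes that safe only on top of the eight on-demand clone commits it lists (532aec7e878b through a590f4760922), so the 6.11-stable queue should be confirmed to carry all of them before this is applied; the message itself notes the change was reverted once (f86fb94011ae) and that the "no stale reference to elements" guarantee comes from that series. The condition is also undocumented: a short comment above the `if` saying why catchall elements are still removed explicitly while other elements are left to the backend's .abort would help the next reader, since the commit message only explains the pipapo case. Minor style point: nft_setelem_is_catchall() is evaluated twice in a row with the same arguments here and in the following `if (!nft_setelem_is_catchall(...))`, so a local bool would make the two branches easier to read together.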