OrgACRN
/
acrn-kernel
mirror of https://github.com/projectacrn/acrn-kernel.git
1
0
Fork 0
Code Issues Releases Wiki Activity
acrn-kernel/net/netfilter
History
Jozsef Kadlecsik 8964cc36ba netfilter: ipset: Rework long task execution when adding/deleting entries 
[ Upstream commit 5e29dc36bd ]

When adding/deleting large number of elements in one step in ipset, it can
take a reasonable amount of time and can result in soft lockup errors. The
patch 5f7b51bf09 ("netfilter: ipset: Limit the maximal range of
consecutive elements to add/delete") tried to fix it by limiting the max
elements to process at all. However it was not enough, it is still possible
that we get hung tasks. Lowering the limit is not reasonable, so the
approach in this patch is as follows: rely on the method used at resizing
sets and save the state when we reach a smaller internal batch limit,
unlock/lock and proceed from the saved state. Thus we can avoid long
continuous tasks and at the same time removed the limit to add/delete large
number of elements in one step.

The nfnl mutex is held during the whole operation which prevents one to
issue other ipset commands in parallel.

Fixes: 5f7b51bf09 ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete")
Reported-by: syzbot+9204e7399656300bf271@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2023-01-12 12:02:26 +01:00
..
ipset netfilter: ipset: Rework long task execution when adding/deleting entries 2023-01-12 12:02:26 +01:00
ipvs ipvs: use u64_stats_t for the per-cpu counters 2022-12-31 13:32:26 +01:00
Kconfig netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y 2022-08-17 08:46:30 +02:00
Makefile net: netfilter: move bpf_ct_set_nat_info kfunc in nf_nat_bpf.c 2022-10-03 09:17:32 -07:00
core.c Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
nf_conncount.c
nf_conntrack_acct.c
nf_conntrack_amanda.c
nf_conntrack_bpf.c net: netfilter: move bpf_ct_set_nat_info kfunc in nf_nat_bpf.c 2022-10-03 09:17:32 -07:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: conntrack: fix using __this_cpu_add in preemptible 2022-11-30 13:08:49 +01:00
nf_conntrack_ecache.c
nf_conntrack_expect.c
nf_conntrack_extend.c
nf_conntrack_ftp.c netfilter: nf_ct_ftp: fix deadlock when nat rewrite is needed 2022-09-20 23:50:03 +02:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: nf_ct_h323: cap packet size at 64k 2022-08-11 16:50:49 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: remove nf_conntrack_helper sysctl and modparam toggles 2022-08-31 12:12:32 +02:00
nf_conntrack_irc.c netfilter: nf_conntrack_irc: Tighten matching on DCC message 2022-09-07 15:55:23 +02:00
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: ctnetlink: fix compilation warning after data race fixes in ct mark 2022-11-30 13:08:49 +01:00
nf_conntrack_pptp.c
nf_conntrack_proto.c
nf_conntrack_proto_dccp.c
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c
nf_conntrack_proto_icmp.c
nf_conntrack_proto_icmpv6.c netfilter: conntrack: set icmpv6 redirects as RELATED 2022-12-31 13:32:19 +01:00
nf_conntrack_proto_sctp.c
nf_conntrack_proto_tcp.c netfilter: conntrack: reduce timeout when receiving out-of-window fin or rst 2022-09-07 16:46:03 +02:00
nf_conntrack_proto_udp.c
nf_conntrack_sane.c netfilter: nf_ct_sane: remove pseudo skb linearization 2022-08-11 16:50:25 +02:00
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix ct_sip_walk_headers 2022-09-07 15:06:26 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: conntrack: Fix data-races around ct mark 2022-11-18 15:21:00 +01:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c
nf_flow_table_core.c netfilter: flowtable: fix stuck flows on cleanup due to pending work 2022-08-24 07:43:21 +02:00
nf_flow_table_inet.c
nf_flow_table_ip.c
nf_flow_table_offload.c netfilter: flowtable: really fix NAT IPv6 offload 2022-12-31 13:32:52 +01:00
nf_flow_table_procfs.c
nf_hooks_lwtunnel.c
nf_internals.h
nf_log.c netfilter: move from strlcpy with unused retval to strscpy 2022-09-07 16:46:03 +02:00
nf_log_syslog.c
nf_nat_amanda.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_bpf.c net: netfilter: move bpf_ct_set_nat_info kfunc in nf_nat_bpf.c 2022-10-03 09:17:32 -07:00
nf_nat_core.c netfilter: nf_nat: Fix possible memory leak in nf_nat_init() 2022-11-02 10:47:22 +01:00
nf_nat_ftp.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_helper.c netfilter: nat: avoid long-running port range loop 2022-09-07 16:46:04 +02:00
nf_nat_irc.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_masquerade.c
nf_nat_proto.c
nf_nat_redirect.c
nf_nat_sip.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_tftp.c
nf_queue.c
nf_sockopt.c
nf_synproxy_core.c
nf_tables_api.c netfilter: nf_tables: honor set timeout and garbage collection updates 2023-01-12 12:01:58 +01:00
nf_tables_core.c netfilter: nf_tables: fix crash when nf_trace is enabled 2022-08-05 18:50:14 -07:00
nf_tables_offload.c
nf_tables_trace.c
nfnetlink.c netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() 2022-11-08 23:16:13 +01:00
nfnetlink_acct.c
nfnetlink_cthelper.c
nfnetlink_cttimeout.c
nfnetlink_hook.c Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
nfnetlink_log.c
nfnetlink_osf.c netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find() 2022-09-07 15:55:28 +02:00
nfnetlink_queue.c netfilter: nf_queue: do not allow packet truncation below transport header offset 2022-07-26 21:12:42 +02:00
nft_bitwise.c netfilter: nf_tables: upfront validation of data via nft_data_init() 2022-08-09 20:13:29 +02:00
nft_byteorder.c
nft_chain_filter.c
nft_chain_nat.c
nft_chain_route.c
nft_cmp.c netfilter: nf_tables: upfront validation of data via nft_data_init() 2022-08-09 20:13:29 +02:00
nft_compat.c
nft_connlimit.c
nft_counter.c
nft_ct.c netfilter: conntrack: Fix data-races around ct mark 2022-11-18 15:21:00 +01:00
nft_dup_netdev.c
nft_dynset.c netfilter: nf_tables: validate variable length element extension 2022-08-09 19:38:16 +02:00
nft_exthdr.c
nft_fib.c
nft_fib_inet.c
nft_fib_netdev.c
nft_flow_offload.c
nft_fwd_netdev.c
nft_hash.c
nft_immediate.c netfilter: nf_tables: upfront validation of data via nft_data_init() 2022-08-09 20:13:29 +02:00
nft_last.c
nft_limit.c
nft_log.c
nft_lookup.c
nft_masq.c
nft_meta.c
nft_nat.c
nft_numgen.c
nft_objref.c
nft_osf.c netfilter: move from strlcpy with unused retval to strscpy 2022-09-07 16:46:03 +02:00
nft_payload.c netlink: introduce bigendian integer types 2022-11-01 21:29:06 -07:00
nft_queue.c netfilter: nft_queue: only allow supported familes and hooks 2022-07-26 21:12:42 +02:00
nft_quota.c
nft_range.c netfilter: nf_tables: upfront validation of data via nft_data_init() 2022-08-09 20:13:29 +02:00
nft_redir.c
nft_reject.c
nft_reject_inet.c
nft_reject_netdev.c
nft_rt.c
nft_set_bitmap.c
nft_set_hash.c
nft_set_pipapo.c netfilter: nft_set_pipapo: Actually validate intervals in fields after the first one 2022-11-28 13:17:11 +01:00
nft_set_pipapo.h
nft_set_pipapo_avx2.c
nft_set_pipapo_avx2.h
nft_set_rbtree.c
nft_socket.c cgroup: Replace cgroup->ancestor_ids[] with ->ancestors[] 2022-08-15 11:16:47 -10:00
nft_synproxy.c
nft_tproxy.c netfilter: nft_tproxy: restrict to prerouting hook 2022-08-23 21:24:34 +02:00
nft_tunnel.c netfilter: nft_tunnel: restrict it to netdev family 2022-08-24 07:43:21 +02:00
nft_xfrm.c
utils.c
x_tables.c netfilter: move from strlcpy with unused retval to strscpy 2022-09-07 16:46:03 +02:00
xt_AUDIT.c
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_CONNSECMARK.c
xt_CT.c
xt_DSCP.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c
xt_LED.c
xt_LOG.c
xt_MASQUERADE.c
xt_NETMAP.c
xt_NFLOG.c
xt_NFQUEUE.c
xt_RATEEST.c netfilter: move from strlcpy with unused retval to strscpy 2022-09-07 16:46:03 +02:00
xt_REDIRECT.c
xt_SECMARK.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c
xt_TEE.c
xt_TPROXY.c
xt_TRACE.c
xt_addrtype.c
xt_bpf.c
xt_cgroup.c
xt_cluster.c
xt_comment.c
xt_connbytes.c
xt_connlabel.c
xt_connlimit.c
xt_connmark.c netfilter: conntrack: Fix data-races around ct mark 2022-11-18 15:21:00 +01:00
xt_conntrack.c
xt_cpu.c
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c
xt_helper.c
xt_hl.c
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_length.c
xt_limit.c
xt_mac.c
xt_mark.c
xt_multiport.c
xt_nat.c
xt_nfacct.c
xt_osf.c
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_realm.c
xt_recent.c
xt_repldata.h
xt_sctp.c
xt_set.c
xt_socket.c
xt_state.c
xt_statistic.c treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
xt_string.c
xt_tcpmss.c
xt_tcpudp.c
xt_time.c
xt_u32.c