netfilter: nf_tables: defer gc run if previous batch is still pending

gvrose8192 · gvrose8192 · commit 007aea776189 · 2024-10-23T16:59:06.000-07:00
jira VUlN-597 subsystem-sync netfilter:nf_tables 4.18.0-511 commit-author Florian Westphal <fw@strlen.de> commit 8e51830 Don't queue more gc work, else we may queue the same elements multiple times. If an element is flagged as dead, this can mean that either the previous gc request was invalidated/discarded by a transaction or that the previous request is still pending in the system work queue. The latter will happen if the gc interval is set to a very low value, e.g. 1ms, and system work queue is backlogged. The sets refcount is 1 if no previous gc requeusts are queued, so add a helper for this and skip gc run if old requests are pending. Add a helper for this and skip the gc run in this case. Fixes: f6c383b ("netfilter: nf_tables: adapt set backend to use GC transaction API") Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 8e51830) Signed-off-by: Greg Rose <g.v.rose@ciq.com>
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
@@ -519,6 +519,11 @@ static inline void *nft_set_priv(const struct nft_set *set)
 	return (void *)set->data;
 }
 
+static inline bool nft_set_gc_is_pending(const struct nft_set *s)
+{
+	return refcount_read(&s->refs) != 1;
+}
+
 static inline struct nft_set *nft_set_container_of(const void *priv)
 {
 	return (void *)priv - offsetof(struct nft_set, data);
diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
@@ -308,6 +308,9 @@ static void nft_rhash_gc(struct work_struct *work)
 	nft_net = nft_pernet(net);
 	gc_seq = READ_ONCE(nft_net->gc_seq);
 
+	if (nft_set_gc_is_pending(set))
+		goto done;
+
 	gc = nft_trans_gc_alloc(set, gc_seq, GFP_KERNEL);
 	if (!gc)
 		goto done;
diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
@@ -481,6 +481,9 @@ static void nft_rbtree_gc(struct work_struct *work)
 	nft_net = nft_pernet(net);
 	gc_seq  = READ_ONCE(nft_net->gc_seq);
 
+	if (nft_set_gc_is_pending(set))
+		goto done;
+
 	gc = nft_trans_gc_alloc(set, gc_seq, GFP_KERNEL);
 	if (!gc)
 		goto done;

Original file line number	Diff line number	Diff line change
`@@ -519,6 +519,11 @@ static inline void nft_set_priv(const struct nft_set set)`
`519`	`519`	`return (void *)set->data;`
`520`	`520`	`}`
`521`	`521`
	`522`	`+static inline bool nft_set_gc_is_pending(const struct nft_set *s)`
	`523`	`+{`
	`524`	`+ return refcount_read(&s->refs) != 1;`
	`525`	`+}`
	`526`	`+`
`522`	`527`	`static inline struct nft_set nft_set_container_of(const void priv)`
`523`	`528`	`{`
`524`	`529`	`return (void *)priv - offsetof(struct nft_set, data);`