git/linux-cryptodev-2.6
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git synced 2026-04-18 03:23:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

netfilter: nft_counter: serialize reset with spinlock

Browse Source 
Add a global static spinlock to serialize counter fetch+reset
operations, preventing concurrent dump-and-reset from underrunning
values.

The lock is taken before fetching the total so that two parallel
resets cannot both read the same counter values and then both
subtract them.

A global lock is used for simplicity since resets are infrequent.
If this becomes a bottleneck, it can be replaced with a per-net
lock later.

Fixes: bd662c4218 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Fixes: 3d483faa66 ("netfilter: nf_tables: Add locking for NFT_MSG_GETSETELEM_RESET requests")
Fixes: 3cb03edb4d ("netfilter: nf_tables: Add locking for NFT_MSG_GETRULE_RESET requests")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Brian Witte <brianwitte@mailfence.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This commit is contained in:
Brian Witte
2026-02-04 14:26:37 -06:00
committed by Florian Westphal
parent 07919126ec
commit 779c60a519
1 changed files with 16 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
net/netfilter/nft_counter.c
View File

@@ -32,6 +32,9 @@ struct nft_counter_percpu_priv {
static DEFINE_PER_CPU(struct u64_stats_sync, nft_counter_sync); static DEFINE_PER_CPU(struct u64_stats_sync, nft_counter_sync);
/* control plane only: sync fetch+reset */
static DEFINE_SPINLOCK(nft_counter_lock);
static inline void nft_counter_do_eval(struct nft_counter_percpu_priv *priv, static inline void nft_counter_do_eval(struct nft_counter_percpu_priv *priv,
struct nft_regs *regs, struct nft_regs *regs,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
@@ -148,13 +151,25 @@ static void nft_counter_fetch(struct nft_counter_percpu_priv *priv,
} }
} }
static void nft_counter_fetch_and_reset(struct nft_counter_percpu_priv *priv,
struct nft_counter_tot *total)
{
spin_lock(&nft_counter_lock);
nft_counter_fetch(priv, total);
nft_counter_reset(priv, total);
spin_unlock(&nft_counter_lock);
}
static int nft_counter_do_dump(struct sk_buff *skb, static int nft_counter_do_dump(struct sk_buff *skb,
struct nft_counter_percpu_priv *priv, struct nft_counter_percpu_priv *priv,
bool reset) bool reset)
{ {
struct nft_counter_tot total; struct nft_counter_tot total;
nft_counter_fetch(priv, &total); if (unlikely(reset))
nft_counter_fetch_and_reset(priv, &total);
else
nft_counter_fetch(priv, &total);
if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes), if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
NFTA_COUNTER_PAD) || NFTA_COUNTER_PAD) ||
@@ -162,9 +177,6 @@ static int nft_counter_do_dump(struct sk_buff *skb,
NFTA_COUNTER_PAD)) NFTA_COUNTER_PAD))
goto nla_put_failure; goto nla_put_failure;
if (reset)
nft_counter_reset(priv, &total);
return 0; return 0;
nla_put_failure: nla_put_failure: