archives/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-03-08 01:04:41 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

netfilter: nft_counter: serialize reset with spinlock

Browse source 
Add a global static spinlock to serialize counter fetch+reset
operations, preventing concurrent dump-and-reset from underrunning
values.

The lock is taken before fetching the total so that two parallel
resets cannot both read the same counter values and then both
subtract them.

A global lock is used for simplicity since resets are infrequent.
If this becomes a bottleneck, it can be replaced with a per-net
lock later.

Fixes: bd662c4218 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Fixes: 3d483faa66 ("netfilter: nf_tables: Add locking for NFT_MSG_GETSETELEM_RESET requests")
Fixes: 3cb03edb4d ("netfilter: nf_tables: Add locking for NFT_MSG_GETRULE_RESET requests")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Brian Witte <brianwitte@mailfence.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
This commit is contained in:
Brian Witte 2026-02-04 14:26:37 -06:00 committed by Florian Westphal
parent 07919126ec
commit 779c60a519
1 changed files with 16 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

20
net/netfilter/nft_counter.c
View file

@ -32,6 +32,9 @@ struct nft_counter_percpu_priv {
static DEFINE_PER_CPU(struct u64_stats_sync, nft_counter_sync);
/* control plane only: sync fetch+reset */
static DEFINE_SPINLOCK(nft_counter_lock);
static inline void nft_counter_do_eval(struct nft_counter_percpu_priv *priv,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
@ -148,13 +151,25 @@ static void nft_counter_fetch(struct nft_counter_percpu_priv *priv,
}
}
static void nft_counter_fetch_and_reset(struct nft_counter_percpu_priv *priv,
struct nft_counter_tot *total)
{
spin_lock(&nft_counter_lock);
nft_counter_fetch(priv, total);
nft_counter_reset(priv, total);
spin_unlock(&nft_counter_lock);
}
static int nft_counter_do_dump(struct sk_buff *skb,
struct nft_counter_percpu_priv *priv,
bool reset)
{
struct nft_counter_tot total;
nft_counter_fetch(priv, &total);
if (unlikely(reset))
nft_counter_fetch_and_reset(priv, &total);
else
nft_counter_fetch(priv, &total);
if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
NFTA_COUNTER_PAD) ||
@ -162,9 +177,6 @@ static int nft_counter_do_dump(struct sk_buff *skb,
NFTA_COUNTER_PAD))
goto nla_put_failure;
if (reset)
nft_counter_reset(priv, &total);
return 0;
nla_put_failure: