* [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
@ 2019-10-14 19:41 Florian Westphal
2019-10-14 20:52 ` kbuild test robot
` (4 more replies)
0 siblings, 5 replies; 13+ messages in thread
From: Florian Westphal @ 2019-10-14 19:41 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
When dumping the unconfirmed lists, the cpu that is processing the ct
entry can realloc ct->ext at any time.
Accessing extensions from another CPU is ok provided rcu read lock is held.
Once extension space will be reallocated with plain krealloc
this isn't used anymore.
Dumping the extension area for confirmed or dying conntracks is fine:
no reallocations are allowed and list iteration holds appropriate
locks that prevent ct (and thus ct->ext) from getting free'd.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_netlink.c | 77 ++++++++++++++++++----------
1 file changed, 51 insertions(+), 26 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index e2d13cd18875..db04e1bfb04d 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -506,9 +506,44 @@ static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
return -1;
}
+/* all these functions access ct->ext. Caller must either hold a reference
+ * on ct or prevent its deletion by holding either the bucket spinlock or
+ * pcpu dying list lock.
+ */
+static int ctnetlink_dump_extinfo(struct sk_buff *skb,
+ const struct nf_conn *ct, u32 type)
+{
+ if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
+ ctnetlink_dump_timestamp(skb, ct) < 0 ||
+ ctnetlink_dump_helpinfo(skb, ct) < 0 ||
+ ctnetlink_dump_labels(skb, ct) < 0 ||
+ ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
+ ctnetlink_dump_ct_synproxy(skb, ct) < 0)
+ return -1;
+
+ return 0;
+}
+
+static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
+{
+ if (ctnetlink_dump_status(skb, ct) < 0 ||
+ ctnetlink_dump_mark(skb, ct) < 0 ||
+ ctnetlink_dump_secctx(skb, ct) < 0 ||
+ ctnetlink_dump_id(skb, ct) < 0 ||
+ ctnetlink_dump_use(skb, ct) < 0 ||
+ ctnetlink_dump_master(skb, ct) < 0)
+ return -1;
+
+ if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
+ (ctnetlink_dump_timeout(skb, ct) < 0 ||
+ ctnetlink_dump_protoinfo(skb, ct) < 0))
+
+ return 0;
+}
+
static int
ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
- struct nf_conn *ct)
+ struct nf_conn *ct, bool extinfo)
{
const struct nf_conntrack_zone *zone;
struct nlmsghdr *nlh;
@@ -552,23 +587,9 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
NF_CT_DEFAULT_ZONE_DIR) < 0)
goto nla_put_failure;
- if (ctnetlink_dump_status(skb, ct) < 0 ||
- ctnetlink_dump_acct(skb, ct, type) < 0 ||
- ctnetlink_dump_timestamp(skb, ct) < 0 ||
- ctnetlink_dump_helpinfo(skb, ct) < 0 ||
- ctnetlink_dump_mark(skb, ct) < 0 ||
- ctnetlink_dump_secctx(skb, ct) < 0 ||
- ctnetlink_dump_labels(skb, ct) < 0 ||
- ctnetlink_dump_id(skb, ct) < 0 ||
- ctnetlink_dump_use(skb, ct) < 0 ||
- ctnetlink_dump_master(skb, ct) < 0 ||
- ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
- ctnetlink_dump_ct_synproxy(skb, ct) < 0)
+ if (ctnetlink_dump_info(skb, ct) < 0)
goto nla_put_failure;
-
- if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
- (ctnetlink_dump_timeout(skb, ct) < 0 ||
- ctnetlink_dump_protoinfo(skb, ct) < 0))
+ if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)
goto nla_put_failure;
nlmsg_end(skb, nlh);
@@ -953,13 +974,11 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
if (!ctnetlink_filter_match(ct, cb->data))
continue;
- rcu_read_lock();
res =
ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq,
NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
- ct);
- rcu_read_unlock();
+ ct, true);
if (res < 0) {
nf_conntrack_get(&ct->ct_general);
cb->args[1] = (unsigned long)ct;
@@ -1364,10 +1383,8 @@ static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
return -ENOMEM;
}
- rcu_read_lock();
err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
- NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
- rcu_read_unlock();
+ NFNL_MSG_TYPE(nlh->nlmsg_type), ct, true);
nf_ct_put(ct);
if (err <= 0)
goto free;
@@ -1429,12 +1446,20 @@ ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying
continue;
cb->args[1] = 0;
}
- rcu_read_lock();
+
+ /* We can't dump extension info for the unconfirmed
+ * list because unconfirmed conntracks can have ct->ext
+ * reallocated (and thus freed).
+ *
+ * In the dying list case ct->ext can't be altered during
+ * list walk anymore, and free can only occur after ct
+ * has been unlinked from the dying list (which can't
+ * happen until after we drop pcpu->lock).
+ */
res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
cb->nlh->nlmsg_seq,
NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
- ct);
- rcu_read_unlock();
+ ct, dying ? true : false);
if (res < 0) {
if (!atomic_inc_not_zero(&ct->ct_general.use))
continue;
--
2.21.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
2019-10-14 19:41 [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks Florian Westphal
@ 2019-10-14 20:52 ` kbuild test robot
2019-10-15 2:58 ` kbuild test robot
` (3 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: kbuild test robot @ 2019-10-14 20:52 UTC (permalink / raw)
To: Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal
[-- Attachment #1: Type: text/plain, Size: 3532 bytes --]
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-defconfig (attached as .config)
compiler: gcc-7 (Debian 7.4.0-13) 7.4.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_extinfo':
>> net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
>> net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_info':
>> net/netfilter/nf_conntrack_netlink.c:542:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
vim +520 net/netfilter/nf_conntrack_netlink.c
508
509 /* all these functions access ct->ext. Caller must either hold a reference
510 * on ct or prevent its deletion by holding either the bucket spinlock or
511 * pcpu dying list lock.
512 */
513 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
514 const struct nf_conn *ct, u32 type)
515 {
516 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
517 ctnetlink_dump_timestamp(skb, ct) < 0 ||
518 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
519 ctnetlink_dump_labels(skb, ct) < 0 ||
> 520 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
> 521 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
522 return -1;
523
524 return 0;
525 }
526
527 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
528 {
529 if (ctnetlink_dump_status(skb, ct) < 0 ||
530 ctnetlink_dump_mark(skb, ct) < 0 ||
531 ctnetlink_dump_secctx(skb, ct) < 0 ||
532 ctnetlink_dump_id(skb, ct) < 0 ||
533 ctnetlink_dump_use(skb, ct) < 0 ||
534 ctnetlink_dump_master(skb, ct) < 0)
535 return -1;
536
537 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
538 (ctnetlink_dump_timeout(skb, ct) < 0 ||
539 ctnetlink_dump_protoinfo(skb, ct) < 0))
540
541 return 0;
> 542 }
543
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 28153 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
@ 2019-10-14 20:52 ` kbuild test robot
0 siblings, 0 replies; 13+ messages in thread
From: kbuild test robot @ 2019-10-14 20:52 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 3611 bytes --]
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-defconfig (attached as .config)
compiler: gcc-7 (Debian 7.4.0-13) 7.4.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_extinfo':
>> net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
>> net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_info':
>> net/netfilter/nf_conntrack_netlink.c:542:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
vim +520 net/netfilter/nf_conntrack_netlink.c
508
509 /* all these functions access ct->ext. Caller must either hold a reference
510 * on ct or prevent its deletion by holding either the bucket spinlock or
511 * pcpu dying list lock.
512 */
513 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
514 const struct nf_conn *ct, u32 type)
515 {
516 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
517 ctnetlink_dump_timestamp(skb, ct) < 0 ||
518 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
519 ctnetlink_dump_labels(skb, ct) < 0 ||
> 520 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
> 521 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
522 return -1;
523
524 return 0;
525 }
526
527 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
528 {
529 if (ctnetlink_dump_status(skb, ct) < 0 ||
530 ctnetlink_dump_mark(skb, ct) < 0 ||
531 ctnetlink_dump_secctx(skb, ct) < 0 ||
532 ctnetlink_dump_id(skb, ct) < 0 ||
533 ctnetlink_dump_use(skb, ct) < 0 ||
534 ctnetlink_dump_master(skb, ct) < 0)
535 return -1;
536
537 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
538 (ctnetlink_dump_timeout(skb, ct) < 0 ||
539 ctnetlink_dump_protoinfo(skb, ct) < 0))
540
541 return 0;
> 542 }
543
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 28153 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
2019-10-14 19:41 [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks Florian Westphal
@ 2019-10-15 2:58 ` kbuild test robot
2019-10-15 2:58 ` kbuild test robot
` (3 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: kbuild test robot @ 2019-10-15 2:58 UTC (permalink / raw)
To: Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
# apt-get install sparse
# sparse version: v0.6.1-rc1-43-g0ccb3b4-dirty
make ARCH=x86_64 allmodconfig
make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> net/netfilter/nf_conntrack_netlink.c:520:44: sparse: sparse: incorrect type in argument 2 (different modifiers) @@ expected struct nf_conn *ct @@ got structstruct nf_conn *ct @@
>> net/netfilter/nf_conntrack_netlink.c:520:44: sparse: expected struct nf_conn *ct
>> net/netfilter/nf_conntrack_netlink.c:520:44: sparse: got struct nf_conn const *ct
net/netfilter/nf_conntrack_netlink.c:521:45: sparse: sparse: incorrect type in argument 2 (different modifiers) @@ expected struct nf_conn *ct @@ got structstruct nf_conn *ct @@
net/netfilter/nf_conntrack_netlink.c:521:45: sparse: expected struct nf_conn *ct
net/netfilter/nf_conntrack_netlink.c:521:45: sparse: got struct nf_conn const *ct
net/netfilter/nf_conntrack_netlink.c:1694:34: sparse: sparse: incompatible types in comparison expression (different address spaces):
net/netfilter/nf_conntrack_netlink.c:1694:34: sparse: struct nf_conntrack_helper [noderef] <asn:4> *
net/netfilter/nf_conntrack_netlink.c:1694:34: sparse: struct nf_conntrack_helper *
net/netfilter/nf_conntrack_netlink.c:3146:29: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected char const * @@ got char [noderechar const * @@
net/netfilter/nf_conntrack_netlink.c:3146:29: sparse: expected char const *
net/netfilter/nf_conntrack_netlink.c:3146:29: sparse: got char [noderef] <asn:4> *
net/netfilter/nf_conntrack_netlink.c:951:36: sparse: sparse: context imbalance in 'ctnetlink_dump_table' - unexpected unlock
include/linux/rcupdate.h:651:9: sparse: sparse: context imbalance in 'ctnetlink_parse_nat_setup' - unexpected unlock
vim +520 net/netfilter/nf_conntrack_netlink.c
508
509 /* all these functions access ct->ext. Caller must either hold a reference
510 * on ct or prevent its deletion by holding either the bucket spinlock or
511 * pcpu dying list lock.
512 */
513 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
514 const struct nf_conn *ct, u32 type)
515 {
516 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
517 ctnetlink_dump_timestamp(skb, ct) < 0 ||
518 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
519 ctnetlink_dump_labels(skb, ct) < 0 ||
> 520 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
521 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
522 return -1;
523
524 return 0;
525 }
526
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
@ 2019-10-15 2:58 ` kbuild test robot
0 siblings, 0 replies; 13+ messages in thread
From: kbuild test robot @ 2019-10-15 2:58 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 3324 bytes --]
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
# apt-get install sparse
# sparse version: v0.6.1-rc1-43-g0ccb3b4-dirty
make ARCH=x86_64 allmodconfig
make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> net/netfilter/nf_conntrack_netlink.c:520:44: sparse: sparse: incorrect type in argument 2 (different modifiers) @@ expected struct nf_conn *ct @@ got structstruct nf_conn *ct @@
>> net/netfilter/nf_conntrack_netlink.c:520:44: sparse: expected struct nf_conn *ct
>> net/netfilter/nf_conntrack_netlink.c:520:44: sparse: got struct nf_conn const *ct
net/netfilter/nf_conntrack_netlink.c:521:45: sparse: sparse: incorrect type in argument 2 (different modifiers) @@ expected struct nf_conn *ct @@ got structstruct nf_conn *ct @@
net/netfilter/nf_conntrack_netlink.c:521:45: sparse: expected struct nf_conn *ct
net/netfilter/nf_conntrack_netlink.c:521:45: sparse: got struct nf_conn const *ct
net/netfilter/nf_conntrack_netlink.c:1694:34: sparse: sparse: incompatible types in comparison expression (different address spaces):
net/netfilter/nf_conntrack_netlink.c:1694:34: sparse: struct nf_conntrack_helper [noderef] <asn:4> *
net/netfilter/nf_conntrack_netlink.c:1694:34: sparse: struct nf_conntrack_helper *
net/netfilter/nf_conntrack_netlink.c:3146:29: sparse: sparse: incorrect type in argument 1 (different address spaces) @@ expected char const * @@ got char [noderechar const * @@
net/netfilter/nf_conntrack_netlink.c:3146:29: sparse: expected char const *
net/netfilter/nf_conntrack_netlink.c:3146:29: sparse: got char [noderef] <asn:4> *
net/netfilter/nf_conntrack_netlink.c:951:36: sparse: sparse: context imbalance in 'ctnetlink_dump_table' - unexpected unlock
include/linux/rcupdate.h:651:9: sparse: sparse: context imbalance in 'ctnetlink_parse_nat_setup' - unexpected unlock
vim +520 net/netfilter/nf_conntrack_netlink.c
508
509 /* all these functions access ct->ext. Caller must either hold a reference
510 * on ct or prevent its deletion by holding either the bucket spinlock or
511 * pcpu dying list lock.
512 */
513 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
514 const struct nf_conn *ct, u32 type)
515 {
516 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
517 ctnetlink_dump_timestamp(skb, ct) < 0 ||
518 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
519 ctnetlink_dump_labels(skb, ct) < 0 ||
> 520 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
521 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
522 return -1;
523
524 return 0;
525 }
526
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
2019-10-14 19:41 [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks Florian Westphal
@ 2019-10-15 3:14 ` kbuild test robot
2019-10-15 2:58 ` kbuild test robot
` (3 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: kbuild test robot @ 2019-10-15 3:14 UTC (permalink / raw)
To: Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal
[-- Attachment #1: Type: text/plain, Size: 14967 bytes --]
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-randconfig-g004-201941 (attached as .config)
compiler: gcc-7 (Debian 7.4.0-13) 7.4.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_extinfo':
net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^
include/linux/compiler.h:58:52: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^
include/linux/compiler.h:58:52: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^
include/linux/compiler.h:58:61: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^
include/linux/compiler.h:58:61: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^
include/linux/compiler.h:69:3: note: in definition of macro '__trace_if_value'
(cond) ? \
^~~~
include/linux/compiler.h:56:28: note: in expansion of macro '__trace_if_var'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~~~~~~~~~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^
include/linux/compiler.h:69:3: note: in definition of macro '__trace_if_value'
(cond) ? \
^~~~
include/linux/compiler.h:56:28: note: in expansion of macro '__trace_if_var'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~~~~~~~~~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_info':
net/netfilter/nf_conntrack_netlink.c:542:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
Cyclomatic Complexity 5 include/linux/compiler.h:__read_once_size
Cyclomatic Complexity 5 include/linux/compiler.h:__write_once_size
Cyclomatic Complexity 1 include/linux/kasan-checks.h:kasan_check_read
Cyclomatic Complexity 1 include/linux/kasan-checks.h:kasan_check_write
Cyclomatic Complexity 4 arch/x86/include/asm/bitops.h:arch_set_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:arch___set_bit
Cyclomatic Complexity 4 arch/x86/include/asm/bitops.h:arch_clear_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:constant_test_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:variable_test_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:fls
Cyclomatic Complexity 1 include/asm-generic/bitops-instrumented.h:set_bit
Cyclomatic Complexity 1 include/asm-generic/bitops-instrumented.h:__set_bit
Cyclomatic Complexity 1 include/asm-generic/bitops-instrumented.h:clear_bit
Cyclomatic Complexity 1 include/uapi/linux/byteorder/little_endian.h:__le32_to_cpup
Cyclomatic Complexity 1 include/linux/log2.h:__ilog2_u32
Cyclomatic Complexity 2 arch/x86/include/asm/jump_label.h:arch_static_branch_jump
Cyclomatic Complexity 1 arch/x86/include/asm/atomic.h:arch_atomic_read
Cyclomatic Complexity 1 arch/x86/include/asm/atomic.h:arch_atomic_inc
Cyclomatic Complexity 1 arch/x86/include/asm/atomic.h:arch_atomic_dec_and_test
Cyclomatic Complexity 3 arch/x86/include/asm/atomic.h:arch_atomic_try_cmpxchg
Cyclomatic Complexity 1 arch/x86/include/asm/atomic64_32.h:arch_atomic64_xchg
Cyclomatic Complexity 1 arch/x86/include/asm/atomic64_32.h:arch_atomic64_read
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_read
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_inc
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_try_cmpxchg
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_dec_and_test
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic64_read
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic64_xchg
Cyclomatic Complexity 1 include/linux/err.h:ERR_PTR
Cyclomatic Complexity 1 include/linux/err.h:PTR_ERR
Cyclomatic Complexity 9 arch/x86/include/asm/preempt.h:__preempt_count_add
Cyclomatic Complexity 9 arch/x86/include/asm/preempt.h:__preempt_count_sub
Cyclomatic Complexity 1 include/linux/spinlock.h:spin_lock_bh
Cyclomatic Complexity 1 include/linux/spinlock.h:spin_unlock
Cyclomatic Complexity 1 include/linux/spinlock.h:spin_unlock_bh
Cyclomatic Complexity 1 include/linux/rcupdate.h:__rcu_read_lock
Cyclomatic Complexity 1 include/linux/rcupdate.h:__rcu_read_unlock
Cyclomatic Complexity 5 include/linux/rcupdate.h:rcu_read_lock
Cyclomatic Complexity 1 include/linux/ktime.h:ktime_to_ns
Cyclomatic Complexity 1 include/linux/list_nulls.h:is_a_nulls
Cyclomatic Complexity 4 include/linux/slab.h:kmalloc_type
Cyclomatic Complexity 84 include/linux/slab.h:kmalloc_index
Cyclomatic Complexity 1 include/linux/slab.h:kmalloc_large
Cyclomatic Complexity 10 include/linux/slab.h:kmalloc
Cyclomatic Complexity 1 include/linux/slab.h:kzalloc
Cyclomatic Complexity 1 include/linux/skbuff.h:skb_is_nonlinear
Cyclomatic Complexity 1 include/linux/skbuff.h:skb_tail_pointer
Cyclomatic Complexity 2 include/linux/skbuff.h:skb_tailroom
Cyclomatic Complexity 1 include/net/net_namespace.h:net_eq
Cyclomatic Complexity 1 include/net/net_namespace.h:read_pnet
Cyclomatic Complexity 5 include/linux/netfilter.h:nf_inet_addr_cmp
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_msg_size
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_total_size
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_data
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_report
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_end
Cyclomatic Complexity 1 include/net/netlink.h:nla_data
Cyclomatic Complexity 1 include/net/netlink.h:nla_len
Cyclomatic Complexity 1 include/net/netlink.h:nla_get_be32
Cyclomatic Complexity 1 include/net/netlink.h:nla_get_u8
Cyclomatic Complexity 1 include/net/netlink.h:nla_get_in_addr
Cyclomatic Complexity 1 include/net/netlink.h:nla_nest_end
Cyclomatic Complexity 1 include/net/sock.h:sock_net
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_tuplehash_to_ctrack
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_l3num
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_protonum
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_net
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_expires
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_is_expired
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_zones.h:nf_ct_zone
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_zones.h:nf_ct_zone_init
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_extend.h:__nf_ct_ext_exist
Cyclomatic Complexity 3 include/net/netfilter/nf_conntrack_extend.h:nf_ct_ext_exist
Cyclomatic Complexity 3 include/net/netfilter/nf_conntrack_extend.h:__nf_ct_ext_find
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_ecache.h:nf_ct_ecache_ext_add
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_ecache.h:nf_conntrack_eventmask_report
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_helper.h:nfct_help
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_seqadj.h:nfct_seqadj
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_acct.h:nf_conn_acct_find
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_timestamp.h:nf_conn_tstamp_find
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_timestamp.h:nf_ct_tstamp_ext_add
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_labels.h:nf_ct_labels_ext_add
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_synproxy.h:nfct_synproxy
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_synproxy.h:nfct_synproxy_ext_add
Cyclomatic Complexity 1 include/linux/netfilter/nfnetlink.h:nfnl_msg_type
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:ctnetlink_attach_labels
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:expect_iter_all
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:ctnetlink_net_init
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:ctnetlink_net_exit
Cyclomatic Complexity 2 net/netfilter/nf_conntrack_netlink.c:ctnetlink_net_exit_batch
Cyclomatic Complexity 2 include/asm-generic/bitops-instrumented.h:test_bit
vim +/if +516 net/netfilter/nf_conntrack_netlink.c
508
509 /* all these functions access ct->ext. Caller must either hold a reference
510 * on ct or prevent its deletion by holding either the bucket spinlock or
511 * pcpu dying list lock.
512 */
513 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
514 const struct nf_conn *ct, u32 type)
515 {
> 516 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
517 ctnetlink_dump_timestamp(skb, ct) < 0 ||
518 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
519 ctnetlink_dump_labels(skb, ct) < 0 ||
520 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
521 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
522 return -1;
523
524 return 0;
525 }
526
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 36004 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
@ 2019-10-15 3:14 ` kbuild test robot
0 siblings, 0 replies; 13+ messages in thread
From: kbuild test robot @ 2019-10-15 3:14 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 15198 bytes --]
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-randconfig-g004-201941 (attached as .config)
compiler: gcc-7 (Debian 7.4.0-13) 7.4.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_extinfo':
net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^
include/linux/compiler.h:58:52: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^
include/linux/compiler.h:58:52: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^
include/linux/compiler.h:58:61: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^
include/linux/compiler.h:58:61: note: in definition of macro '__trace_if_var'
#define __trace_if_var(cond) (__builtin_constant_p(cond) ? (cond) : __trace_if_value(cond))
^~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:520:37: warning: passing argument 2 of 'ctnetlink_dump_ct_seq_adj' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
^
include/linux/compiler.h:69:3: note: in definition of macro '__trace_if_value'
(cond) ? \
^~~~
include/linux/compiler.h:56:28: note: in expansion of macro '__trace_if_var'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~~~~~~~~~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:438:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~
In file included from include/linux/init.h:5:0,
from net/netfilter/nf_conntrack_netlink.c:18:
net/netfilter/nf_conntrack_netlink.c:521:38: warning: passing argument 2 of 'ctnetlink_dump_ct_synproxy' discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
ctnetlink_dump_ct_synproxy(skb, ct) < 0)
^
include/linux/compiler.h:69:3: note: in definition of macro '__trace_if_value'
(cond) ? \
^~~~
include/linux/compiler.h:56:28: note: in expansion of macro '__trace_if_var'
#define if(cond, ...) if ( __trace_if_var( !!(cond , ## __VA_ARGS__) ) )
^~~~~~~~~~~~~~
>> net/netfilter/nf_conntrack_netlink.c:516:2: note: in expansion of macro 'if'
if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
^~
net/netfilter/nf_conntrack_netlink.c:462:12: note: expected 'struct nf_conn *' but argument is of type 'const struct nf_conn *'
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
^~~~~~~~~~~~~~~~~~~~~~~~~~
net/netfilter/nf_conntrack_netlink.c: In function 'ctnetlink_dump_info':
net/netfilter/nf_conntrack_netlink.c:542:1: warning: control reaches end of non-void function [-Wreturn-type]
}
^
Cyclomatic Complexity 5 include/linux/compiler.h:__read_once_size
Cyclomatic Complexity 5 include/linux/compiler.h:__write_once_size
Cyclomatic Complexity 1 include/linux/kasan-checks.h:kasan_check_read
Cyclomatic Complexity 1 include/linux/kasan-checks.h:kasan_check_write
Cyclomatic Complexity 4 arch/x86/include/asm/bitops.h:arch_set_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:arch___set_bit
Cyclomatic Complexity 4 arch/x86/include/asm/bitops.h:arch_clear_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:constant_test_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:variable_test_bit
Cyclomatic Complexity 1 arch/x86/include/asm/bitops.h:fls
Cyclomatic Complexity 1 include/asm-generic/bitops-instrumented.h:set_bit
Cyclomatic Complexity 1 include/asm-generic/bitops-instrumented.h:__set_bit
Cyclomatic Complexity 1 include/asm-generic/bitops-instrumented.h:clear_bit
Cyclomatic Complexity 1 include/uapi/linux/byteorder/little_endian.h:__le32_to_cpup
Cyclomatic Complexity 1 include/linux/log2.h:__ilog2_u32
Cyclomatic Complexity 2 arch/x86/include/asm/jump_label.h:arch_static_branch_jump
Cyclomatic Complexity 1 arch/x86/include/asm/atomic.h:arch_atomic_read
Cyclomatic Complexity 1 arch/x86/include/asm/atomic.h:arch_atomic_inc
Cyclomatic Complexity 1 arch/x86/include/asm/atomic.h:arch_atomic_dec_and_test
Cyclomatic Complexity 3 arch/x86/include/asm/atomic.h:arch_atomic_try_cmpxchg
Cyclomatic Complexity 1 arch/x86/include/asm/atomic64_32.h:arch_atomic64_xchg
Cyclomatic Complexity 1 arch/x86/include/asm/atomic64_32.h:arch_atomic64_read
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_read
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_inc
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_try_cmpxchg
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic_dec_and_test
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic64_read
Cyclomatic Complexity 1 include/asm-generic/atomic-instrumented.h:atomic64_xchg
Cyclomatic Complexity 1 include/linux/err.h:ERR_PTR
Cyclomatic Complexity 1 include/linux/err.h:PTR_ERR
Cyclomatic Complexity 9 arch/x86/include/asm/preempt.h:__preempt_count_add
Cyclomatic Complexity 9 arch/x86/include/asm/preempt.h:__preempt_count_sub
Cyclomatic Complexity 1 include/linux/spinlock.h:spin_lock_bh
Cyclomatic Complexity 1 include/linux/spinlock.h:spin_unlock
Cyclomatic Complexity 1 include/linux/spinlock.h:spin_unlock_bh
Cyclomatic Complexity 1 include/linux/rcupdate.h:__rcu_read_lock
Cyclomatic Complexity 1 include/linux/rcupdate.h:__rcu_read_unlock
Cyclomatic Complexity 5 include/linux/rcupdate.h:rcu_read_lock
Cyclomatic Complexity 1 include/linux/ktime.h:ktime_to_ns
Cyclomatic Complexity 1 include/linux/list_nulls.h:is_a_nulls
Cyclomatic Complexity 4 include/linux/slab.h:kmalloc_type
Cyclomatic Complexity 84 include/linux/slab.h:kmalloc_index
Cyclomatic Complexity 1 include/linux/slab.h:kmalloc_large
Cyclomatic Complexity 10 include/linux/slab.h:kmalloc
Cyclomatic Complexity 1 include/linux/slab.h:kzalloc
Cyclomatic Complexity 1 include/linux/skbuff.h:skb_is_nonlinear
Cyclomatic Complexity 1 include/linux/skbuff.h:skb_tail_pointer
Cyclomatic Complexity 2 include/linux/skbuff.h:skb_tailroom
Cyclomatic Complexity 1 include/net/net_namespace.h:net_eq
Cyclomatic Complexity 1 include/net/net_namespace.h:read_pnet
Cyclomatic Complexity 5 include/linux/netfilter.h:nf_inet_addr_cmp
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_msg_size
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_total_size
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_data
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_report
Cyclomatic Complexity 1 include/net/netlink.h:nlmsg_end
Cyclomatic Complexity 1 include/net/netlink.h:nla_data
Cyclomatic Complexity 1 include/net/netlink.h:nla_len
Cyclomatic Complexity 1 include/net/netlink.h:nla_get_be32
Cyclomatic Complexity 1 include/net/netlink.h:nla_get_u8
Cyclomatic Complexity 1 include/net/netlink.h:nla_get_in_addr
Cyclomatic Complexity 1 include/net/netlink.h:nla_nest_end
Cyclomatic Complexity 1 include/net/sock.h:sock_net
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_tuplehash_to_ctrack
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_l3num
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_protonum
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_net
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_expires
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack.h:nf_ct_is_expired
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_zones.h:nf_ct_zone
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_zones.h:nf_ct_zone_init
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_extend.h:__nf_ct_ext_exist
Cyclomatic Complexity 3 include/net/netfilter/nf_conntrack_extend.h:nf_ct_ext_exist
Cyclomatic Complexity 3 include/net/netfilter/nf_conntrack_extend.h:__nf_ct_ext_find
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_ecache.h:nf_ct_ecache_ext_add
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_ecache.h:nf_conntrack_eventmask_report
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_helper.h:nfct_help
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_seqadj.h:nfct_seqadj
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_acct.h:nf_conn_acct_find
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_timestamp.h:nf_conn_tstamp_find
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_timestamp.h:nf_ct_tstamp_ext_add
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_labels.h:nf_ct_labels_ext_add
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_synproxy.h:nfct_synproxy
Cyclomatic Complexity 1 include/net/netfilter/nf_conntrack_synproxy.h:nfct_synproxy_ext_add
Cyclomatic Complexity 1 include/linux/netfilter/nfnetlink.h:nfnl_msg_type
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:ctnetlink_attach_labels
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:expect_iter_all
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:ctnetlink_net_init
Cyclomatic Complexity 1 net/netfilter/nf_conntrack_netlink.c:ctnetlink_net_exit
Cyclomatic Complexity 2 net/netfilter/nf_conntrack_netlink.c:ctnetlink_net_exit_batch
Cyclomatic Complexity 2 include/asm-generic/bitops-instrumented.h:test_bit
vim +/if +516 net/netfilter/nf_conntrack_netlink.c
508
509 /* all these functions access ct->ext. Caller must either hold a reference
510 * on ct or prevent its deletion by holding either the bucket spinlock or
511 * pcpu dying list lock.
512 */
513 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
514 const struct nf_conn *ct, u32 type)
515 {
> 516 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
517 ctnetlink_dump_timestamp(skb, ct) < 0 ||
518 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
519 ctnetlink_dump_labels(skb, ct) < 0 ||
520 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
521 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
522 return -1;
523
524 return 0;
525 }
526
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 36004 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
2019-10-14 19:41 [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks Florian Westphal
2019-10-14 20:52 ` kbuild test robot
@ 2019-10-15 9:23 ` Dan Carpenter
2019-10-15 3:14 ` kbuild test robot
` (2 subsequent siblings)
4 siblings, 0 replies; 13+ messages in thread
From: Dan Carpenter @ 2019-10-15 9:23 UTC (permalink / raw)
To: kbuild, Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal
Hi Florian,
I love your patch! Perhaps something to improve:
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/netfilter/nf_conntrack_netlink.c:537 ctnetlink_dump_info() warn: if statement not indented
# https://github.com/0day-ci/linux/commit/c8040548c0416425c95ae3b7008ef5d829168d3b
git remote add linux-review https://github.com/0day-ci/linux
git remote update linux-review
git checkout c8040548c0416425c95ae3b7008ef5d829168d3b
vim +537 net/netfilter/nf_conntrack_netlink.c
c8040548c04164 Florian Westphal 2019-10-14 527 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
c8040548c04164 Florian Westphal 2019-10-14 528 {
c8040548c04164 Florian Westphal 2019-10-14 529 if (ctnetlink_dump_status(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 530 ctnetlink_dump_mark(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 531 ctnetlink_dump_secctx(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 532 ctnetlink_dump_id(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 533 ctnetlink_dump_use(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 534 ctnetlink_dump_master(skb, ct) < 0)
c8040548c04164 Florian Westphal 2019-10-14 535 return -1;
c8040548c04164 Florian Westphal 2019-10-14 536
c8040548c04164 Florian Westphal 2019-10-14 @537 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
c8040548c04164 Florian Westphal 2019-10-14 538 (ctnetlink_dump_timeout(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 539 ctnetlink_dump_protoinfo(skb, ct) < 0))
Part of the "return -EINVAL;" commit must be missing. This should
generate a compile warning about reaching the end of a non-void
function.
c8040548c04164 Florian Westphal 2019-10-14 540
c8040548c04164 Florian Westphal 2019-10-14 541 return 0;
c8040548c04164 Florian Westphal 2019-10-14 542 }
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
@ 2019-10-15 9:23 ` Dan Carpenter
0 siblings, 0 replies; 13+ messages in thread
From: Dan Carpenter @ 2019-10-15 9:23 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 2455 bytes --]
Hi Florian,
I love your patch! Perhaps something to improve:
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/netfilter/nf_conntrack_netlink.c:537 ctnetlink_dump_info() warn: if statement not indented
# https://github.com/0day-ci/linux/commit/c8040548c0416425c95ae3b7008ef5d829168d3b
git remote add linux-review https://github.com/0day-ci/linux
git remote update linux-review
git checkout c8040548c0416425c95ae3b7008ef5d829168d3b
vim +537 net/netfilter/nf_conntrack_netlink.c
c8040548c04164 Florian Westphal 2019-10-14 527 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
c8040548c04164 Florian Westphal 2019-10-14 528 {
c8040548c04164 Florian Westphal 2019-10-14 529 if (ctnetlink_dump_status(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 530 ctnetlink_dump_mark(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 531 ctnetlink_dump_secctx(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 532 ctnetlink_dump_id(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 533 ctnetlink_dump_use(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 534 ctnetlink_dump_master(skb, ct) < 0)
c8040548c04164 Florian Westphal 2019-10-14 535 return -1;
c8040548c04164 Florian Westphal 2019-10-14 536
c8040548c04164 Florian Westphal 2019-10-14 @537 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
c8040548c04164 Florian Westphal 2019-10-14 538 (ctnetlink_dump_timeout(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 539 ctnetlink_dump_protoinfo(skb, ct) < 0))
Part of the "return -EINVAL;" commit must be missing. This should
generate a compile warning about reaching the end of a non-void
function.
c8040548c04164 Florian Westphal 2019-10-14 540
c8040548c04164 Florian Westphal 2019-10-14 541 return 0;
c8040548c04164 Florian Westphal 2019-10-14 542 }
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
@ 2019-10-15 9:23 ` Dan Carpenter
0 siblings, 0 replies; 13+ messages in thread
From: Dan Carpenter @ 2019-10-15 9:23 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 2455 bytes --]
Hi Florian,
I love your patch! Perhaps something to improve:
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-ctnetlink-don-t-dump-ct-extensions-of-unconfirmed-conntracks/20191015-040005
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
net/netfilter/nf_conntrack_netlink.c:537 ctnetlink_dump_info() warn: if statement not indented
# https://github.com/0day-ci/linux/commit/c8040548c0416425c95ae3b7008ef5d829168d3b
git remote add linux-review https://github.com/0day-ci/linux
git remote update linux-review
git checkout c8040548c0416425c95ae3b7008ef5d829168d3b
vim +537 net/netfilter/nf_conntrack_netlink.c
c8040548c04164 Florian Westphal 2019-10-14 527 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
c8040548c04164 Florian Westphal 2019-10-14 528 {
c8040548c04164 Florian Westphal 2019-10-14 529 if (ctnetlink_dump_status(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 530 ctnetlink_dump_mark(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 531 ctnetlink_dump_secctx(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 532 ctnetlink_dump_id(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 533 ctnetlink_dump_use(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 534 ctnetlink_dump_master(skb, ct) < 0)
c8040548c04164 Florian Westphal 2019-10-14 535 return -1;
c8040548c04164 Florian Westphal 2019-10-14 536
c8040548c04164 Florian Westphal 2019-10-14 @537 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
c8040548c04164 Florian Westphal 2019-10-14 538 (ctnetlink_dump_timeout(skb, ct) < 0 ||
c8040548c04164 Florian Westphal 2019-10-14 539 ctnetlink_dump_protoinfo(skb, ct) < 0))
Part of the "return -EINVAL;" commit must be missing. This should
generate a compile warning about reaching the end of a non-void
function.
c8040548c04164 Florian Westphal 2019-10-14 540
c8040548c04164 Florian Westphal 2019-10-14 541 return 0;
c8040548c04164 Florian Westphal 2019-10-14 542 }
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
2019-10-14 19:41 [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks Florian Westphal
` (3 preceding siblings ...)
2019-10-15 9:23 ` Dan Carpenter
@ 2019-10-15 21:06 ` Jeremy Sowden
2019-10-15 21:22 ` Florian Westphal
4 siblings, 1 reply; 13+ messages in thread
From: Jeremy Sowden @ 2019-10-15 21:06 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 5414 bytes --]
On 2019-10-14, at 21:41:41 +0200, Florian Westphal wrote:
> When dumping the unconfirmed lists, the cpu that is processing the ct
> entry can realloc ct->ext at any time.
>
> Accessing extensions from another CPU is ok provided rcu read lock is
> held.
>
> Once extension space will be reallocated with plain krealloc this
> isn't used anymore.
>
> Dumping the extension area for confirmed or dying conntracks is fine:
> no reallocations are allowed and list iteration holds appropriate
> locks that prevent ct (and thus ct->ext) from getting free'd.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> net/netfilter/nf_conntrack_netlink.c | 77 ++++++++++++++++++----------
> 1 file changed, 51 insertions(+), 26 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index e2d13cd18875..db04e1bfb04d 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -506,9 +506,44 @@ static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
> return -1;
> }
>
> +/* all these functions access ct->ext. Caller must either hold a reference
> + * on ct or prevent its deletion by holding either the bucket spinlock or
> + * pcpu dying list lock.
> + */
> +static int ctnetlink_dump_extinfo(struct sk_buff *skb,
> + const struct nf_conn *ct, u32 type)
> +{
> + if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
> + ctnetlink_dump_timestamp(skb, ct) < 0 ||
> + ctnetlink_dump_helpinfo(skb, ct) < 0 ||
> + ctnetlink_dump_labels(skb, ct) < 0 ||
> + ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
> + ctnetlink_dump_ct_synproxy(skb, ct) < 0)
> + return -1;
> +
> + return 0;
> +}
> +
> +static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
> +{
> + if (ctnetlink_dump_status(skb, ct) < 0 ||
> + ctnetlink_dump_mark(skb, ct) < 0 ||
> + ctnetlink_dump_secctx(skb, ct) < 0 ||
> + ctnetlink_dump_id(skb, ct) < 0 ||
> + ctnetlink_dump_use(skb, ct) < 0 ||
> + ctnetlink_dump_master(skb, ct) < 0)
> + return -1;
> +
> + if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
> + (ctnetlink_dump_timeout(skb, ct) < 0 ||
> + ctnetlink_dump_protoinfo(skb, ct) < 0))
> +
> + return 0;
> +}
> +
> static int
> ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
> - struct nf_conn *ct)
> + struct nf_conn *ct, bool extinfo)
> {
> const struct nf_conntrack_zone *zone;
> struct nlmsghdr *nlh;
> @@ -552,23 +587,9 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
> NF_CT_DEFAULT_ZONE_DIR) < 0)
> goto nla_put_failure;
>
> - if (ctnetlink_dump_status(skb, ct) < 0 ||
> - ctnetlink_dump_acct(skb, ct, type) < 0 ||
> - ctnetlink_dump_timestamp(skb, ct) < 0 ||
> - ctnetlink_dump_helpinfo(skb, ct) < 0 ||
> - ctnetlink_dump_mark(skb, ct) < 0 ||
> - ctnetlink_dump_secctx(skb, ct) < 0 ||
> - ctnetlink_dump_labels(skb, ct) < 0 ||
> - ctnetlink_dump_id(skb, ct) < 0 ||
> - ctnetlink_dump_use(skb, ct) < 0 ||
> - ctnetlink_dump_master(skb, ct) < 0 ||
> - ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
> - ctnetlink_dump_ct_synproxy(skb, ct) < 0)
> + if (ctnetlink_dump_info(skb, ct) < 0)
> goto nla_put_failure;
> -
> - if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
> - (ctnetlink_dump_timeout(skb, ct) < 0 ||
> - ctnetlink_dump_protoinfo(skb, ct) < 0))
> + if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)
> goto nla_put_failure;
>
> nlmsg_end(skb, nlh);
> @@ -953,13 +974,11 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
> if (!ctnetlink_filter_match(ct, cb->data))
> continue;
>
> - rcu_read_lock();
> res =
> ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
> cb->nlh->nlmsg_seq,
> NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
> - ct);
> - rcu_read_unlock();
> + ct, true);
> if (res < 0) {
> nf_conntrack_get(&ct->ct_general);
> cb->args[1] = (unsigned long)ct;
> @@ -1364,10 +1383,8 @@ static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
> return -ENOMEM;
> }
>
> - rcu_read_lock();
> err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
> - NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
> - rcu_read_unlock();
> + NFNL_MSG_TYPE(nlh->nlmsg_type), ct, true);
> nf_ct_put(ct);
> if (err <= 0)
> goto free;
> @@ -1429,12 +1446,20 @@ ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying
> continue;
> cb->args[1] = 0;
> }
> - rcu_read_lock();
> +
> + /* We can't dump extension info for the unconfirmed
> + * list because unconfirmed conntracks can have ct->ext
> + * reallocated (and thus freed).
> + *
> + * In the dying list case ct->ext can't be altered during
> + * list walk anymore, and free can only occur after ct
> + * has been unlinked from the dying list (which can't
> + * happen until after we drop pcpu->lock).
> + */
> res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
> cb->nlh->nlmsg_seq,
> NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
> - ct);
> - rcu_read_unlock();
> + ct, dying ? true : false);
s/dying ? true : false/dying/
> if (res < 0) {
> if (!atomic_inc_not_zero(&ct->ct_general.use))
> continue;
> --
> 2.21.0
>
>
J.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
2019-10-15 21:06 ` Jeremy Sowden
@ 2019-10-15 21:22 ` Florian Westphal
2019-10-15 21:29 ` Jeremy Sowden
0 siblings, 1 reply; 13+ messages in thread
From: Florian Westphal @ 2019-10-15 21:22 UTC (permalink / raw)
To: Jeremy Sowden; +Cc: Florian Westphal, netfilter-devel
Jeremy Sowden <jeremy@azazel.net> wrote:
> On 2019-10-14, at 21:41:41 +0200, Florian Westphal wrote:
> > When dumping the unconfirmed lists, the cpu that is processing the ct
> > entry can realloc ct->ext at any time.
> >
> > Accessing extensions from another CPU is ok provided rcu read lock is
> > held.
> >
> > Once extension space will be reallocated with plain krealloc this
> > isn't used anymore.
> >
> > Dumping the extension area for confirmed or dying conntracks is fine:
> > no reallocations are allowed and list iteration holds appropriate
> > locks that prevent ct (and thus ct->ext) from getting free'd.
> >
> > Signed-off-by: Florian Westphal <fw@strlen.de>
> > ---
> > net/netfilter/nf_conntrack_netlink.c | 77 ++++++++++++++++++----------
> > 1 file changed, 51 insertions(+), 26 deletions(-)
> >
> > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > index e2d13cd18875..db04e1bfb04d 100644
> > --- a/net/netfilter/nf_conntrack_netlink.c
> > +++ b/net/netfilter/nf_conntrack_netlink.c
> > @@ -506,9 +506,44 @@ static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
> > return -1;
> > }
> >
> > +/* all these functions access ct->ext. Caller must either hold a reference
> > + * on ct or prevent its deletion by holding either the bucket spinlock or
> > + * pcpu dying list lock.
> > + */
> > +static int ctnetlink_dump_extinfo(struct sk_buff *skb,
> > + const struct nf_conn *ct, u32 type)
> > +{
> > + if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
> > + ctnetlink_dump_timestamp(skb, ct) < 0 ||
> > + ctnetlink_dump_helpinfo(skb, ct) < 0 ||
> > + ctnetlink_dump_labels(skb, ct) < 0 ||
> > + ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
> > + ctnetlink_dump_ct_synproxy(skb, ct) < 0)
> > + return -1;
> > +
> > + return 0;
> > +}
> > +
> > +static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
> > +{
> > + if (ctnetlink_dump_status(skb, ct) < 0 ||
> > + ctnetlink_dump_mark(skb, ct) < 0 ||
> > + ctnetlink_dump_secctx(skb, ct) < 0 ||
> > + ctnetlink_dump_id(skb, ct) < 0 ||
> > + ctnetlink_dump_use(skb, ct) < 0 ||
> > + ctnetlink_dump_master(skb, ct) < 0)
> > + return -1;
> > +
> > + if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
> > + (ctnetlink_dump_timeout(skb, ct) < 0 ||
> > + ctnetlink_dump_protoinfo(skb, ct) < 0))
> > +
> > + return 0;
> > +}
> > +
> > static int
> > ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
> > - struct nf_conn *ct)
> > + struct nf_conn *ct, bool extinfo)
[..]
> > +
> > + /* We can't dump extension info for the unconfirmed
> > + * list because unconfirmed conntracks can have ct->ext
> > + * reallocated (and thus freed).
> > + *
> > + * In the dying list case ct->ext can't be altered during
> > + * list walk anymore, and free can only occur after ct
> > + * has been unlinked from the dying list (which can't
> > + * happen until after we drop pcpu->lock).
> > + */
> > res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
> > cb->nlh->nlmsg_seq,
> > NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
> > - ct);
> > - rcu_read_unlock();
> > + ct, dying ? true : false);
>
> s/dying ? true : false/dying/
Yes, but it found it misleading since the last argument isn't about
'dying' or not, it tells that we can safely access ct->ext.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks
2019-10-15 21:22 ` Florian Westphal
@ 2019-10-15 21:29 ` Jeremy Sowden
0 siblings, 0 replies; 13+ messages in thread
From: Jeremy Sowden @ 2019-10-15 21:29 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 3731 bytes --]
On 2019-10-15, at 23:22:04 +0200, Florian Westphal wrote:
> Jeremy Sowden wrote:
> > On 2019-10-14, at 21:41:41 +0200, Florian Westphal wrote:
> > > When dumping the unconfirmed lists, the cpu that is processing the
> > > ct entry can realloc ct->ext at any time.
> > >
> > > Accessing extensions from another CPU is ok provided rcu read lock
> > > is held.
> > >
> > > Once extension space will be reallocated with plain krealloc this
> > > isn't used anymore.
> > >
> > > Dumping the extension area for confirmed or dying conntracks is
> > > fine: no reallocations are allowed and list iteration holds
> > > appropriate locks that prevent ct (and thus ct->ext) from getting
> > > free'd.
> > >
> > > Signed-off-by: Florian Westphal <fw@strlen.de>
> > > ---
> > > net/netfilter/nf_conntrack_netlink.c | 77 ++++++++++++++++++----------
> > > 1 file changed, 51 insertions(+), 26 deletions(-)
> > >
> > > diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> > > index e2d13cd18875..db04e1bfb04d 100644
> > > --- a/net/netfilter/nf_conntrack_netlink.c
> > > +++ b/net/netfilter/nf_conntrack_netlink.c
> > > @@ -506,9 +506,44 @@ static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
> > > return -1;
> > > }
> > >
> > > +/* all these functions access ct->ext. Caller must either hold a reference
> > > + * on ct or prevent its deletion by holding either the bucket spinlock or
> > > + * pcpu dying list lock.
> > > + */
> > > +static int ctnetlink_dump_extinfo(struct sk_buff *skb,
> > > + const struct nf_conn *ct, u32 type)
> > > +{
> > > + if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
> > > + ctnetlink_dump_timestamp(skb, ct) < 0 ||
> > > + ctnetlink_dump_helpinfo(skb, ct) < 0 ||
> > > + ctnetlink_dump_labels(skb, ct) < 0 ||
> > > + ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
> > > + ctnetlink_dump_ct_synproxy(skb, ct) < 0)
> > > + return -1;
> > > +
> > > + return 0;
> > > +}
> > > +
> > > +static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
> > > +{
> > > + if (ctnetlink_dump_status(skb, ct) < 0 ||
> > > + ctnetlink_dump_mark(skb, ct) < 0 ||
> > > + ctnetlink_dump_secctx(skb, ct) < 0 ||
> > > + ctnetlink_dump_id(skb, ct) < 0 ||
> > > + ctnetlink_dump_use(skb, ct) < 0 ||
> > > + ctnetlink_dump_master(skb, ct) < 0)
> > > + return -1;
> > > +
> > > + if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
> > > + (ctnetlink_dump_timeout(skb, ct) < 0 ||
> > > + ctnetlink_dump_protoinfo(skb, ct) < 0))
> > > +
> > > + return 0;
> > > +}
> > > +
> > > static int
> > > ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
> > > - struct nf_conn *ct)
> > > + struct nf_conn *ct, bool extinfo)
>
> [..]
>
> > > +
> > > + /* We can't dump extension info for the unconfirmed
> > > + * list because unconfirmed conntracks can have ct->ext
> > > + * reallocated (and thus freed).
> > > + *
> > > + * In the dying list case ct->ext can't be altered during
> > > + * list walk anymore, and free can only occur after ct
> > > + * has been unlinked from the dying list (which can't
> > > + * happen until after we drop pcpu->lock).
> > > + */
> > > res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
> > > cb->nlh->nlmsg_seq,
> > > NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
> > > - ct);
> > > - rcu_read_unlock();
> > > + ct, dying ? true : false);
> >
> > s/dying ? true : false/dying/
>
> Yes, but it found it misleading since the last argument isn't about
> 'dying' or not, it tells that we can safely access ct->ext.
Fair enough. Read in the context of a patch, it just looks
tautological.
J.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2019-10-15 21:29 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-14 19:41 [PATCH nf-next] netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks Florian Westphal
2019-10-14 20:52 ` kbuild test robot
2019-10-14 20:52 ` kbuild test robot
2019-10-15 2:58 ` kbuild test robot
2019-10-15 2:58 ` kbuild test robot
2019-10-15 3:14 ` kbuild test robot
2019-10-15 3:14 ` kbuild test robot
2019-10-15 9:23 ` Dan Carpenter
2019-10-15 9:23 ` Dan Carpenter
2019-10-15 9:23 ` Dan Carpenter
2019-10-15 21:06 ` Jeremy Sowden
2019-10-15 21:22 ` Florian Westphal
2019-10-15 21:29 ` Jeremy Sowden
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.