sst-linux/net/netfilter
Sebastian Andrzej Siewior 2d4a7a091f netfilter: nft_counter: Use u64_stats_t for statistic.
commit 4a1d3acd6ea86075e77fcc1188c3fc372833ba73 upstream.

The nft_counter uses two s64 counters for statistics. Those two are
protected by a seqcount to ensure that the 64bit variable is always
properly seen during updates even on 32bit architectures where the store
is performed by two writes. A side effect is that the two counters (bytes
and packet) are written and read together in the same window.

This can be replaced with u64_stats_t. write_seqcount_begin()/ end() is
replaced with u64_stats_update_begin()/ end() and behaves the same way
as with seqcount_t on 32bit architectures. Additionally there is a
preempt_disable on PREEMPT_RT to ensure that a reader does not preempt a
writer.
On 64bit architectures the macros are removed and the reads happen
without any retries. This also means that the reader can observe one
counter (bytes) from before the update and the other counter (packets)
but that is okay since there is no requirement to have both counters from
the same update window.

Convert the statistic to u64_stats_t. There is one optimisation:
nft_counter_do_init() and nft_counter_clone() allocate a new per-CPU
counter and assign a value to it. During this assignment preemption is
disabled which is not needed because the counter is not yet exposed to
the system so there cannot be another writer or reader. Therefore
disabling preemption is omitted and raw_cpu_ptr() is used to obtain a
pointer to a counter for the assignment.

Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-03-28 21:59:01 +01:00
ipset netfilter: ipset: Fix for recursive locking warning 2024-12-27 13:52:55 +01:00
ipvs ipvs: prevent integer overflow in do_ip_vs_get_ctl() 2025-03-28 21:58:49 +01:00
core.c netfilter: let reset rules clean out conntrack entries 2024-03-06 14:45:08 +00:00
Kconfig
Makefile
nf_conncount.c netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() 2025-03-28 21:58:49 +01:00
nf_conntrack_acct.c
nf_conntrack_amanda.c
nf_conntrack_bpf.c netfilter, bpf: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry() 2023-10-06 14:56:38 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: allow exp not to be removed in nf_ct_find_expectation 2025-03-07 16:56:41 +01:00
nf_conntrack_ecache.c netfilter: ctnetlink: make event listener tracking global 2023-03-11 13:55:24 +01:00
nf_conntrack_expect.c netfilter: allow exp not to be removed in nf_ct_find_expectation 2025-03-07 16:56:41 +01:00
nf_conntrack_extend.c netfilter: conntrack: fix extension size table 2023-10-06 14:56:36 +02:00
nf_conntrack_ftp.c
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: Add protection for bmp length out of range 2024-03-15 10:48:16 -04:00
nf_conntrack_h323_main.c
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: Avoid nf_ct_helper_hash uses after free 2023-07-19 16:22:16 +02:00
nf_conntrack_irc.c
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS 2024-10-17 15:21:14 +02:00
nf_conntrack_pptp.c
nf_conntrack_proto_dccp.c netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one 2023-07-19 16:21:13 +02:00
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c
nf_conntrack_proto_icmp.c
nf_conntrack_proto_icmpv6.c
nf_conntrack_proto_sctp.c netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new 2024-03-01 13:26:27 +01:00
nf_conntrack_proto_tcp.c netfilter: let reset rules clean out conntrack entries 2024-03-06 14:45:08 +00:00
nf_conntrack_proto_udp.c
nf_conntrack_proto.c
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. 2023-07-19 16:21:13 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: conntrack: fix possible bug_on with enable_hooks=1 2023-05-24 17:32:32 +01:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c
nf_flow_table_core.c netfilter: nft_flow_offload: release dst in case direct xmit path is used 2024-03-01 13:26:37 +01:00
nf_flow_table_inet.c netfilter: flowtable: validate vlan header 2024-08-29 17:30:47 +02:00
nf_flow_table_ip.c netfilter: flowtable: validate vlan header 2024-08-29 17:30:47 +02:00
nf_flow_table_offload.c netfilter: flowtable: initialise extack before use 2024-08-29 17:30:25 +02:00
nf_flow_table_procfs.c
nf_hooks_lwtunnel.c
nf_internals.h
nf_log_syslog.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-25 15:27:51 -08:00
nf_log.c netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger 2024-02-05 20:13:02 +00:00
nf_nat_amanda.c
nf_nat_bpf.c
nf_nat_core.c
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c
nf_nat_proto.c
nf_nat_redirect.c netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses 2023-11-20 11:52:17 +01:00
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-25 15:27:51 -08:00
nf_sockopt.c
nf_synproxy_core.c
nf_tables_api.c netfilter: nf_tables: reject mismatching sum of field_len with set key length 2025-02-21 13:49:25 +01:00
nf_tables_core.c netfilter: nf_tables: set transport offset from mac header for netdev/egress 2024-01-10 17:10:21 +01:00
nf_tables_offload.c
nf_tables_trace.c
nfnetlink_acct.c
nfnetlink_cthelper.c
nfnetlink_cttimeout.c
nfnetlink_hook.c
nfnetlink_log.c netfilter: nfnetlink_log: use proper helper for fetching physinif 2024-01-25 15:27:50 -08:00
nfnetlink_osf.c netfilter: nfnetlink_osf: avoid OOB read 2023-09-19 12:28:03 +02:00
nfnetlink_queue.c netfilter: nf_queue: drop packets with cloned unconfirmed conntracks 2024-08-29 17:30:25 +02:00
nfnetlink.c netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM 2023-06-21 16:00:58 +02:00
nft_bitwise.c netfilter: nft_bitwise: fix register tracking 2023-06-14 11:15:20 +02:00
nft_byteorder.c netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 2023-11-28 17:07:05 +00:00
nft_chain_filter.c netfilter: nf_tables: honor table dormant flag from netdev release event path 2024-05-02 16:29:26 +02:00
nft_chain_nat.c
nft_chain_route.c
nft_cmp.c
nft_compat.c netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() 2024-03-06 14:45:08 +00:00
nft_connlimit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_counter.c netfilter: nft_counter: Use u64_stats_t for statistic. 2025-03-28 21:59:01 +01:00
nft_ct.c netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. 2025-03-28 21:58:48 +01:00
nft_dup_netdev.c
nft_dynset.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_exthdr.c netfilter: nft_exthdr: fix offset with ipv4_find_option() 2025-03-28 21:58:50 +01:00
nft_fib_inet.c
nft_fib_netdev.c
nft_fib.c netfilter: nft_fib: allow from forward/input without iif selector 2024-06-12 11:03:58 +02:00
nft_flow_offload.c netfilter: nft_flow_offload: update tcp state flags under lock 2025-02-21 13:49:06 +01:00
nft_fwd_netdev.c
nft_hash.c
nft_immediate.c netfilter: nft_immediate: drop chain reference counter on error 2024-01-10 17:10:24 +01:00
nft_last.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_limit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_log.c
nft_lookup.c netfilter: nf_tables: missing iterator type in lookup walk 2024-09-30 16:23:54 +02:00
nft_masq.c netfilter: nft_masq: correct length for loading protocol registers 2023-03-22 13:33:42 +01:00
nft_meta.c netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 2023-11-28 17:07:05 +00:00
nft_nat.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_numgen.c
nft_objref.c netfilter: nf_tables: report use refcount overflow 2023-08-16 18:27:30 +02:00
nft_osf.c
nft_payload.c netfilter: nft_payload: sanitize offset and length before calling skb_checksum() 2024-11-08 16:26:42 +01:00
nft_queue.c
nft_quota.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_range.c
nft_redir.c netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs 2023-11-20 11:52:17 +01:00
nft_reject_inet.c
nft_reject_netdev.c
nft_reject.c
nft_rt.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_set_bitmap.c netfilter: nf_tables: drop map element references from preparation phase 2023-06-28 11:12:32 +02:00
nft_set_hash.c netfilter: nft_set_hash: skip duplicated elements pending gc run 2024-12-14 19:54:23 +01:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: disable softinterrupts 2024-08-03 08:49:49 +02:00
nft_set_pipapo_avx2.h
nft_set_pipapo.c netfilter: nf_tables: missing iterator type in lookup walk 2024-09-30 16:23:54 +02:00
nft_set_pipapo.h netfilter: nf_set_pipapo: fix initial map fill 2024-08-03 08:49:24 +02:00
nft_set_rbtree.c netfilter: nf_tables: use timestamp to check for set element timeout 2024-07-05 09:31:44 +02:00
nft_socket.c netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level 2024-12-14 19:54:20 +01:00
nft_synproxy.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_tproxy.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_tunnel.c netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV 2024-02-05 20:13:01 +00:00
nft_xfrm.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
utils.c
x_tables.c netfilter: Fix use-after-free in get_info() 2024-11-08 16:26:41 +01:00
xt_addrtype.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_AUDIT.c
xt_bpf.c
xt_cgroup.c
xt_CHECKSUM.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_CLASSIFY.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_cluster.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_comment.c
xt_connbytes.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_connlabel.c
xt_connlimit.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_connmark.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_CONNSECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c netfilter: x_tables: fix LED ID check in led_tg_check() 2024-12-14 19:54:20 +01:00
xt_length.c netfilter: use skb_ip_totlen and iph_totlen 2024-01-10 17:10:21 +01:00
xt_limit.c
xt_LOG.c
xt_mac.c
xt_mark.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-11-01 01:56:04 +01:00
xt_MASQUERADE.c
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c
xt_NFLOG.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-11-01 01:56:04 +01:00
xt_NFQUEUE.c
xt_osf.c netfilter: nfnetlink_osf: fix module autoload 2023-06-28 11:12:33 +02:00
xt_owner.c netfilter: xt_owner: Fix for unsafe access of sk->sk_socket 2023-12-13 18:39:11 +01:00
xt_physdev.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-25 15:27:51 -08:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_realm.c
xt_recent.c netfilter: xt_recent: fix (increase) ipv6 literal buffer length 2023-11-20 11:52:17 +01:00
xt_REDIRECT.c netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs 2023-11-20 11:52:17 +01:00
xt_repldata.h
xt_sctp.c netfilter: xt_sctp: validate the flag_info count 2023-09-13 09:42:59 +02:00
xt_SECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_set.c
xt_socket.c net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
xt_state.c
xt_statistic.c
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_TEE.c
xt_time.c
xt_TPROXY.c
xt_TRACE.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-11-01 01:56:04 +01:00
xt_u32.c netfilter: xt_u32: validate user space input 2023-09-13 09:42:59 +02:00