GET /api/1.1/patches/2220997/?format=api
{ "id": 2220997, "url": "http://patchwork.ozlabs.org/api/1.1/patches/2220997/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260408163512.30537-7-fw@strlen.de/", "project": { "id": 26, "url": "http://patchwork.ozlabs.org/api/1.1/projects/26/?format=api", "name": "Netfilter Development", "link_name": "netfilter-devel", "list_id": "netfilter-devel.vger.kernel.org", "list_email": "netfilter-devel@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null }, "msgid": "<20260408163512.30537-7-fw@strlen.de>", "date": "2026-04-08T16:35:11", "name": "[net,6/7] netfilter: nfnetlink_queue: make hash table per queue", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "b4e6533d8301336003c10314f4ba10f5b85b9c85", "submitter": { "id": 1025, "url": "http://patchwork.ozlabs.org/api/1.1/people/1025/?format=api", "name": "Florian Westphal", "email": "fw@strlen.de" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260408163512.30537-7-fw@strlen.de/mbox/", "series": [ { "id": 499159, "url": "http://patchwork.ozlabs.org/api/1.1/series/499159/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=499159", "date": "2026-04-08T16:35:05", "name": "[net,1/7] ipvs: fix NULL deref in ip_vs_add_service error path", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/499159/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2220997/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2220997/checks/", "tags": {}, "headers": { "Return-Path": "\n <netfilter-devel+bounces-11744-incoming=patchwork.ozlabs.org@vger.kernel.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "netfilter-devel@vger.kernel.org" ], "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n 
(client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11744-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30", "smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de", "smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc" ], "Received": [ "from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4frTKh53yGz1xv0\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 09 Apr 2026 02:39:04 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id B72703034B12\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 8 Apr 2026 16:35:45 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id B1DA63D1CC5;\n\tWed, 8 Apr 2026 16:35:44 +0000 (UTC)", "from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id EEF5C346FC4;\n\tWed, 8 Apr 2026 16:35:42 +0000 (UTC)", "by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid 5E57560560; Wed, 08 Apr 2026 18:35:41 +0200 (CEST)" ], "ARC-Seal": "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1775666144; cv=none;\n b=gCrw+b+D8LvCuheqK1LchPYeAoHBzbIFU8HxYdvcUBwM+7vEfGrM1jpwA8smrtxLTCIN/FMityGyA+yUlTBGjszTvDHGTrhvVzBrLSbh4O19JOP6sVXO07b+3fZkfA62XNwfhlc2XZvMjLPIavt4HiiMV2vxqR8svSiaxdp5UYw=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; 
t=1775666144; c=relaxed/simple;\n\tbh=CzZif/O5X4SQxebPcaSgyr1O7l/aJlPWUVSucWTKmGo=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=mrTij8yKbTcBYENcqBN9xNKSpOesdG73JmIEgDIbh4raEeBzMzns3OBAQFXHSKFB93unJUB7Xja5zmssK92GsfpqMihn5ZR8WzIUZroRYKS3pzx95sPhG3Vm7K3TTH+dYcHTfnF/IhsbNSSdUvlCUZquanAN6MuIdZC3mmebHeY=", "ARC-Authentication-Results": "i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=Chamillionaire.breakpoint.cc;\n arc=none smtp.client-ip=91.216.245.30", "From": "Florian Westphal <fw@strlen.de>", "To": "<netdev@vger.kernel.org>", "Cc": "Paolo Abeni <pabeni@redhat.com>,\n\t\"David S. Miller\" <davem@davemloft.net>,\n\tEric Dumazet <edumazet@google.com>,\n\tJakub Kicinski <kuba@kernel.org>,\n\t<netfilter-devel@vger.kernel.org>,\n\tpablo@netfilter.org", "Subject": "[PATCH net 6/7] netfilter: nfnetlink_queue: make hash table per queue", "Date": "Wed, 8 Apr 2026 18:35:11 +0200", "Message-ID": "<20260408163512.30537-7-fw@strlen.de>", "X-Mailer": "git-send-email 2.52.0", "In-Reply-To": "<20260408163512.30537-1-fw@strlen.de>", "References": "<20260408163512.30537-1-fw@strlen.de>", "Precedence": "bulk", "X-Mailing-List": "netfilter-devel@vger.kernel.org", "List-Id": "<netfilter-devel.vger.kernel.org>", "List-Subscribe": "<mailto:netfilter-devel+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:netfilter-devel+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit" }, "content": "Sharing a global hash table among all queues is tempting, but\nit can cause crash:\n\nBUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n[..]\n nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]\n nfnetlink_rcv_msg+0x46a/0x930\n kmem_cache_alloc_node_noprof+0x11e/0x450\n\nstruct nf_queue_entry is freed via kfree, but parallel cpu can still\nencounter such an nf_queue_entry when walking the list.\n\nAlternative fix is to free 
the nf_queue_entry via kfree_rcu() instead,\nbut as we have to alloc/free for each skb this will cause more mem\npressure.\n\nCc: Scott Mitchell <scott.k.mitch1@gmail.com>\nFixes: e19079adcd26 (\"netfilter: nfnetlink_queue: optimize verdict lookup with hash table\")\nSigned-off-by: Florian Westphal <fw@strlen.de>\n---\n include/net/netfilter/nf_queue.h | 1 -\n net/netfilter/nfnetlink_queue.c | 139 +++++++++++--------------------\n 2 files changed, 49 insertions(+), 91 deletions(-)", "diff": "diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h\nindex 45eb26b2e95b..d17035d14d96 100644\n--- a/include/net/netfilter/nf_queue.h\n+++ b/include/net/netfilter/nf_queue.h\n@@ -23,7 +23,6 @@ struct nf_queue_entry {\n \tstruct nf_hook_state\tstate;\n \tbool\t\t\tnf_ct_is_unconfirmed;\n \tu16\t\t\tsize; /* sizeof(entry) + saved route keys */\n-\tu16\t\t\tqueue_num;\n \n \t/* extra space to store route keys */\n };\ndiff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c\nindex 47f7f62906e2..8e02f84784da 100644\n--- a/net/netfilter/nfnetlink_queue.c\n+++ b/net/netfilter/nfnetlink_queue.c\n@@ -49,8 +49,8 @@\n #endif\n \n #define NFQNL_QMAX_DEFAULT 1024\n-#define NFQNL_HASH_MIN 1024\n-#define NFQNL_HASH_MAX 1048576\n+#define NFQNL_HASH_MIN 8\n+#define NFQNL_HASH_MAX 32768\n \n /* We're using struct nlattr which has 16bit nla_len. Note that nla_len\n * includes the header length. 
Thus, the maximum packet length that we\n@@ -60,29 +60,10 @@\n */\n #define NFQNL_MAX_COPY_RANGE (0xffff - NLA_HDRLEN)\n \n-/* Composite key for packet lookup: (net, queue_num, packet_id) */\n-struct nfqnl_packet_key {\n-\tpossible_net_t net;\n-\tu32 packet_id;\n-\tu16 queue_num;\n-} __aligned(sizeof(u32)); /* jhash2 requires 32-bit alignment */\n-\n-/* Global rhashtable - one for entire system, all netns */\n-static struct rhashtable nfqnl_packet_map __read_mostly;\n-\n-/* Helper to initialize composite key */\n-static inline void nfqnl_init_key(struct nfqnl_packet_key *key,\n-\t\t\t\t struct net *net, u32 packet_id, u16 queue_num)\n-{\n-\tmemset(key, 0, sizeof(*key));\n-\twrite_pnet(&key->net, net);\n-\tkey->packet_id = packet_id;\n-\tkey->queue_num = queue_num;\n-}\n-\n struct nfqnl_instance {\n \tstruct hlist_node hlist;\t\t/* global list of queues */\n-\tstruct rcu_head rcu;\n+\tstruct rhashtable nfqnl_packet_map;\n+\tstruct rcu_work\trwork;\n \n \tu32 peer_portid;\n \tunsigned int queue_maxlen;\n@@ -106,6 +87,7 @@ struct nfqnl_instance {\n \n typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long);\n \n+static struct workqueue_struct *nfq_cleanup_wq __read_mostly;\n static unsigned int nfnl_queue_net_id __read_mostly;\n \n #define INSTANCE_BUCKETS\t16\n@@ -124,34 +106,10 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num)\n \treturn ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS;\n }\n \n-/* Extract composite key from nf_queue_entry for hashing */\n-static u32 nfqnl_packet_obj_hashfn(const void *data, u32 len, u32 seed)\n-{\n-\tconst struct nf_queue_entry *entry = data;\n-\tstruct nfqnl_packet_key key;\n-\n-\tnfqnl_init_key(&key, entry->state.net, entry->id, entry->queue_num);\n-\n-\treturn jhash2((u32 *)&key, sizeof(key) / sizeof(u32), seed);\n-}\n-\n-/* Compare stack-allocated key against entry */\n-static int nfqnl_packet_obj_cmpfn(struct rhashtable_compare_arg *arg,\n-\t\t\t\t const void *obj)\n-{\n-\tconst struct nfqnl_packet_key 
*key = arg->key;\n-\tconst struct nf_queue_entry *entry = obj;\n-\n-\treturn !net_eq(entry->state.net, read_pnet(&key->net)) ||\n-\t entry->queue_num != key->queue_num ||\n-\t entry->id != key->packet_id;\n-}\n-\n static const struct rhashtable_params nfqnl_rhashtable_params = {\n \t.head_offset = offsetof(struct nf_queue_entry, hash_node),\n-\t.key_len = sizeof(struct nfqnl_packet_key),\n-\t.obj_hashfn = nfqnl_packet_obj_hashfn,\n-\t.obj_cmpfn = nfqnl_packet_obj_cmpfn,\n+\t.key_offset = offsetof(struct nf_queue_entry, id),\n+\t.key_len = sizeof(u32),\n \t.automatic_shrinking = true,\n \t.min_size = NFQNL_HASH_MIN,\n \t.max_size = NFQNL_HASH_MAX,\n@@ -190,6 +148,10 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n \tspin_lock_init(&inst->lock);\n \tINIT_LIST_HEAD(&inst->queue_list);\n \n+\terr = rhashtable_init(&inst->nfqnl_packet_map, &nfqnl_rhashtable_params);\n+\tif (err < 0)\n+\t\tgoto out_free;\n+\n \tspin_lock(&q->instances_lock);\n \tif (instance_lookup(q, queue_num)) {\n \t\terr = -EEXIST;\n@@ -210,6 +172,8 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n \n out_unlock:\n \tspin_unlock(&q->instances_lock);\n+\trhashtable_destroy(&inst->nfqnl_packet_map);\n+out_free:\n \tkfree(inst);\n \treturn ERR_PTR(err);\n }\n@@ -217,15 +181,18 @@ instance_create(struct nfnl_queue_net *q, u_int16_t queue_num, u32 portid)\n static void nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,\n \t\t\tunsigned long data);\n \n-static void\n-instance_destroy_rcu(struct rcu_head *head)\n+static void instance_destroy_work(struct work_struct *work)\n {\n-\tstruct nfqnl_instance *inst = container_of(head, struct nfqnl_instance,\n-\t\t\t\t\t\t rcu);\n+\tstruct nfqnl_instance *inst;\n \n+\tinst = container_of(to_rcu_work(work), struct nfqnl_instance,\n+\t\t\t rwork);\n \trcu_read_lock();\n \tnfqnl_flush(inst, NULL, 0);\n \trcu_read_unlock();\n+\n+\trhashtable_destroy(&inst->nfqnl_packet_map);\n+\n \tkfree(inst);\n 
\tmodule_put(THIS_MODULE);\n }\n@@ -234,7 +201,9 @@ static void\n __instance_destroy(struct nfqnl_instance *inst)\n {\n \thlist_del_rcu(&inst->hlist);\n-\tcall_rcu(&inst->rcu, instance_destroy_rcu);\n+\n+\tINIT_RCU_WORK(&inst->rwork, instance_destroy_work);\n+\tqueue_rcu_work(nfq_cleanup_wq, &inst->rwork);\n }\n \n static void\n@@ -250,9 +219,7 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)\n {\n \tint err;\n \n-\tentry->queue_num = queue->queue_num;\n-\n-\terr = rhashtable_insert_fast(&nfqnl_packet_map, &entry->hash_node,\n+\terr = rhashtable_insert_fast(&queue->nfqnl_packet_map, &entry->hash_node,\n \t\t\t\t nfqnl_rhashtable_params);\n \tif (unlikely(err))\n \t\treturn err;\n@@ -266,23 +233,19 @@ __enqueue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)\n static void\n __dequeue_entry(struct nfqnl_instance *queue, struct nf_queue_entry *entry)\n {\n-\trhashtable_remove_fast(&nfqnl_packet_map, &entry->hash_node,\n+\trhashtable_remove_fast(&queue->nfqnl_packet_map, &entry->hash_node,\n \t\t\t nfqnl_rhashtable_params);\n \tlist_del(&entry->list);\n \tqueue->queue_total--;\n }\n \n static struct nf_queue_entry *\n-find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id,\n-\t\t struct net *net)\n+find_dequeue_entry(struct nfqnl_instance *queue, unsigned int id)\n {\n-\tstruct nfqnl_packet_key key;\n \tstruct nf_queue_entry *entry;\n \n-\tnfqnl_init_key(&key, net, id, queue->queue_num);\n-\n \tspin_lock_bh(&queue->lock);\n-\tentry = rhashtable_lookup_fast(&nfqnl_packet_map, &key,\n+\tentry = rhashtable_lookup_fast(&queue->nfqnl_packet_map, &id,\n \t\t\t\t nfqnl_rhashtable_params);\n \n \tif (entry)\n@@ -1531,7 +1494,7 @@ static int nfqnl_recv_verdict(struct sk_buff *skb, const struct nfnl_info *info,\n \n \tverdict = ntohl(vhdr->verdict);\n \n-\tentry = find_dequeue_entry(queue, ntohl(vhdr->id), info->net);\n+\tentry = find_dequeue_entry(queue, ntohl(vhdr->id));\n \tif (entry == NULL)\n \t\treturn -ENOENT;\n 
\n@@ -1880,40 +1843,38 @@ static int __init nfnetlink_queue_init(void)\n {\n \tint status;\n \n-\tstatus = rhashtable_init(&nfqnl_packet_map, &nfqnl_rhashtable_params);\n-\tif (status < 0)\n-\t\treturn status;\n+\tnfq_cleanup_wq = alloc_ordered_workqueue(\"nfq_workqueue\", 0);\n+\tif (!nfq_cleanup_wq)\n+\t\treturn -ENOMEM;\n \n \tstatus = register_pernet_subsys(&nfnl_queue_net_ops);\n-\tif (status < 0) {\n-\t\tpr_err(\"failed to register pernet ops\\n\");\n-\t\tgoto cleanup_rhashtable;\n-\t}\n+\tif (status < 0)\n+\t\tgoto cleanup_pernet_subsys;\n \n-\tnetlink_register_notifier(&nfqnl_rtnl_notifier);\n-\tstatus = nfnetlink_subsys_register(&nfqnl_subsys);\n-\tif (status < 0) {\n-\t\tpr_err(\"failed to create netlink socket\\n\");\n-\t\tgoto cleanup_netlink_notifier;\n-\t}\n+\tstatus = netlink_register_notifier(&nfqnl_rtnl_notifier);\n+\tif (status < 0)\n+\t goto cleanup_rtnl_notifier;\n \n \tstatus = register_netdevice_notifier(&nfqnl_dev_notifier);\n-\tif (status < 0) {\n-\t\tpr_err(\"failed to register netdevice notifier\\n\");\n-\t\tgoto cleanup_netlink_subsys;\n-\t}\n+\tif (status < 0)\n+\t\tgoto cleanup_dev_notifier;\n+\n+\tstatus = nfnetlink_subsys_register(&nfqnl_subsys);\n+\tif (status < 0)\n+\t\tgoto cleanup_nfqnl_subsys;\n \n \tnf_register_queue_handler(&nfqh);\n \n \treturn status;\n \n-cleanup_netlink_subsys:\n-\tnfnetlink_subsys_unregister(&nfqnl_subsys);\n-cleanup_netlink_notifier:\n+cleanup_nfqnl_subsys:\n+\tunregister_netdevice_notifier(&nfqnl_dev_notifier);\n+cleanup_dev_notifier:\n \tnetlink_unregister_notifier(&nfqnl_rtnl_notifier);\n+cleanup_rtnl_notifier:\n \tunregister_pernet_subsys(&nfnl_queue_net_ops);\n-cleanup_rhashtable:\n-\trhashtable_destroy(&nfqnl_packet_map);\n+cleanup_pernet_subsys:\n+\tdestroy_workqueue(nfq_cleanup_wq);\n \treturn status;\n }\n \n@@ -1924,9 +1885,7 @@ static void __exit nfnetlink_queue_fini(void)\n \tnfnetlink_subsys_unregister(&nfqnl_subsys);\n \tnetlink_unregister_notifier(&nfqnl_rtnl_notifier);\n 
\tunregister_pernet_subsys(&nfnl_queue_net_ops);\n-\n-\trhashtable_destroy(&nfqnl_packet_map);\n-\n+\tdestroy_workqueue(nfq_cleanup_wq);\n \trcu_barrier(); /* Wait for completion of call_rcu()'s */\n }\n \n", "prefixes": [ "net", "6/7" ] }
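Review bot: The new `NFQNL_HASH_MAX 32768` in the `@@ -49,8 +49,8 @@` hunk now bounds each queue's own table instead of one system-wide table, and nothing in the patch ties it to the per-queue `queue_maxlen`. If I read rhashtable's `max_size` handling correctly, inserts are refused once a table holds about twice `max_size` elements, so a queue configured with a larger maxlen would get an error from `rhashtable_insert_fast()` in `__enqueue_entry()` before reaching its configured limit. Whether maxlen is clamped elsewhere is not visible here. I would document the coupling next to the defines, e.g. `/* per-queue table bounds; together with queue_maxlen this caps outstanding packets per queue */`, or clamp maxlen where it is configured.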
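Review bot: The error labels in `nfnetlink_queue_init()` are named after the step that failed rather than after what they undo: `cleanup_nfqnl_subsys:` unregisters the netdevice notifier, and `cleanup_pernet_subsys:` only destroys the workqueue. The unwind order itself looks correct, but the names invite a wrong edit the next time a step is added. Naming by action, e.g. `err_unreg_netdev_notifier:`, `err_unreg_netlink_notifier:`, `err_unreg_pernet:` and `err_destroy_wq:`, would follow the usual kernel convention. The `goto cleanup_rtnl_notifier;` line is also indented with a tab plus spaces instead of two tabs.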
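Review bot: In `nfnetlink_queue_fini()` the workqueue is destroyed before `rcu_barrier()`, and the retained comment still refers to `call_rcu()` although instance teardown now goes through `queue_rcu_work()`. An rcu_work that is still waiting for its grace period is not yet on the workqueue, so `destroy_workqueue()` would not drain it and it would later be queued on freed memory. This is presumably excluded because each instance pins the module until `instance_destroy_work()` calls `module_put()`, but that is not stated anywhere. Either swap the two calls, `rcu_barrier();` then `destroy_workqueue(nfq_cleanup_wq);`, or reword the comment to say why no rcu_work can be pending at this point. The function body starts outside the hunk.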