[{"id":3681965,"web_url":"http://patchwork.ozlabs.org/comment/3681965/","msgid":"<4dfcf8f6-0121-109b-83ee-c68fd06010c7@blackhole.kfki.hu>","list_archive_url":null,"date":"2026-04-24T10:29:20","subject":"Re: [PATCH nf 1/1] netfilter: ipset: keep comment extensions private\n on resize","submitter":{"id":1575,"url":"http://patchwork.ozlabs.org/api/people/1575/","name":"Jozsef Kadlecsik","email":"kadlec@blackhole.kfki.hu"},"content":"Hi,\n\nOn Wed, 22 Apr 2026, Ren Wei wrote:\n\n> From: Zhengchuan Liang \n>\n> Hash resize rebuilds the table by copying live elements into a new\n> table, while comment data is stored outside of the element body.\n>\n> Recreate the comment extension for resized entries so the new table\n> does not share comment storage with the retired table. Once resize\n> gives each table its own comment data again, the old table can return\n> to destroying its extensions in the normal teardown paths.\n>\n> This keeps comment lifetime and accounting consistent across resize\n> and the follow-up gc, dump, add, del and flush paths.\n\nI appreciate your patch and it solves the issue but I think it's not \noptimal.\n\nCould you rework it to use the 'struct list_head ad' add|del backlist \ninfrastructure of the hash types which handles the added/deleted entries \nduring resizing, but the proper handling of the comment extension for \ndeleted elements is missing. That way the unnecessary \nallocation/deallocation of the comment extension of all set element can be \navoided.\n\nBest regards,\nJozsef\n\n> Fixes: f66ee0410b1c (\"netfilter: ipset: Fix \"INFO: rcu detected stall in hash_xxx\" reports\")\n> Cc: stable@kernel.org\n> Reported-by: Yuan Tan \n> Reported-by: Yifan Wu \n> Reported-by: Juefei Pu \n> Reported-by: Xin Liu \n> Signed-off-by: Zhengchuan Liang \n> Signed-off-by: Ren Wei \n> ---\n> include/linux/netfilter/ipset/ip_set.h | 1 +\n> net/netfilter/ipset/ip_set_core.c | 36 ++++++++++++++++++++++++++\n> net/netfilter/ipset/ip_set_hash_gen.h | 15 ++++++-----\n> 3 files changed, 46 insertions(+), 6 deletions(-)\n>\n> diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h\n> index b98331572ad2..c3620899744c 100644\n> --- a/include/linux/netfilter/ipset/ip_set.h\n> +++ b/include/linux/netfilter/ipset/ip_set.h\n> @@ -336,6 +336,7 @@ extern size_t ip_set_elem_len(struct ip_set *set, struct nlattr *tb[],\n> \t\t\t size_t len, size_t align);\n> extern int ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],\n> \t\t\t\t struct ip_set_ext *ext);\n> +extern int ip_set_ext_copy(struct ip_set *set, void *dst, const void *src);\n> extern int ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,\n> \t\t\t\t const void *e, bool active);\n> extern bool ip_set_match_extensions(struct ip_set *set,\n> diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c\n> index c5a26236a0bb..0f5994ffec96 100644\n> --- a/net/netfilter/ipset/ip_set_core.c\n> +++ b/net/netfilter/ipset/ip_set_core.c\n> @@ -367,6 +367,42 @@ ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,\n> }\n> EXPORT_SYMBOL_GPL(ip_set_init_comment);\n>\n> +static int\n> +ip_set_copy_comment(struct ip_set *set, struct ip_set_comment *dst,\n> +\t\t const struct ip_set_comment *src)\n> +{\n> +\tstruct ip_set_comment_rcu *c, *newc;\n> +\tsize_t len;\n> +\n> +\tRCU_INIT_POINTER(dst->c, NULL);\n> +\n> +\tc = rcu_dereference_bh(src->c);\n> +\tif (!c)\n> +\t\treturn 0;\n> +\n> +\tlen = strlen(c->str);\n> +\tnewc = kmalloc(sizeof(*newc) + len + 1, GFP_ATOMIC);\n> +\tif (unlikely(!newc))\n> +\t\treturn -ENOMEM;\n> +\n> +\tmemcpy(newc->str, c->str, len + 1);\n> +\tset->ext_size += sizeof(*newc) + len + 1;\n> +\trcu_assign_pointer(dst->c, newc);\n> +\n> +\treturn 0;\n> +}\n> +\n> +int\n> +ip_set_ext_copy(struct ip_set *set, void *dst, const void *src)\n> +{\n> +\tif (SET_WITH_COMMENT(set))\n> +\t\treturn ip_set_copy_comment(set, ext_comment(dst, set),\n> +\t\t\t\t\t ext_comment(src, set));\n> +\n> +\treturn 0;\n> +}\n> +EXPORT_SYMBOL_GPL(ip_set_ext_copy);\n> +\n> /* Used only when dumping a set, protected by rcu_read_lock() */\n> static int\n> ip_set_put_comment(struct sk_buff *skb, const struct ip_set_comment *comment)\n> diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h\n> index b79e5dd2af03..b937a478f5ac 100644\n> --- a/net/netfilter/ipset/ip_set_hash_gen.h\n> +++ b/net/netfilter/ipset/ip_set_hash_gen.h\n> @@ -584,7 +584,7 @@ mtype_gc(struct work_struct *work)\n>\n> \tif (atomic_dec_and_test(&t->uref) && atomic_read(&t->ref)) {\n> \t\tpr_debug(\"Table destroy after resize by expire: %p\\n\", t);\n> -\t\tmtype_ahash_destroy(set, t, false);\n> +\t\tmtype_ahash_destroy(set, t, true);\n> \t}\n>\n> \tqueue_delayed_work(system_power_efficient_wq, &gc->dwork, next_run);\n> @@ -743,6 +743,9 @@ mtype_resize(struct ip_set *set, bool retried)\n> \t\t\t\t}\n> \t\t\t\td = ahash_data(m, m->pos, dsize);\n> \t\t\t\tmemcpy(d, data, dsize);\n> +\t\t\t\tret = ip_set_ext_copy(set, d, data);\n> +\t\t\t\tif (ret < 0)\n> +\t\t\t\t\tgoto cleanup;\n> \t\t\t\tset_bit(m->pos++, m->used);\n> \t\t\t\tt->hregion[nr].elements++;\n> #ifdef IP_SET_HASH_WITH_NETS\n> @@ -778,7 +781,7 @@ mtype_resize(struct ip_set *set, bool retried)\n> \t/* If there's nobody else using the table, destroy it */\n> \tif (atomic_dec_and_test(&orig->uref)) {\n> \t\tpr_debug(\"Table destroy by resize %p\\n\", orig);\n> -\t\tmtype_ahash_destroy(set, orig, false);\n> +\t\tmtype_ahash_destroy(set, orig, true);\n> \t}\n>\n> out:\n> @@ -791,7 +794,7 @@ mtype_resize(struct ip_set *set, bool retried)\n> \trcu_read_unlock_bh();\n> \tatomic_set(&orig->ref, 0);\n> \tatomic_dec(&orig->uref);\n> -\tmtype_ahash_destroy(set, t, false);\n> +\tmtype_ahash_destroy(set, t, true);\n> \tif (ret == -EAGAIN)\n> \t\tgoto retry;\n> \tgoto out;\n> @@ -1023,7 +1026,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext,\n> out:\n> \tif (atomic_dec_and_test(&t->uref) && atomic_read(&t->ref)) {\n> \t\tpr_debug(\"Table destroy after resize by add: %p\\n\", t);\n> -\t\tmtype_ahash_destroy(set, t, false);\n> +\t\tmtype_ahash_destroy(set, t, true);\n> \t}\n> \treturn ret;\n> }\n> @@ -1135,7 +1138,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,\n> \t}\n> \tif (atomic_dec_and_test(&t->uref) && atomic_read(&t->ref)) {\n> \t\tpr_debug(\"Table destroy after resize by del: %p\\n\", t);\n> -\t\tmtype_ahash_destroy(set, t, false);\n> +\t\tmtype_ahash_destroy(set, t, true);\n> \t}\n> \treturn ret;\n> }\n> @@ -1341,7 +1344,7 @@ mtype_uref(struct ip_set *set, struct netlink_callback *cb, bool start)\n> \t\tif (atomic_dec_and_test(&t->uref) && atomic_read(&t->ref)) {\n> \t\t\tpr_debug(\"Table destroy after resize \"\n> \t\t\t\t \" by dump: %p\\n\", t);\n> -\t\t\tmtype_ahash_destroy(set, t, false);\n> +\t\t\tmtype_ahash_destroy(set, t, true);\n> \t\t}\n> \t\tcb->args[IPSET_CB_PRIVATE] = 0;\n> \t}\n> -- \n> 2.39.5\n>\n>","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=blackhole.kfki.hu header.i=@blackhole.kfki.hu\n header.a=rsa-sha256 header.s=20151130 header.b=Elo9OWnB;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12173-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=\"Elo9OWnB\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=148.6.0.49","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=blackhole.kfki.hu","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=blackhole.kfki.hu"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g28jM6kSPz1xvV\n\tfor ; Fri, 24 Apr 2026 20:44:39 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 43C1C301FD49\n\tfor ; Fri, 24 Apr 2026 10:39:23 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 47B8338A72C;\n\tFri, 24 Apr 2026 10:39:22 +0000 (UTC)","from smtp-out.kfki.hu (smtp-out.kfki.hu [148.6.0.49])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 30CA93246FE\n\tfor ; Fri, 24 Apr 2026 10:39:17 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n\tby smtp0.kfki.hu (Postfix) with ESMTP id 4g28Mm4thMz3sbBf;\n\tFri, 24 Apr 2026 12:29:24 +0200 (CEST)","from smtp0.kfki.hu ([127.0.0.1])\n by localhost (smtp0.kfki.hu [127.0.0.1]) (amavis, port 10026) with ESMTP\n id 9nshsPDRJOMB; Fri, 24 Apr 2026 12:29:22 +0200 (CEST)","from blackhole.kfki.hu (blackhole.szhk.kfki.hu [148.6.240.2])\n\tby smtp0.kfki.hu (Postfix) with ESMTP id 4g28Mj0t9fz3sbBH;\n\tFri, 24 Apr 2026 12:29:20 +0200 (CEST)","by blackhole.kfki.hu (Postfix, from userid 1000)\n\tid A50EE34316A; Fri, 24 Apr 2026 12:29:20 +0200 (CEST)","from localhost (localhost [127.0.0.1])\n\tby blackhole.kfki.hu (Postfix) with ESMTP id A33ED340D75;\n\tFri, 24 Apr 2026 12:29:20 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777027161; cv=none;\n b=UDKwzSiCnQsopFiimT7aUk0MBxrblYqCaE+D9bqDiPmXMTc3Fa85IpqNFbahxOMGBoOPVzy1167aAtu1VNuR9wFIHjD59UBU97/YCDWIErz7sgKCtytrjDw3woCkqchnp2scUC4G1lMmAfLNnku8EUAFy//1GHZjKzyak14j9LM=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777027161; c=relaxed/simple;\n\tbh=0jRdgofD41sdUg1MZut9lYtOvaJHnjNMV5kyTfo63W8=;\n\th=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References:\n\t MIME-Version:Content-Type;\n b=JTkulLXmtoIQTS+xEEXGyo2M1zKY29XSZbyY+wg3iTydJ/IYq4IAxUErTw0c/AT0lVzhesK1d++7ltP9SKlZrH5Z3mXHUHzrMkA83bRmLajDd9k6l4dUoB2exlhZpx6Ht9rxVXp2CVWlWft7yxR9nDG6sjwUAw2oymaZx2zoh4U=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=blackhole.kfki.hu;\n spf=pass smtp.mailfrom=blackhole.kfki.hu;\n dkim=pass (1024-bit key) header.d=blackhole.kfki.hu\n header.i=@blackhole.kfki.hu header.b=Elo9OWnB;\n arc=none smtp.client-ip=148.6.0.49","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=\n\tblackhole.kfki.hu; h=mime-version:references:message-id\n\t:in-reply-to:from:from:date:date:received:received:received\n\t:received; s=20151130; t=1777026562; x=1778840963; bh=zq9k+lSAmJ\n\tjFP95mPGnlJzwJTFnmmg2f6oZBsnu/hB0=; b=Elo9OWnBEGt3oHGoekOrkQlv2r\n\t5H8FuC4PVU9R5T9vfKoc4NjcH9Xru9hNTo6/DLalwJPJIY+vwTJH3NVZj1fXawXC\n\thPb0ioMJYRQkbz5+ornj3q+uK/CBz5DPKT88l0Zdyuxq104HHNtHR36gL7e6ayjU\n\ttnNeyc2HS7PScup8I=","X-Virus-Scanned":"Debian amavis at smtp0.kfki.hu","Date":"Fri, 24 Apr 2026 12:29:20 +0200 (CEST)","From":"Jozsef Kadlecsik ","To":"Ren Wei ","cc":"netfilter-devel@vger.kernel.org, pablo@netfilter.org, fw@strlen.de,\n phil@nwl.cc, davem@davemloft.net, edumazet@google.com, kuba@kernel.org,\n pabeni@redhat.com, horms@kernel.org, kees@kernel.org,\n yuantan098@gmail.com,\n kadlec@netfilter.org, yifanwucs@gmail.com, zhen.ni@easystack.cn,\n tomapufckgml@gmail.com, bird@lzu.edu.cn, zcliangcn@gmail.com","Subject":"Re: [PATCH nf 1/1] netfilter: ipset: keep comment extensions private\n on resize","In-Reply-To":"\n ","Message-ID":"<4dfcf8f6-0121-109b-83ee-c68fd06010c7@blackhole.kfki.hu>","References":"\n ","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=US-ASCII; format=flowed"}}]