{"id":2229799,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2229799/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428175725.72050-3-ja@ssi.bg/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/1.1/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<20260428175725.72050-3-ja@ssi.bg>","date":"2026-04-28T17:57:20","name":"[nf,2/7] ipvs: fix races around the conn_lfactor and svc_lfactor sysctl vars","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"6c6d3e1c2aa9f7ba3aef54368828b03d5bdac1fb","submitter":{"id":2825,"url":"http://patchwork.ozlabs.org/api/1.1/people/2825/?format=json","name":"Julian Anastasov","email":"ja@ssi.bg"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260428175725.72050-3-ja@ssi.bg/mbox/","series":[{"id":501917,"url":"http://patchwork.ozlabs.org/api/1.1/series/501917/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=501917","date":"2026-04-28T17:57:19","name":"IPVS fixes for nf","version":1,"mbox":"http://patchwork.ozlabs.org/series/501917/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2229799/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2229799/checks/","tags":{},"headers":{"Return-Path":"\n <netfilter-devel+bounces-12269-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (4096-bit key;\n unprotected) header.d=ssi.bg header.i=@ssi.bg header.a=rsa-sha256\n header.s=ssi header.b=PpVxxW7v;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12269-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (4096-bit key) header.d=ssi.bg header.i=@ssi.bg header.b=\"PpVxxW7v\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=193.238.174.39","smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=ssi.bg","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=ssi.bg"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g4pvX1652z1xvV\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 29 Apr 2026 04:32:40 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id BE4C63038842\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 28 Apr 2026 18:01:21 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 6312A328B62;\n\tTue, 28 Apr 2026 18:01:20 +0000 (UTC)","from mx.ssi.bg (mx.ssi.bg [193.238.174.39])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 3EDBC44D022;\n\tTue, 28 Apr 2026 18:01:17 +0000 (UTC)","from mx.ssi.bg (localhost [127.0.0.1])\n\tby mx.ssi.bg (Potsfix) with ESMTP id 20BD321187;\n\tTue, 28 Apr 2026 21:00:56 +0300 (EEST)","from box.ssi.bg (box.ssi.bg [193.238.174.46])\n\tby mx.ssi.bg (Potsfix) with ESMTPS;\n\tTue, 28 Apr 2026 21:00:54 +0300 (EEST)","from ja.ssi.bg (unknown [213.16.62.126])\n\tby box.ssi.bg (Potsfix) with ESMTPSA id 4B7BB62AA5;\n\tTue, 28 Apr 2026 21:00:54 +0300 (EEST)","from ja.home.ssi.bg (localhost.localdomain [127.0.0.1])\n\tby ja.ssi.bg (8.18.1/8.18.1) with ESMTP id 63SHvnOc072086;\n\tTue, 28 Apr 2026 20:57:49 +0300","(from root@localhost)\n\tby ja.home.ssi.bg (8.18.1/8.18.1/Submit) id 63SHvnZJ072085;\n\tTue, 28 Apr 2026 20:57:49 +0300"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777399279; cv=none;\n b=AUcyxBFqtJZZIlIDOrfIlwF/Ljd9JBcSXO3sVe5VlaoPNEoSXMSYRrOhFIg+chrBdVPGGw+Lwo1u6LaXkLSN9eepirYe7W60gC3BVTkMiYJS5YAncLoMcHgkVD6Kgc4h2+PL5pIYpt21UOBhKg35jfBzHuLvw0DLihSvhu1T37U=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777399279; c=relaxed/simple;\n\tbh=ftM5ukXQISH48XnQp4wEHNTt7YUjmI2Y/ZpTwXIbrFY=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=AW39Q+WqGTJWDQlQNJ7tvNsiTtIN03QVNFFC0lNgWSJVu3zGoAJEdKK9IOYgWtrmCk+s0rJ8YP+dr38W2QyGiXe41B62chsxWSvXBtFss/D7sqCt6avXEKvy2jJv+gvRQGjTT01dXqdpHq/aQpJibqRWH977YR3ZLUAN5dgwTIg=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=reject dis=none) header.from=ssi.bg;\n spf=pass smtp.mailfrom=ssi.bg;\n dkim=pass (4096-bit key) header.d=ssi.bg header.i=@ssi.bg header.b=PpVxxW7v;\n arc=none smtp.client-ip=193.238.174.39","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ssi.bg; h=cc:cc\n\t:content-transfer-encoding:date:from:from:in-reply-to:message-id\n\t:mime-version:references:reply-to:subject:subject:to:to; s=ssi;\n\t bh=CGEZvvNmG16fhPrQ1MGOmC9UlX+Su1JVXJPJ01Yi0Ys=; b=PpVxxW7vPvtu\n\tYMq0OsvHyC6voVFk+erwFZZoSYxd5iZbdLIqdCwp7todM9SCS+a48l7CTaVx2vJL\n\t81qssB3KZBfnutWkzo3TnN5Yzv6RLau4O5TORF8WxJ5fph5GGLm6Wfd2Zj6DoUut\n\tMcWG1hRwCncN2m4zhIluUp/kUOQ5Q9FuVYOcXrF2BX2fcWslJF3LtI7GQxrTopiK\n\t4+62NVCfbczM6fAW5fRPuReSaBU9DS47jK1ROuX7YMazLQ+++lIQ3oelHyHmdWV/\n\tmKd8vbP0Eti2c4wRh1vc/e3zcBwSFMuEJvSyVwoOt62gRnuwucacm+GWv8brnkEw\n\tQeSPvXNUGDJphsAPFycIxZBlW4PoV6EFF0vV09rwNg7FSOh6F3L+/yZl3cDv2cSr\n\tiihzqlOyDnIWTtCO5xETeHVMQkwNdcUogtuzevHH/Z8aT0KAwNU+Y57QmVqFcWyz\n\tFM/bxELL2tYb/WVpkgNUIF+TAZTIJJHFnnxp/xrNDQzjlatjqpkJtUqRE59puSJh\n\t16FDeFgoCrunhMYxS5MB0ZtvDxEs4UGYZkaMZBj8SRIXevE5u/CP7DxFH6JiTCRk\n\t+Fi9vS/wDt7Y9jT1f0IIw2KBWZ22RjTtBI18/t9CyGABnX+ERa0l9VYqp/wrFQhz\n\tQ6XNK/DEgX1hA9wm5AvppxYJ66fR09Y=","From":"Julian Anastasov <ja@ssi.bg>","To":"Simon Horman <horms@verge.net.au>","Cc":"Pablo Neira Ayuso <pablo@netfilter.org>, Florian Westphal <fw@strlen.de>,\n        Waiman Long <longman@redhat.com>, lvs-devel@vger.kernel.org,\n        netfilter-devel@vger.kernel.org","Subject":"[PATCH nf 2/7] ipvs: fix races around the conn_lfactor and\n svc_lfactor sysctl vars","Date":"Tue, 28 Apr 2026 20:57:20 +0300","Message-ID":"<20260428175725.72050-3-ja@ssi.bg>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260428175725.72050-1-ja@ssi.bg>","References":"<20260428175725.72050-1-ja@ssi.bg>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"Sashiko warns that the new sysctls vars can be changed\nafter the hash tables are destroyed and their respective\nresizing works canceled, leading to mod_delayed_work()\nbeing called for canceled works.\n\nSolve this in different ways. conn_tab can be present even\nwithout services and is destroyed only on netns exit, so use\ndisable_delayed_work_sync() to disable the work instead of\nadding more synchronization mechanisms.\n\nAs for the svc_table, it is destroyed when the services\nare deleted, so we must be sure that netns exit is not\ncalled yet (the check for 'enable') and the work is\nnot canceled by checking all under same mutex lock.\n\nAlso, use WRITE_ONCE when updating the sysctl vars as we\nalready read them with READ_ONCE.\n\nLink: https://sashiko.dev/#/patchset/20260410112352.23599-1-fw%40strlen.de\nFixes: 8d7de5477e47 (\"ipvs: add conn_lfactor and svc_lfactor sysctl vars\")\nSigned-off-by: Julian Anastasov <ja@ssi.bg>\n---\n net/netfilter/ipvs/ip_vs_conn.c |  2 +-\n net/netfilter/ipvs/ip_vs_ctl.c  | 12 +++++++++---\n 2 files changed, 10 insertions(+), 4 deletions(-)","diff":"diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c\nindex 2082bfb2d93c..84a4921a7865 100644\n--- a/net/netfilter/ipvs/ip_vs_conn.c\n+++ b/net/netfilter/ipvs/ip_vs_conn.c\n@@ -1835,7 +1835,7 @@ static void ip_vs_conn_flush(struct netns_ipvs *ipvs)\n \n \tif (!rcu_dereference_protected(ipvs->conn_tab, 1))\n \t\treturn;\n-\tcancel_delayed_work_sync(&ipvs->conn_resize_work);\n+\tdisable_delayed_work_sync(&ipvs->conn_resize_work);\n \tif (!atomic_read(&ipvs->conn_count))\n \t\tgoto unreg;\n \ndiff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c\nindex 27e50afe9a54..caec516856e9 100644\n--- a/net/netfilter/ipvs/ip_vs_ctl.c\n+++ b/net/netfilter/ipvs/ip_vs_ctl.c\n@@ -2469,7 +2469,7 @@ static int ipvs_proc_conn_lfactor(const struct ctl_table *table, int write,\n \t\tif (val < -8 || val > 8) {\n \t\t\tret = -EINVAL;\n \t\t} else {\n-\t\t\t*valp = val;\n+\t\t\tWRITE_ONCE(*valp, val);\n \t\t\tif (rcu_access_pointer(ipvs->conn_tab))\n \t\t\t\tmod_delayed_work(system_unbound_wq,\n \t\t\t\t\t\t &ipvs->conn_resize_work, 0);\n@@ -2496,10 +2496,16 @@ static int ipvs_proc_svc_lfactor(const struct ctl_table *table, int write,\n \t\tif (val < -8 || val > 8) {\n \t\t\tret = -EINVAL;\n \t\t} else {\n-\t\t\t*valp = val;\n-\t\t\tif (rcu_access_pointer(ipvs->svc_table))\n+\t\t\tmutex_lock(&ipvs->service_mutex);\n+\t\t\tWRITE_ONCE(*valp, val);\n+\t\t\t/* Make sure the services are present */\n+\t\t\tif (rcu_access_pointer(ipvs->svc_table) &&\n+\t\t\t    READ_ONCE(ipvs->enable) &&\n+\t\t\t    !test_bit(IP_VS_WORK_SVC_NORESIZE,\n+\t\t\t\t      &ipvs->work_flags))\n \t\t\t\tmod_delayed_work(system_unbound_wq,\n \t\t\t\t\t\t &ipvs->svc_resize_work, 0);\n+\t\t\tmutex_unlock(&ipvs->service_mutex);\n \t\t}\n \t}\n \treturn ret;\n","prefixes":["nf","2/7"]}