]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
netfilter: nft_counter: serialize reset with spinlock
authorBrian Witte <brianwitte@mailfence.com>
Wed, 4 Feb 2026 20:26:37 +0000 (14:26 -0600)
committerFlorian Westphal <fw@strlen.de>
Tue, 17 Feb 2026 14:04:20 +0000 (15:04 +0100)
Add a global static spinlock to serialize counter fetch+reset
operations, preventing concurrent dump-and-reset from underrunning
values.

The lock is taken before fetching the total so that two parallel
resets cannot both read the same counter values and then both
subtract them.

A global lock is used for simplicity since resets are infrequent.
If this becomes a bottleneck, it can be replaced with a per-net
lock later.

Fixes: bd662c4218f9 ("netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests")
Fixes: 3d483faa6663 ("netfilter: nf_tables: Add locking for NFT_MSG_GETSETELEM_RESET requests")
Fixes: 3cb03edb4de3 ("netfilter: nf_tables: Add locking for NFT_MSG_GETRULE_RESET requests")
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Brian Witte <brianwitte@mailfence.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
net/netfilter/nft_counter.c

index 0d70325280cc57d9f3198e5cf79e538f474015af..169ae93688bcc5d60818d9238342efe64b9bfbeb 100644 (file)
@@ -32,6 +32,9 @@ struct nft_counter_percpu_priv {
 
 static DEFINE_PER_CPU(struct u64_stats_sync, nft_counter_sync);
 
+/* control plane only: sync fetch+reset */
+static DEFINE_SPINLOCK(nft_counter_lock);
+
 static inline void nft_counter_do_eval(struct nft_counter_percpu_priv *priv,
                                       struct nft_regs *regs,
                                       const struct nft_pktinfo *pkt)
@@ -148,13 +151,25 @@ static void nft_counter_fetch(struct nft_counter_percpu_priv *priv,
        }
 }
 
+static void nft_counter_fetch_and_reset(struct nft_counter_percpu_priv *priv,
+                                       struct nft_counter_tot *total)
+{
+       spin_lock(&nft_counter_lock);
+       nft_counter_fetch(priv, total);
+       nft_counter_reset(priv, total);
+       spin_unlock(&nft_counter_lock);
+}
+
 static int nft_counter_do_dump(struct sk_buff *skb,
                               struct nft_counter_percpu_priv *priv,
                               bool reset)
 {
        struct nft_counter_tot total;
 
-       nft_counter_fetch(priv, &total);
+       if (unlikely(reset))
+               nft_counter_fetch_and_reset(priv, &total);
+       else
+               nft_counter_fetch(priv, &total);
 
        if (nla_put_be64(skb, NFTA_COUNTER_BYTES, cpu_to_be64(total.bytes),
                         NFTA_COUNTER_PAD) ||
@@ -162,9 +177,6 @@ static int nft_counter_do_dump(struct sk_buff *skb,
                         NFTA_COUNTER_PAD))
                goto nla_put_failure;
 
-       if (reset)
-               nft_counter_reset(priv, &total);
-
        return 0;
 
 nla_put_failure: