kernel: backport flow offload fixes to 5.10

[openwrt/staging/chunkeey.git] / target / linux / generic / backport-5.10 / 610-v5.15-58-netfilter-flowtable-avoid-possible-false-sharing.patch

diff --git a/target/linux/generic/backport-5.10/610-v5.15-58-netfilter-flowtable-avoid-possible-false-sharing.patch b/target/linux/generic/backport-5.10/610-v5.15-58-netfilter-flowtable-avoid-possible-false-sharing.patch
new file mode 100644 (file)
index 0000000..69c06c5
--- /dev/null
+++ b/target/linux/generic/backport-5.10/610-v5.15-58-netfilter-flowtable-avoid-possible-false-sharing.patch
@@ -0,0 +1,27 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 17 Jul 2021 10:10:29 +0200
+Subject: [PATCH] netfilter: flowtable: avoid possible false sharing
+
+The flowtable follows the same timeout approach as conntrack, use the
+same idiom as in cc16921351d8 ("netfilter: conntrack: avoid same-timeout
+update") but also include the fix provided by e37542ba111f ("netfilter:
+conntrack: avoid possible false sharing").
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -328,7 +328,11 @@ EXPORT_SYMBOL_GPL(flow_offload_add);
+ void flow_offload_refresh(struct nf_flowtable *flow_table,
+                         struct flow_offload *flow)
+ {
+-      flow->timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
++      u32 timeout;
++
++      timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
++      if (READ_ONCE(flow->timeout) != timeout)
++              WRITE_ONCE(flow->timeout, timeout);
+ 
+       if (likely(!nf_flowtable_hw_offload(flow_table)))
+               return;