author | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-17 10:10:29 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-07-23 14:18:01 +0200 |
commit | 32c3973d808301e7a980f80fee8818fdf7c82b09 (patch) | |
tree | 4756695d6f470d5b5b9f7e20cd0ac109c532b50f /net | |
parent | netfilter: nf_tables: fix audit memory leak in nf_tables_commit (diff) | |
netfilter: flowtable: avoid possible false sharing
The flowtable follows the same timeout approach as conntrack, use the
same idiom as in cc16921351d8 ("netfilter: conntrack: avoid same-timeout
update") but also include the fix provided by e37542ba111f ("netfilter:
conntrack: avoid possible false sharing").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r-- | net/netfilter/nf_flow_table_core.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 1e50908b1b7e..551976e4284c 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -331,7 +331,11 @@ EXPORT_SYMBOL_GPL(flow_offload_add); void flow_offload_refresh(struct nf_flowtable *flow_table, struct flow_offload *flow) { - flow->timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow); + u32 timeout; + + timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow); + if (READ_ONCE(flow->timeout) != timeout) + WRITE_ONCE(flow->timeout, timeout); if (likely(!nf_flowtable_hw_offload(flow_table))) return; |
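Review bot: The conditional store in flow_offload_refresh() (`if (READ_ONCE(flow->timeout) != timeout)`) carries no comment explaining why the write is skipped when the value is unchanged, so a later cleanup could collapse it back into an unconditional assignment and bring back the cacheline dirtying the commit message refers to. Suggest a one-line comment above the check stating that the store is skipped to avoid dirtying a cacheline shared with other CPUs when the timeout is already current. Since the store is now a WRITE_ONCE(), it is also worth confirming that the readers of flow->timeout outside this hunk use READ_ONCE() so the marked accesses are paired; those readers are not visible in this diff.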