git.ipfire.org Git - thirdparty/kernel/stable.git/commit
netfilter: nft_flow_offload: update tcp state flags under lock
author Florian Westphal <fw@strlen.de>
Mon, 13 Jan 2025 23:50:34 +0000 (00:50 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 13 Mar 2025 11:49:59 +0000 (12:49 +0100)
commit 920f736e6c64faf989218a0a4f3252e62f3ad7dd
tree 51d05dbfaf620792db3a2839bd011b876b928dcf
parent 38646749d6e12f9d80a08d21ca39f0beca20230d
netfilter: nft_flow_offload: update tcp state flags under lock

[ Upstream commit 7a4b61406395291ffb7220a10e8951a9a8684819 ]

The conntrack entry is already public, there is a small chance that another
CPU is handling a packet in reply direction and racing with the tcp state
update.

Move this under ct spinlock.

This is done once, when ct is about to be offloaded, so this should
not result in a noticeable performance hit.

Fixes: 8437a6209f76 ("netfilter: nft_flow_offload: set liberal tracking mode for tcp")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nft_flow_offload.c