netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around

commit df08c94baafb001de6cf44bb7098bb557f36c335 upstream.

nf_conncount is supposed to skip garbage collection if it has already
run garbage collection in the same jiffy. Unfortunately, this is broken
when jiffies wrap around which this patch fixes.

The problem is that last_gc in the nf_conncount_list struct is an u32,
but jiffies is an unsigned long which is 8 bytes on my systems. When
those two are compared it only works until last_gc wraps around.

See bug report: https://bugzilla.netfilter.org/show_bug.cgi?id=1778
for more details.

Fixes: d265929930e2 ("netfilter: nf_conncount: reduce unnecessary GC")
Signed-off-by: Nicklas Bo Jensen <njensen@akamai.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 3e8828bdcd1b359fb047e817df417b214198a0f2..97b631a81484d4d60cf3b7a46b47e22e8d7cc86e 100644 (file)
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -182,7 +182,7 @@ static int __nf_conncount_add(struct net *net,
                return -EEXIST;
        }
 
-       if (time_is_after_eq_jiffies((unsigned long)list->last_gc))
+       if ((u32)jiffies == list->last_gc)
                goto add_new_node;
 
        /* check the saved connections */
@@ -288,7 +288,7 @@ bool nf_conncount_gc_list(struct net *net,
        bool ret = false;
 
        /* don't bother if we just did GC */
-       if (time_is_after_eq_jiffies((unsigned long)READ_ONCE(list->last_gc)))
+       if ((u32)jiffies == READ_ONCE(list->last_gc))
                return false;
 
        /* don't bother if other cpu is already doing GC */