git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 5 Jun 2026 13:11:20 +0000 (15:11 +0200)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Sun, 14 Jun 2026 10:51:54 +0000 (12:51 +0200)
commit	eae341ecfc24eccad78451964a0eda7363e1fca5
tree	d9b9bf09116e81e8f5c26aca99d2cf93a6aebda2	tree \| snapshot
parent	64d7d5abe2160bba369b4a8f06bdf5630573bab0	commit \| diff

netfilter: nf_conncount: use per nf_conncount_data spinlocks

This change replaces the rb_root with a new container structure.
Instead of an array of locks shared by all nf_conncount_data objects,
each tree gains its own dedicated lock.

Downside: nf_conncount_data increases in size.  Before this change:
struct nf_conncount_data {
        [..]
        /* --- cacheline 33 boundary (2112 bytes) was 16 bytes ago --- */
        unsigned int               gc_tree;              /*  2128     4 */
        /* size: 2136, cachelines: 34, members: 7 */
        /* padding: 4 */

After:
        /* size: 4184, cachelines: 66, members: 7 */
        /* padding: 4 */

On LOCKDEP enabled kernels, this is even worse:
/* size: 18560, cachelines: 290, members: 7 */

(due to lockdep map in each spinlock).

For this reason also switch to kvzalloc.  The zeroing variant is needed
to not start with random (heap memory content) in the ->pending_trees
bitmap.

Followup patch will add and use a sequence counter.

Assisted-by: Claude:claude-sonnet-4-6
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>