Commit 73d3c04b authored Sep 03, 2024 by Pablo Neira Ayuso

netfilter: nf_tables: annotate data-races around element expiration



element expiration can be read-write locklessly, it can be written by
dynset and read from netlink dump, add annotation.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

parent c5ad8ed6

include/net/netfilter/nf_tables.h

+1 −1

Original line number	Diff line number	Diff line
		@@ -835,7 +835,7 @@ static inline bool __nft_set_elem_expired(const struct nft_set_ext *ext,
		u64 tstamp)
		{
		return nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION) &&
		time_after_eq64(tstamp, *nft_set_ext_expiration(ext));
		time_after_eq64(tstamp, READ_ONCE(*nft_set_ext_expiration(ext)));
		}

		static inline bool nft_set_elem_expired(const struct nft_set_ext *ext)

net/netfilter/nf_tables_api.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -5827,7 +5827,7 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
		if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
		u64 expires, now = get_jiffies_64();

		expires = *nft_set_ext_expiration(ext);
		expires = READ_ONCE(*nft_set_ext_expiration(ext));
		if (time_before64(now, expires))
		expires -= now;
		else

net/netfilter/nft_dynset.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -96,7 +96,7 @@ void nft_dynset_eval(const struct nft_expr *expr,
		if (priv->op == NFT_DYNSET_OP_UPDATE &&
		nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
		timeout = priv->timeout ? : READ_ONCE(set->timeout);
		*nft_set_ext_expiration(ext) = get_jiffies_64() + timeout;
		WRITE_ONCE(*nft_set_ext_expiration(ext), get_jiffies_64() + timeout);
		}

		nft_set_elem_update_expr(ext, regs, pkt);