1 files changed, 27 insertions, 0 deletions

diff --git a/target/linux/generic/backport-5.10/610-v5.15-58-netfilter-flowtable-avoid-possible-false-sharing.patch b/target/linux/generic/backport-5.10/610-v5.15-58-netfilter-flowtable-avoid-possible-false-sharing.patch
new file mode 100644
index 0000000000..69c06c51d8
--- /dev/null
+++ b/target/linux/generic/backport-5.10/610-v5.15-58-netfilter-flowtable-avoid-possible-false-sharing.patch
@@ -0,0 +1,27 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 17 Jul 2021 10:10:29 +0200
+Subject: [PATCH] netfilter: flowtable: avoid possible false sharing
+
+The flowtable follows the same timeout approach as conntrack, use the
+same idiom as in cc16921351d8 ("netfilter: conntrack: avoid same-timeout
+update") but also include the fix provided by e37542ba111f ("netfilter:
+conntrack: avoid possible false sharing").
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/net/netfilter/nf_flow_table_core.c
++++ b/net/netfilter/nf_flow_table_core.c
+@@ -328,7 +328,11 @@ EXPORT_SYMBOL_GPL(flow_offload_add);
+ void flow_offload_refresh(struct nf_flowtable *flow_table,
+ 			  struct flow_offload *flow)
+ {
+-	flow->timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
++	u32 timeout;
++
++	timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
++	if (READ_ONCE(flow->timeout) != timeout)
++		WRITE_ONCE(flow->timeout, timeout);
+ 
+ 	if (likely(!nf_flowtable_hw_offload(flow_table)))
+ 		return;