提交 414ed7fe 编写于 作者: D David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Remove the flowtable hardware refresh state, fall back to the
   existing hardware pending state instead, from Roi Dayan.

2) Fix crash in pipapo avx2 lookup when FPU is in use from user
   context, from Stefano Brivio.
====================
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
...@@ -157,7 +157,6 @@ enum nf_flow_flags { ...@@ -157,7 +157,6 @@ enum nf_flow_flags {
NF_FLOW_HW, NF_FLOW_HW,
NF_FLOW_HW_DYING, NF_FLOW_HW_DYING,
NF_FLOW_HW_DEAD, NF_FLOW_HW_DEAD,
NF_FLOW_HW_REFRESH,
NF_FLOW_HW_PENDING, NF_FLOW_HW_PENDING,
}; };
......
...@@ -306,8 +306,7 @@ void flow_offload_refresh(struct nf_flowtable *flow_table, ...@@ -306,8 +306,7 @@ void flow_offload_refresh(struct nf_flowtable *flow_table,
{ {
flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT; flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
if (likely(!nf_flowtable_hw_offload(flow_table) || if (likely(!nf_flowtable_hw_offload(flow_table)))
!test_and_clear_bit(NF_FLOW_HW_REFRESH, &flow->flags)))
return; return;
nf_flow_offload_add(flow_table, flow); nf_flow_offload_add(flow_table, flow);
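Review bot: With the `NF_FLOW_HW_REFRESH` test removed, every call to `flow_offload_refresh()` on a hardware-offload flowtable now reaches `nf_flow_offload_add()`. The only bound on how often offload work is queued from the packet path is therefore the pending-state handling the commit message refers to, which is not visible in this hunk. That dependency deserves a comment above the call, for example `/* nf_flow_offload_add() is expected to return early while NF_FLOW_HW_PENDING is set, so work is not queued per packet */`. It is worth confirming that the add path tests and sets the pending bit before it allocates anything; otherwise a flow whose hardware rule keeps failing would allocate work on every software-path packet. The end of the function lies outside the hunk.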
......
...@@ -902,10 +902,11 @@ static void flow_offload_work_add(struct flow_offload_work *offload) ...@@ -902,10 +902,11 @@ static void flow_offload_work_add(struct flow_offload_work *offload)
err = flow_offload_rule_add(offload, flow_rule); err = flow_offload_rule_add(offload, flow_rule);
if (err < 0) if (err < 0)
set_bit(NF_FLOW_HW_REFRESH, &offload->flow->flags); goto out;
else
set_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status); set_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);
out:
nf_flow_offload_destroy(flow_rule); nf_flow_offload_destroy(flow_rule);
} }
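Review bot: A failed `flow_offload_rule_add()` now leaves no state on the flow and is neither logged nor counted, so the `goto out` path gives a reader no hint of how the offload is retried. A comment at the branch would document the intent, for example `/* leave the flow in software; flow_offload_refresh() re-queues the offload on a later packet */`, assuming that is the intended retry path. As a matter of style, the label only skips one statement, so `if (err >= 0)` in front of the `set_bit(IPS_HW_OFFLOAD_BIT, ...)` call would say the same thing without it. The start of the function lies outside the hunk.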
......
...@@ -408,8 +408,8 @@ int pipapo_refill(unsigned long *map, int len, int rules, unsigned long *dst, ...@@ -408,8 +408,8 @@ int pipapo_refill(unsigned long *map, int len, int rules, unsigned long *dst,
* *
* Return: true on match, false otherwise. * Return: true on match, false otherwise.
*/ */
static bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set, bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
const u32 *key, const struct nft_set_ext **ext) const u32 *key, const struct nft_set_ext **ext)
{ {
struct nft_pipapo *priv = nft_set_priv(set); struct nft_pipapo *priv = nft_set_priv(set);
unsigned long *res_map, *fill_map; unsigned long *res_map, *fill_map;
......
...@@ -178,6 +178,8 @@ struct nft_pipapo_elem { ...@@ -178,6 +178,8 @@ struct nft_pipapo_elem {
int pipapo_refill(unsigned long *map, int len, int rules, unsigned long *dst, int pipapo_refill(unsigned long *map, int len, int rules, unsigned long *dst,
union nft_pipapo_map_bucket *mt, bool match_only); union nft_pipapo_map_bucket *mt, bool match_only);
bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,
const u32 *key, const struct nft_set_ext **ext);
/** /**
* pipapo_and_field_buckets_4bit() - Intersect 4-bit buckets * pipapo_and_field_buckets_4bit() - Intersect 4-bit buckets
......
...@@ -1131,6 +1131,9 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set, ...@@ -1131,6 +1131,9 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
bool map_index; bool map_index;
int i, ret = 0; int i, ret = 0;
if (unlikely(!irq_fpu_usable()))
return nft_pipapo_lookup(net, set, key, ext);
m = rcu_dereference(priv->match); m = rcu_dereference(priv->match);
/* This also protects access to all data related to scratch maps */ /* This also protects access to all data related to scratch maps */
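Review bot: The new `!irq_fpu_usable()` fallback returns through `nft_pipapo_lookup()` before the point where, per the existing comment, the FPU section "also protects access to all data related to scratch maps". If the generic lookup works on the same per-CPU scratch maps (not visible on this page), it could run while an AVX2 lookup on that CPU still owns them. That would affect match results rather than only performance, so it should be confirmed that the generic path provides its own exclusion. A comment on the added branch would record the assumption, for example `/* FPU unavailable in this context: the generic lookup must not rely on kernel_fpu_begin() for scratch-map exclusion */`. The function body continues outside the hunk on both sides.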
......