{"id":2230231,"url":"http://patchwork.ozlabs.org/api/1.1/patches/2230231/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/3e36bf8bad1bca13b2ed23eb6e9b6f238221f02f.1777468631.git.alessio.faina@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.1/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null},"msgid":"<3e36bf8bad1bca13b2ed23eb6e9b6f238221f02f.1777468631.git.alessio.faina@canonical.com>","date":"2026-04-29T13:57:20","name":"[SRU,N:linux-bluefield,1/1] UBUNTU: SAUCE: Revert \"netfilter: conntrack: rework offload nf_conn timeout extension logic\"","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ad1f53bef64b280c2fe55bd2400c218c67581afc","submitter":{"id":91694,"url":"http://patchwork.ozlabs.org/api/1.1/people/91694/?format=json","name":"Alessio Faina","email":"alessio.faina@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/3e36bf8bad1bca13b2ed23eb6e9b6f238221f02f.1777468631.git.alessio.faina@canonical.com/mbox/","series":[{"id":502068,"url":"http://patchwork.ozlabs.org/api/1.1/series/502068/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502068","date":"2026-04-29T13:57:20","name":"[SRU,N:linux-bluefield,1/1] UBUNTU: SAUCE: Revert \"netfilter: conntrack: rework offload nf_conn timeout extension logic\"","version":1,"mbox":"http://patchwork.ozlabs.org/series/502068/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2230231/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2230231/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=gHGI9b/J;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5Jlf5Dfdz1yHX\n\tfor ; Wed, 29 Apr 2026 23:57:34 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1wI5Pq-0001l9-Jg; Wed, 29 Apr 2026 13:57:26 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1wI5Po-0001kt-VC\n for kernel-team@lists.ubuntu.com; Wed, 29 Apr 2026 13:57:25 +0000","from mail-wm1-f70.google.com (mail-wm1-f70.google.com\n [209.85.128.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id C07B13F918\n for ; Wed, 29 Apr 2026 13:57:24 +0000 (UTC)","by mail-wm1-f70.google.com with SMTP id\n 5b1f17b1804b1-488d56f87e8so96148825e9.0\n for ; Wed, 29 Apr 2026 06:57:24 -0700 (PDT)","from localhost (93-35-127-183.ip55.fastwebnet.it. [93.35.127.183])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a7c5c7631sm52971225e9.13.2026.04.29.06.57.22\n for \n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 29 Apr 2026 06:57:23 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777471044;\n bh=qfLm0kRynpjClcGbJo8lXISvd6ZcFYgTj8S0ChoIfwQ=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=gHGI9b/Jmosm8xXN2DCIw6r07+sxNblM+RsJHsBI3qQf0BT/OGsYiourcsqqFcNuD\n YJLKufcRdhg4UgTKP/ZToeu2Itch6brMxjibsyQxy6W0Ps+7jiR9jsg2Rqsh/DRH+Y\n UoIzBoD2NJHsvRruxvcIxrxF1xUmH6cpXVPIpVtXEzQrVoABll1sTp/COr3/KYs1Rm\n sLbpddAec6+vCjFwWKOGR2QsY1TdVPJhvIjxU1SXQMrssHPdMDiB2P2LtaeaYjWO2S\n J5DasF3DiT38zjm2PEgvL7A0MWyRASahPEvTqIaN0ZYF7O5WiuG6tpCfpJyMeBA4nO\n l+dcnx1ZAHMec7W8Z85fHY604c0lI63s1NzW2IGzo1PMJYZAHUrzLMVyWp9VNz6fUA\n QlqqM5hB6udgRxKESXNsuSKJD6FswjbOMui41Gs3xaeJTaMLL7ogo27GcNqIOngISI\n lWFpisKB7o9NbbhU5p9tUv1tYRNGbLBuvD6wM9wW7MZlEZ+o/5RTTNieP/IE4knc7V\n OItK4TUbT3RHzdL60poIhl0q3K/M36UDqYK+vjEpxumSUvNKvy2AcuiIP8itM7cu53\n CG0qZ6tw/cGqvtBUh+llanK1p16LBknOazoJSVMNprsB2iPLBg1x25YvOdzYXlIC47\n jA4MVPWjUbDlWf6aiu2e1tYk=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777471044; x=1778075844;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=qfLm0kRynpjClcGbJo8lXISvd6ZcFYgTj8S0ChoIfwQ=;\n b=L7db0e6fYQDXACyS6JXSJUTqaQP2JxGjaDyGtts0NaVwARO2OUPkEIk0/Jdg7JcZ3G\n PQq1LVd7yvmreSvJ5ukXBS4udL0a77YuXsRU5zvhQ2PMc8BQWD3jtsss7KDfeof3l7y5\n nrWPFw0A+sBl9TN8WiZf+BpjxkbIKE4T0Ami7L58K0CoxsHZvmWm/X3viXfJrqo7JKj4\n B6wvYewPZNxdoBxGAmGqsqcaVJVaCjXcsz1JBl4G4BbChcZU5s8cCqLA6t0w/RayRd4s\n EmCy5KQ6XXh5VTADiMnAWhsCgwo5UZidLKDHrlZZT62PEFBkEPeh2szOJnHY+niQKW/W\n onoQ==","X-Gm-Message-State":"AOJu0YwGdkbUDVaBIuwCV4cqeyBLVRIF/WB/+LIm1BnuWwdRJZD++yhA\n rFNrrXwdjeSLFuEglvp4IsWT1yX4CSVGbxpIJw3CBrmxjA8Y6LRZSsXXuJuXTzryxT9Qo3rv1Wi\n kFCKdtVDAcIm0OppHtGP4xOF47kIfcOmA7lBCLg4sFiHHs6FwUDPtIJZjPqoOWOu02BYtRxxMzM\n PKyves6olPBwkwRg==","X-Gm-Gg":"AeBDiesGtTZaULFjatpClQA9apOa7Au1G47u8GX95kOzm4kQ8q0GjXuYm5lpfY757/5\n Yn98qnzdH4vh/oCCDeBE0aGel3diioMH92lRE9Szk3lRjXOU0PovwDIQ4so792L/6RxED7PhXoA\n KQGSpfVchQRdVC8WCy39qsUCtbZ12Aq6KtJemRw789OuWcxFwmudbADe75HwaV12//MFf4JUEK4\n BqKklCqpSU77p2dxTEKbcz/SVc0FW6VJod9vRd4DtVc802+bSYhqG2kdFYTIBOXQTysMaNV23wY\n hQOJLTF9TIsHQDNzCy94LLlnWHb1SF8W0yQDloeo/oN5gGVaOTwhobpcPSiqwW5+bkEc3SaTI6x\n dg7HwD/2uF+Te9jceEDrGrns50zs4/b5E1wcSeo8UeE/+/W9iLgMqOXVOBhN0F8y9H1T6zPw2+C\n 6SbUW/zd89+nrIeSrZPxexvAp+2LcNGg==","X-Received":["by 2002:a05:600c:8208:b0:489:1c1f:35f1 with SMTP id\n 5b1f17b1804b1-48a77ad5f64mr118167465e9.4.1777471044105;\n Wed, 29 Apr 2026 06:57:24 -0700 (PDT)","by 2002:a05:600c:8208:b0:489:1c1f:35f1 with SMTP id\n 5b1f17b1804b1-48a77ad5f64mr118166965e9.4.1777471043437;\n Wed, 29 Apr 2026 06:57:23 -0700 (PDT)"],"From":"Alessio Faina ","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][N:linux-bluefield][PATCH 1/1] UBUNTU: SAUCE: Revert \"netfilter:\n conntrack: rework offload nf_conn timeout extension logic\"","Date":"Wed, 29 Apr 2026 15:57:20 +0200","Message-ID":"\n <3e36bf8bad1bca13b2ed23eb6e9b6f238221f02f.1777468631.git.alessio.faina@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"","References":"","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "},"content":"BugLink: https://bugs.launchpad.net/bugs/2150645\n\nThis reverts commit def3e30c59ebb7f01df9d8526978479f2c9b7b7f.\n\nThis commit needs to be reverted as Nvidia reported a massive regression\nin performance.\n\nSigned-off-by: Alessio Faina \n---\n include/net/netfilter/nf_conntrack.h | 10 +++\n net/netfilter/nf_conntrack_core.c | 6 ++\n net/netfilter/nf_flow_table_core.c | 105 +--------------------------\n 3 files changed, 18 insertions(+), 103 deletions(-)","diff":"diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h\nindex ca26274196b9..a85051121af8 100644\n--- a/include/net/netfilter/nf_conntrack.h\n+++ b/include/net/netfilter/nf_conntrack.h\n@@ -323,6 +323,16 @@ static inline bool nf_ct_should_gc(const struct nf_conn *ct)\n \n #define\tNF_CT_DAY\t(86400 * HZ)\n \n+/* Set an arbitrary timeout large enough not to ever expire, this save\n+ * us a check for the IPS_OFFLOAD_BIT from the packet path via\n+ * nf_ct_is_expired().\n+ */\n+static inline void nf_ct_offload_timeout(struct nf_conn *ct)\n+{\n+\tif (nf_ct_expires(ct) < NF_CT_DAY / 2)\n+\t\tWRITE_ONCE(ct->timeout, nfct_time_stamp + NF_CT_DAY);\n+}\n+\n struct kernel_param;\n \n int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp);\ndiff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c\nindex fd0f6397da9d..299987f306c6 100644\n--- a/net/netfilter/nf_conntrack_core.c\n+++ b/net/netfilter/nf_conntrack_core.c\n@@ -1514,6 +1514,12 @@ static void gc_worker(struct work_struct *work)\n \n \t\t\ttmp = nf_ct_tuplehash_to_ctrack(h);\n \n+\t\t\tif (test_bit(IPS_OFFLOAD_BIT, &tmp->status)) {\n+\t\t\t\tnf_ct_offload_timeout(tmp);\n+\t\t\t\tif (!nf_conntrack_max95)\n+\t\t\t\t\tcontinue;\n+\t\t\t}\n+\n \t\t\tif (expired_count > GC_SCAN_EXPIRED_MAX) {\n \t\t\t\trcu_read_unlock();\n \ndiff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c\nindex 96f29f80d1bd..5c1ff07eaee0 100644\n--- a/net/netfilter/nf_flow_table_core.c\n+++ b/net/netfilter/nf_flow_table_core.c\n@@ -294,7 +294,7 @@ int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)\n \t\treturn err;\n \t}\n \n-\tnf_ct_refresh(flow->ct, NF_CT_DAY);\n+\tnf_ct_offload_timeout(flow->ct);\n \n \tif (nf_flowtable_hw_offload(flow_table)) {\n \t\t__set_bit(NF_FLOW_HW, &flow->flags);\n@@ -414,116 +414,15 @@ static bool nf_flow_custom_gc(struct nf_flowtable *flow_table,\n \treturn flow_table->type->gc && flow_table->type->gc(flow);\n }\n \n-/**\n- * nf_flow_table_tcp_timeout() - new timeout of offloaded tcp entry\n- * @ct:\t\tFlowtable offloaded tcp ct\n- *\n- * Return: number of seconds when ct entry should expire.\n- */\n-static u32 nf_flow_table_tcp_timeout(const struct nf_conn *ct)\n-{\n-\tu8 state = READ_ONCE(ct->proto.tcp.state);\n-\n-\tswitch (state) {\n-\tcase TCP_CONNTRACK_SYN_SENT:\n-\tcase TCP_CONNTRACK_SYN_RECV:\n-\t\treturn 0;\n-\tcase TCP_CONNTRACK_ESTABLISHED:\n-\t\treturn NF_CT_DAY;\n-\tcase TCP_CONNTRACK_FIN_WAIT:\n-\tcase TCP_CONNTRACK_CLOSE_WAIT:\n-\tcase TCP_CONNTRACK_LAST_ACK:\n-\tcase TCP_CONNTRACK_TIME_WAIT:\n-\t\treturn 5 * 60 * HZ;\n-\tcase TCP_CONNTRACK_CLOSE:\n-\t\treturn 0;\n-\t}\n-\n-\treturn 0;\n-}\n-\n-/**\n- * nf_flow_table_extend_ct_timeout() - Extend ct timeout of offloaded conntrack entry\n- * @ct:\t\tFlowtable offloaded ct\n- *\n- * Datapath lookups in the conntrack table will evict nf_conn entries\n- * if they have expired.\n- *\n- * Once nf_conn entries have been offloaded, nf_conntrack might not see any\n- * packets anymore. Thus ct->timeout is no longer refreshed and ct can\n- * be evicted.\n- *\n- * To avoid the need for an additional check on the offload bit for every\n- * packet processed via nf_conntrack_in(), set an arbitrary timeout large\n- * enough not to ever expire, this save us a check for the IPS_OFFLOAD_BIT\n- * from the packet path via nf_ct_is_expired().\n- */\n-static void nf_flow_table_extend_ct_timeout(struct nf_conn *ct)\n-{\n-\tstatic const u32 min_timeout = 5 * 60 * HZ;\n-\tu32 expires = nf_ct_expires(ct);\n-\n-\t/* normal case: large enough timeout, nothing to do. */\n-\tif (likely(expires >= min_timeout))\n-\t\treturn;\n-\n-\t/* must check offload bit after this, we do not hold any locks.\n-\t * flowtable and ct entries could have been removed on another CPU.\n-\t */\n-\tif (!refcount_inc_not_zero(&ct->ct_general.use))\n-\t\treturn;\n-\n-\t/* load ct->status after refcount increase */\n-\tsmp_acquire__after_ctrl_dep();\n-\n-\tif (nf_ct_is_confirmed(ct) &&\n-\t test_bit(IPS_OFFLOAD_BIT, &ct->status)) {\n-\t\tu8 l4proto = nf_ct_protonum(ct);\n-\t\tu32 new_timeout = true;\n-\n-\t\tswitch (l4proto) {\n-\t\tcase IPPROTO_UDP:\n-\t\t\tnew_timeout = NF_CT_DAY;\n-\t\t\tbreak;\n-\t\tcase IPPROTO_TCP:\n-\t\t\tnew_timeout = nf_flow_table_tcp_timeout(ct);\n-\t\t\tbreak;\n-\t\tdefault:\n-\t\t\tWARN_ON_ONCE(1);\n-\t\t\tbreak;\n-\t\t}\n-\n-\t\t/* Update to ct->timeout from nf_conntrack happens\n-\t\t * without holding ct->lock.\n-\t\t *\n-\t\t * Use cmpxchg to ensure timeout extension doesn't\n-\t\t * happen when we race with conntrack datapath.\n-\t\t *\n-\t\t * The inverse -- datapath updating ->timeout right\n-\t\t * after this -- is fine, datapath is authoritative.\n-\t\t */\n-\t\tif (new_timeout) {\n-\t\t\tnew_timeout += nfct_time_stamp;\n-\t\t\tcmpxchg(&ct->timeout, expires, new_timeout);\n-\t\t}\n-\t}\n-\n-\tnf_ct_put(ct);\n-}\n-\n static void nf_flow_offload_gc_step(struct nf_flowtable *flow_table,\n \t\t\t\t struct flow_offload *flow, void *data)\n {\n-\tbool teardown = test_bit(NF_FLOW_TEARDOWN, &flow->flags);\n-\n \tif (nf_flow_has_expired(flow) ||\n \t nf_ct_is_dying(flow->ct) ||\n \t nf_flow_custom_gc(flow_table, flow))\n \t\tflow_offload_teardown(flow);\n-\telse if (!teardown)\n-\t\tnf_flow_table_extend_ct_timeout(flow->ct);\n \n-\tif (teardown) {\n+\tif (test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {\n \t\tif (test_bit(NF_FLOW_HW, &flow->flags)) {\n \t\t\tif (!test_bit(NF_FLOW_HW_DYING, &flow->flags))\n \t\t\t\tnf_flow_offload_del(flow_table, flow);\n","prefixes":["SRU","N:linux-bluefield","1/1"]}