netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around

JIRA: https://issues.redhat.com/browse/RHEL-84544

commit df08c94
Author: Nicklas Bo Jensen <njensen@akamai.com>
Date:   Thu Feb 27 13:32:34 2025 +0000

    netfilter: nf_conncount: garbage collection is not skipped when jiffies wrap around

    nf_conncount is supposed to skip garbage collection if it has already
    run garbage collection in the same jiffy. Unfortunately, this is broken
    when jiffies wrap around which this patch fixes.

    The problem is that last_gc in the nf_conncount_list struct is an u32,
    but jiffies is an unsigned long which is 8 bytes on my systems. When
    those two are compared it only works until last_gc wraps around.

    See bug report: https://bugzilla.netfilter.org/show_bug.cgi?id=1778
    for more details.

    Fixes: d265929 ("netfilter: nf_conncount: reduce unnecessary GC")
    Signed-off-by: Nicklas Bo Jensen <njensen@akamai.com>
    Reviewed-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

Author: CKI Backport Bot

net/netfilter/nf_conncount.c

@@ -132,7 +132,7 @@ static int __nf_conncount_add(struct net *net,
 	struct nf_conn *found_ct;
 	unsigned int collect = 0;
 
-	if (time_is_after_eq_jiffies((unsigned long)list->last_gc))
+	if ((u32)jiffies == list->last_gc)
 		goto add_new_node;
 
 	/* check the saved connections */
@@ -234,7 +234,7 @@ bool nf_conncount_gc_list(struct net *net,
 	bool ret = false;
 
 	/* don't bother if we just did GC */
-	if (time_is_after_eq_jiffies((unsigned long)READ_ONCE(list->last_gc)))
+	if ((u32)jiffies == READ_ONCE(list->last_gc))
 		return false;
 
 	/* don't bother if other cpu is already doing GC */