netfilter: conntrack: Fix data-races around ct mark

	key->ct_zone = ct->zone.id;

#endif

#if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)

	key->ct_mark = ct->mark;

	key->ct_mark = READ_ONCE(ct->mark);

#endif

	cl = nf_ct_labels_find(ct);

	switch (ctinfo) {

	case IP_CT_NEW:

		ct->mark = hash;

		WRITE_ONCE(ct->mark, hash);

		break;

	case IP_CT_RELATED:

	case IP_CT_RELATED_REPLY:

#ifdef DEBUG

	nf_ct_dump_tuple_ip(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);

#endif

	pr_debug("hash=%u ct_hash=%u ", hash, ct->mark);

	pr_debug("hash=%u ct_hash=%u ", hash, READ_ONCE(ct->mark));

	if (!clusterip_responsible(cipinfo->config, hash)) {

		pr_debug("not responsible\n");

		return NF_DROP;

			}

#ifdef CONFIG_NF_CONNTRACK_MARK

			ct->mark = exp->master->mark;

			ct->mark = READ_ONCE(exp->master->mark);

#endif

#ifdef CONFIG_NF_CONNTRACK_SECMARK

			ct->secmark = exp->master->secmark;

}

#ifdef CONFIG_NF_CONNTRACK_MARK

static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)

static int ctnetlink_dump_mark(struct sk_buff *skb, u32 mark)

{

	if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))

	if (nla_put_be32(skb, CTA_MARK, htonl(mark)))

		goto nla_put_failure;

	return 0;

static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)

{

	if (ctnetlink_dump_status(skb, ct) < 0 ||

	    ctnetlink_dump_mark(skb, ct) < 0 ||

	    ctnetlink_dump_mark(skb, READ_ONCE(ct->mark)) < 0 ||

	    ctnetlink_dump_secctx(skb, ct) < 0 ||

	    ctnetlink_dump_id(skb, ct) < 0 ||

	    ctnetlink_dump_use(skb, ct) < 0 ||

	struct sk_buff *skb;

	unsigned int type;

	unsigned int flags = 0, group;

	u32 mark;

	int err;

	if (events & (1 << IPCT_DESTROY)) {

	}

#ifdef CONFIG_NF_CONNTRACK_MARK

	if ((events & (1 << IPCT_MARK) || ct->mark)

	    && ctnetlink_dump_mark(skb, ct) < 0)

	mark = READ_ONCE(ct->mark);

	if ((events & (1 << IPCT_MARK) || mark) &&

	    ctnetlink_dump_mark(skb, mark) < 0)

		goto nla_put_failure;

#endif

	nlmsg_end(skb, nlh);

	}

#ifdef CONFIG_NF_CONNTRACK_MARK

	if ((ct->mark & filter->mark.mask) != filter->mark.val)

	if ((READ_ONCE(ct->mark) & filter->mark.mask) != filter->mark.val)

		goto ignore_entry;

#endif

	status = (u32)READ_ONCE(ct->status);

		mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));

	mark = ntohl(nla_get_be32(cda[CTA_MARK]));

	newmark = (ct->mark & mask) ^ mark;

	if (newmark != ct->mark)

		ct->mark = newmark;

	newmark = (READ_ONCE(ct->mark) & mask) ^ mark;

	if (newmark != READ_ONCE(ct->mark))

		WRITE_ONCE(ct->mark, newmark);

}

#endif

{

	const struct nf_conntrack_zone *zone;

	struct nlattr *nest_parms;

	u32 mark;

	zone = nf_ct_zone(ct);

		goto nla_put_failure;

#ifdef CONFIG_NF_CONNTRACK_MARK

	if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)

	mark = READ_ONCE(ct->mark);

	if (mark && ctnetlink_dump_mark(skb, mark) < 0)

		goto nla_put_failure;

#endif

	if (ctnetlink_dump_labels(skb, ct) < 0)

		goto release;

#if defined(CONFIG_NF_CONNTRACK_MARK)

	seq_printf(s, "mark=%u ", ct->mark);

	seq_printf(s, "mark=%u ", READ_ONCE(ct->mark));

#endif

	ct_show_secctx(s, ct);