From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Congyu Liu, Willem de Bruijn, Jakub Kicinski
Subject: [PATCH 5.15 084/196] ipv6: per-netns exclusive flowlabel checks
Date: Mon, 21 Feb 2022 09:48:36 +0100
Message-Id: <20220221084933.742361302@linuxfoundation.org>
In-Reply-To: <20220221084930.872957717@linuxfoundation.org>
References: <20220221084930.872957717@linuxfoundation.org>

From: Willem de Bruijn

commit 0b0dff5b3b98c5c7ce848151df9da0b3cdf0cc8b upstream.

Ipv6 flowlabels historically require a reservation before use.
Optionally in exclusive mode (e.g., user-private).

Commit 59c820b2317f ("ipv6: elide flowlabel check if no exclusive
leases exist") introduced a fastpath that avoids this check when no
exclusive leases exist in the system, and thus any flowlabel use
will be granted.

That allows skipping the control operation to reserve a flowlabel
entirely. Though with a warning if the fast path fails:

  This is an optimization. Robust applications still have to revert to
  requesting leases if the fast path fails due to an exclusive lease.

Still, this is subtle. Better isolate network namespaces from each
other. Flowlabels are per-netns. Also record per-netns whether
exclusive leases are in use. Then behavior does not change based on
activity in other netns.

Changes
  v2
    - wrap in IS_ENABLED(CONFIG_IPV6) to avoid breakage if disabled

Fixes: 59c820b2317f ("ipv6: elide flowlabel check if no exclusive leases exist")
Link: https://lore.kernel.org/netdev/MWHPR2201MB1072BCCCFCE779E4094837ACD0329@MWHPR2201MB1072.namprd22.prod.outlook.com/
Reported-by: Congyu Liu
Signed-off-by: Willem de Bruijn
Tested-by: Congyu Liu
Link: https://lore.kernel.org/r/20220215160037.1976072-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman

--- include/net/ipv6.h | 5 ++++- include/net/netns/ipv6.h | 3 ++- net/ipv6/ip6_flowlabel.c | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) --- a/include/net/ipv6.h +++ b/include/net/ipv6.h 
@@ -391,17 +391,20 @@ static inline void txopt_put(struct ipv6 kfree_rcu(opt, rcu); } +#if IS_ENABLED(CONFIG_IPV6) struct ip6_flowlabel *__fl6_sock_lookup(struct sock *sk, __be32 label); extern struct static_key_false_deferred ipv6_flowlabel_exclusive; static inline struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label) { - if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key)) + if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key) && + READ_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl)) return __fl6_sock_lookup(sk, label) ? : ERR_PTR(-ENOENT); return NULL; } +#endif struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, struct ip6_flowlabel *fl, --- a/include/net/netns/ipv6.h +++ b/include/net/netns/ipv6.h @@ -77,9 +77,10 @@ struct netns_ipv6 { spinlock_t fib6_gc_lock; unsigned int ip6_rt_gc_expire; unsigned long ip6_rt_last_gc; + unsigned char flowlabel_has_excl; #ifdef CONFIG_IPV6_MULTIPLE_TABLES - unsigned int fib6_rules_require_fldissect; bool fib6_has_custom_rules; + unsigned int fib6_rules_require_fldissect; #ifdef CONFIG_IPV6_SUBTREES unsigned int fib6_routes_require_src; #endif --- a/net/ipv6/ip6_flowlabel.c +++ b/net/ipv6/ip6_flowlabel.c @@ -450,8 +450,10 @@ fl_create(struct net *net, struct sock * err = -EINVAL; goto done; } - if (fl_shared_exclusive(fl) || fl->opt) + if (fl_shared_exclusive(fl) || fl->opt) { + WRITE_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl, 1); static_branch_deferred_inc(&ipv6_flowlabel_exclusive); + } return fl; done:
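
Review bot: In the include/net/ipv6.h hunk, the two-part condition in fl6_sock_lookup() needs a comment. The static key ipv6_flowlabel_exclusive remains system-wide and only the READ_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl) test is per-netns, so the code alone does not tell a reader that the first test is the cheap global gate and the second is the one that provides the namespace isolation. A short comment above the if, noting also that the READ_ONCE pairs with the WRITE_ONCE in fl_create(), would make that explicit.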
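
Review bot: In the include/net/netns/ipv6.h hunk, the swap of fib6_rules_require_fldissect and fib6_has_custom_rules is not explained in the commit message. If the intent is to place the bool directly after the new unsigned char flowlabel_has_excl so that struct netns_ipv6 does not gain a hole when CONFIG_IPV6_MULTIPLE_TABLES is set, say so in the changelog; as it stands the reorder reads as unrelated churn. Also, flowlabel_has_excl only ever holds 0 or 1 in this patch, so bool would match the neighbouring fib6_has_custom_rules.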
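
Review bot: In the net/ipv6/ip6_flowlabel.c hunk, flowlabel_has_excl is set to 1 in fl_create() and nothing in this patch ever clears it, while the global key is taken with static_branch_deferred_inc() and so is presumably dropped again elsewhere. A netns that has held one exclusive lease would then return to the slow path in fl6_sock_lookup() whenever any other netns later enables the key, which is the cross-netns dependence the commit message sets out to remove. Either clear the flag where the last exclusive lease in the netns is released, or state in a comment that the latch is intentional. Separately, fl_create() already receives struct net *net, so net->ipv6.flowlabel_has_excl would be more direct than sock_net(sk)->ipv6.flowlabel_has_excl.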