From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern, Eric Dumazet, Peter Zijlstra
Cc: Dmitry Safonov, Ard Biesheuvel, Bob Gilligan, "David S. Miller", Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri, Hideaki YOSHIFUJI, Jakub Kicinski, Jason Baron, Josh Poimboeuf, Paolo Abeni, Salam Noureddine, Steven Rostedt, netdev@vger.kernel.org
Subject: [PATCH v4 0/5] net/tcp: Dynamically disable TCP-MD5 static key
Date: Tue, 15 Nov 2022 21:19:00 +0000
Message-Id: <20221115211905.1685426-1-dima@arista.com>

Changes from v3:
- Used atomic_try_cmpxchg() as suggested by Peter Zijlstra
- Renamed static_key_fast_inc() => static_key_fast_inc_not_negative()
  (addressing Peter Zijlstra's review)
- Based on linux-tip/master
- tcp_md5_key_copy() now does net_warn_ratelimited()
  (addressing Peter Zijlstra's review)
  tcp_md5_do_add() does not as it returns -EUSERS from setsockopt()
  syscall back to the userspace
- Corrected WARN_ON_ONCE(!static_key_fast_inc(key))
  (Spotted by Jason Baron)
- Moved declaration of static_key_fast_inc_not_negative() and its
  EXPORT_SYMBOL_GPL() to the patch 3 that uses it,
  "net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction"
  (addressing Peter Zijlstra's review)
- Added patch 4 that destroys the newly created request socket
  if md5 info allocation or static_key increment was unsuccessful.
  Instead of proceeding to add a socket without TCP-MD5 keys.
- Added patch 5 that separates helper tcp_time_wait_init()
  and converts BUG_ON() to WARN_ON_ONCE().

Changes from v2:
- Prevent key->enabled from turning negative by overflow from
  static_key_slow_inc() or static_key_fast_inc()
  (addressing Peter Zijlstra's review)
- Added checks if static_branch_inc() and static_key_fast_int()
  were successful to TCP-MD5 code.

Changes from v1:
- Add static_key_fast_inc() helper rather than open-coded atomic_inc()
  (as suggested by Eric Dumazet)

Version 3: https://lore.kernel.org/all/20221111212320.1386566-1-dima@arista.com/T/#u
Version 2: https://lore.kernel.org/all/20221103212524.865762-1-dima@arista.com/T/#u
Version 1: https://lore.kernel.org/all/20221102211350.625011-1-dima@arista.com/T/#u

The static key introduced by commit 6015c71e656b ("tcp: md5: add
tcp_md5_needed jump label") is a fast-path optimization aimed at
avoiding a cache line miss.
Once an MD5 key is introduced in the system the static key is enabled
and never disabled. Address this by disabling the static key when
the last tcp_md5sig_info in system is destroyed.

Previously it was submitted as a part of TCP-AO patches set [1].
Now in attempt to split 36 patches submission, I send this independently.

Cc: Ard Biesheuvel
Cc: Bob Gilligan
Cc: David Ahern
Cc: "David S. Miller"
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Eric Dumazet
Cc: Francesco Ruggeri
Cc: Hideaki YOSHIFUJI
Cc: Jakub Kicinski
Cc: Jason Baron
Cc: Josh Poimboeuf
Cc: Paolo Abeni
Cc: Peter Zijlstra
Cc: Salam Noureddine
Cc: Steven Rostedt
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org

[1]: https://lore.kernel.org/all/20221027204347.529913-1-dima@arista.com/T/#u

Thanks,
            Dmitry

Dmitry Safonov (5):
  jump_label: Prevent key->enabled int overflow
  net/tcp: Separate tcp_md5sig_info allocation into
    tcp_md5sig_info_add()
  net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction
  net/tcp: Do cleanup on tcp_md5_key_copy() failure
  net/tcp: Separate initialization of twsk

 include/linux/jump_label.h | 21 +++++++--
 include/net/tcp.h          | 10 ++--
 kernel/jump_label.c        | 55 +++++++++++++++++-----
 net/ipv4/tcp.c             |  5 +-
 net/ipv4/tcp_ipv4.c        | 94 +++++++++++++++++++++++++++++---------
 net/ipv4/tcp_minisocks.c   | 61 ++++++++++++++++---------
 net/ipv4/tcp_output.c      |  4 +-
 net/ipv6/tcp_ipv6.c        | 21 ++++-----
 8 files changed, 191 insertions(+), 80 deletions(-)

base-commit: 094226ad94f471a9f19e8f8e7140a09c2625abaa
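
Added example, not part of the original message or of the patch series: a userspace C11 model of the overflow guard the changelog describes, where a user counter is incremented with a compare-exchange loop that refuses to wrap negative and the caller reports -EUSERS instead. The names counter_inc_not_negative(), counter_dec_and_test(), md5_info_add_model() and md5_users_model are hypothetical, and the exact refusal conditions are an assumption; the kernel helpers in the series may differ.

```c
#include <errno.h>
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-in for key->enabled: 0 = off, >0 = number of users. */
static atomic_int md5_users_model;

/*
 * Increment unless the counter is already negative or the increment
 * would wrap it to a negative value (assumed semantics, see lead-in).
 */
static bool counter_inc_not_negative(atomic_int *enabled)
{
    int v = atomic_load(enabled);

    do {
        if (v < 0 || v == INT_MAX)
            return false;   /* refuse rather than overflow */
        /* A failed exchange reloads v, so the checks above run again. */
    } while (!atomic_compare_exchange_weak(enabled, &v, v + 1));

    return true;
}

/* Drop one user; true when the last user is gone and the key can go off. */
static bool counter_dec_and_test(atomic_int *enabled)
{
    return atomic_fetch_sub(enabled, 1) == 1;
}

/* Model of a setsockopt()-path caller: fail with -EUSERS, do not overflow. */
static int md5_info_add_model(atomic_int *enabled)
{
    return counter_inc_not_negative(enabled) ? 0 : -EUSERS;
}

int main(void)
{
    /* Constructed starting value one below saturation. */
    atomic_store(&md5_users_model, INT_MAX - 1);

    int first = md5_info_add_model(&md5_users_model);   /* reaches INT_MAX */
    int second = md5_info_add_model(&md5_users_model);  /* saturated */

    return (first == 0 && second == -EUSERS) ? 0 : 1;
}
```

An unchecked atomic increment at INT_MAX would leave the counter negative, which is the state the v2 changelog entry sets out to prevent.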