From patchwork Wed Nov 23 17:38:54 2022
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 2131
From: Dmitry Safonov
To: linux-kernel@vger.kernel.org, David Ahern, Eric Dumazet, Peter Zijlstra
Cc: Dmitry Safonov, Ard Biesheuvel, Bob Gilligan, "David S. Miller",
    Dmitry Safonov <0x7f454c46@gmail.com>, Francesco Ruggeri,
    Hideaki YOSHIFUJI, Jakub Kicinski, Jason Baron, Josh Poimboeuf,
    Paolo Abeni, Salam Noureddine, Steven Rostedt, netdev@vger.kernel.org
Subject: [PATCH v6 0/5] net/tcp: Dynamically disable TCP-MD5 static key
Date: Wed, 23 Nov 2022 17:38:54 +0000
Message-Id: <20221123173859.473629-1-dima@arista.com>

Changes from v5:
- Corrected comment for static_key_fast_inc_not_negative() (Peter)
- Renamed static_key_fast_inc_not_negative() =>
  static_key_fast_inc_not_disabled() (as suggested by Peter)
- static_key_fast_inc_not_disabled() is exported and declared in the
  patch 1 that defines it, rather than in patch 3 that uses it (Peter)

Changes from v4:
- Used rcu_dereference_protected() for tp->md5sig_info in
  tcp_md5_do_add() and tcp_md5_key_copy() fail paths to make sure
  there won't be false-positives from sparse (Jakub)
- Added Acked-by: Jakub Kicinski

Changes from v3:
- Used atomic_try_cmpxchg() as suggested by Peter Zijlstra
- Renamed static_key_fast_inc() => static_key_fast_inc_not_negative()
  (addressing Peter Zijlstra's review)
- Based on linux-tip/master
- tcp_md5_key_copy() now does net_warn_ratelimited()
  (addressing Peter Zijlstra's review)
  tcp_md5_do_add() does not, as it returns -EUSERS from the setsockopt()
  syscall back to userspace
- Corrected WARN_ON_ONCE(!static_key_fast_inc(key))
  (Spotted by Jason Baron)
- Moved declaration of static_key_fast_inc_not_negative() and its
  EXPORT_SYMBOL_GPL() to the patch 3 that uses it,
  "net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction"
  (addressing Peter Zijlstra's review)
- Added patch 4 that destroys the newly created request socket
  if md5 info allocation or static_key increment was unsuccessful,
  instead of proceeding to add a socket without TCP-MD5 keys.
- Added patch 5 that separates helper tcp_time_wait_init()
  and converts BUG_ON() to WARN_ON_ONCE().

Changes from v2:
- Prevent key->enabled from turning negative by overflow from
  static_key_slow_inc() or static_key_fast_inc()
  (addressing Peter Zijlstra's review)
- Added checks if static_branch_inc() and static_key_fast_inc()
  were successful to TCP-MD5 code.

Changes from v1:
- Add static_key_fast_inc() helper rather than open-coded atomic_inc()
  (as suggested by Eric Dumazet)

Version 5:
https://lore.kernel.org/all/20221122185534.308643-1-dima@arista.com/T/#u
Version 4:
https://lore.kernel.org/all/20221115211905.1685426-1-dima@arista.com/T/#u
Version 3:
https://lore.kernel.org/all/20221111212320.1386566-1-dima@arista.com/T/#u
Version 2:
https://lore.kernel.org/all/20221103212524.865762-1-dima@arista.com/T/#u
Version 1:
https://lore.kernel.org/all/20221102211350.625011-1-dima@arista.com/T/#u

The static key introduced by commit 6015c71e656b ("tcp: md5: add
tcp_md5_needed jump label") is a fast-path optimization aimed at
avoiding a cache line miss.
Once an MD5 key is introduced in the system, the static key is enabled
and never disabled. Address this by disabling the static key when
the last tcp_md5sig_info in the system is destroyed.

Previously it was submitted as a part of the TCP-AO patch set [1].
Now, in an attempt to split the 36-patch submission, I send this
independently.

Cc: Ard Biesheuvel
Cc: Bob Gilligan
Cc: David Ahern
Cc: "David S. Miller"
Cc: Dmitry Safonov <0x7f454c46@gmail.com>
Cc: Eric Dumazet
Cc: Francesco Ruggeri
Cc: Hideaki YOSHIFUJI
Cc: Jakub Kicinski
Cc: Jason Baron
Cc: Josh Poimboeuf
Cc: Paolo Abeni
Cc: Peter Zijlstra
Cc: Salam Noureddine
Cc: Steven Rostedt
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org

[1]: https://lore.kernel.org/all/20221027204347.529913-1-dima@arista.com/T/#u

Thanks,
            Dmitry

Dmitry Safonov (5):
  jump_label: Prevent key->enabled int overflow
  net/tcp: Separate tcp_md5sig_info allocation into tcp_md5sig_info_add()
  net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction
  net/tcp: Do cleanup on tcp_md5_key_copy() failure
  net/tcp: Separate initialization of twsk

 include/linux/jump_label.h | 21 +++++++--
 include/net/tcp.h          | 10 ++--
 kernel/jump_label.c        | 56 +++++++++++++++++-----
 net/ipv4/tcp.c             |  5 +-
 net/ipv4/tcp_ipv4.c        | 96 +++++++++++++++++++++++++++++---------
 net/ipv4/tcp_minisocks.c   | 61 +++++++++++++++---------
 net/ipv4/tcp_output.c      |  4 +-
 net/ipv6/tcp_ipv6.c        | 21 ++++-----
 8 files changed, 194 insertions(+), 80 deletions(-)


base-commit: 736b6d81d93cf61a0601af90bd552103ef997b3f
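
Added example (not code from this patch series): a userspace model of the overflow-safe increment the changelog names, a compare-and-exchange loop that refuses to take a reference when the counter is disabled, negative, or about to wrap, with the refusal reported as -EUSERS. It uses C11 atomics in place of the kernel's atomic_try_cmpxchg(); model_key, model_inc_not_disabled, model_add_key, demo_key and add_from are hypothetical names, and the start values are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model: only the 'enabled' counter of a static key, no code patching. */
struct model_key { atomic_int enabled; };

/* Take a reference only if the key is already enabled (> 0) and the
 * increment cannot wrap the counter into the negative range. */
static bool model_inc_not_disabled(struct model_key *key)
{
	int v = atomic_load(&key->enabled);
	do {
		if (v <= 0 || v == INT_MAX)
			return false;
		/* a failed CAS reloads v, so both checks run again */
	} while (!atomic_compare_exchange_weak(&key->enabled, &v, v + 1));
	return true;
}

/* Caller pattern from the cover letter: a refused increment becomes
 * -EUSERS for the setsockopt() caller instead of being ignored. */
static int model_add_key(struct model_key *key)
{
	return model_inc_not_disabled(key) ? 0 : -EUSERS;
}

static struct model_key demo_key;

/* Demo helper: reset the key to a constructed value and try once. */
static int add_from(int start)
{
	atomic_store(&demo_key.enabled, start);
	return model_add_key(&demo_key);
}

int main(void)
{
	int starts[] = { 1, INT_MAX - 1, INT_MAX, 0, -1 }; /* constructed */
	for (size_t i = 0; i < sizeof(starts) / sizeof(starts[0]); i++) {
		int rc = add_from(starts[i]);
		printf("start=%d rc=%d after=%d\n", starts[i], rc,
		       atomic_load(&demo_key.enabled));
	}
	return 0;
}
```

The check and the increment are a single atomic step, so two racing callers at INT_MAX - 1 cannot both succeed; a plain atomic increment followed by a sign test would already have published the wrapped value.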