Commit 1fdf2dea authored May 26, 2022 by Willem de Bruijn Committed by Zheng Zengkai May 26, 2022

ipv6: per-netns exclusive flowlabel checks

stable inclusion
from stable-v5.10.102
commit 4f523f15e5d753ac055302bc29ca9677d6692eed
bugzilla: https://gitee.com/openeuler/kernel/issues/I575QT

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=4f523f15e5d753ac055302bc29ca9677d6692eed

--------------------------------

commit 0b0dff5b upstream.

Ipv6 flowlabels historically require a reservation before use.
Optionally in exclusive mode (e.g., user-private).

Commit 59c820b2 ("ipv6: elide flowlabel check if no exclusive
leases exist") introduced a fastpath that avoids this check when no
exclusive leases exist in the system, and thus any flowlabel use
will be granted.

That allows skipping the control operation to reserve a flowlabel
entirely. Though with a warning if the fast path fails:

This is an optimization. Robust applications still have to revert to
requesting leases if the fast path fails due to an exclusive lease.

Still, this is subtle. Better isolate network namespaces from each
other. Flowlabels are per-netns. Also record per-netns whether
exclusive leases are in use. Then behavior does not change based on
activity in other netns.

Changes
v2
- wrap in IS_ENABLED(CONFIG_IPV6) to avoid breakage if disabled

Fixes: 59c820b2 ("ipv6: elide flowlabel check if no exclusive leases exist")
Link: https://lore.kernel.org/netdev/MWHPR2201MB1072BCCCFCE779E4094837ACD0329@MWHPR2201MB1072.namprd22.prod.outlook.com/

Reported-by: Congyu Liu <liu3101@purdue.edu>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Tested-by: Congyu Liu <liu3101@purdue.edu>
Link: https://lore.kernel.org/r/20220215160037.1976072-1-willemdebruijn.kernel@gmail.com

Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>

parent 2ce5966c

include/net/ipv6.h

+4 −1

Original line number	Diff line number	Diff line
		@@ -390,17 +390,20 @@ static inline void txopt_put(struct ipv6_txoptions *opt)
		kfree_rcu(opt, rcu);
		}

		#if IS_ENABLED(CONFIG_IPV6)
		struct ip6_flowlabel __fl6_sock_lookup(struct sock sk, __be32 label);

		extern struct static_key_false_deferred ipv6_flowlabel_exclusive;
		static inline struct ip6_flowlabel fl6_sock_lookup(struct sock sk,
		__be32 label)
		{
		if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key))
		if (static_branch_unlikely(&ipv6_flowlabel_exclusive.key) &&
		READ_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl))
		return __fl6_sock_lookup(sk, label) ? : ERR_PTR(-ENOENT);

		return NULL;
		}
		#endif

		struct ipv6_txoptions fl6_merge_options(struct ipv6_txoptions opt_space,
		struct ip6_flowlabel *fl,

+5 −0

Original line number	Diff line number	Diff line
		@@ -83,6 +83,11 @@ struct netns_ipv6 {
		unsigned long ip6_rt_last_gc;
		#ifdef CONFIG_IPV6_MULTIPLE_TABLES
		unsigned int fib6_rules_require_fldissect;
		#endif
		#ifndef __GENKSYMS__
		unsigned char flowlabel_has_excl;
		#endif
		#ifdef CONFIG_IPV6_MULTIPLE_TABLES
		bool fib6_has_custom_rules;
		#ifdef CONFIG_IPV6_SUBTREES
		unsigned int fib6_routes_require_src;

+3 −1

Original line number	Diff line number	Diff line
		@@ -450,8 +450,10 @@ fl_create(struct net net, struct sock sk, struct in6_flowlabel_req *freq,
		err = -EINVAL;
		goto done;
		}
		if (fl_shared_exclusive(fl) \|\| fl->opt)
		if (fl_shared_exclusive(fl) \|\| fl->opt) {
		WRITE_ONCE(sock_net(sk)->ipv6.flowlabel_has_excl, 1);
		static_branch_deferred_inc(&ipv6_flowlabel_exclusive);
		}
		return fl;

		done: