From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E72D2C04AB4 for ; Fri, 17 May 2019 20:32:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B26CA2087B for ; Fri, 17 May 2019 20:32:42 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="lUK9iUI4" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727644AbfEQUcl (ORCPT ); Fri, 17 May 2019 16:32:41 -0400 Received: from mail-pf1-f195.google.com ([209.85.210.195]:44837 "EHLO mail-pf1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726757AbfEQUcl (ORCPT ); Fri, 17 May 2019 16:32:41 -0400 Received: by mail-pf1-f195.google.com with SMTP id g9so4191910pfo.11 for ; Fri, 17 May 2019 13:32:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=Pkjjm2IPHEDZQ8vle/ofNfsB0sZa7wj3k6gVceCDCiA=; b=lUK9iUI4m15cUG0MX9JUMy8PEaNCYVAlgOU3o44wcswXLQHi7Ka/+dsraw16vHMg7k TjX/yAvc+I36zqzzh9zbReGqdE2o/yYTsSOckgbBcblRMZIDTWUsROIbMSIx90cdt9LL MO/l8tFzDNXF44+bLoUQp+KMzpMnneWvaHjoSuDcMB50L33QNzVFwKtguCx9WD8kz8bY vmNIz7JyE3IRZd7iXWCrFZlIj0/aSKd1mTIzopRpObyIwO/j+FO0RKkxKu88BdfflTJl xCbT0lEwpDi3lPoWkPx1sbJHLn9HOMX40xaGchERVyRrr5JhVclds/iYgz4BRZoh3IK5 zfFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=Pkjjm2IPHEDZQ8vle/ofNfsB0sZa7wj3k6gVceCDCiA=; b=H1n06Hev66QDHhRKKya/RKP1f9C3FLQIem38EG96wFFCEsBijTrwz5NGSVQh/wvmnd IFFU41mybMJxpDXtcBRv9GGngjYmFereOQyGajwjJBPbrIsCgX0jwGBgin9Q0iU/h/2A O76EvrKZPLu+sPyLqEajMJeJ3TEmp2rQ5PfUyDzLrkhVR5308MS+29qjrw4jfduLQ2Nx 1UkGbTZn+YooDoNYN32AnaAEPKy0HboXWAPi69Kbs5v+p1Z9hj/aFUz39gscD5r55HGB n6cKQ9nE3r0yORr8Y/SJQRTj2stJMi09ubmpiSHuZzZR+5NjR0qcpdHAyUVKIQ5Pv2Hr 3VPw== X-Gm-Message-State: APjAAAVpHHNn0L0WuVzlqhpsI+T4pk2OChCnjgtbNPi1sp0hOb5CAWoR 0sANz24OTY9VslZ+1OYTlQZrv4G5 X-Google-Smtp-Source: APXvYqzSGe/Y3ys8U2aZThcktAjtLHIjZ8UzcnfC/l/5IFe8lJ4DNVlvT8vpiNin6xLhD09LdmIFpw== X-Received: by 2002:a62:5b81:: with SMTP id p123mr64807031pfb.158.1558125160227; Fri, 17 May 2019 13:32:40 -0700 (PDT) Received: from [192.168.86.235] (c-73-241-150-70.hsd1.ca.comcast.net. [73.241.150.70]) by smtp.gmail.com with ESMTPSA id t18sm15538028pgm.69.2019.05.17.13.32.38 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Fri, 17 May 2019 13:32:39 -0700 (PDT) Subject: Re: [PATCH net-next RFC] ipv6: elide flowlabel check if no exclusive leases exist To: Willem de Bruijn , netdev@vger.kernel.org Cc: Willem de Bruijn References: <20190517155625.117835-1-willemdebruijn.kernel@gmail.com> From: Eric Dumazet Message-ID: Date: Fri, 17 May 2019 13:32:33 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <20190517155625.117835-1-willemdebruijn.kernel@gmail.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On 5/17/19 8:56 AM, Willem de Bruijn wrote: > From: Willem de Bruijn > > Processes can request ipv6 flowlabels with cmsg IPV6_FLOWINFO. > If not set, by default an autogenerated flowlabel is selected. > > Explicit flowlabels require a control operation per label plus a > datapath check on every connection (every datagram if unconnected). > > This is particularly expensive on unconnected sockets with many > connections, such as QUIC. > > In the common case, where no lease is exclusive, the check can be > safely elided, as both lease request and check trivially succeed. > Indeed, autoflowlabel does the same (even with exclusive leases). > > Elide the check if no process has requested an exclusive lease. > > This is an optimization. Robust applications still have to revert to > requesting leases if the fast path fails due to an exclusive lease. > > This is decidedly an RFC patch: > - need to update all fl6_sock_lookup callers, not just udp > - behavior should be per-netns isolated > > Other approaches considered: > - a single "get all flowlabels, non-exclusive" flowlabel get request > if set, elide fl6_sock_lookup and fail exclusive lease requests > > - sysctls (only useful if on by default, with static_branch) > A) "non-exclusive mode", failing all exclusive lease requests: > processes already have to be robust against lease failure > B) just bypass check in fl6_sock_lookup, like autoflowlabel > > Signed-off-by: Willem de Bruijn > --- > include/net/ipv6.h | 11 +++++++++++ > net/ipv6/ip6_flowlabel.c | 6 ++++++ > net/ipv6/udp.c | 8 ++++---- > 3 files changed, 21 insertions(+), 4 deletions(-) > > diff --git a/include/net/ipv6.h b/include/net/ipv6.h > index daf80863d3a50..8881cee572410 100644 > --- a/include/net/ipv6.h > +++ b/include/net/ipv6.h > @@ -17,6 +17,7 @@ > #include > #include > #include > +#include > #include > #include > #include > @@ -343,7 +344,17 @@ static inline void txopt_put(struct ipv6_txoptions *opt) > kfree_rcu(opt, rcu); > } > > +extern struct static_key_false ipv6_flowlabel_exclusive; > struct ip6_flowlabel *fl6_sock_lookup(struct sock *sk, __be32 label); > +static inline struct ip6_flowlabel *fl6_sock_verify(struct sock *sk, > + __be32 label) > +{ > + if (static_branch_unlikely(&ipv6_flowlabel_exclusive)) > + return fl6_sock_lookup(sk, label) ? : ERR_PTR(-ENOENT); > + > + return NULL; > +} > + > struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space, > struct ip6_flowlabel *fl, > struct ipv6_txoptions *fopt); > diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c > index be5f3d7ceb966..d5f4233b04e0c 100644 > --- a/net/ipv6/ip6_flowlabel.c > +++ b/net/ipv6/ip6_flowlabel.c > @@ -57,6 +57,8 @@ static DEFINE_SPINLOCK(ip6_fl_lock); > > static DEFINE_SPINLOCK(ip6_sk_fl_lock); > > +DEFINE_STATIC_KEY_FALSE(ipv6_flowlabel_exclusive); > + > #define for_each_fl_rcu(hash, fl) \ > for (fl = rcu_dereference_bh(fl_ht[(hash)]); \ > fl != NULL; \ > @@ -98,6 +100,8 @@ static void fl_free_rcu(struct rcu_head *head) > { > struct ip6_flowlabel *fl = container_of(head, struct ip6_flowlabel, rcu); > > + if (fl->share != IPV6_FL_S_NONE && fl->share != IPV6_FL_S_ANY) > + static_branch_dec(&ipv6_flowlabel_exclusive); static_branch_dec() can not be invoked from a rcu call back. > if (fl->share == IPV6_FL_S_PROCESS) > put_pid(fl->owner.pid); > kfree(fl->opt); > @@ -423,6 +427,8 @@ fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq, > } > fl->dst = freq->flr_dst; > atomic_set(&fl->users, 1); > + if (fl->share != IPV6_FL_S_ANY) > + static_branch_inc(&ipv6_flowlabel_exclusive); Can this be used by unpriv users ? If yes, then you want to use static_key_false_deferred instead