ipv6: guard IPV6_MINHOPCOUNT with a static key

RFC 5082 IPV6_MINHOPCOUNT is rarely used on hosts.

Add a static key to remove from TCP fast path useless code,
and potential cache line miss to fetch tcp_inet6_sk(sk)->min_hopcount

Note that once ip6_min_hopcount static key has been enabled,
it stays enabled until next boot.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index f2d0ecc257bb28e6dd162d180c371e2b0487c8e3..c19bf51ded1d026e795a3f9ae0ff3be766fc174e 100644 (file)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -1092,6 +1092,7 @@ struct in6_addr *fl6_update_dst(struct flowi6 *fl6,
 /*
  *     socket options (ipv6_sockglue.c)
  */
+DECLARE_STATIC_KEY_FALSE(ip6_min_hopcount);
 
 int ipv6_setsockopt(struct sock *sk, int level, int optname, sockptr_t optval,
                    unsigned int optlen);

diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 9c3d28764b5c3a47a73491ea5d656867ece4fed2..41efca817db4228f265235a471449a3790075ce7 100644 (file)
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -55,6 +55,8 @@
 struct ip6_ra_chain *ip6_ra_chain;
 DEFINE_RWLOCK(ip6_ra_lock);
 
+DEFINE_STATIC_KEY_FALSE(ip6_min_hopcount);
+
 int ip6_ra_control(struct sock *sk, int sel)
 {
        struct ip6_ra_chain *ra, *new_ra, **rap;
@@ -950,6 +952,10 @@ done:
                        goto e_inval;
                if (val < 0 || val > 255)
                        goto e_inval;
+
+               if (val)
+                       static_branch_enable(&ip6_min_hopcount);
+
                /* tcp_v6_err() and tcp_v6_rcv() might read min_hopcount
                 * while we are changing it.
                 */

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index c93b2d48bb89a845c880679572c75a8791589525..6945583c0fa48256db5510866342e4aab672fd71 100644 (file)
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -414,10 +414,12 @@ static int tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        if (sk->sk_state == TCP_CLOSE)
                goto out;
 
-       /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
-       if (ipv6_hdr(skb)->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount)) {
-               __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
-               goto out;
+       if (static_branch_unlikely(&ip6_min_hopcount)) {
+               /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
+               if (ipv6_hdr(skb)->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount)) {
+                       __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
+                       goto out;
+               }
        }
 
        tp = tcp_sk(sk);
@@ -1727,10 +1729,13 @@ process:
                        return 0;
                }
        }
-       /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
-       if (hdr->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount)) {
-               __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
-               goto discard_and_relse;
+
+       if (static_branch_unlikely(&ip6_min_hopcount)) {
+               /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
+               if (hdr->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount)) {
+                       __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
+                       goto discard_and_relse;
+               }
        }
 
        if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))