From: Steven Rostedt <rostedt@goodmis.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Neal Cardwell <ncardwell@google.com>,
Eric Dumazet <edumazet@google.com>,
Yuchung Cheng <ycheng@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 43/86] ipv6: use a stronger hash for tcp
Date: Tue, 26 Mar 2013 13:21:42 -0400 [thread overview]
Message-ID: <20130326173606.841406336@goodmis.org> (raw)
In-Reply-To: 20130326172059.136127374@goodmis.org
[-- Attachment #1: 0043-ipv6-use-a-stronger-hash-for-tcp.patch --]
[-- Type: text/plain, Size: 4028 bytes --]
3.6.11.1 stable review patch.
If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 08dcdbf6a7b9d14c2302c5bd0c5390ddf122f664 ]
It looks like its possible to open thousands of TCP IPv6
sessions on a server, all landing in a single slot of TCP hash
table. Incoming packets have to lookup sockets in a very
long list.
We should hash all bits from foreign IPv6 addresses, using
a salt and hash mix, not a simple XOR.
inet6_ehashfn() can also separately use the ports, instead
of xoring them.
Reported-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/net/inet6_hashtables.h | 8 ++++----
include/net/inet_sock.h | 1 +
include/net/ipv6.h | 12 ++++++++++++
net/ipv4/af_inet.c | 9 +++++++--
4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h
index 9e34c87..f071f50 100644
--- a/include/net/inet6_hashtables.h
+++ b/include/net/inet6_hashtables.h
@@ -28,16 +28,16 @@
struct inet_hashinfo;
-/* I have no idea if this is a good hash for v6 or not. -DaveM */
static inline unsigned int inet6_ehashfn(struct net *net,
const struct in6_addr *laddr, const u16 lport,
const struct in6_addr *faddr, const __be16 fport)
{
- u32 ports = (lport ^ (__force u16)fport);
+ u32 ports = (((u32)lport) << 16) | (__force u32)fport;
return jhash_3words((__force u32)laddr->s6_addr32[3],
- (__force u32)faddr->s6_addr32[3],
- ports, inet_ehash_secret + net_hash_mix(net));
+ ipv6_addr_jhash(faddr),
+ ports,
+ inet_ehash_secret + net_hash_mix(net));
}
static inline int inet6_sk_ehashfn(const struct sock *sk)
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
index 613cfa4..8eac4a9 100644
--- a/include/net/inet_sock.h
+++ b/include/net/inet_sock.h
@@ -203,6 +203,7 @@ static inline void inet_sk_copy_descendant(struct sock *sk_to,
extern int inet_sk_rebuild_header(struct sock *sk);
extern u32 inet_ehash_secret;
+extern u32 ipv6_hash_secret;
extern void build_ehash_secret(void);
static inline unsigned int inet_ehashfn(struct net *net,
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 01c34b3..640591f 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -15,6 +15,7 @@
#include <linux/ipv6.h>
#include <linux/hardirq.h>
+#include <linux/jhash.h>
#include <net/if_inet6.h>
#include <net/ndisc.h>
#include <net/flow.h>
@@ -432,6 +433,17 @@ static inline u32 ipv6_addr_hash(const struct in6_addr *a)
#endif
}
+/* more secured version of ipv6_addr_hash() */
+static inline u32 ipv6_addr_jhash(const struct in6_addr *a)
+{
+ u32 v = (__force u32)a->s6_addr32[0] ^ (__force u32)a->s6_addr32[1];
+
+ return jhash_3words(v,
+ (__force u32)a->s6_addr32[2],
+ (__force u32)a->s6_addr32[3],
+ ipv6_hash_secret);
+}
+
static inline bool ipv6_addr_loopback(const struct in6_addr *a)
{
return (a->s6_addr32[0] | a->s6_addr32[1] |
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index fe4582c..26222ed 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -228,8 +228,12 @@ EXPORT_SYMBOL(inet_listen);
u32 inet_ehash_secret __read_mostly;
EXPORT_SYMBOL(inet_ehash_secret);
+u32 ipv6_hash_secret __read_mostly;
+EXPORT_SYMBOL(ipv6_hash_secret);
+
/*
- * inet_ehash_secret must be set exactly once
+ * inet_ehash_secret must be set exactly once, and to a non nul value
+ * ipv6_hash_secret must be set exactly once.
*/
void build_ehash_secret(void)
{
@@ -239,7 +243,8 @@ void build_ehash_secret(void)
get_random_bytes(&rnd, sizeof(rnd));
} while (rnd == 0);
- cmpxchg(&inet_ehash_secret, 0, rnd);
+ if (cmpxchg(&inet_ehash_secret, 0, rnd) == 0)
+ get_random_bytes(&ipv6_hash_secret, sizeof(ipv6_hash_secret));
}
EXPORT_SYMBOL(build_ehash_secret);
--
1.7.10.4
next prev parent reply other threads:[~2013-03-26 17:50 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-26 17:20 [PATCH 00/86] [ANNOUNCE] The new 3.6.11.x short-term extended stable series (stable review) Steven Rostedt
2013-03-26 17:21 ` [PATCH 01/86] sparc: huge_ptep_set_* functions need to call set_huge_pte_at() Steven Rostedt
2013-03-26 17:21 ` [PATCH 02/86] batman-adv: fix random jitter calculation Steven Rostedt
2013-03-26 17:21 ` [PATCH 03/86] inet: Fix kmemleak in tcp_v4/6_syn_recv_sock and dccp_v4/6_request_recv_sock Steven Rostedt
2013-03-26 17:21 ` [PATCH 04/86] net: sched: integer overflow fix Steven Rostedt
2013-03-26 17:21 ` [PATCH 05/86] tcp: fix MSG_SENDPAGE_NOTLAST logic Steven Rostedt
2013-03-26 17:21 ` [PATCH 06/86] tcp: tcp_replace_ts_recent() should not be called from tcp_validate_incoming() Steven Rostedt
2013-03-26 17:21 ` [PATCH 07/86] tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation Steven Rostedt
2013-03-26 17:21 ` [PATCH 08/86] net: prevent setting ttl=0 via IP_TTL Steven Rostedt
2013-03-26 17:21 ` [PATCH 09/86] ipv6: fix the noflags test in addrconf_get_prefix_route Steven Rostedt
2013-03-26 17:21 ` [PATCH 10/86] MAINTAINERS: Stephen Hemminger email change Steven Rostedt
2013-03-26 17:21 ` [PATCH 11/86] ipv6: fix header length calculation in ip6_append_data() Steven Rostedt
2013-03-26 17:21 ` [PATCH 12/86] net: calxedaxgmac: throw away overrun frames Steven Rostedt
2013-03-26 17:21 ` [PATCH 13/86] net/mlx4_en: Fix bridged vSwitch configuration for non SRIOV mode Steven Rostedt
2013-03-26 17:21 ` [PATCH 14/86] net/mlx4_core: Set number of msix vectors under SRIOV mode to firmware defaults Steven Rostedt
2013-03-26 17:21 ` [PATCH 15/86] isdn/gigaset: fix zero size border case in debug dump Steven Rostedt
2013-03-26 17:21 ` [PATCH 16/86] netxen: fix off by one bug in netxen_release_tx_buffer() Steven Rostedt
2013-03-26 17:21 ` [PATCH 17/86] r8169: remove the obsolete and incorrect AMD workaround Steven Rostedt
2013-03-26 17:21 ` [PATCH 18/86] net: loopback: fix a dst refcounting issue Steven Rostedt
2013-03-26 17:21 ` [PATCH 19/86] pktgen: correctly handle failures when adding a device Steven Rostedt
2013-03-26 17:21 ` [PATCH 20/86] ipv6: do not create neighbor entries for local delivery Steven Rostedt
2013-03-26 17:21 ` [PATCH 21/86] via-rhine: Fix bugs in NAPI support Steven Rostedt
2013-03-26 17:21 ` [PATCH 22/86] packet: fix leakage of tx_ring memory Steven Rostedt
2013-03-26 17:21 ` [PATCH 23/86] atm/iphase: rename fregt_t -> ffreg_t Steven Rostedt
2013-03-26 17:21 ` [PATCH 24/86] sctp: refactor sctp_outq_teardown to insure proper re-initalization Steven Rostedt
2013-03-26 17:21 ` [PATCH 25/86] net: sctp: sctp_setsockopt_auth_key: use kzfree instead of kfree Steven Rostedt
2013-03-26 17:21 ` [PATCH 26/86] net: sctp: sctp_endpoint_free: zero out secret key data Steven Rostedt
2013-03-26 17:21 ` [PATCH 27/86] xen/netback: shutdown the ring if it contains garbage Steven Rostedt
2013-03-26 17:21 ` [PATCH 28/86] xen/netback: dont leak pages on failure in xen_netbk_tx_check_gop Steven Rostedt
2013-03-26 17:21 ` [PATCH 29/86] xen/netback: free already allocated memory on failure in xen_netbk_get_requests Steven Rostedt
2013-03-26 17:21 ` [PATCH 30/86] netback: correct netbk_tx_err to handle wrap around Steven Rostedt
2013-03-26 17:21 ` [PATCH 31/86] tcp: frto should not set snd_cwnd to 0 Steven Rostedt
2013-03-26 17:21 ` [PATCH 32/86] tcp: fix for zero packets_in_flight was too broad Steven Rostedt
2013-03-26 17:21 ` [PATCH 33/86] bridge: Pull ip header into skb->data before looking into ip header Steven Rostedt
2013-03-26 17:21 ` [PATCH 34/86] tg3: Avoid null pointer dereference in tg3_interrupt in netconsole mode Steven Rostedt
2013-03-26 17:21 ` [PATCH 35/86] tg3: Fix crc errors on jumbo frame receive Steven Rostedt
2013-03-26 17:21 ` [PATCH 36/86] sunvdc: Fix off-by-one in generic_request() Steven Rostedt
2013-03-26 17:21 ` [PATCH 37/86] bridge: set priority of STP packets Steven Rostedt
2013-03-26 17:21 ` [PATCH 38/86] net: fix infinite loop in __skb_recv_datagram() Steven Rostedt
2013-03-26 17:21 ` [PATCH 39/86] xen-netback: correctly return errors from netbk_count_requests() Steven Rostedt
2013-03-26 17:21 ` [PATCH 40/86] xen-netback: cancel the credit timer when taking the vif down Steven Rostedt
2013-03-26 17:21 ` [PATCH 41/86] net: fix a compile error when SOCK_REFCNT_DEBUG is enabled Steven Rostedt
2013-03-26 17:21 ` [PATCH 42/86] ipv4: fix a bug in ping_err() Steven Rostedt
2013-03-26 17:21 ` Steven Rostedt [this message]
2013-03-26 17:21 ` [PATCH 44/86] sock_diag: Fix out-of-bounds access to sock_diag_handlers[] Steven Rostedt
2013-03-26 17:21 ` [PATCH 45/86] vlan: adjust vlan_set_encap_proto() for its callers Steven Rostedt
2013-03-26 17:21 ` [PATCH 46/86] l2tp: Restore socket refcount when sendmsg succeeds Steven Rostedt
2013-03-26 17:21 ` [PATCH 47/86] rds: limit the size allocated by rds_message_alloc() Steven Rostedt
2013-03-26 17:21 ` [PATCH 48/86] net: ipv6: Dont purge default router if accept_ra=2 Steven Rostedt
2013-03-26 17:21 ` [PATCH 49/86] tcp: fix double-counted receiver RTT when leaving receiver fast path Steven Rostedt
2013-03-26 17:21 ` [PATCH 50/86] tun: add a missing nf_reset() in tun_net_xmit() Steven Rostedt
2013-03-26 17:21 ` [PATCH 51/86] macvlan: Set IFF_UNICAST_FLT flag to prevent unnecessary promisc mode Steven Rostedt
2013-03-26 17:21 ` [PATCH 52/86] netlabel: fix build problems when CONFIG_IPV6=n Steven Rostedt
2013-03-26 17:21 ` [PATCH 53/86] netlabel: correctly list all the static label mappings Steven Rostedt
2013-03-26 17:21 ` [PATCH 54/86] bridging: fix rx_handlers return code Steven Rostedt
2013-03-26 17:21 ` [PATCH 55/86] ipv6: stop multicast forwarding to process interface scoped addresses Steven Rostedt
2013-03-26 17:21 ` [PATCH 56/86] rtnl: fix info leak on RTM_GETLINK request for VF devices Steven Rostedt
2013-03-26 17:21 ` [PATCH 57/86] dcbnl: fix various netlink info leaks Steven Rostedt
2013-03-26 17:21 ` [PATCH 58/86] 6lowpan: Fix endianness issue in is_addr_link_local() Steven Rostedt
2013-03-26 17:21 ` [PATCH 59/86] ipv6: Change skb->data before using icmpv6_notify() to propagate redirect Steven Rostedt
2013-03-26 17:21 ` [PATCH 60/86] mac802154: fix NOHZ local_softirq_pending 08 warning Steven Rostedt
2013-03-26 17:22 ` [PATCH 61/86] sctp: jsctp_sf_eat_sack: fix jprobes function signature mismatch Steven Rostedt
2013-03-26 17:22 ` [PATCH 62/86] macvlan: fix macvlan_get_size() Steven Rostedt
2013-03-26 17:22 ` [PATCH 63/86] tcp: fix incorrect LOCKDROPPEDICMPS counter Steven Rostedt
2013-03-26 17:22 ` [PATCH 64/86] IP_GRE: Fix kernel panic in IP_GRE with GRE csum Steven Rostedt
2013-03-27 4:28 ` Ben Hutchings
2013-03-27 4:35 ` Steven Rostedt
2013-03-26 17:22 ` [PATCH 65/86] ipv4: Remove output route check in ipv4_mtu Steven Rostedt
2013-03-26 17:22 ` [PATCH 66/86] ipv4: Dont update the pmtu on mtu locked routes Steven Rostedt
2013-03-26 17:22 ` [PATCH 67/86] ipv6: Add an error handler for icmp6 Steven Rostedt
2013-03-26 17:22 ` [PATCH 68/86] ipv4: Invalidate the socket cached route on pmtu events if possible Steven Rostedt
2013-03-26 17:22 ` [PATCH 69/86] ipv4: Add a socket release callback for datagram sockets Steven Rostedt
2013-03-26 17:22 ` [PATCH 70/86] ipv4: Fix route refcount on pmtu discovery Steven Rostedt
2013-03-26 17:22 ` [PATCH 71/86] tcp: detect SYN/data drop when F-RTO is disabled Steven Rostedt
2013-03-26 17:22 ` [PATCH 72/86] tcp: fix an infinite loop in tcp_slow_start() Steven Rostedt
2013-03-26 17:22 ` [PATCH 73/86] tcp: dont abort splice() after small transfers Steven Rostedt
2013-03-26 17:22 ` [PATCH 74/86] tcp: splice: fix an infinite loop in tcp_read_sock() Steven Rostedt
2013-03-26 17:22 ` [PATCH 75/86] tcp: fix splice() and tcp collapsing interaction Steven Rostedt
2013-03-26 17:22 ` [PATCH 76/86] net: splice: avoid high order page splitting Steven Rostedt
2013-03-26 17:22 ` [PATCH 77/86] net: splice: fix __splice_segment() Steven Rostedt
2013-03-26 17:22 ` [PATCH 78/86] sparc64: Add missing HAVE_ARCH_TRANSPARENT_HUGEPAGE Steven Rostedt
2013-03-26 17:22 ` [PATCH 79/86] sparc64: Fix gfp_flags setting in tsb_grow() Steven Rostedt
2013-03-26 17:22 ` [PATCH 80/86] xfrm: release neighbor upon dst destruction Steven Rostedt
2013-03-26 17:22 ` [PATCH 81/86] ppp: set qdisc_tx_busylock to avoid LOCKDEP splat Steven Rostedt
2013-03-26 17:22 ` [PATCH 82/86] ipv6: fix race condition regarding dst->expires and dst->from Steven Rostedt
2013-03-26 17:22 ` [PATCH 83/86] ipv4: fix error handling in icmp_protocol Steven Rostedt
2013-03-26 17:22 ` [PATCH 84/86] tcp: fix SYN-data space mis-accounting Steven Rostedt
2013-03-26 17:22 ` [PATCH 85/86] mlx4_en: fix allocation of CPU affinity reverse-map Steven Rostedt
2013-03-28 8:47 ` Amir Vadai
2013-03-26 17:22 ` [PATCH 86/86] team: unsyc the devices addresses when port is removed Steven Rostedt
2013-03-26 17:46 ` [PATCH 00/86] [ANNOUNCE] The new 3.6.11.x short-term extended stable series (stable review) Steven Rostedt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130326173606.841406336@goodmis.org \
--to=rostedt@goodmis.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ncardwell@google.com \
--cc=stable@vger.kernel.org \
--cc=ycheng@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox