From: Greg KH <greg@kroah.com>
To: Florian Westphal <fw@strlen.de>
Cc: stable@vger.kernel.org, vakul.garg@nxp.com,
	netdev@vger.kernel.org,
	Kristian Evensen <kristian.evensen@gmail.com>,
	Steffen Klassert <steffen.klassert@secunet.com>
Subject: Re: [PATCH 4.14.y stable] xfrm: policy: remove pcpu policy cache
Date: Thu, 22 Aug 2019 06:09:41 -0700
Message-ID: <20190822130941.GA15754@kroah.com>
In-Reply-To: <20190822112109.13269-1-fw@strlen.de>

On Thu, Aug 22, 2019 at 01:21:09PM +0200, Florian Westphal wrote:
> commit e4db5b61c572475bbbcf63e3c8a2606bfccf2c9d upstream.
> 
> Kristian Evensen says:
>   In a project I am involved in, we are running ipsec (Strongswan) on
>   different mt7621-based routers. Each router is configured as an
>   initiator and has around ~30 tunnels to different responders (running
>   on misc. devices). Before the flow cache was removed (kernel 4.9), we
>   got a combined throughput of around 70Mbit/s for all tunnels on one
>   router. However, we recently switched to kernel 4.14 (4.14.48), and
>   the total throughput is somewhere around 57Mbit/s (best-case). I.e., a
>   drop of around 20%. Reverting the flow cache removal restores, as
>   expected, performance levels to that of kernel 4.9.
> 
> When pcpu xdst exists, it has to be validated first before it can be
> used.
> 
> A negative hit thus increases cost vs. no-cache.
> 
> As number of tunnels increases, hit rate decreases so this pcpu caching
> isn't a viable strategy.
> 
> Furthermore, the xdst cache also needs to run with BH off, so when
> removing this the bh disable/enable pairs can be removed too.
> 
> Kristian tested a 4.14.y backport of this change and reported
> increased performance:
> 
>   In our tests, the throughput reduction has been reduced from around -20%
>   to -5%. We also see that the overall throughput is independent of the
>   number of tunnels, while before the throughput was reduced as the number
>   of tunnels increased.
> 
> Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> ---
>  Vakul Garg reports traffic going via ipsec tunnels will cause the kernel
>  to spin in an infinite loop due to xfrm policy reference count
>  overflowing and becoming 0.
>  The refcount leak is in the pcpu cache.  Instead of fixing this, just
>  remove the pcpu cache -- it's not present in any other stable release.
>  Vakul reported that this patch fixes the problem.
> 
>  There are no major deviations from the upstream revert; conflicts
>  were only due to context.

Now queued up, does 4.9.y also need this?

thanks,

greg k-h


Thread overview: 15+ messages
2019-08-19 12:55 Help needed - Kernel lockup while running ipsec Vakul Garg
2019-08-19 17:38 ` Florian Westphal
2019-08-20  9:10   ` Vakul Garg
2019-08-20  9:23     ` Florian Westphal
2019-08-20  9:26       ` Vakul Garg
2019-08-20  9:30         ` Vakul Garg
2019-08-20  9:38         ` Florian Westphal
2019-08-20  9:52           ` Vakul Garg
2019-08-20 10:38             ` Vakul Garg
2019-08-21  7:37               ` Vakul Garg
2019-08-21 16:11                 ` Florian Westphal
2019-08-22 10:23                   ` Vakul Garg
2019-08-22 11:21                     ` [PATCH 4.14.y stable] xfrm: policy: remove pcpu policy cache Florian Westphal
2019-08-22 13:09                       ` Greg KH [this message]
2019-08-22 13:37                         ` Florian Westphal
