From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED, USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E1D7C3A5A2 for ; Thu, 22 Aug 2019 13:37:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F26D8233A0 for ; Thu, 22 Aug 2019 13:37:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389143AbfHVNhQ (ORCPT ); Thu, 22 Aug 2019 09:37:16 -0400 Received: from Chamillionaire.breakpoint.cc ([193.142.43.52]:46740 "EHLO Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725797AbfHVNhP (ORCPT ); Thu, 22 Aug 2019 09:37:15 -0400 Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92) (envelope-from ) id 1i0nH5-0003qU-MC; Thu, 22 Aug 2019 15:37:11 +0200 Date: Thu, 22 Aug 2019 15:37:11 +0200 From: Florian Westphal To: Greg KH Cc: Florian Westphal , stable@vger.kernel.org, vakul.garg@nxp.com, netdev@vger.kernel.org, Kristian Evensen , Steffen Klassert Subject: Re: [PATCH 4.14.y stable] xfrm: policy: remove pcpu policy cache Message-ID: <20190822133711.GG20113@breakpoint.cc> References: <20190822112109.13269-1-fw@strlen.de> <20190822130941.GA15754@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190822130941.GA15754@kroah.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Greg KH wrote: > On Thu, Aug 22, 2019 at 01:21:09PM +0200, Florian Westphal wrote: > > commit e4db5b61c572475bbbcf63e3c8a2606bfccf2c9d upstream. > > > > Kristian Evensen says: > > In a project I am involved in, we are running ipsec (Strongswan) on > > different mt7621-based routers. Each router is configured as an > > initiator and has around ~30 tunnels to different responders (running > > on misc. devices). Before the flow cache was removed (kernel 4.9), we > > got a combined throughput of around 70Mbit/s for all tunnels on one > > router. However, we recently switched to kernel 4.14 (4.14.48), and > > the total throughput is somewhere around 57Mbit/s (best-case). I.e., a > > drop of around 20%. Reverting the flow cache removal restores, as > > expected, performance levels to that of kernel 4.9. > > > > When pcpu xdst exists, it has to be validated first before it can be > > used. > > > > A negative hit thus increases cost vs. no-cache. > > > > As number of tunnels increases, hit rate decreases so this pcpu caching > > isn't a viable strategy. > > > > Furthermore, the xdst cache also needs to run with BH off, so when > > removing this the bh disable/enable pairs can be removed too. > > > > Kristian tested a 4.14.y backport of this change and reported > > increased performance: > > > > In our tests, the throughput reduction has been reduced from around -20% > > to -5%. We also see that the overall throughput is independent of the > > number of tunnels, while before the throughput was reduced as the number > > of tunnels increased. > > > > Reported-by: Kristian Evensen > > Signed-off-by: Florian Westphal > > Signed-off-by: Steffen Klassert > > --- > > Vakul Garg reports traffic going via ipsec tunnels will cause the kernel > > to spin in an infinite loop due to xfrm policy reference count > > overflowing and becoming 0. > > The refcount leak is in the pcpu cache. Instead of fixing this, just > > remove the pcpu cache -- its not present in any other stable release. > > Vakul reported that this patch fixes the problem. > > > > There are no major deviations from the upstream revert; conflicts > > were only due to context. > > Now queued up, does 4.9.y also need this? No, 4.14 was the first kernel with this thing and its already gone in 4.19.