From: Florian Westphal <fw@strlen.de>
To: "Maciej Żenczykowski" <maze@google.com>
Cc: Florian Westphal <fw@strlen.de>,
netdev@vger.kernel.org, Nathan Harold <nharold@google.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
Yan Yan <evitayan@google.com>
Subject: Re: [PATCH ipsec] xfrm: migrate: work around 0 if_id on migrate
Date: Thu, 17 Oct 2024 12:52:51 +0200 [thread overview]
Message-ID: <20241017105251.GA12005@breakpoint.cc> (raw)
In-Reply-To: <CANP3RGeeR9vso0MyjRhFuTmx5K7ttt0bisHucce0ONeJotXOZw@mail.gmail.com>
Maciej Żenczykowski <maze@google.com> wrote:
> > +found:
> > /* Stage 2 - find and update state(s) */
> > for (i = 0, mp = m; i < num_migrate; i++, mp++) {
> > if ((x = xfrm_migrate_state_find(mp, net, if_id))) {
> > --
> > 2.45.2
> >
>
> Q: Considering the performance impact... would it make sense to hide
> this behind a sysctl or a kconfig?
Kconfig? I don't think so, all distros except Android would turn it on.
> Yan Yan: Also, while I know we found this issue in Android... do we
> actually need the fix? Wasn't the adjustment to netd sufficient?
> Android <16 doesn't support >6.6 anyway, and Android 16 should already
> have the netd fix...
... seems you already fixed this, so I suspect this slowpath won't ever
run in your case.
Following relevant cases exist:
1. Userspace asks to migrate existing policy, provides if_id > 0.
-> slowpath is elided.
2. Userspace asks to migrate existing policy, the policy is NOT for
xfrm_interface, -> slowpath is also elided because first attempt
finds the if_id 0 policy.
3. Like 1, but userspace does not set the if_id.
-> slowpath runs, BUT without it migration would not work.
4. Like 2, but the policy doesn't exist.
-> slowpath runs and slows things down for no reason.
For 1 and 2 even sysctl knob is irrelevant.
For 3, sysctl knob is *technically* irrelevant, either migrate is
broken (sysctl off) or its on and policy migrate will work.
This also hints we'd have to turn such sysctl on by default...
For 4, sysctl could be used to disable/avoid such slowdown.
But I'm not sure this is a relevant scenario in practice, aside
from fuzzers, AND it breaks 3) again if its off.
So I don't see a need to provide a config knob or a sysctl
that would have to be on by default...
If you think a Kconfig knob makes sense for Android sake I can respin
with such a knob, but I think I'd have to make it default-y.
next prev parent reply other threads:[~2024-10-17 10:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-17 9:43 [PATCH ipsec] xfrm: migrate: work around 0 if_id on migrate Florian Westphal
2024-10-17 10:39 ` Maciej Żenczykowski
2024-10-17 10:52 ` Florian Westphal [this message]
2024-10-17 11:03 ` Maciej Żenczykowski
2024-10-17 11:33 ` Florian Westphal
2024-10-17 13:21 ` Maciej Żenczykowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241017105251.GA12005@breakpoint.cc \
--to=fw@strlen.de \
--cc=evitayan@google.com \
--cc=maze@google.com \
--cc=netdev@vger.kernel.org \
--cc=nharold@google.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).