
ipsec: replace SECASVAR mtx by rmlock
ClosedPublic

Authored by kp on Jul 10 2022, 11:26 AM.

Details

Summary

This mutex is a significant point of contention in the ipsec code, and
can be relatively trivially replaced by a read-mostly lock.
It does require a separate lock for the replay protection, which we do
here by adding a separate mutex.

This improves throughput (without replay protection) by 10-15%.

Sponsored by: Orange Business Services

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

kp requested review of this revision. Jul 10 2022, 11:26 AM

This is a largely mechanical substitution, there's going to be room for further improvement, but it's a somewhat significant gain already so it's worth doing anyway.

There are some places where the current locking looks odd to me, but I've not yet been able to dig further. This change doesn't improve that, but also doesn't make it any worse.

mjg added inline comments.
sys/netipsec/xform_ah.c, line 968

this is an example why the patch in the current form does not work: replay count gets bumped without the lock by many cpus at the same time. all places of the sort will need to be converted to use atomics. Specifically this one will unfortunately need to be a fcmpset loop to make sure you don't bump across the limit.

i was looking at replacing this lock myself and my general idea was to use sequence counters. it would avoid degeneration from IPIs on write locking (although I don't know how frequently that's needed) and be faster single-threaded at least on amd64. However, it may happen to be slower on arm64 as it requires 2 load fences.
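The bounded increment described in the inline comment above, as an added example that is not part of this review or of the FreeBSD source: a userspace C11 stand-in in which `atomic_compare_exchange_weak` plays the role of the kernel's fcmpset, shown next to a fixed two-CPU interleaving of the unlocked check-then-increment. `struct replay_state`, `SEQ_LIMIT`, `race_interleaving` and `seq_next` are hypothetical names, and the limit of `UINT32_MAX` is an assumption.

```c
/* Added example: userspace C11 stand-in, not FreeBSD kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SEQ_LIMIT UINT32_MAX	/* assumed: highest usable sequence number */
struct replay_state { _Atomic uint32_t count; };	/* hypothetical replay state */

/* Check-then-increment with no lock, replayed as a fixed interleaving of
 * two CPUs: both pass the limit check, then both increment. */
static uint32_t
race_interleaving(void)
{
	struct replay_state r;
	atomic_init(&r.count, SEQ_LIMIT - 1);
	bool a_ok = atomic_load(&r.count) != SEQ_LIMIT;	/* CPU A: check passes */
	bool b_ok = atomic_load(&r.count) != SEQ_LIMIT;	/* CPU B: check passes */
	if (a_ok)
		atomic_fetch_add(&r.count, 1);	/* A: count == SEQ_LIMIT */
	if (b_ok)
		atomic_fetch_add(&r.count, 1);	/* B: crosses the limit, wraps to 0 */
	return (atomic_load(&r.count));
}

/* Bounded increment: limit check and bump succeed or fail as one step. */
static bool
seq_next(struct replay_state *r, uint32_t *seq)
{
	uint32_t old = atomic_load(&r->count);
	do {
		if (old == SEQ_LIMIT)
			return (false);	/* exhausted; count is left untouched */
		/* On failure 'old' holds the current value: re-check and retry. */
	} while (!atomic_compare_exchange_weak(&r->count, &old, old + 1));
	*seq = old + 1;
	return (true);
}

int
main(void)
{
	struct replay_state r;
	uint32_t seq = 0;
	atomic_init(&r.count, SEQ_LIMIT - 1);
	bool first = seq_next(&r, &seq);	/* takes the last number */
	bool second = seq_next(&r, &seq);	/* refused at the limit */
	printf("interleaved count=%u cas: first=%d seq=%u second=%d\n",
	    (unsigned)race_interleaving(), first, (unsigned)seq, second);
	return (0);
}
```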

Ensure that all uses of 'replay' are protected by the replay mutex.

This revision was not accepted when it landed; it landed in state Needs Review. Jul 19 2022, 3:28 AM
This revision was automatically updated to reflect the committed changes.