From: Tariq Toukan <ttoukan.linux@gmail.com>
To: Jakub Kicinski <kuba@kernel.org>, davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com,
borisp@nvidia.com, john.fastabend@gmail.com, maximmi@nvidia.com,
tariqt@nvidia.com, vfedorenko@novek.ru,
Gal Pressman <gal@nvidia.com>, Saeed Mahameed <saeedm@nvidia.com>
Subject: Re: [PATCH net-next v3 7/7] tls: rx: do not use the standard strparser
Date: Thu, 9 Mar 2023 17:15:26 +0200 [thread overview]
Message-ID: <3c9eaf1b-b9eb-ed06-076a-de9a36d0993f@gmail.com> (raw)
In-Reply-To: <20220722235033.2594446-8-kuba@kernel.org>
On 23/07/2022 2:50, Jakub Kicinski wrote:
> TLS is a relatively poor fit for strparser. We pause the input
> every time a message is received, wait for a read which will
> decrypt the message, start the parser, repeat. strparser is
> built to delineate the messages, wrap them in individual skbs
> and let them float off into the stack or a different socket.
> TLS wants the data pages and nothing else. There's no need
> for TLS to keep cloning (and occasionally skb_unclone()'ing)
> the TCP rx queue.
>
> This patch uses a pre-allocated skb and attaches the skbs
> from the TCP rx queue to it as frags. TLS is careful never
> to modify the input skb without CoW'ing / detaching it first.
>
> Since we call TCP rx queue cleanup directly we also get back
> the benefit of skb deferred free.
>
> Overall this results in a 6% gain in my benchmarks.
>
> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Hi Jakub,
A few fixes were introduced for this patch, but it seems to still cause
issues.
I'm running simple client/server test with wrk and nginx and TLS RX
device offload on.
It fails with TlsDecryptError on the client side for the large file
(256000b), while succeeding for the small one (10000b). See repro
details below.
I narrowed the issue down to this offending patch, by applying a few
reverts (had to solve trivial conflicts):
Revert "tls: rx: do not use the standard strparser"
Revert "tls: rx: fix the false positive warning"
Revert "tls: rx: device: bound the frag walk"
Revert "tls: rx: device: don't try to copy too much on detach"
Revert "tls: rx: react to strparser initialization errors"
Revert "tls: strp: make sure the TCP skbs do not have overlapping data"
The error is caught by the if below, inside gcmaes_decrypt.
819 /* Compare generated tag with passed in tag. */
820 if (crypto_memneq(auth_tag_msg, auth_tag, auth_tag_len)) {
821 memzero_explicit(auth_tag, sizeof(auth_tag));
822 return -EBADMSG;
823 }
but I couldn't yet identify the root cause.
Any idea what could it be?
Reproduction:
$ ethtool --features eth2 tls-hw-rx-offload on
$ wrk_openssl_3_0_0 -b2.2.2.2 -t10 -c1000 -d5 --timeout 5s
https://2.2.2.3:20443/10000b.img
Running 5s test @ https://2.2.2.3:20443/10000b.img
10 threads and 1000 connections
Ready 8/10
Ready 2/10
Ready 9/10
Ready 3/10
Ready 4/10
Ready 6/10
Ready 0/10
Ready 1/10
Ready 7/10
Ready 5/10
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Thread Stats Avg Stdev Max +/- Stdev
Latency 112.97ms 19.05ms 160.31ms 80.71%
Req/Sec 0.88k 122.34 1.07k 61.86%
37495 requests in 5.06s, 366.24MB read
Requests/sec: 7415.86
Transfer/sec: 72.44MB
$ cat /proc/net/tls_stat
TlsCurrTxSw 0
TlsCurrRxSw 0
TlsCurrTxDevice 0
TlsCurrRxDevice 0
TlsTxSw 0
TlsRxSw 0
TlsTxDevice 1000
TlsRxDevice 1000
TlsDecryptError 0
TlsRxDeviceResync 1000
TlsDecryptRetry 0
TlsRxNoPadViolation 0
$ wrk_openssl_3_0_0 -b2.2.2.2 -t10 -c1000 -d5 --timeout 5s
https://2.2.2.3:20443/256000b.img
Running 5s test @ https://2.2.2.3:20443/256000b.img
10 threads and 1000 connections
Ready 6/10
Ready 2/10
Ready 7/10
Ready 9/10
Ready 1/10
Ready 4/10
Ready 8/10
Ready 3/10
Ready 5/10
Ready 0/10
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Ready all
Thread Stats Avg Stdev Max +/- Stdev
Latency 3.94s 106.78ms 4.10s 50.00%
Req/Sec 0.67 0.82 2.00 83.33%
38 requests in 7.71s, 154.14MB read
Socket errors: connect 0, read 1810, write 0, timeout 0
Requests/sec: 4.93
Transfer/sec: 19.98MB
$ cat /proc/net/tls_stat
TlsCurrTxSw 0
TlsCurrRxSw 0
TlsCurrTxDevice 0
TlsCurrRxDevice 0
TlsTxSw 0
TlsRxSw 0
TlsTxDevice 3810
TlsRxDevice 3810
TlsDecryptError 3634
TlsRxDeviceResync 3060
TlsDecryptRetry 0
TlsRxNoPadViolation 0
More monitors:
$ bpftrace -e 'kretprobe:generic_gcmaes_decrypt { @retval[retval] =
count(); }'
Attaching 1 probe...
^C
@retval[4294967222]: 2067
@retval[0]: 26143
$ bpftrace -e 'kprobe:generic_gcmaes_decrypt { @[kstack] = count(); }'
Attaching 1 probe...
^C
@[
generic_gcmaes_decrypt+1
tls_decrypt_sg+1258
tls_rx_one_record+72
tls_sw_recvmsg+870
inet_recvmsg+71
sock_recvmsg+68
____sys_recvmsg+111
___sys_recvmsg+126
__sys_recvmsg+78
do_syscall_64+61
entry_SYSCALL_64_after_hwframe+70
]: 27623
next prev parent reply other threads:[~2023-03-09 15:16 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-22 23:50 [PATCH net-next v3 0/7] tls: rx: decrypt from the TCP queue Jakub Kicinski
2022-07-22 23:50 ` [PATCH net-next v3 1/7] tls: rx: wrap recv_pkt accesses in helpers Jakub Kicinski
2022-07-22 23:50 ` [PATCH net-next v3 2/7] tls: rx: factor SW handling out of tls_rx_one_record() Jakub Kicinski
2022-07-22 23:50 ` [PATCH net-next v3 3/7] tls: rx: don't free the output in case of zero-copy Jakub Kicinski
2022-07-22 23:50 ` [PATCH net-next v3 4/7] tls: rx: device: keep the zero copy status with offload Jakub Kicinski
2022-07-22 23:50 ` [PATCH net-next v3 5/7] tcp: allow tls to decrypt directly from the tcp rcv queue Jakub Kicinski
2022-07-22 23:50 ` [PATCH net-next v3 6/7] tls: rx: device: add input CoW helper Jakub Kicinski
2022-07-22 23:50 ` [PATCH net-next v3 7/7] tls: rx: do not use the standard strparser Jakub Kicinski
2022-07-26 9:27 ` Paolo Abeni
2022-07-26 17:01 ` Jakub Kicinski
2022-07-26 17:26 ` Paolo Abeni
2022-08-02 14:54 ` Tariq Toukan
2022-08-02 15:40 ` Jakub Kicinski
2022-08-04 1:24 ` Jakub Kicinski
2022-08-04 6:13 ` Tariq Toukan
2022-08-04 8:05 ` Tariq Toukan
2022-08-04 15:35 ` Jakub Kicinski
2022-08-07 6:01 ` Tariq Toukan
2022-08-04 15:59 ` Jakub Kicinski
2022-08-07 6:01 ` Tariq Toukan
2022-08-08 5:24 ` Tariq Toukan
2022-08-08 18:24 ` Jakub Kicinski
2022-08-09 8:47 ` Tariq Toukan
2023-03-09 15:15 ` Tariq Toukan [this message]
2023-03-09 17:54 ` Jakub Kicinski
2023-03-12 17:59 ` Tariq Toukan
2023-03-13 18:22 ` Jakub Kicinski
2023-03-15 20:26 ` Tariq Toukan
2023-03-16 1:41 ` Jakub Kicinski
2022-07-26 22:00 ` [PATCH net-next v3 0/7] tls: rx: decrypt from the TCP queue patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3c9eaf1b-b9eb-ed06-076a-de9a36d0993f@gmail.com \
--to=ttoukan.linux@gmail.com \
--cc=borisp@nvidia.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gal@nvidia.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=maximmi@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=saeedm@nvidia.com \
--cc=tariqt@nvidia.com \
--cc=vfedorenko@novek.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.