Page MenuHomeFreeBSD
Differential D30908

ktls: automatically disable inline hw (aka ifnet) ktls offload when TCP rexmits are high
ClosedPublic
Actions

Authored by gallatin on Jun 25 2021, 9:46 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sun, Nov 10, 9:18 AM
Unknown Object (File)
Sun, Nov 10, 2:15 AM
Unknown Object (File)
Sat, Nov 9, 9:31 AM
Unknown Object (File)
Wed, Oct 23, 1:13 AM
Unknown Object (File)
Sat, Oct 19, 8:13 PM
Unknown Object (File)
Sat, Oct 19, 12:11 AM
Unknown Object (File)
Sat, Oct 19, 12:11 AM
Unknown Object (File)
Sat, Oct 19, 12:11 AM
View All Files
Subscribers
melifaro

Details

Reviewers
hselasky
jhb
markj
rrs
tuexen
Group Reviewers
transport
Commits
rG28d0a740dd9a: ktls: auto-disable ifnet (inline hw) kTLS
Summary

Inline hardware TLS offload is efficient in most NIC implementations only when packets are transmitted in order. When packets are transmitted in order, the NIC can track encryption state between transmits. However, when packets are transmitted out of order, as they are during a TCP re-transmit, then the NIC needs to re-establish encryption state by re-DMA'ing the entire TLS record up to and including the segment that TCP is re-transmitting. The worse case is when a TCP segment falls at the end of a full-sized 16KB TLS record. In that case, we're DMA'ing over 10x as much data as we're sending in order to properly encrypt the re-transmitted bytes. If this happens too often, this can easily overwhelm the PCIe bus and starve the NIC for PCIe bandwidth.

This change adds a tunable & sysctl , kern.ipc.tls.ifnet_max_rexmit. This specifies the maximum percentage bytes that can be re-transmitted on a TCP connection before we automatically disable inline hw (aka ifnet) ktls offload for that connection and switch it to software ktls. This dramatically reduces output drops and increases bandwidth on Netflix servers using ifnet ktls offload with Mellanox CX6-DX NICs, and allows us to get much closer to the link bandwidth.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

gallatin created this revision.Jun 25 2021, 9:46 PM
Herald added a reviewer: transport. · View Herald TranscriptJun 25 2021, 9:46 PM
Herald added a subscriber: melifaro. · View Herald Transcript
gallatin requested review of this revision.Jun 25 2021, 9:46 PM
gallatin updated this revision to Diff 91410.Jun 27 2021, 1:34 PM

Moved the sorele() to after the call into tfb_hwtls_change(), as the sorele() may end up calling pru_detach() in sofree. This could release TCP state, causing an invalid tcpcb, leading to a panic when trying to call into the tcp function block.

markj added inline comments.Jun 27 2021, 2:15 PM
sys/kern/uipc_ktls.c
125

IMHO the name could be more descriptive, like ktls_hw_ifnet_max_rexmit_pct. That might be a bit long, but I'd at least add _pct.

2226

Is it possible for the sock ref to be leaked here?

2246

Above we handle the case so == NULL but here we dereference so unconditionally.

2258

It might be worth adding an explanation of exactly why it's beneficial to switch.

2271

SOCK_LOCK will assert if the socket lock is already held.

hselasky added a comment.Jun 28 2021, 3:10 PM

Where are you draining the ktls_disable_ifnet_help() function?

sys/kern/uipc_ktls.c
2204

Extra space here.

2241

Empty line here can be removed.

hselasky added a comment.Jun 28 2021, 3:18 PM

If you are not draining, then probably should protect all code with the network EPOCH at least.

gallatin added a comment.Jun 28 2021, 3:37 PM
In D30908#695725, @hselasky wrote:

Where are you draining the ktls_disable_ifnet_help() function?

I'm not. No draining is done for the reset tag task either. This is part of the core kernel, and no effort has been made to drain things at shutdown.

hselasky added a comment.Jun 28 2021, 3:59 PM
In D30908#695736, @gallatin wrote:
In D30908#695725, @hselasky wrote:

Where are you draining the ktls_disable_ifnet_help() function?

I'm not. No draining is done for the reset tag task either. This is part of the core kernel, and no effort has been made to drain things at shutdown.

What prevents the CPU from working on a freed INP?

gallatin updated this revision to Diff 91479.Jun 28 2021, 11:57 PM

Incorporated review feedback

gallatin marked 7 inline comments as done.Jun 29 2021, 12:00 AM
gallatin added inline comments.
sys/kern/uipc_ktls.c
2226

Good catch. I've re-structured things to fix that.

2271

Thanks; removed

gallatin marked 2 inline comments as done.Jun 29 2021, 12:00 AM
In D30908#695729, @hselasky wrote:

If you are not draining, then probably should protect all code with the network EPOCH at least.

Done

gallatin updated this revision to Diff 91503.Jun 29 2021, 4:16 PM

Remove epoch until i'm certain its needed, it introduces a lot of complexity and at least ktls_set_tx_mode() does not require epoch (as it sleeps)

hselasky added a comment.Jun 29 2021, 7:26 PM

Hi Drew,

I don't understand how you keep the asynchronous callback in sync with the state of the INP. The INP could have been freed and allocated by another TCP TLS connection by the time it gets execution time!

At some point you need to drain this callback, like we do with callout timers!

--HPS

hselasky added a comment.Jun 29 2021, 7:29 PM

Answering my own question: Is the in_pcbref() supposed to prevent the structure for going away? Then it looks good.

hselasky added inline comments.Jun 29 2021, 7:31 PM
sys/netinet/tcp_var.h
1161

Is signed with unsigned comparison OK here? Or should ktls_ifnet_max_rexmit_pct be made unsigned aswell?

hselasky added inline comments.Jun 29 2021, 7:32 PM
sys/kern/uipc_ktls.c
125

Probably want to make this unsigned.

sys/netinet/tcp_var.h
1160

I think you should have a check for division by zero??

gallatin updated this revision to Diff 91592.Jun 30 2021, 11:00 PM

Made ktls_ifnet_max_rexmit_pct unsigned as requested by Hans

gallatin marked 2 inline comments as done.Jun 30 2021, 11:02 PM
gallatin added inline comments.
sys/netinet/tcp_var.h
1160

I don't think thats needed. The denominator is tp->t_snd_rxt_bytes + tp->t_sndbytes; and this is only called when rxt bytes is updated, so I don't see how the sum could be zero.

gallatin added a comment.Jun 30 2021, 11:09 PM
In D30908#696274, @hselasky wrote:

Answering my own question: Is the in_pcbref() supposed to prevent the structure for going away? Then it looks good.

Yes, that's what the ref is for.

markj added a comment.Jul 5 2021, 12:35 PM

Looks ok to me, my comments are mostly style nits.

sys/kern/uipc_ktls.c
2206
2223

The pcb is only detached when the socket is about to be freed, but the socket reference taken earlier prevents that. So I think this should assert inp_socket != NULL instead. Otherwise it looks like the sock ref is leaked, but it isn't, unless I'm missing something.

2268
2292
2299
sys/netinet/tcp_var.h
45

opt_* includes should be sorted before the others.

1158

Extra newline.

gallatin updated this revision to Diff 91808.Jul 5 2021, 4:13 PM
  • Address Mark's review feedback
  • Re-check inp flags before calling into the tcp function block, as ktls_set_tx_mode() drops the inp_wlock, which can result in the connection being closed. I had a panic on a test machine due to not checking the flags last night.
gallatin marked 6 inline comments as done.Jul 5 2021, 4:15 PM
gallatin added inline comments.
sys/kern/uipc_ktls.c
2223

Yes, I see what you mean. I've replaced the check with an assert. This also simplifies the error handling, as a separate label is no longer needed.

hselasky added inline comments.Jul 5 2021, 4:16 PM
sys/kern/uipc_ktls.c
125

Missing "static" here?

gallatin marked an inline comment as done.Jul 5 2021, 4:24 PM
gallatin added inline comments.
sys/kern/uipc_ktls.c
125

No, this need to be global. tcp_account_for_send() accesses it. This is why it is in sys/ktls.h

hselasky accepted this revision.Jul 5 2021, 4:27 PM

Looks good to me.

markj accepted this revision.Jul 5 2021, 9:27 PM
rrs accepted this revision.Jul 6 2021, 1:04 PM
This revision is now accepted and ready to land.Jul 6 2021, 1:04 PM
Closed by commit rG28d0a740dd9a: ktls: auto-disable ifnet (inline hw) kTLS (authored by gallatin). · Explain WhyJul 6 2021, 2:29 PM
This revision was automatically updated to reflect the committed changes.
gallatin added a commit: rG28d0a740dd9a: ktls: auto-disable ifnet (inline hw) kTLS.

Revision Contents
Changeset List

PathSize
sys/
kern/
107 lines
netinet/
13 lines
sys/
15 lines

Diff 91882

View Options

sys/kern/uipc_ktls.c

Loading...
View Options

sys/netinet/tcp_var.h

Loading...
View Options

sys/sys/ktls.h

Loading...