Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp1746079rdh;
        Tue, 26 Sep 2023 02:09:36 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IFkSbNTECNDdL9ppDJ5lILxUHRKT5jBOJYOgo33wxDpL990WtZ1ZfgT9zuDPIGkHxITz9uq
X-Received: by 2002:a17:90b:4f4a:b0:268:c569:f2af with SMTP id pj10-20020a17090b4f4a00b00268c569f2afmr5944116pjb.7.1695719376097;
        Tue, 26 Sep 2023 02:09:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695719376; cv=none;
        d=google.com; s=arc-20160816;
        b=nl013Le8avPIyGnxRzu+jgUTOrdJD/Y3Dfk07NxZb0ennuWPpxcK3ZujNv6CsQhaqI
         /vZgKS8nCluTGYuvw//WTxNU/hkjP814vgu3/rt9sVWWhVzRXtefA4WEqZ+Q1AYED60x
         ab1Q25sW5NHx+w0XydSWKVVw6Se9/O8+yFJji2eBwqxf6H3sCxQrRnk1Oj5zUkPcKPno
         DNmIwFDqcXlxcUO9xhOhYku+vRazZQsoMfsEoYjkhKC/kssWrLKhW7XV0VVPasH7LmMx
         f/u0wEFkgyIcaWo7V16gZtytxDzUzPv2JeCGL4W9qj2ej0w6JMZFYN5et6acT+Yu4KXc
         0Cyg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=xOK6OfHsH5UzXX07PzrwQsARRjCcdnyHQS4dDua03nw=;
        fh=6l/j8S/IOSSuU/FDPIivP6mQHx+esXyBAeWoFcn7fcE=;
        b=zosArNiaYaK0LNXyH533ktkPpzwSjk37c0+cIiyjpdRi6FPLIUKcjY+Z9MS1AspDQx
         5LC6HYs1NSeRWcLqaPdf52sSl0HBQGUWKPFCiSz6YcW8MKJk6ECHVUJSiuRTOmWhrIf6
         zj+3Q3m+x7/1mG4VWx8hTQobSYr91X+2z2/d1XDtQa+r7/kzOsYxQleYPrLqSNX9ipGK
         r4vPBkNLYi81qWXQTgA6kgrd1ci97zM2KGUIB8qKje/t3ObWFWuqnfrpOf+aBOQLkNLr
         LeeBG0Px849PXWIG7z4Xy9ZSu/NaObSMlkjvwJo/GZPwdXKUAmMeo5JuMxHZ7YnE9goV
         b4qA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b="eVBYK/fZ";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from morse.vger.email (morse.vger.email. [2620:137:e000::3:1])
        by mx.google.com with ESMTPS id mg24-20020a17090b371800b0025c219a68e3si11830125pjb.45.2023.09.26.02.09.35
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 26 Sep 2023 02:09:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) client-ip=2620:137:e000::3:1;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b="eVBYK/fZ";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:1 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by morse.vger.email (Postfix) with ESMTP id 5858081FAD97;
	Mon, 25 Sep 2023 23:39:12 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233819AbjIZGjL (ORCPT <rfc822;bharatb.linux@gmail.com>
        + 99 others); Tue, 26 Sep 2023 02:39:11 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49504 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233757AbjIZGjJ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 26 Sep 2023 02:39:09 -0400
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 61F8B116;
        Mon, 25 Sep 2023 23:39:02 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id 38308e7fff4ca-2bfed7c4e6dso135128941fa.1;
        Mon, 25 Sep 2023 23:39:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1695710340; x=1696315140; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=xOK6OfHsH5UzXX07PzrwQsARRjCcdnyHQS4dDua03nw=;
        b=eVBYK/fZZ8sArYAzt80NlSEYz5YueAeTBmFrv1BxvFdVsIuLC4Plueq9E4SW7V8rhp
         s0dZhrb1JdrjoCvTmSTdp2ls3R+6aM39VBwALow+xq5vA8+RRcOm6Imv8gBuqb7guN8V
         1gP4qqiy/lCJbysGtH1PypTLuJJ+QJupGB26gyo0hcthkRkTtOR1CpJFTo8gW9tHlyZC
         CJF47ol8t5pS0yo47UKX94fsrKP7hdwj/oy4H53ngC+xgXPoBgFjVA2MiEP/xaLReqQ6
         ATTpzkY2ji093g6ulAkz/uiZlfgUiE5oPhNi5FhiiKw36ornbV7f1jxVeFuZ0WrLmDzC
         LDYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1695710340; x=1696315140;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=xOK6OfHsH5UzXX07PzrwQsARRjCcdnyHQS4dDua03nw=;
        b=HiBM1U6+j7skFecrjJqGdh2k2btq/9VzXwzu4c7j9imRN0GVwP3KzVUhk957ThpJRu
         yKOZdjzkxwrJ/4Dzd3OHQWV3o5h/EfOcHmnncxu8eyOq5mB/rV7xKmZpnMl/o64RWFov
         KoA3OaZVIs/38b5yiAOuZZON+FeGPOzsWbjNQ2b3SAzV5/yrG5POBAi2LrIvCgmkYFjo
         W42e951IsjObh78peF7uO/sAT7FissUuB49iqL6eBkYr0PlyBalD3VejtC52HBIhIokH
         OnC+Dn2ypjRmB+66ecbI7MOeFVWqGgXvD8/wKHl2jcb5HJkDV14R8ikaeDFYQ+OCfX/q
         ursw==
X-Gm-Message-State: AOJu0YwK0qcMxI/sfNM87/ayn7DBxLjZf446QYx1wNrYHp6hVXtAdfIx
        SEC/WR/X/oVYicsoJUbWhIpi9mL6U60H9g==
X-Received: by 2002:a2e:97c8:0:b0:2bc:e954:4203 with SMTP id m8-20020a2e97c8000000b002bce9544203mr7159098ljj.26.1695710340426;
        Mon, 25 Sep 2023 23:39:00 -0700 (PDT)
Received: from f (cst-prg-24-34.cust.vodafone.cz. [46.135.24.34])
        by smtp.gmail.com with ESMTPSA id lw3-20020a170906bcc300b009ade1a4f795sm7244603ejb.168.2023.09.25.23.38.59
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 25 Sep 2023 23:38:59 -0700 (PDT)
Date:   Tue, 26 Sep 2023 08:38:57 +0200
From:   Mateusz Guzik <mjguzik@gmail.com>
To:     John Johansen <john.johansen@canonical.com>
Cc:     Vinicius Costa Gomes <vinicius.gomes@intel.com>,
        linux-security-module@vger.kernel.org, apparmor@lists.ubuntu.com,
        linux-kernel@vger.kernel.org
Subject: Re: [apparmor] use per-cpu refcounts for apparmor labels?
Message-ID: <20230926063857.h3afce5hagnlkoob@f>
References: <CAGudoHFfG7mARwSqcoLNwV81-KX4Bici5FQHjoNG4f9m83oLyg@mail.gmail.com>
 <87a5t9bypm.fsf@intel.com>
 <c6379a39-42f2-b3f9-c835-bbebe516ba3a@canonical.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <c6379a39-42f2-b3f9-c835-bbebe516ba3a@canonical.com>
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Mon, 25 Sep 2023 23:39:12 -0700 (PDT)

On Mon, Sep 25, 2023 at 11:21:26PM -0700, John Johansen wrote:
> On 9/25/23 16:49, Vinicius Costa Gomes wrote:
> > Hi Mateusz,
> > 
> > Mateusz Guzik <mjguzik@gmail.com> writes:
> > 
> > > I'm sanity-checking perf in various microbenchmarks and I found
> > > apparmor to be the main bottleneck in some of them.
> > > 
> > > For example: will-it-scale open1_processes -t 16, top of the profile:
> > >    20.17%  [kernel]                   [k] apparmor_file_alloc_security
> > >    20.08%  [kernel]                   [k] apparmor_file_open
> > >    20.05%  [kernel]                   [k] apparmor_file_free_security
> > >    18.39%  [kernel]                   [k] apparmor_current_getsecid_subj
> > > [snip]
> > > 
> > > This serializes on refing/unrefing apparmor objs, sounds like a great
> > > candidate for per-cpu refcounting instead (I'm assuming they are
> > > expected to be long-lived).
> > > 
> > > I would hack it up myself, but I failed to find a clear spot to switch
> > > back from per-cpu to centalized operation and don't want to put
> > > serious effort into it.
> > > 
> > > Can you sort this out?
> > 
> 
> I will add looking into it on the todo list. Its going to have to come
> after some other major cleanups land, and I am not sure we can make
> the semantic work well for some of these. For other we might get away
> with switching to a critical section like Vinicius's patch has done
> for apparmor_current_getsecid_subj.
> 

Is there an eta?

I looked at dodging ref round trips myself, but then found that ref
manipulation in apparmor_file_alloc_security and the free counterpart
cannot be avoided. Thus per-cpu refs instead.

Perhaps making the label as stale would be a good enough switching
point? Is it *guaranteed* to get labelled as stale before it gets freed?

btw, __aa_proxy_redirect open-codes setting the flag.

> > I was looking at this same workload, and proposed a patch[1] some time
> > ago, see if it helps:
> > 
> > https://lists.ubuntu.com/archives/apparmor/2023-August/012914.html
> > 
> > But my idea was different, in many cases, we are looking at the label
> > associated with the current task, and there's no need to take the
> > refcount.
> > 
> 
> yes, and thanks for that.
>