Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp665635rdg; Thu, 12 Oct 2023 18:13:30 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFoKOZcGN2nIFJCIX18XdDqSW+khtQm5SXlYG5DImLwBLXbTT4Mn6xs0U2h522Uwln/R4Ib X-Received: by 2002:a05:6a20:c18a:b0:174:32c:dfcb with SMTP id bg10-20020a056a20c18a00b00174032cdfcbmr6718317pzb.31.1697159609732; Thu, 12 Oct 2023 18:13:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697159609; cv=none; d=google.com; s=arc-20160816; b=0NlnUpCd+zVTPGf8ASW5tFRHPLuYiF47fjpV9GrkI/7UFpJmZ1fK39piRD9byHqQRM ouNf9p9DOTKole9Z+lLi3+lmbwDudGgUi7vVR4/oqkkUECdVqAzGlIsbUo9plITAH9W2 GTJd2EmTGhQ5KDWf27yNxu6+wqS5xk/Z0ke278CTKtZXKV2ixZEnQVxlgv7SKyWAn5dL V7O0oN5HsZbLn/TViyqheMtma58LhHVXXYWlS/YMa09AkoGKKlJz0JjvGvKo5FbSJSoF sNJJZsjaYf5U2P0lgnqstcJeEVqZAKbQKNL/Co/lzZDTIMjTx6fKSJ780NpEolD3t3fO hZyw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id:dkim-signature; bh=AMJnEzubrAnZX3cVNcFw4aHCDFoa3PCcaOxjV6VRS+0=; fh=RS5xk2Yo9202uD/sfCsf4nBVuUGQaJEuWklJtn7kn6c=; b=Mx7SsuCf4Pre32/3ACfyjDqMo0m+ROhimJSmYqbxn6f6xWCRnJ2YSQJjd5/nN51kJv LOsJYVAa8E4nb3yEsvGvmr4m1idHd30qXS5T0KaFfi/z+4jlf4c0VCmU4SsGKwzjjApo 6PdpLaDBNihT94PRJsQecwIEdqPoLfrqIw3vrZNS5Hd8v7icsRk7tS+0aPVYZ5gUNiJZ jDaOnxj6qlNYizFsM/uPG3lkbTR6/fd0p7EHg0/j73/wtPfH23SRyj/VFg9P2LIpfShl Y0mlZGeHPejteDnbxLZ+WyNGTf6lmrT2dSaIpqi1Jz0Ji9oggvt0auFi6iMexp+xYlyH q0Vg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20230601.gappssmtp.com header.s=20230601 header.b=HS+h4Wa+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id t16-20020a639550000000b005ac0759396asi1197pgn.634.2023.10.12.18.13.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Oct 2023 18:13:29 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20230601.gappssmtp.com header.s=20230601 header.b=HS+h4Wa+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id B26B480C0353; Thu, 12 Oct 2023 18:13:28 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229469AbjJMBNY (ORCPT + 99 others); Thu, 12 Oct 2023 21:13:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54092 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229450AbjJMBNX (ORCPT ); Thu, 12 Oct 2023 21:13:23 -0400 Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CD63CA for ; Thu, 12 Oct 2023 18:13:21 -0700 (PDT) Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-690f8e63777so389272b3a.0 for ; Thu, 12 Oct 2023 18:13:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20230601.gappssmtp.com; s=20230601; t=1697159601; x=1697764401; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=AMJnEzubrAnZX3cVNcFw4aHCDFoa3PCcaOxjV6VRS+0=; b=HS+h4Wa+IMVdFNCYi7/E0nXCEJ1TZmq/beUe+MUTtTEz9k+LNI72O23j3yAqrIGCAk eGlTxrVhgYNU6P3aiD++90HTaT+0JCZp4hiF4npfLZBUZ13gtjjbqS2a5gKqJ9/x/Kk4 eRfTTZNZQfB70JGf+/YVk4v8k3kj/Vc07za/DukVP3HDPBaw39Fyb/F4EYpxJIGpgVWw F0E4vzTHXTUqISzY8Fk8WrmEn7Z2PCml5eqxiWBzZg2zx5M69ZIbGTnL/rDTHLbU4x0H vio3fLQYqttWGLtq0m9AvOgact3R7wNBIuxc7PYawZ3k0W88kCq3c7dybu118RTTBMkQ OFlA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697159601; x=1697764401; h=content-transfer-encoding:in-reply-to:from:references:cc:to :content-language:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=AMJnEzubrAnZX3cVNcFw4aHCDFoa3PCcaOxjV6VRS+0=; b=QpG6Kv1PXPCR3VMltg/IbD+iS0sb4z+BNT+zbRWy7t5zeiWo2MEpsx8s0G75x/RiAf UbxQdCkqHOJOfHD65JMg1JZn2fXtBNuJCxBIelZXv7cNPoY1UXHtIzJgDhaXskrJDuhO VwNizyc2lDSqnDbuXB5w9x9ZiBkj3ohP0lfpB7qYjyaefsGEqDv1gIx1YwqUCEACqvba AMi7OUwJpM5e8WhkmY8Siof/7aQKmi/IJq2iTAjHgs1nQzbSVjAozjBS0AQ/Rk6JxMmm P1Iuek7ypYyyZHocjATBPlmpEPNs5Y+/DXBjNF4MCGjz/Zs47dl8NshKXIYdLmPo32HG z+dQ== X-Gm-Message-State: AOJu0YwPEoHsY15d62bhjZvaaiPYtmzBFsNKC/DHLkcmdDrgrzV4V8rc F5J+n28F0G0ZRLrngGtzw9J69Q== X-Received: by 2002:a05:6a20:7d85:b0:163:57ba:2ad4 with SMTP id v5-20020a056a207d8500b0016357ba2ad4mr30560645pzj.2.1697159600617; Thu, 12 Oct 2023 18:13:20 -0700 (PDT) Received: from [192.168.1.136] ([198.8.77.194]) by smtp.gmail.com with ESMTPSA id jj3-20020a170903048300b001c9cc44eb60sm2610748plb.201.2023.10.12.18.13.19 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 12 Oct 2023 18:13:19 -0700 (PDT) Message-ID: <8b200d4c-6c28-47f6-b43d-98ed10a9b4f5@kernel.dk> Date: Thu, 12 Oct 2023 19:13:18 -0600 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Problem with io_uring splice and KTLS Content-Language: en-US To: Sascha Hauer Cc: Pavel Begunkov , io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, kernel@pengutronix.de, Boris Pismenny , John Fastabend , Jakub Kicinski , netdev@vger.kernel.org References: <20231010141932.GD3114228@pengutronix.de> <20231012133407.GA3359458@pengutronix.de> From: Jens Axboe In-Reply-To: <20231012133407.GA3359458@pengutronix.de> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 12 Oct 2023 18:13:28 -0700 (PDT) On 10/12/23 7:34 AM, Sascha Hauer wrote: > On Tue, Oct 10, 2023 at 08:28:13AM -0600, Jens Axboe wrote: >> On 10/10/23 8:19 AM, Sascha Hauer wrote: >>> Hi, >>> >>> I am working with a webserver using io_uring in conjunction with KTLS. The >>> webserver basically splices static file data from a pipe to a socket which uses >>> KTLS for encryption. When splice is done the socket is closed. This works fine >>> when using software encryption in KTLS. Things go awry though when the software >>> encryption is replaced with the CAAM driver which replaces the synchronous >>> encryption with a asynchronous queue/interrupt/completion flow. >>> >>> So far I have traced it down to tls_push_sg() calling tcp_sendmsg_locked() to >>> send the completed encrypted messages. tcp_sendmsg_locked() sometimes waits for >>> more memory on the socket by calling sk_stream_wait_memory(). This in turn >>> returns -ERESTARTSYS due to: >>> >>> if (signal_pending(current)) >>> goto do_interrupted; >>> >>> The current task has the TIF_NOTIFY_SIGNAL set due to: >>> >>> io_req_normal_work_add() >>> { >>> ... >>> /* This interrupts sk_stream_wait_memory() (notify_method == TWA_SIGNAL) */ >>> task_work_add(req->task, &tctx->task_work, ctx->notify_method))) >>> } >>> >>> The call stack when sk_stream_wait_memory() fails is as follows: >>> >>> [ 1385.428816] dump_backtrace+0xa0/0x128 >>> [ 1385.432568] show_stack+0x20/0x38 >>> [ 1385.435878] dump_stack_lvl+0x48/0x60 >>> [ 1385.439539] dump_stack+0x18/0x28 >>> [ 1385.442850] tls_push_sg+0x100/0x238 >>> [ 1385.446424] tls_tx_records+0x118/0x1d8 >>> [ 1385.450257] tls_sw_release_resources_tx+0x74/0x1a0 >>> [ 1385.455135] tls_sk_proto_close+0x2f8/0x3f0 >>> [ 1385.459315] inet_release+0x58/0xb8 >>> [ 1385.462802] inet6_release+0x3c/0x60 >>> [ 1385.466374] __sock_release+0x48/0xc8 >>> [ 1385.470035] sock_close+0x20/0x38 >>> [ 1385.473347] __fput+0xbc/0x280 >>> [ 1385.476399] ____fput+0x18/0x30 >>> [ 1385.479537] task_work_run+0x80/0xe0 >>> [ 1385.483108] io_run_task_work+0x40/0x108 >>> [ 1385.487029] __arm64_sys_io_uring_enter+0x164/0xad8 >>> [ 1385.491907] invoke_syscall+0x50/0x128 >>> [ 1385.495655] el0_svc_common.constprop.0+0x48/0xf0 >>> [ 1385.500359] do_el0_svc_compat+0x24/0x40 >>> [ 1385.504279] el0_svc_compat+0x38/0x108 >>> [ 1385.508026] el0t_32_sync_handler+0x98/0x140 >>> [ 1385.512294] el0t_32_sync+0x194/0x198 >>> >>> So the socket is being closed and KTLS tries to send out the remaining >>> completed messages. From a splice point of view everything has been sent >>> successfully, but not everything made it through KTLS to the socket and the >>> remaining data is sent while closing the socket. >>> >>> I vaguely understand what's going on here, but I haven't got the >>> slightest idea what to do about this. Any ideas? >> >> Two things to try: >> >> 1) Depending on how you use the ring, set it up with >> IORING_SETUP_SINGLE_ISSUER | IORING_SETUP_DEFER_TASKRUN. The latter will >> avoid using signal based task_work notifications, which may be messing >> you up here. >> >> 2) io_uring will hold a reference to the file/socket. I'm unsure if this >> is a problem in the above case, but sometimes it'll prevent the final >> flush. >> >> Do you have a reproducer that could be run to test? Sometimes easier to >> see what's going on when you can experiment, it'll save some time. > > Okay, here is a reproducer: > > https://github.com/saschahauer/webserver-uring-test.git > > Execute ./prepare.sh in that repository, it will compile the webserver, > generate cert.pem/key.pem and generate some testfile to download. If the > meson build doesn't work for you then you can compile the program by > hand with something like: > > gcc -O3 -Wall -o webserver webserver_liburing.c -lcrypto -lssl -luring > > When the webserver is started you can get a file from it with: > > curl -k https://:8443/foo -o foo > > or: > > while true; do curl -k https://:8443/foo -o foo; if [ $? != 0 ]; then break; fi; done > > This should run without problems as by default likely the encryption > requests are running synchronously. > > In case you don't have encryption hardware you can create an > asynchronous encryption module using cryptd. Compile a kernel with > CONFIG_CRYPTO_USER_API_AEAD and CONFIG_CRYPTO_CRYPTD and start the > webserver with the '-c' option. /proc/crypto should then contain an > entry with: > > name : gcm(aes) > driver : cryptd(gcm_base(ctr(aes-generic),ghash-generic)) > module : kernel > priority : 150 > > Make sure there is no other module providing gcm(aes) with a priority higher > than 150 so that this one is actually used. > > With that the while true loop above should break out with a short read > fairly fast. Passing IORING_SETUP_SINGLE_ISSUER | IORING_SETUP_DEFER_TASKRUN > to io_uring_queue_init() makes it harder to reproduce for me. With that > I need multiple shells in parallel running the above loop. > > The repository also contains a kernel patch which will provide you a > stack dump when KTLS gets an error from tcp_sendmsg_locked(). > > Now I hope I haven't done anything silly in the webserver ;) Perfect! Thanks a lot for preparing all of that. Not sure I'll get to it tomorrow, but if not, then definitely on Monday. -- Jens Axboe