| From: |
| Chuck Lever <cel-AT-kernel.org> |
| To: |
| john.fastabend-AT-gmail.com, kuba-AT-kernel.org, sd-AT-queasysnail.net |
| Subject: |
| [PATCH net-next v8 0/5] TLS read_sock performance scalability |
| Date: |
| Tue, 28 Apr 2026 09:30:45 -0400 |
| Message-ID: |
| <20260428-tls-read-sock-v8-0-85f96c7df24c@oracle.com> |
| Cc: |
| netdev-AT-vger.kernel.org, kernel-tls-handshake-AT-lists.linux.dev, Chuck Lever <chuck.lever-AT-oracle.com>, Hannes Reinecke <hare-AT-suse.de>, Alistair Francis <alistair.francis-AT-wdc.com> |
| Archive-link: |
| Article |
I'd like to encourage in-kernel kTLS consumers (i.e., NFS and
NVMe/TCP) to coalesce on the use of read_sock. When I suggested
this to Hannes, he reported a few performance scalability issues
with read_sock. However, batch async decryption and its
submit/deliver scaffolding were dropped from this series because
async_capable is always false for TLS 1.3, the TLS version that
NFS and NVMe/TCP both require. Async crypto support for TLS 1.3
is a prerequisite for revisiting that work.
This series is now only a set of clean-ups. Support for async
has been deferred until after TLS KeyUpdate has been merged.
---
Changes since v7:
- Rebased on net-next (v7.1-rc1)
Changes since v6:
- Rebased on net-next, v5's 1/6 was merged upstream
Changes since v5:
- Patch 6: Set released = true when sk_flush_backlog() returns
true, so tls_strp_msg_load() knows the socket lock was
released (Sabrina)
- Patch 6: Drop Fixes tag; submit bug fix separately via net
if warranted (Sabrina)
- Patch 6: Note redundant flush on cold path in commit message
(Sabrina)
Changes since v4:
- Drop batch async decryption and submit/deliver restructure:
async_capable is always false for TLS 1.3, so the new code
was unreachable for NFS and NVMe/TCP
- Purge async_hold directly in tls_decrypt_async_wait() and drop
the tls_decrypt_async_drain() wrapper
- Merge tls_strp_check_rcv_quiet() into tls_strp_check_rcv() with
a bool wake parameter; fix lost wakeup on the recvmsg exit path
Changes since v3:
- Clarify why tls_decrypt_async_drain() is separate from _wait()
- Fold tls_err_abort() into tls_rx_one_record(), drop tls_rx_decrypt_record()
- Move backlog flush into tls_rx_rec_wait() so all RX paths benefit
Changes since v2:
- Fix short read self tests
Changes since v1:
- Add C11 reference
- Extend data_ready reduction to recvmsg and splice
- Restructure read_sock and recvmsg using shared helpers
---
Chuck Lever (5):
tls: Abort the connection on decrypt failure
tls: Fix dangling skb pointer in tls_sw_read_sock()
tls: Factor tls_strp_msg_release() from tls_strp_msg_done()
tls: Suppress spurious saved_data_ready on all receive paths
tls: Flush backlog before waiting for a new record
net/tls/tls.h | 4 ++--
net/tls/tls_main.c | 2 +-
net/tls/tls_strp.c | 42 +++++++++++++++++++++++++++++++-----------
net/tls/tls_sw.c | 50 ++++++++++++++++++++++++++++++--------------------
4 files changed, 64 insertions(+), 34 deletions(-)
---
base-commit: 790ead9394860e7d70c5e0e50a35b243e909a618
change-id: 20260317-tls-read-sock-a0022c9df265
Best regards,
--
Chuck Lever
