src-test2/sys, branch master

Filter TCP connections to SO_REUSEPORT_LB listen sockets by NUMA domain

2020-12-19T22:04:46Z

In order to efficiently serve web traffic on a NUMA machine, one must avoid as many NUMA domain crossings as possible. With SO_REUSEPORT_LB, a number of workers can share a listen socket. However, even if a worker sets affinity to a core or set of cores on a NUMA domain, it will receive connections associated with all NUMA domains in the system. This will lead to cross-domain traffic when the server writes to the socket or calls sendfile(), and memory is allocated on the server's local NUMA node, but transmitted on the NUMA node associated with the TCP connection. Similarly, when the server reads from the socket, he will likely be reading memory allocated on the NUMA domain associated with the TCP connection. This change provides a new socket ioctl, TCP_REUSPORT_LB_NUMA. A server can now tell the kernel to filter traffic so that only incoming connections associated with the desired NUMA domain are given to the server. (Of course, in the case where there are no servers sharing the listen socket on some domain, then as a fallback, traffic will be hashed as normal to all servers sharing the listen socket regardless of domain). This allows a server to deal only with traffic that is local to its NUMA domain, and avoids cross-domain traffic in most cases. This patch, and a corresponding small patch to nginx to use TCP_REUSPORT_LB_NUMA allows us to serve 190Gb/s of kTLS encrypted https media content from dual-socket Xeons with only 13% (as measured by pcm.x) cross domain traffic on the memory controller. Reviewed by: jhb, bz (earlier version), bcr (man page) Tested by: gonzo Sponsored by: Netfix Differential Revision: https://reviews.freebsd.org/D21636

Optionally bind ktls threads to NUMA domains

2020-12-19T21:46:09Z

When ktls_bind_thread is 2, we pick a ktls worker thread that is bound to the same domain as the TCP connection associated with the socket. We use roughly the same code as netinet/tcp_hpts.c to do this. This allows crypto to run on the same domain as the TCP connection is associated with. Assuming TCP_REUSPORT_LB_NUMA (D21636) is in place & in use, this ensures that the crypto source and destination buffers are local to the same NUMA domain as we're running crypto on. This change (when TCP_REUSPORT_LB_NUMA, D21636, is used) reduces cross-domain traffic from over 37% down to about 13% as measured by pcm.x on a dual-socket Xeon using nginx and a Netflix workload. Reviewed by: jhb Sponsored by: Netflix Differential Revision: https://reviews.freebsd.org/D21648

Ensure a minimum packet length before creating a mbuf in if_ure.

2020-12-19T11:03:54Z

Sponsored by: Mellanox Technologies // NVIDIA Networking

Move SYSCTL_ADD_PROC() to unlocked context in if_ure to avoid lock order reversal.

2020-12-19T11:00:11Z

MFC after: 1 week Reported by: Mark Millard Sponsored by: Mellanox Technologies // NVIDIA Networking

kern: cpuset: allow jails to modify child jails' roots

2020-12-19T03:30:06Z

This partially lifts a restriction imposed by r191639 ("Prevent a superuser inside a jail from modifying the dedicated root cpuset of that jail") that's perhaps beneficial after r192895 ("Add hierarchical jails."). Jails still cannot modify their own cpuset, but they can modify child jails' roots to further restrict them or widen them back to the modifying jails' own mask. As a side effect of this, the system root may once again widen the mask of jails as long as they're still using a subset of the parent jails' mask. This was previously prevented by the fact that cpuset_getroot of a root set will return that root, rather than the root's parent -- cpuset_modify uses cpuset_getroot since it was introduced in r327895, previously it was just validating against set->cs_parent which allowed the system root to widen jail masks. Reviewed by: jamie MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D27352

usb: Replace ITUNERNET vendor with MICROCHIP and improve product names

2020-12-18T23:31:36Z

These Mini-Box LCDs are using Microchip components and sub-licensed product IDs. Whilst here, update the constant names and descriptions for the products to use the names listed on the manufacturer's website rather than vague ones. The picoLCD 4x20 is named that on the manufacturer's website so prefer that name, even though linux-usb.org lists it with the numbers reversed as one might expect. Reviewed by: hselasky Differential Revision: https://reviews.freebsd.org/D27670

Add ELF flag to disable ASLR stack gap.

2020-12-18T23:14:39Z

Also centralize and unify checks to enable ASLR stack gap in a new helper exec_stackgap(). PR: 239873 Sponsored by: The FreeBSD Foundation MFC after: 1 week

proc.h: Reformat P_ and P2_ definitions.

2020-12-18T23:11:27Z

Use traditional explicit leading zero format for hex numbers. Align P2_ hex values. Wrap long lines by splitting comments. Sponsored by: The FreeBSD Foundation MFC after: 1 week

Switch direct rt fields access in rtsock.c to newly-create field acessors.

2020-12-18T22:00:57Z

rtsock code was build around the assumption that each rtentry record in the system radix tree is a ready-to-use sockaddr. This assumptions turned out to be not quite true: * masks have their length tweaked, so we have rtsock_fix_netmask() hack * IPv6 addresses have their scope embedded, so we have another explicit deembedding hack. Change the code to decouple rtentry internals from rtsock code using newly-created rtentry accessors. This will allow to eventually eliminate both of the hacks and change rtentry dst/mask format. Differential Revision: https://reviews.freebsd.org/D27451

Skip the vm.pmap.kernel_maps sysctl by default.

2020-12-18T20:41:23Z

This sysctl node can generate very verbose output, so don't trigger it for sysctl -a or sysctl vm.pmap. Reviewed by: markj, kib Differential Revision: https://reviews.freebsd.org/D27504