This patch provides a performance optimization in the pfkey_add path. Prior versions have a serious performance problem when adding a large number of SAs to a node. For example, if a backup node needs to be loaded with the SAs previously held by a failed active node, thousands of SAs may need to be added as rapidly as possible. Tests show that without this patch, such additions may take several minutes. The cause is that the available algorithm modules are probed each time instead of only when needed. This patch changes the unconditional call to xfrm_probe_algs() to only be done when it may be needed. An example that loads 2000 SAs gives the following results: Without patch real 0m42.643s user 0m0.120s sys 0m0.800s With patch real 0m0.537s user 0m0.076s sys 0m0.276s Signed-Off-By: Mark Huth =============================================== diff --git a/net/key/af_key.c b/net/key/af_key.c index a994441..c970d5e 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1445,16 +1445,15 @@ static int key_notify_sa(struct xfrm_state *x, struct km_event *c) static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, void **ext_hdrs) { struct xfrm_state *x; - int err; + int err, probe_done = 0; struct km_event c; - xfrm_probe_algs(); - x = pfkey_msg2xfrm_state(hdr, ext_hdrs); if (IS_ERR(x)) return PTR_ERR(x); xfrm_state_hold(x); +try_again: if (hdr->sadb_msg_type == SADB_ADD) err = xfrm_state_add(x); else @@ -1464,6 +1463,11 @@ static int pfkey_add(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hdr, AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x); if (err < 0) { + if (!probe_done) { + xfrm_probe_algs(); + probe_done = 1; + goto try_again; + } x->km.state = XFRM_STATE_DEAD; __xfrm_state_put(x); goto out;
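Review bot: in the first hunk (@@ -1445), the early `return PTR_ERR(x)` after pfkey_msg2xfrm_state() gets no probe and no retry, although the removed xfrm_probe_algs() call used to run immediately before that function. If pfkey_msg2xfrm_state() can fail because an algorithm module has not been probed yet, that error now goes straight back to the caller and the retry added later in pfkey_add() is never reached. Either state in the commit message that building the state does not depend on the probe, or apply the same one-shot probe and retry around pfkey_msg2xfrm_state(). Placing try_again after xfrm_state_hold(x) is right, since the retry then does not take a second reference.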
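Review bot: in the second hunk (@@ -1464), the `if (!probe_done)` retry fires on every `err < 0`, not only on a failure caused by an unavailable algorithm, so each add that fails for an unrelated reason now pays for xfrm_probe_algs() plus a second pass through the add/else branch. Restrict the retry to the error value that actually indicates a missing algorithm. In addition, the audit call ending in `AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);` sits between the try_again label and the `goto try_again`, so a request that is retried produces two audit records, the first one logged as a failure even when the retry succeeds. Move the retry decision ahead of the audit call so that one PF_KEY request yields one audit record with the final result.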