On Wed, Nov 1, 2023 at 10:51 AM Daniel Xu <dxu@xxxxxxxxx> wrote: > > Yeah, I agree the code in this patchset is not correct. I have the fix > (a KF_RELEASE wrapper around xfrm_state_put()) ready to send. I think > Steffen was gonna chat w/ you about this at IETF next week. But I can > send it now if you'd like. I say send a new version with all issues addressed now, since it might help to frame the discussion at IETF. > > To answer your question why it doesn't blow up immediately: > > * The test system only has ~33 inbound SAs and the test doesn't try to > delete any. So leak is not noticed in the test. Oddly enough I recall > `ip x s flush` working correctly... Could be misremembering. > > * Refcnt overflow will indeed happen, but some rough math shows it'll > take about 12 hrs receiving at 100Gbps for that to happen. 100Gbps = > 12.5 GB/s. 12.5GB / (32 CPUs) / (9000B) = 43k pps for each pcpu SA. > INT_MAX = 2 billion. 2B / 4k = 46k. 46k seconds to hours is ~12 hrs. > And I was only running traffic for ~1 hour. > > At least I think that math is right. Makes sense.
