Completely separate from the big performance regression I noted earlier this week for the Linux 6.15 Git kernel, which was fixed yesterday in the upstream codebase, another significant performance issue was also uncovered and fixed this week in Linux 6.15 Git.
Cloudflare engineer Frederick Lawler took care of a performance problem in the kernel pertaining to “extremely heavy read-only workloads.” The specific workload wasn’t mentioned, but presumably it involves a lot of read-only services running within Cloudflare, and the fix benefits others as well. Fortunately, this particular performance issue only manifests when making use of the Integrity Measurement Architecture (IMA) functionality.
Frederick Lawler explained in the commit merged to Linux 6.15 Git:
“ima: process_measurement() needlessly takes inode_lock() on MAY_READ
On IMA policy update, if a measure rule exists in the policy, IMA_MEASURE is set for ima_policy_flags which makes the violation_check variable always true. Coupled with a no-action on MAY_READ for a FILE_CHECK call, we’re always taking the inode_lock(). This becomes a performance problem for extremely heavy read-only workloads. Therefore, prevent this only in the case there’s no action to be taken.”
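To make the commit message concrete, here is an added user-space model (not the kernel patch and not code from the original article) that counts how often the lock would be taken for read-only opens that match no rule, before and after the change. The struct, the function names, the flag values and the exact form of the "after" condition are assumptions made for illustration.

```c
/* Simplified user-space model of the decision in the commit message; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define MAY_WRITE   0x2  /* flag values chosen for the model */
#define MAY_READ    0x4
#define IMA_MEASURE 0x1

struct model {
    int ima_policy_flags;  /* IMA_MEASURE set once a measure rule is loaded */
    long lock_count;       /* stands in for inode_lock() acquisitions */
};

/* Models one FILE_CHECK call; returns true if the inode lock was taken. */
static bool file_check_model(struct model *m, int mask, int action, bool fixed)
{
    bool violation_check = (m->ima_policy_flags & IMA_MEASURE) != 0;

    /* Assumed shape of the fix: a read with no action has nothing to check. */
    if (fixed && !action && !(mask & MAY_WRITE))
        violation_check = false;
    if (!action && !violation_check)
        return false;      /* fast path: no lock */
    m->lock_count++;       /* inode_lock() would be taken here */
    return true;
}

/* Locks taken by n read-only opens that match no rule (action == 0). */
long locks_for_reads(long n, int policy_flags, bool fixed)
{
    struct model m = { policy_flags, 0 };
    for (long i = 0; i < n; i++)
        file_check_model(&m, MAY_READ, 0, fixed);
    return m.lock_count;
}

/* Lock decision for a single access under a policy with a measure rule. */
bool takes_lock(int mask, int action, bool fixed)
{
    struct model m = { IMA_MEASURE, 0 };
    return file_check_model(&m, mask, action, fixed);
}

int main(void)
{
    printf("reads=1000 before=%ld after=%ld\n",
           locks_for_reads(1000, IMA_MEASURE, false), locks_for_reads(1000, IMA_MEASURE, true));
    return 0;
}
```

In the model, a policy without any measure rule never reaches the lock, which matches the article's point that only systems using IMA are affected.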
This performance fix is merged in time for Linux 6.15-rc4 due out on Sunday along with the unrelated performance regression fix I noted yesterday. Linux 6.15 stable should be out around the end of May.