1 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com 2 * Copyright (c) 2016 Facebook 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of version 2 of the GNU General Public 6 * License as published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it will be useful, but 9 * WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 * General Public License for more details. 12 */ 13 #include <linux/bpf.h> 14 #include <linux/jhash.h> 15 #include <linux/filter.h> 16 #include <linux/rculist_nulls.h> 17 #include "percpu_freelist.h" 18 #include "bpf_lru_list.h" 19 #include "map_in_map.h" 20 21 struct bucket { 22 struct hlist_nulls_head head; 23 raw_spinlock_t lock; 24 }; 25 26 struct bpf_htab { 27 struct bpf_map map; 28 struct bucket *buckets; 29 void *elems; 30 union { 31 struct pcpu_freelist freelist; 32 struct bpf_lru lru; 33 }; 34 struct htab_elem *__percpu *extra_elems; 35 atomic_t count; /* number of elements in this hashtable */ 36 u32 n_buckets; /* number of hash buckets */ 37 u32 elem_size; /* size of each element in bytes */ 38 }; 39 40 /* each htab element is struct htab_elem + key + value */ 41 struct htab_elem { 42 union { 43 struct hlist_nulls_node hash_node; 44 struct { 45 void *padding; 46 union { 47 struct bpf_htab *htab; 48 struct pcpu_freelist_node fnode; 49 }; 50 }; 51 }; 52 union { 53 struct rcu_head rcu; 54 struct bpf_lru_node lru_node; 55 }; 56 u32 hash; 57 char key[0] __aligned(8); 58 }; 59 60 static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node); 61 62 static bool htab_is_lru(const struct bpf_htab *htab) 63 { 64 return htab->map.map_type == BPF_MAP_TYPE_LRU_HASH || 65 htab->map.map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH; 66 } 67 68 static bool htab_is_percpu(const struct bpf_htab *htab) 69 { 70 return htab->map.map_type == BPF_MAP_TYPE_PERCPU_HASH || 71 htab->map.map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH; 72 } 73 74 static bool htab_is_prealloc(const struct bpf_htab *htab) 75 { 76 return !(htab->map.map_flags & BPF_F_NO_PREALLOC); 77 } 78 79 static inline void htab_elem_set_ptr(struct htab_elem *l, u32 key_size, 80 void __percpu *pptr) 81 { 82 *(void __percpu **)(l->key + key_size) = pptr; 83 } 84 85 static inline void __percpu *htab_elem_get_ptr(struct htab_elem *l, u32 key_size) 86 { 87 return *(void __percpu **)(l->key + key_size); 88 } 89 90 static void *fd_htab_map_get_ptr(const struct bpf_map *map, struct htab_elem *l) 91 { 92 return *(void **)(l->key + roundup(map->key_size, 8)); 93 } 94 95 static struct htab_elem *get_htab_elem(struct bpf_htab *htab, int i) 96 { 97 return (struct htab_elem *) (htab->elems + i * htab->elem_size); 98 } 99 100 static void htab_free_elems(struct bpf_htab *htab) 101 { 102 int i; 103 104 if (!htab_is_percpu(htab)) 105 goto free_elems; 106 107 for (i = 0; i < htab->map.max_entries; i++) { 108 void __percpu *pptr; 109 110 pptr = htab_elem_get_ptr(get_htab_elem(htab, i), 111 htab->map.key_size); 112 free_percpu(pptr); 113 } 114 free_elems: 115 bpf_map_area_free(htab->elems); 116 } 117 118 static struct htab_elem *prealloc_lru_pop(struct bpf_htab *htab, void *key, 119 u32 hash) 120 { 121 struct bpf_lru_node *node = bpf_lru_pop_free(&htab->lru, hash); 122 struct htab_elem *l; 123 124 if (node) { 125 l = container_of(node, struct htab_elem, lru_node); 126 memcpy(l->key, key, htab->map.key_size); 127 return l; 128 } 129 130 return NULL; 131 } 132 133 static int prealloc_init(struct bpf_htab *htab) 134 { 135 u32 num_entries = htab->map.max_entries; 136 int err = -ENOMEM, i; 137 138 if (!htab_is_percpu(htab) && !htab_is_lru(htab)) 139 num_entries += num_possible_cpus(); 140 141 htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries); 142 if (!htab->elems) 143 return -ENOMEM; 144 145 if (!htab_is_percpu(htab)) 146 goto skip_percpu_elems; 147 148 for (i = 0; i < num_entries; i++) { 149 u32 size = round_up(htab->map.value_size, 8); 150 void __percpu *pptr; 151 152 pptr = __alloc_percpu_gfp(size, 8, GFP_USER | __GFP_NOWARN); 153 if (!pptr) 154 goto free_elems; 155 htab_elem_set_ptr(get_htab_elem(htab, i), htab->map.key_size, 156 pptr); 157 } 158 159 skip_percpu_elems: 160 if (htab_is_lru(htab)) 161 err = bpf_lru_init(&htab->lru, 162 htab->map.map_flags & BPF_F_NO_COMMON_LRU, 163 offsetof(struct htab_elem, hash) - 164 offsetof(struct htab_elem, lru_node), 165 htab_lru_map_delete_node, 166 htab); 167 else 168 err = pcpu_freelist_init(&htab->freelist); 169 170 if (err) 171 goto free_elems; 172 173 if (htab_is_lru(htab)) 174 bpf_lru_populate(&htab->lru, htab->elems, 175 offsetof(struct htab_elem, lru_node), 176 htab->elem_size, num_entries); 177 else 178 pcpu_freelist_populate(&htab->freelist, 179 htab->elems + offsetof(struct htab_elem, fnode), 180 htab->elem_size, num_entries); 181 182 return 0; 183 184 free_elems: 185 htab_free_elems(htab); 186 return err; 187 } 188 189 static void prealloc_destroy(struct bpf_htab *htab) 190 { 191 htab_free_elems(htab); 192 193 if (htab_is_lru(htab)) 194 bpf_lru_destroy(&htab->lru); 195 else 196 pcpu_freelist_destroy(&htab->freelist); 197 } 198 199 static int alloc_extra_elems(struct bpf_htab *htab) 200 { 201 struct htab_elem *__percpu *pptr, *l_new; 202 struct pcpu_freelist_node *l; 203 int cpu; 204 205 pptr = __alloc_percpu_gfp(sizeof(struct htab_elem *), 8, 206 GFP_USER | __GFP_NOWARN); 207 if (!pptr) 208 return -ENOMEM; 209 210 for_each_possible_cpu(cpu) { 211 l = pcpu_freelist_pop(&htab->freelist); 212 /* pop will succeed, since prealloc_init() 213 * preallocated extra num_possible_cpus elements 214 */ 215 l_new = container_of(l, struct htab_elem, fnode); 216 *per_cpu_ptr(pptr, cpu) = l_new; 217 } 218 htab->extra_elems = pptr; 219 return 0; 220 } 221 222 /* Called from syscall */ 223 static struct bpf_map *htab_map_alloc(union bpf_attr *attr) 224 { 225 bool percpu = (attr->map_type == BPF_MAP_TYPE_PERCPU_HASH || 226 attr->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH); 227 bool lru = (attr->map_type == BPF_MAP_TYPE_LRU_HASH || 228 attr->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH); 229 /* percpu_lru means each cpu has its own LRU list. 230 * it is different from BPF_MAP_TYPE_PERCPU_HASH where 231 * the map's value itself is percpu. percpu_lru has 232 * nothing to do with the map's value. 233 */ 234 bool percpu_lru = (attr->map_flags & BPF_F_NO_COMMON_LRU); 235 bool prealloc = !(attr->map_flags & BPF_F_NO_PREALLOC); 236 struct bpf_htab *htab; 237 int err, i; 238 u64 cost; 239 240 BUILD_BUG_ON(offsetof(struct htab_elem, htab) != 241 offsetof(struct htab_elem, hash_node.pprev)); 242 BUILD_BUG_ON(offsetof(struct htab_elem, fnode.next) != 243 offsetof(struct htab_elem, hash_node.pprev)); 244 245 if (lru && !capable(CAP_SYS_ADMIN)) 246 /* LRU implementation is much complicated than other 247 * maps. Hence, limit to CAP_SYS_ADMIN for now. 248 */ 249 return ERR_PTR(-EPERM); 250 251 if (attr->map_flags & ~(BPF_F_NO_PREALLOC | BPF_F_NO_COMMON_LRU)) 252 /* reserved bits should not be used */ 253 return ERR_PTR(-EINVAL); 254 255 if (!lru && percpu_lru) 256 return ERR_PTR(-EINVAL); 257 258 if (lru && !prealloc) 259 return ERR_PTR(-ENOTSUPP); 260 261 htab = kzalloc(sizeof(*htab), GFP_USER); 262 if (!htab) 263 return ERR_PTR(-ENOMEM); 264 265 /* mandatory map attributes */ 266 htab->map.map_type = attr->map_type; 267 htab->map.key_size = attr->key_size; 268 htab->map.value_size = attr->value_size; 269 htab->map.max_entries = attr->max_entries; 270 htab->map.map_flags = attr->map_flags; 271 272 /* check sanity of attributes. 273 * value_size == 0 may be allowed in the future to use map as a set 274 */ 275 err = -EINVAL; 276 if (htab->map.max_entries == 0 || htab->map.key_size == 0 || 277 htab->map.value_size == 0) 278 goto free_htab; 279 280 if (percpu_lru) { 281 /* ensure each CPU's lru list has >=1 elements. 282 * since we are at it, make each lru list has the same 283 * number of elements. 284 */ 285 htab->map.max_entries = roundup(attr->max_entries, 286 num_possible_cpus()); 287 if (htab->map.max_entries < attr->max_entries) 288 htab->map.max_entries = rounddown(attr->max_entries, 289 num_possible_cpus()); 290 } 291 292 /* hash table size must be power of 2 */ 293 htab->n_buckets = roundup_pow_of_two(htab->map.max_entries); 294 295 err = -E2BIG; 296 if (htab->map.key_size > MAX_BPF_STACK) 297 /* eBPF programs initialize keys on stack, so they cannot be 298 * larger than max stack size 299 */ 300 goto free_htab; 301 302 if (htab->map.value_size >= KMALLOC_MAX_SIZE - 303 MAX_BPF_STACK - sizeof(struct htab_elem)) 304 /* if value_size is bigger, the user space won't be able to 305 * access the elements via bpf syscall. This check also makes 306 * sure that the elem_size doesn't overflow and it's 307 * kmalloc-able later in htab_map_update_elem() 308 */ 309 goto free_htab; 310 311 if (percpu && round_up(htab->map.value_size, 8) > PCPU_MIN_UNIT_SIZE) 312 /* make sure the size for pcpu_alloc() is reasonable */ 313 goto free_htab; 314 315 htab->elem_size = sizeof(struct htab_elem) + 316 round_up(htab->map.key_size, 8); 317 if (percpu) 318 htab->elem_size += sizeof(void *); 319 else 320 htab->elem_size += round_up(htab->map.value_size, 8); 321 322 /* prevent zero size kmalloc and check for u32 overflow */ 323 if (htab->n_buckets == 0 || 324 htab->n_buckets > U32_MAX / sizeof(struct bucket)) 325 goto free_htab; 326 327 cost = (u64) htab->n_buckets * sizeof(struct bucket) + 328 (u64) htab->elem_size * htab->map.max_entries; 329 330 if (percpu) 331 cost += (u64) round_up(htab->map.value_size, 8) * 332 num_possible_cpus() * htab->map.max_entries; 333 else 334 cost += (u64) htab->elem_size * num_possible_cpus(); 335 336 if (cost >= U32_MAX - PAGE_SIZE) 337 /* make sure page count doesn't overflow */ 338 goto free_htab; 339 340 htab->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT; 341 342 /* if map size is larger than memlock limit, reject it early */ 343 err = bpf_map_precharge_memlock(htab->map.pages); 344 if (err) 345 goto free_htab; 346 347 err = -ENOMEM; 348 htab->buckets = bpf_map_area_alloc(htab->n_buckets * 349 sizeof(struct bucket)); 350 if (!htab->buckets) 351 goto free_htab; 352 353 for (i = 0; i < htab->n_buckets; i++) { 354 INIT_HLIST_NULLS_HEAD(&htab->buckets[i].head, i); 355 raw_spin_lock_init(&htab->buckets[i].lock); 356 } 357 358 if (prealloc) { 359 err = prealloc_init(htab); 360 if (err) 361 goto free_buckets; 362 363 if (!percpu && !lru) { 364 /* lru itself can remove the least used element, so 365 * there is no need for an extra elem during map_update. 366 */ 367 err = alloc_extra_elems(htab); 368 if (err) 369 goto free_prealloc; 370 } 371 } 372 373 return &htab->map; 374 375 free_prealloc: 376 prealloc_destroy(htab); 377 free_buckets: 378 bpf_map_area_free(htab->buckets); 379 free_htab: 380 kfree(htab); 381 return ERR_PTR(err); 382 } 383 384 static inline u32 htab_map_hash(const void *key, u32 key_len) 385 { 386 return jhash(key, key_len, 0); 387 } 388 389 static inline struct bucket *__select_bucket(struct bpf_htab *htab, u32 hash) 390 { 391 return &htab->buckets[hash & (htab->n_buckets - 1)]; 392 } 393 394 static inline struct hlist_nulls_head *select_bucket(struct bpf_htab *htab, u32 hash) 395 { 396 return &__select_bucket(htab, hash)->head; 397 } 398 399 /* this lookup function can only be called with bucket lock taken */ 400 static struct htab_elem *lookup_elem_raw(struct hlist_nulls_head *head, u32 hash, 401 void *key, u32 key_size) 402 { 403 struct hlist_nulls_node *n; 404 struct htab_elem *l; 405 406 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 407 if (l->hash == hash && !memcmp(&l->key, key, key_size)) 408 return l; 409 410 return NULL; 411 } 412 413 /* can be called without bucket lock. it will repeat the loop in 414 * the unlikely event when elements moved from one bucket into another 415 * while link list is being walked 416 */ 417 static struct htab_elem *lookup_nulls_elem_raw(struct hlist_nulls_head *head, 418 u32 hash, void *key, 419 u32 key_size, u32 n_buckets) 420 { 421 struct hlist_nulls_node *n; 422 struct htab_elem *l; 423 424 again: 425 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 426 if (l->hash == hash && !memcmp(&l->key, key, key_size)) 427 return l; 428 429 if (unlikely(get_nulls_value(n) != (hash & (n_buckets - 1)))) 430 goto again; 431 432 return NULL; 433 } 434 435 /* Called from syscall or from eBPF program directly, so 436 * arguments have to match bpf_map_lookup_elem() exactly. 437 * The return value is adjusted by BPF instructions 438 * in htab_map_gen_lookup(). 439 */ 440 static void *__htab_map_lookup_elem(struct bpf_map *map, void *key) 441 { 442 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 443 struct hlist_nulls_head *head; 444 struct htab_elem *l; 445 u32 hash, key_size; 446 447 /* Must be called with rcu_read_lock. */ 448 WARN_ON_ONCE(!rcu_read_lock_held()); 449 450 key_size = map->key_size; 451 452 hash = htab_map_hash(key, key_size); 453 454 head = select_bucket(htab, hash); 455 456 l = lookup_nulls_elem_raw(head, hash, key, key_size, htab->n_buckets); 457 458 return l; 459 } 460 461 static void *htab_map_lookup_elem(struct bpf_map *map, void *key) 462 { 463 struct htab_elem *l = __htab_map_lookup_elem(map, key); 464 465 if (l) 466 return l->key + round_up(map->key_size, 8); 467 468 return NULL; 469 } 470 471 /* inline bpf_map_lookup_elem() call. 472 * Instead of: 473 * bpf_prog 474 * bpf_map_lookup_elem 475 * map->ops->map_lookup_elem 476 * htab_map_lookup_elem 477 * __htab_map_lookup_elem 478 * do: 479 * bpf_prog 480 * __htab_map_lookup_elem 481 */ 482 static u32 htab_map_gen_lookup(struct bpf_map *map, struct bpf_insn *insn_buf) 483 { 484 struct bpf_insn *insn = insn_buf; 485 const int ret = BPF_REG_0; 486 487 *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); 488 *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 1); 489 *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, 490 offsetof(struct htab_elem, key) + 491 round_up(map->key_size, 8)); 492 return insn - insn_buf; 493 } 494 495 static void *htab_lru_map_lookup_elem(struct bpf_map *map, void *key) 496 { 497 struct htab_elem *l = __htab_map_lookup_elem(map, key); 498 499 if (l) { 500 bpf_lru_node_set_ref(&l->lru_node); 501 return l->key + round_up(map->key_size, 8); 502 } 503 504 return NULL; 505 } 506 507 /* It is called from the bpf_lru_list when the LRU needs to delete 508 * older elements from the htab. 509 */ 510 static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node) 511 { 512 struct bpf_htab *htab = (struct bpf_htab *)arg; 513 struct htab_elem *l = NULL, *tgt_l; 514 struct hlist_nulls_head *head; 515 struct hlist_nulls_node *n; 516 unsigned long flags; 517 struct bucket *b; 518 519 tgt_l = container_of(node, struct htab_elem, lru_node); 520 b = __select_bucket(htab, tgt_l->hash); 521 head = &b->head; 522 523 raw_spin_lock_irqsave(&b->lock, flags); 524 525 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 526 if (l == tgt_l) { 527 hlist_nulls_del_rcu(&l->hash_node); 528 break; 529 } 530 531 raw_spin_unlock_irqrestore(&b->lock, flags); 532 533 return l == tgt_l; 534 } 535 536 /* Called from syscall */ 537 static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) 538 { 539 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 540 struct hlist_nulls_head *head; 541 struct htab_elem *l, *next_l; 542 u32 hash, key_size; 543 int i = 0; 544 545 WARN_ON_ONCE(!rcu_read_lock_held()); 546 547 key_size = map->key_size; 548 549 if (!key) 550 goto find_first_elem; 551 552 hash = htab_map_hash(key, key_size); 553 554 head = select_bucket(htab, hash); 555 556 /* lookup the key */ 557 l = lookup_nulls_elem_raw(head, hash, key, key_size, htab->n_buckets); 558 559 if (!l) 560 goto find_first_elem; 561 562 /* key was found, get next key in the same bucket */ 563 next_l = hlist_nulls_entry_safe(rcu_dereference_raw(hlist_nulls_next_rcu(&l->hash_node)), 564 struct htab_elem, hash_node); 565 566 if (next_l) { 567 /* if next elem in this hash list is non-zero, just return it */ 568 memcpy(next_key, next_l->key, key_size); 569 return 0; 570 } 571 572 /* no more elements in this hash list, go to the next bucket */ 573 i = hash & (htab->n_buckets - 1); 574 i++; 575 576 find_first_elem: 577 /* iterate over buckets */ 578 for (; i < htab->n_buckets; i++) { 579 head = select_bucket(htab, i); 580 581 /* pick first element in the bucket */ 582 next_l = hlist_nulls_entry_safe(rcu_dereference_raw(hlist_nulls_first_rcu(head)), 583 struct htab_elem, hash_node); 584 if (next_l) { 585 /* if it's not empty, just return it */ 586 memcpy(next_key, next_l->key, key_size); 587 return 0; 588 } 589 } 590 591 /* iterated over all buckets and all elements */ 592 return -ENOENT; 593 } 594 595 static void htab_elem_free(struct bpf_htab *htab, struct htab_elem *l) 596 { 597 if (htab->map.map_type == BPF_MAP_TYPE_PERCPU_HASH) 598 free_percpu(htab_elem_get_ptr(l, htab->map.key_size)); 599 kfree(l); 600 } 601 602 static void htab_elem_free_rcu(struct rcu_head *head) 603 { 604 struct htab_elem *l = container_of(head, struct htab_elem, rcu); 605 struct bpf_htab *htab = l->htab; 606 607 /* must increment bpf_prog_active to avoid kprobe+bpf triggering while 608 * we're calling kfree, otherwise deadlock is possible if kprobes 609 * are placed somewhere inside of slub 610 */ 611 preempt_disable(); 612 __this_cpu_inc(bpf_prog_active); 613 htab_elem_free(htab, l); 614 __this_cpu_dec(bpf_prog_active); 615 preempt_enable(); 616 } 617 618 static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) 619 { 620 struct bpf_map *map = &htab->map; 621 622 if (map->ops->map_fd_put_ptr) { 623 void *ptr = fd_htab_map_get_ptr(map, l); 624 625 map->ops->map_fd_put_ptr(ptr); 626 } 627 628 if (htab_is_prealloc(htab)) { 629 pcpu_freelist_push(&htab->freelist, &l->fnode); 630 } else { 631 atomic_dec(&htab->count); 632 l->htab = htab; 633 call_rcu(&l->rcu, htab_elem_free_rcu); 634 } 635 } 636 637 static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr, 638 void *value, bool onallcpus) 639 { 640 if (!onallcpus) { 641 /* copy true value_size bytes */ 642 memcpy(this_cpu_ptr(pptr), value, htab->map.value_size); 643 } else { 644 u32 size = round_up(htab->map.value_size, 8); 645 int off = 0, cpu; 646 647 for_each_possible_cpu(cpu) { 648 bpf_long_memcpy(per_cpu_ptr(pptr, cpu), 649 value + off, size); 650 off += size; 651 } 652 } 653 } 654 655 static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key, 656 void *value, u32 key_size, u32 hash, 657 bool percpu, bool onallcpus, 658 struct htab_elem *old_elem) 659 { 660 u32 size = htab->map.value_size; 661 bool prealloc = htab_is_prealloc(htab); 662 struct htab_elem *l_new, **pl_new; 663 void __percpu *pptr; 664 665 if (prealloc) { 666 if (old_elem) { 667 /* if we're updating the existing element, 668 * use per-cpu extra elems to avoid freelist_pop/push 669 */ 670 pl_new = this_cpu_ptr(htab->extra_elems); 671 l_new = *pl_new; 672 *pl_new = old_elem; 673 } else { 674 struct pcpu_freelist_node *l; 675 676 l = pcpu_freelist_pop(&htab->freelist); 677 if (!l) 678 return ERR_PTR(-E2BIG); 679 l_new = container_of(l, struct htab_elem, fnode); 680 } 681 } else { 682 if (atomic_inc_return(&htab->count) > htab->map.max_entries) 683 if (!old_elem) { 684 /* when map is full and update() is replacing 685 * old element, it's ok to allocate, since 686 * old element will be freed immediately. 687 * Otherwise return an error 688 */ 689 atomic_dec(&htab->count); 690 return ERR_PTR(-E2BIG); 691 } 692 l_new = kmalloc(htab->elem_size, GFP_ATOMIC | __GFP_NOWARN); 693 if (!l_new) 694 return ERR_PTR(-ENOMEM); 695 } 696 697 memcpy(l_new->key, key, key_size); 698 if (percpu) { 699 /* round up value_size to 8 bytes */ 700 size = round_up(size, 8); 701 702 if (prealloc) { 703 pptr = htab_elem_get_ptr(l_new, key_size); 704 } else { 705 /* alloc_percpu zero-fills */ 706 pptr = __alloc_percpu_gfp(size, 8, 707 GFP_ATOMIC | __GFP_NOWARN); 708 if (!pptr) { 709 kfree(l_new); 710 return ERR_PTR(-ENOMEM); 711 } 712 } 713 714 pcpu_copy_value(htab, pptr, value, onallcpus); 715 716 if (!prealloc) 717 htab_elem_set_ptr(l_new, key_size, pptr); 718 } else { 719 memcpy(l_new->key + round_up(key_size, 8), value, size); 720 } 721 722 l_new->hash = hash; 723 return l_new; 724 } 725 726 static int check_flags(struct bpf_htab *htab, struct htab_elem *l_old, 727 u64 map_flags) 728 { 729 if (l_old && map_flags == BPF_NOEXIST) 730 /* elem already exists */ 731 return -EEXIST; 732 733 if (!l_old && map_flags == BPF_EXIST) 734 /* elem doesn't exist, cannot update it */ 735 return -ENOENT; 736 737 return 0; 738 } 739 740 /* Called from syscall or from eBPF program */ 741 static int htab_map_update_elem(struct bpf_map *map, void *key, void *value, 742 u64 map_flags) 743 { 744 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 745 struct htab_elem *l_new = NULL, *l_old; 746 struct hlist_nulls_head *head; 747 unsigned long flags; 748 struct bucket *b; 749 u32 key_size, hash; 750 int ret; 751 752 if (unlikely(map_flags > BPF_EXIST)) 753 /* unknown flags */ 754 return -EINVAL; 755 756 WARN_ON_ONCE(!rcu_read_lock_held()); 757 758 key_size = map->key_size; 759 760 hash = htab_map_hash(key, key_size); 761 762 b = __select_bucket(htab, hash); 763 head = &b->head; 764 765 /* bpf_map_update_elem() can be called in_irq() */ 766 raw_spin_lock_irqsave(&b->lock, flags); 767 768 l_old = lookup_elem_raw(head, hash, key, key_size); 769 770 ret = check_flags(htab, l_old, map_flags); 771 if (ret) 772 goto err; 773 774 l_new = alloc_htab_elem(htab, key, value, key_size, hash, false, false, 775 l_old); 776 if (IS_ERR(l_new)) { 777 /* all pre-allocated elements are in use or memory exhausted */ 778 ret = PTR_ERR(l_new); 779 goto err; 780 } 781 782 /* add new element to the head of the list, so that 783 * concurrent search will find it before old elem 784 */ 785 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 786 if (l_old) { 787 hlist_nulls_del_rcu(&l_old->hash_node); 788 if (!htab_is_prealloc(htab)) 789 free_htab_elem(htab, l_old); 790 } 791 ret = 0; 792 err: 793 raw_spin_unlock_irqrestore(&b->lock, flags); 794 return ret; 795 } 796 797 static int htab_lru_map_update_elem(struct bpf_map *map, void *key, void *value, 798 u64 map_flags) 799 { 800 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 801 struct htab_elem *l_new, *l_old = NULL; 802 struct hlist_nulls_head *head; 803 unsigned long flags; 804 struct bucket *b; 805 u32 key_size, hash; 806 int ret; 807 808 if (unlikely(map_flags > BPF_EXIST)) 809 /* unknown flags */ 810 return -EINVAL; 811 812 WARN_ON_ONCE(!rcu_read_lock_held()); 813 814 key_size = map->key_size; 815 816 hash = htab_map_hash(key, key_size); 817 818 b = __select_bucket(htab, hash); 819 head = &b->head; 820 821 /* For LRU, we need to alloc before taking bucket's 822 * spinlock because getting free nodes from LRU may need 823 * to remove older elements from htab and this removal 824 * operation will need a bucket lock. 825 */ 826 l_new = prealloc_lru_pop(htab, key, hash); 827 if (!l_new) 828 return -ENOMEM; 829 memcpy(l_new->key + round_up(map->key_size, 8), value, map->value_size); 830 831 /* bpf_map_update_elem() can be called in_irq() */ 832 raw_spin_lock_irqsave(&b->lock, flags); 833 834 l_old = lookup_elem_raw(head, hash, key, key_size); 835 836 ret = check_flags(htab, l_old, map_flags); 837 if (ret) 838 goto err; 839 840 /* add new element to the head of the list, so that 841 * concurrent search will find it before old elem 842 */ 843 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 844 if (l_old) { 845 bpf_lru_node_set_ref(&l_new->lru_node); 846 hlist_nulls_del_rcu(&l_old->hash_node); 847 } 848 ret = 0; 849 850 err: 851 raw_spin_unlock_irqrestore(&b->lock, flags); 852 853 if (ret) 854 bpf_lru_push_free(&htab->lru, &l_new->lru_node); 855 else if (l_old) 856 bpf_lru_push_free(&htab->lru, &l_old->lru_node); 857 858 return ret; 859 } 860 861 static int __htab_percpu_map_update_elem(struct bpf_map *map, void *key, 862 void *value, u64 map_flags, 863 bool onallcpus) 864 { 865 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 866 struct htab_elem *l_new = NULL, *l_old; 867 struct hlist_nulls_head *head; 868 unsigned long flags; 869 struct bucket *b; 870 u32 key_size, hash; 871 int ret; 872 873 if (unlikely(map_flags > BPF_EXIST)) 874 /* unknown flags */ 875 return -EINVAL; 876 877 WARN_ON_ONCE(!rcu_read_lock_held()); 878 879 key_size = map->key_size; 880 881 hash = htab_map_hash(key, key_size); 882 883 b = __select_bucket(htab, hash); 884 head = &b->head; 885 886 /* bpf_map_update_elem() can be called in_irq() */ 887 raw_spin_lock_irqsave(&b->lock, flags); 888 889 l_old = lookup_elem_raw(head, hash, key, key_size); 890 891 ret = check_flags(htab, l_old, map_flags); 892 if (ret) 893 goto err; 894 895 if (l_old) { 896 /* per-cpu hash map can update value in-place */ 897 pcpu_copy_value(htab, htab_elem_get_ptr(l_old, key_size), 898 value, onallcpus); 899 } else { 900 l_new = alloc_htab_elem(htab, key, value, key_size, 901 hash, true, onallcpus, NULL); 902 if (IS_ERR(l_new)) { 903 ret = PTR_ERR(l_new); 904 goto err; 905 } 906 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 907 } 908 ret = 0; 909 err: 910 raw_spin_unlock_irqrestore(&b->lock, flags); 911 return ret; 912 } 913 914 static int __htab_lru_percpu_map_update_elem(struct bpf_map *map, void *key, 915 void *value, u64 map_flags, 916 bool onallcpus) 917 { 918 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 919 struct htab_elem *l_new = NULL, *l_old; 920 struct hlist_nulls_head *head; 921 unsigned long flags; 922 struct bucket *b; 923 u32 key_size, hash; 924 int ret; 925 926 if (unlikely(map_flags > BPF_EXIST)) 927 /* unknown flags */ 928 return -EINVAL; 929 930 WARN_ON_ONCE(!rcu_read_lock_held()); 931 932 key_size = map->key_size; 933 934 hash = htab_map_hash(key, key_size); 935 936 b = __select_bucket(htab, hash); 937 head = &b->head; 938 939 /* For LRU, we need to alloc before taking bucket's 940 * spinlock because LRU's elem alloc may need 941 * to remove older elem from htab and this removal 942 * operation will need a bucket lock. 943 */ 944 if (map_flags != BPF_EXIST) { 945 l_new = prealloc_lru_pop(htab, key, hash); 946 if (!l_new) 947 return -ENOMEM; 948 } 949 950 /* bpf_map_update_elem() can be called in_irq() */ 951 raw_spin_lock_irqsave(&b->lock, flags); 952 953 l_old = lookup_elem_raw(head, hash, key, key_size); 954 955 ret = check_flags(htab, l_old, map_flags); 956 if (ret) 957 goto err; 958 959 if (l_old) { 960 bpf_lru_node_set_ref(&l_old->lru_node); 961 962 /* per-cpu hash map can update value in-place */ 963 pcpu_copy_value(htab, htab_elem_get_ptr(l_old, key_size), 964 value, onallcpus); 965 } else { 966 pcpu_copy_value(htab, htab_elem_get_ptr(l_new, key_size), 967 value, onallcpus); 968 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 969 l_new = NULL; 970 } 971 ret = 0; 972 err: 973 raw_spin_unlock_irqrestore(&b->lock, flags); 974 if (l_new) 975 bpf_lru_push_free(&htab->lru, &l_new->lru_node); 976 return ret; 977 } 978 979 static int htab_percpu_map_update_elem(struct bpf_map *map, void *key, 980 void *value, u64 map_flags) 981 { 982 return __htab_percpu_map_update_elem(map, key, value, map_flags, false); 983 } 984 985 static int htab_lru_percpu_map_update_elem(struct bpf_map *map, void *key, 986 void *value, u64 map_flags) 987 { 988 return __htab_lru_percpu_map_update_elem(map, key, value, map_flags, 989 false); 990 } 991 992 /* Called from syscall or from eBPF program */ 993 static int htab_map_delete_elem(struct bpf_map *map, void *key) 994 { 995 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 996 struct hlist_nulls_head *head; 997 struct bucket *b; 998 struct htab_elem *l; 999 unsigned long flags; 1000 u32 hash, key_size; 1001 int ret = -ENOENT; 1002 1003 WARN_ON_ONCE(!rcu_read_lock_held()); 1004 1005 key_size = map->key_size; 1006 1007 hash = htab_map_hash(key, key_size); 1008 b = __select_bucket(htab, hash); 1009 head = &b->head; 1010 1011 raw_spin_lock_irqsave(&b->lock, flags); 1012 1013 l = lookup_elem_raw(head, hash, key, key_size); 1014 1015 if (l) { 1016 hlist_nulls_del_rcu(&l->hash_node); 1017 free_htab_elem(htab, l); 1018 ret = 0; 1019 } 1020 1021 raw_spin_unlock_irqrestore(&b->lock, flags); 1022 return ret; 1023 } 1024 1025 static int htab_lru_map_delete_elem(struct bpf_map *map, void *key) 1026 { 1027 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1028 struct hlist_nulls_head *head; 1029 struct bucket *b; 1030 struct htab_elem *l; 1031 unsigned long flags; 1032 u32 hash, key_size; 1033 int ret = -ENOENT; 1034 1035 WARN_ON_ONCE(!rcu_read_lock_held()); 1036 1037 key_size = map->key_size; 1038 1039 hash = htab_map_hash(key, key_size); 1040 b = __select_bucket(htab, hash); 1041 head = &b->head; 1042 1043 raw_spin_lock_irqsave(&b->lock, flags); 1044 1045 l = lookup_elem_raw(head, hash, key, key_size); 1046 1047 if (l) { 1048 hlist_nulls_del_rcu(&l->hash_node); 1049 ret = 0; 1050 } 1051 1052 raw_spin_unlock_irqrestore(&b->lock, flags); 1053 if (l) 1054 bpf_lru_push_free(&htab->lru, &l->lru_node); 1055 return ret; 1056 } 1057 1058 static void delete_all_elements(struct bpf_htab *htab) 1059 { 1060 int i; 1061 1062 for (i = 0; i < htab->n_buckets; i++) { 1063 struct hlist_nulls_head *head = select_bucket(htab, i); 1064 struct hlist_nulls_node *n; 1065 struct htab_elem *l; 1066 1067 hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { 1068 hlist_nulls_del_rcu(&l->hash_node); 1069 htab_elem_free(htab, l); 1070 } 1071 } 1072 } 1073 1074 /* Called when map->refcnt goes to zero, either from workqueue or from syscall */ 1075 static void htab_map_free(struct bpf_map *map) 1076 { 1077 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1078 1079 /* at this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0, 1080 * so the programs (can be more than one that used this map) were 1081 * disconnected from events. Wait for outstanding critical sections in 1082 * these programs to complete 1083 */ 1084 synchronize_rcu(); 1085 1086 /* some of free_htab_elem() callbacks for elements of this map may 1087 * not have executed. Wait for them. 1088 */ 1089 rcu_barrier(); 1090 if (!htab_is_prealloc(htab)) 1091 delete_all_elements(htab); 1092 else 1093 prealloc_destroy(htab); 1094 1095 free_percpu(htab->extra_elems); 1096 bpf_map_area_free(htab->buckets); 1097 kfree(htab); 1098 } 1099 1100 const struct bpf_map_ops htab_map_ops = { 1101 .map_alloc = htab_map_alloc, 1102 .map_free = htab_map_free, 1103 .map_get_next_key = htab_map_get_next_key, 1104 .map_lookup_elem = htab_map_lookup_elem, 1105 .map_update_elem = htab_map_update_elem, 1106 .map_delete_elem = htab_map_delete_elem, 1107 .map_gen_lookup = htab_map_gen_lookup, 1108 }; 1109 1110 const struct bpf_map_ops htab_lru_map_ops = { 1111 .map_alloc = htab_map_alloc, 1112 .map_free = htab_map_free, 1113 .map_get_next_key = htab_map_get_next_key, 1114 .map_lookup_elem = htab_lru_map_lookup_elem, 1115 .map_update_elem = htab_lru_map_update_elem, 1116 .map_delete_elem = htab_lru_map_delete_elem, 1117 }; 1118 1119 /* Called from eBPF program */ 1120 static void *htab_percpu_map_lookup_elem(struct bpf_map *map, void *key) 1121 { 1122 struct htab_elem *l = __htab_map_lookup_elem(map, key); 1123 1124 if (l) 1125 return this_cpu_ptr(htab_elem_get_ptr(l, map->key_size)); 1126 else 1127 return NULL; 1128 } 1129 1130 static void *htab_lru_percpu_map_lookup_elem(struct bpf_map *map, void *key) 1131 { 1132 struct htab_elem *l = __htab_map_lookup_elem(map, key); 1133 1134 if (l) { 1135 bpf_lru_node_set_ref(&l->lru_node); 1136 return this_cpu_ptr(htab_elem_get_ptr(l, map->key_size)); 1137 } 1138 1139 return NULL; 1140 } 1141 1142 int bpf_percpu_hash_copy(struct bpf_map *map, void *key, void *value) 1143 { 1144 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1145 struct htab_elem *l; 1146 void __percpu *pptr; 1147 int ret = -ENOENT; 1148 int cpu, off = 0; 1149 u32 size; 1150 1151 /* per_cpu areas are zero-filled and bpf programs can only 1152 * access 'value_size' of them, so copying rounded areas 1153 * will not leak any kernel data 1154 */ 1155 size = round_up(map->value_size, 8); 1156 rcu_read_lock(); 1157 l = __htab_map_lookup_elem(map, key); 1158 if (!l) 1159 goto out; 1160 if (htab_is_lru(htab)) 1161 bpf_lru_node_set_ref(&l->lru_node); 1162 pptr = htab_elem_get_ptr(l, map->key_size); 1163 for_each_possible_cpu(cpu) { 1164 bpf_long_memcpy(value + off, 1165 per_cpu_ptr(pptr, cpu), size); 1166 off += size; 1167 } 1168 ret = 0; 1169 out: 1170 rcu_read_unlock(); 1171 return ret; 1172 } 1173 1174 int bpf_percpu_hash_update(struct bpf_map *map, void *key, void *value, 1175 u64 map_flags) 1176 { 1177 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1178 int ret; 1179 1180 rcu_read_lock(); 1181 if (htab_is_lru(htab)) 1182 ret = __htab_lru_percpu_map_update_elem(map, key, value, 1183 map_flags, true); 1184 else 1185 ret = __htab_percpu_map_update_elem(map, key, value, map_flags, 1186 true); 1187 rcu_read_unlock(); 1188 1189 return ret; 1190 } 1191 1192 const struct bpf_map_ops htab_percpu_map_ops = { 1193 .map_alloc = htab_map_alloc, 1194 .map_free = htab_map_free, 1195 .map_get_next_key = htab_map_get_next_key, 1196 .map_lookup_elem = htab_percpu_map_lookup_elem, 1197 .map_update_elem = htab_percpu_map_update_elem, 1198 .map_delete_elem = htab_map_delete_elem, 1199 }; 1200 1201 const struct bpf_map_ops htab_lru_percpu_map_ops = { 1202 .map_alloc = htab_map_alloc, 1203 .map_free = htab_map_free, 1204 .map_get_next_key = htab_map_get_next_key, 1205 .map_lookup_elem = htab_lru_percpu_map_lookup_elem, 1206 .map_update_elem = htab_lru_percpu_map_update_elem, 1207 .map_delete_elem = htab_lru_map_delete_elem, 1208 }; 1209 1210 static struct bpf_map *fd_htab_map_alloc(union bpf_attr *attr) 1211 { 1212 struct bpf_map *map; 1213 1214 if (attr->value_size != sizeof(u32)) 1215 return ERR_PTR(-EINVAL); 1216 1217 /* pointer is stored internally */ 1218 attr->value_size = sizeof(void *); 1219 map = htab_map_alloc(attr); 1220 attr->value_size = sizeof(u32); 1221 1222 return map; 1223 } 1224 1225 static void fd_htab_map_free(struct bpf_map *map) 1226 { 1227 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1228 struct hlist_nulls_node *n; 1229 struct hlist_nulls_head *head; 1230 struct htab_elem *l; 1231 int i; 1232 1233 for (i = 0; i < htab->n_buckets; i++) { 1234 head = select_bucket(htab, i); 1235 1236 hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { 1237 void *ptr = fd_htab_map_get_ptr(map, l); 1238 1239 map->ops->map_fd_put_ptr(ptr); 1240 } 1241 } 1242 1243 htab_map_free(map); 1244 } 1245 1246 /* only called from syscall */ 1247 int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file, 1248 void *key, void *value, u64 map_flags) 1249 { 1250 void *ptr; 1251 int ret; 1252 u32 ufd = *(u32 *)value; 1253 1254 ptr = map->ops->map_fd_get_ptr(map, map_file, ufd); 1255 if (IS_ERR(ptr)) 1256 return PTR_ERR(ptr); 1257 1258 ret = htab_map_update_elem(map, key, &ptr, map_flags); 1259 if (ret) 1260 map->ops->map_fd_put_ptr(ptr); 1261 1262 return ret; 1263 } 1264 1265 static struct bpf_map *htab_of_map_alloc(union bpf_attr *attr) 1266 { 1267 struct bpf_map *map, *inner_map_meta; 1268 1269 inner_map_meta = bpf_map_meta_alloc(attr->inner_map_fd); 1270 if (IS_ERR(inner_map_meta)) 1271 return inner_map_meta; 1272 1273 map = fd_htab_map_alloc(attr); 1274 if (IS_ERR(map)) { 1275 bpf_map_meta_free(inner_map_meta); 1276 return map; 1277 } 1278 1279 map->inner_map_meta = inner_map_meta; 1280 1281 return map; 1282 } 1283 1284 static void *htab_of_map_lookup_elem(struct bpf_map *map, void *key) 1285 { 1286 struct bpf_map **inner_map = htab_map_lookup_elem(map, key); 1287 1288 if (!inner_map) 1289 return NULL; 1290 1291 return READ_ONCE(*inner_map); 1292 } 1293 1294 static void htab_of_map_free(struct bpf_map *map) 1295 { 1296 bpf_map_meta_free(map->inner_map_meta); 1297 fd_htab_map_free(map); 1298 } 1299 1300 const struct bpf_map_ops htab_of_maps_map_ops = { 1301 .map_alloc = htab_of_map_alloc, 1302 .map_free = htab_of_map_free, 1303 .map_get_next_key = htab_map_get_next_key, 1304 .map_lookup_elem = htab_of_map_lookup_elem, 1305 .map_delete_elem = htab_map_delete_elem, 1306 .map_fd_get_ptr = bpf_map_fd_get_ptr, 1307 .map_fd_put_ptr = bpf_map_fd_put_ptr, 1308 }; 1309