1 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com 2 * Copyright (c) 2016 Facebook 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of version 2 of the GNU General Public 6 * License as published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it will be useful, but 9 * WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 * General Public License for more details. 12 */ 13 #include <linux/bpf.h> 14 #include <linux/jhash.h> 15 #include <linux/filter.h> 16 #include <linux/rculist_nulls.h> 17 #include "percpu_freelist.h" 18 #include "bpf_lru_list.h" 19 #include "map_in_map.h" 20 21 #define HTAB_CREATE_FLAG_MASK \ 22 (BPF_F_NO_PREALLOC | BPF_F_NO_COMMON_LRU | BPF_F_NUMA_NODE | \ 23 BPF_F_RDONLY | BPF_F_WRONLY) 24 25 struct bucket { 26 struct hlist_nulls_head head; 27 raw_spinlock_t lock; 28 }; 29 30 struct bpf_htab { 31 struct bpf_map map; 32 struct bucket *buckets; 33 void *elems; 34 union { 35 struct pcpu_freelist freelist; 36 struct bpf_lru lru; 37 }; 38 struct htab_elem *__percpu *extra_elems; 39 atomic_t count; /* number of elements in this hashtable */ 40 u32 n_buckets; /* number of hash buckets */ 41 u32 elem_size; /* size of each element in bytes */ 42 }; 43 44 /* each htab element is struct htab_elem + key + value */ 45 struct htab_elem { 46 union { 47 struct hlist_nulls_node hash_node; 48 struct { 49 void *padding; 50 union { 51 struct bpf_htab *htab; 52 struct pcpu_freelist_node fnode; 53 }; 54 }; 55 }; 56 union { 57 struct rcu_head rcu; 58 struct bpf_lru_node lru_node; 59 }; 60 u32 hash; 61 char key[0] __aligned(8); 62 }; 63 64 static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node); 65 66 static bool htab_is_lru(const struct bpf_htab *htab) 67 { 68 return htab->map.map_type == BPF_MAP_TYPE_LRU_HASH || 69 htab->map.map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH; 70 } 71 72 static bool htab_is_percpu(const struct bpf_htab *htab) 73 { 74 return htab->map.map_type == BPF_MAP_TYPE_PERCPU_HASH || 75 htab->map.map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH; 76 } 77 78 static bool htab_is_prealloc(const struct bpf_htab *htab) 79 { 80 return !(htab->map.map_flags & BPF_F_NO_PREALLOC); 81 } 82 83 static inline void htab_elem_set_ptr(struct htab_elem *l, u32 key_size, 84 void __percpu *pptr) 85 { 86 *(void __percpu **)(l->key + key_size) = pptr; 87 } 88 89 static inline void __percpu *htab_elem_get_ptr(struct htab_elem *l, u32 key_size) 90 { 91 return *(void __percpu **)(l->key + key_size); 92 } 93 94 static void *fd_htab_map_get_ptr(const struct bpf_map *map, struct htab_elem *l) 95 { 96 return *(void **)(l->key + roundup(map->key_size, 8)); 97 } 98 99 static struct htab_elem *get_htab_elem(struct bpf_htab *htab, int i) 100 { 101 return (struct htab_elem *) (htab->elems + i * htab->elem_size); 102 } 103 104 static void htab_free_elems(struct bpf_htab *htab) 105 { 106 int i; 107 108 if (!htab_is_percpu(htab)) 109 goto free_elems; 110 111 for (i = 0; i < htab->map.max_entries; i++) { 112 void __percpu *pptr; 113 114 pptr = htab_elem_get_ptr(get_htab_elem(htab, i), 115 htab->map.key_size); 116 free_percpu(pptr); 117 cond_resched(); 118 } 119 free_elems: 120 bpf_map_area_free(htab->elems); 121 } 122 123 static struct htab_elem *prealloc_lru_pop(struct bpf_htab *htab, void *key, 124 u32 hash) 125 { 126 struct bpf_lru_node *node = bpf_lru_pop_free(&htab->lru, hash); 127 struct htab_elem *l; 128 129 if (node) { 130 l = container_of(node, struct htab_elem, lru_node); 131 memcpy(l->key, key, htab->map.key_size); 132 return l; 133 } 134 135 return NULL; 136 } 137 138 static int prealloc_init(struct bpf_htab *htab) 139 { 140 u32 num_entries = htab->map.max_entries; 141 int err = -ENOMEM, i; 142 143 if (!htab_is_percpu(htab) && !htab_is_lru(htab)) 144 num_entries += num_possible_cpus(); 145 146 htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries, 147 htab->map.numa_node); 148 if (!htab->elems) 149 return -ENOMEM; 150 151 if (!htab_is_percpu(htab)) 152 goto skip_percpu_elems; 153 154 for (i = 0; i < num_entries; i++) { 155 u32 size = round_up(htab->map.value_size, 8); 156 void __percpu *pptr; 157 158 pptr = __alloc_percpu_gfp(size, 8, GFP_USER | __GFP_NOWARN); 159 if (!pptr) 160 goto free_elems; 161 htab_elem_set_ptr(get_htab_elem(htab, i), htab->map.key_size, 162 pptr); 163 cond_resched(); 164 } 165 166 skip_percpu_elems: 167 if (htab_is_lru(htab)) 168 err = bpf_lru_init(&htab->lru, 169 htab->map.map_flags & BPF_F_NO_COMMON_LRU, 170 offsetof(struct htab_elem, hash) - 171 offsetof(struct htab_elem, lru_node), 172 htab_lru_map_delete_node, 173 htab); 174 else 175 err = pcpu_freelist_init(&htab->freelist); 176 177 if (err) 178 goto free_elems; 179 180 if (htab_is_lru(htab)) 181 bpf_lru_populate(&htab->lru, htab->elems, 182 offsetof(struct htab_elem, lru_node), 183 htab->elem_size, num_entries); 184 else 185 pcpu_freelist_populate(&htab->freelist, 186 htab->elems + offsetof(struct htab_elem, fnode), 187 htab->elem_size, num_entries); 188 189 return 0; 190 191 free_elems: 192 htab_free_elems(htab); 193 return err; 194 } 195 196 static void prealloc_destroy(struct bpf_htab *htab) 197 { 198 htab_free_elems(htab); 199 200 if (htab_is_lru(htab)) 201 bpf_lru_destroy(&htab->lru); 202 else 203 pcpu_freelist_destroy(&htab->freelist); 204 } 205 206 static int alloc_extra_elems(struct bpf_htab *htab) 207 { 208 struct htab_elem *__percpu *pptr, *l_new; 209 struct pcpu_freelist_node *l; 210 int cpu; 211 212 pptr = __alloc_percpu_gfp(sizeof(struct htab_elem *), 8, 213 GFP_USER | __GFP_NOWARN); 214 if (!pptr) 215 return -ENOMEM; 216 217 for_each_possible_cpu(cpu) { 218 l = pcpu_freelist_pop(&htab->freelist); 219 /* pop will succeed, since prealloc_init() 220 * preallocated extra num_possible_cpus elements 221 */ 222 l_new = container_of(l, struct htab_elem, fnode); 223 *per_cpu_ptr(pptr, cpu) = l_new; 224 } 225 htab->extra_elems = pptr; 226 return 0; 227 } 228 229 /* Called from syscall */ 230 static struct bpf_map *htab_map_alloc(union bpf_attr *attr) 231 { 232 bool percpu = (attr->map_type == BPF_MAP_TYPE_PERCPU_HASH || 233 attr->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH); 234 bool lru = (attr->map_type == BPF_MAP_TYPE_LRU_HASH || 235 attr->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH); 236 /* percpu_lru means each cpu has its own LRU list. 237 * it is different from BPF_MAP_TYPE_PERCPU_HASH where 238 * the map's value itself is percpu. percpu_lru has 239 * nothing to do with the map's value. 240 */ 241 bool percpu_lru = (attr->map_flags & BPF_F_NO_COMMON_LRU); 242 bool prealloc = !(attr->map_flags & BPF_F_NO_PREALLOC); 243 int numa_node = bpf_map_attr_numa_node(attr); 244 struct bpf_htab *htab; 245 int err, i; 246 u64 cost; 247 248 BUILD_BUG_ON(offsetof(struct htab_elem, htab) != 249 offsetof(struct htab_elem, hash_node.pprev)); 250 BUILD_BUG_ON(offsetof(struct htab_elem, fnode.next) != 251 offsetof(struct htab_elem, hash_node.pprev)); 252 253 if (lru && !capable(CAP_SYS_ADMIN)) 254 /* LRU implementation is much complicated than other 255 * maps. Hence, limit to CAP_SYS_ADMIN for now. 256 */ 257 return ERR_PTR(-EPERM); 258 259 if (attr->map_flags & ~HTAB_CREATE_FLAG_MASK) 260 /* reserved bits should not be used */ 261 return ERR_PTR(-EINVAL); 262 263 if (!lru && percpu_lru) 264 return ERR_PTR(-EINVAL); 265 266 if (lru && !prealloc) 267 return ERR_PTR(-ENOTSUPP); 268 269 if (numa_node != NUMA_NO_NODE && (percpu || percpu_lru)) 270 return ERR_PTR(-EINVAL); 271 272 htab = kzalloc(sizeof(*htab), GFP_USER); 273 if (!htab) 274 return ERR_PTR(-ENOMEM); 275 276 /* mandatory map attributes */ 277 htab->map.map_type = attr->map_type; 278 htab->map.key_size = attr->key_size; 279 htab->map.value_size = attr->value_size; 280 htab->map.max_entries = attr->max_entries; 281 htab->map.map_flags = attr->map_flags; 282 htab->map.numa_node = numa_node; 283 284 /* check sanity of attributes. 285 * value_size == 0 may be allowed in the future to use map as a set 286 */ 287 err = -EINVAL; 288 if (htab->map.max_entries == 0 || htab->map.key_size == 0 || 289 htab->map.value_size == 0) 290 goto free_htab; 291 292 if (percpu_lru) { 293 /* ensure each CPU's lru list has >=1 elements. 294 * since we are at it, make each lru list has the same 295 * number of elements. 296 */ 297 htab->map.max_entries = roundup(attr->max_entries, 298 num_possible_cpus()); 299 if (htab->map.max_entries < attr->max_entries) 300 htab->map.max_entries = rounddown(attr->max_entries, 301 num_possible_cpus()); 302 } 303 304 /* hash table size must be power of 2 */ 305 htab->n_buckets = roundup_pow_of_two(htab->map.max_entries); 306 307 err = -E2BIG; 308 if (htab->map.key_size > MAX_BPF_STACK) 309 /* eBPF programs initialize keys on stack, so they cannot be 310 * larger than max stack size 311 */ 312 goto free_htab; 313 314 if (htab->map.value_size >= KMALLOC_MAX_SIZE - 315 MAX_BPF_STACK - sizeof(struct htab_elem)) 316 /* if value_size is bigger, the user space won't be able to 317 * access the elements via bpf syscall. This check also makes 318 * sure that the elem_size doesn't overflow and it's 319 * kmalloc-able later in htab_map_update_elem() 320 */ 321 goto free_htab; 322 323 htab->elem_size = sizeof(struct htab_elem) + 324 round_up(htab->map.key_size, 8); 325 if (percpu) 326 htab->elem_size += sizeof(void *); 327 else 328 htab->elem_size += round_up(htab->map.value_size, 8); 329 330 /* prevent zero size kmalloc and check for u32 overflow */ 331 if (htab->n_buckets == 0 || 332 htab->n_buckets > U32_MAX / sizeof(struct bucket)) 333 goto free_htab; 334 335 cost = (u64) htab->n_buckets * sizeof(struct bucket) + 336 (u64) htab->elem_size * htab->map.max_entries; 337 338 if (percpu) 339 cost += (u64) round_up(htab->map.value_size, 8) * 340 num_possible_cpus() * htab->map.max_entries; 341 else 342 cost += (u64) htab->elem_size * num_possible_cpus(); 343 344 if (cost >= U32_MAX - PAGE_SIZE) 345 /* make sure page count doesn't overflow */ 346 goto free_htab; 347 348 htab->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT; 349 350 /* if map size is larger than memlock limit, reject it early */ 351 err = bpf_map_precharge_memlock(htab->map.pages); 352 if (err) 353 goto free_htab; 354 355 err = -ENOMEM; 356 htab->buckets = bpf_map_area_alloc(htab->n_buckets * 357 sizeof(struct bucket), 358 htab->map.numa_node); 359 if (!htab->buckets) 360 goto free_htab; 361 362 for (i = 0; i < htab->n_buckets; i++) { 363 INIT_HLIST_NULLS_HEAD(&htab->buckets[i].head, i); 364 raw_spin_lock_init(&htab->buckets[i].lock); 365 } 366 367 if (prealloc) { 368 err = prealloc_init(htab); 369 if (err) 370 goto free_buckets; 371 372 if (!percpu && !lru) { 373 /* lru itself can remove the least used element, so 374 * there is no need for an extra elem during map_update. 375 */ 376 err = alloc_extra_elems(htab); 377 if (err) 378 goto free_prealloc; 379 } 380 } 381 382 return &htab->map; 383 384 free_prealloc: 385 prealloc_destroy(htab); 386 free_buckets: 387 bpf_map_area_free(htab->buckets); 388 free_htab: 389 kfree(htab); 390 return ERR_PTR(err); 391 } 392 393 static inline u32 htab_map_hash(const void *key, u32 key_len) 394 { 395 return jhash(key, key_len, 0); 396 } 397 398 static inline struct bucket *__select_bucket(struct bpf_htab *htab, u32 hash) 399 { 400 return &htab->buckets[hash & (htab->n_buckets - 1)]; 401 } 402 403 static inline struct hlist_nulls_head *select_bucket(struct bpf_htab *htab, u32 hash) 404 { 405 return &__select_bucket(htab, hash)->head; 406 } 407 408 /* this lookup function can only be called with bucket lock taken */ 409 static struct htab_elem *lookup_elem_raw(struct hlist_nulls_head *head, u32 hash, 410 void *key, u32 key_size) 411 { 412 struct hlist_nulls_node *n; 413 struct htab_elem *l; 414 415 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 416 if (l->hash == hash && !memcmp(&l->key, key, key_size)) 417 return l; 418 419 return NULL; 420 } 421 422 /* can be called without bucket lock. it will repeat the loop in 423 * the unlikely event when elements moved from one bucket into another 424 * while link list is being walked 425 */ 426 static struct htab_elem *lookup_nulls_elem_raw(struct hlist_nulls_head *head, 427 u32 hash, void *key, 428 u32 key_size, u32 n_buckets) 429 { 430 struct hlist_nulls_node *n; 431 struct htab_elem *l; 432 433 again: 434 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 435 if (l->hash == hash && !memcmp(&l->key, key, key_size)) 436 return l; 437 438 if (unlikely(get_nulls_value(n) != (hash & (n_buckets - 1)))) 439 goto again; 440 441 return NULL; 442 } 443 444 /* Called from syscall or from eBPF program directly, so 445 * arguments have to match bpf_map_lookup_elem() exactly. 446 * The return value is adjusted by BPF instructions 447 * in htab_map_gen_lookup(). 448 */ 449 static void *__htab_map_lookup_elem(struct bpf_map *map, void *key) 450 { 451 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 452 struct hlist_nulls_head *head; 453 struct htab_elem *l; 454 u32 hash, key_size; 455 456 /* Must be called with rcu_read_lock. */ 457 WARN_ON_ONCE(!rcu_read_lock_held()); 458 459 key_size = map->key_size; 460 461 hash = htab_map_hash(key, key_size); 462 463 head = select_bucket(htab, hash); 464 465 l = lookup_nulls_elem_raw(head, hash, key, key_size, htab->n_buckets); 466 467 return l; 468 } 469 470 static void *htab_map_lookup_elem(struct bpf_map *map, void *key) 471 { 472 struct htab_elem *l = __htab_map_lookup_elem(map, key); 473 474 if (l) 475 return l->key + round_up(map->key_size, 8); 476 477 return NULL; 478 } 479 480 /* inline bpf_map_lookup_elem() call. 481 * Instead of: 482 * bpf_prog 483 * bpf_map_lookup_elem 484 * map->ops->map_lookup_elem 485 * htab_map_lookup_elem 486 * __htab_map_lookup_elem 487 * do: 488 * bpf_prog 489 * __htab_map_lookup_elem 490 */ 491 static u32 htab_map_gen_lookup(struct bpf_map *map, struct bpf_insn *insn_buf) 492 { 493 struct bpf_insn *insn = insn_buf; 494 const int ret = BPF_REG_0; 495 496 *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); 497 *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 1); 498 *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, 499 offsetof(struct htab_elem, key) + 500 round_up(map->key_size, 8)); 501 return insn - insn_buf; 502 } 503 504 static void *htab_lru_map_lookup_elem(struct bpf_map *map, void *key) 505 { 506 struct htab_elem *l = __htab_map_lookup_elem(map, key); 507 508 if (l) { 509 bpf_lru_node_set_ref(&l->lru_node); 510 return l->key + round_up(map->key_size, 8); 511 } 512 513 return NULL; 514 } 515 516 static u32 htab_lru_map_gen_lookup(struct bpf_map *map, 517 struct bpf_insn *insn_buf) 518 { 519 struct bpf_insn *insn = insn_buf; 520 const int ret = BPF_REG_0; 521 const int ref_reg = BPF_REG_1; 522 523 *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); 524 *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 4); 525 *insn++ = BPF_LDX_MEM(BPF_B, ref_reg, ret, 526 offsetof(struct htab_elem, lru_node) + 527 offsetof(struct bpf_lru_node, ref)); 528 *insn++ = BPF_JMP_IMM(BPF_JNE, ref_reg, 0, 1); 529 *insn++ = BPF_ST_MEM(BPF_B, ret, 530 offsetof(struct htab_elem, lru_node) + 531 offsetof(struct bpf_lru_node, ref), 532 1); 533 *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, 534 offsetof(struct htab_elem, key) + 535 round_up(map->key_size, 8)); 536 return insn - insn_buf; 537 } 538 539 /* It is called from the bpf_lru_list when the LRU needs to delete 540 * older elements from the htab. 541 */ 542 static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node) 543 { 544 struct bpf_htab *htab = (struct bpf_htab *)arg; 545 struct htab_elem *l = NULL, *tgt_l; 546 struct hlist_nulls_head *head; 547 struct hlist_nulls_node *n; 548 unsigned long flags; 549 struct bucket *b; 550 551 tgt_l = container_of(node, struct htab_elem, lru_node); 552 b = __select_bucket(htab, tgt_l->hash); 553 head = &b->head; 554 555 raw_spin_lock_irqsave(&b->lock, flags); 556 557 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 558 if (l == tgt_l) { 559 hlist_nulls_del_rcu(&l->hash_node); 560 break; 561 } 562 563 raw_spin_unlock_irqrestore(&b->lock, flags); 564 565 return l == tgt_l; 566 } 567 568 /* Called from syscall */ 569 static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) 570 { 571 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 572 struct hlist_nulls_head *head; 573 struct htab_elem *l, *next_l; 574 u32 hash, key_size; 575 int i = 0; 576 577 WARN_ON_ONCE(!rcu_read_lock_held()); 578 579 key_size = map->key_size; 580 581 if (!key) 582 goto find_first_elem; 583 584 hash = htab_map_hash(key, key_size); 585 586 head = select_bucket(htab, hash); 587 588 /* lookup the key */ 589 l = lookup_nulls_elem_raw(head, hash, key, key_size, htab->n_buckets); 590 591 if (!l) 592 goto find_first_elem; 593 594 /* key was found, get next key in the same bucket */ 595 next_l = hlist_nulls_entry_safe(rcu_dereference_raw(hlist_nulls_next_rcu(&l->hash_node)), 596 struct htab_elem, hash_node); 597 598 if (next_l) { 599 /* if next elem in this hash list is non-zero, just return it */ 600 memcpy(next_key, next_l->key, key_size); 601 return 0; 602 } 603 604 /* no more elements in this hash list, go to the next bucket */ 605 i = hash & (htab->n_buckets - 1); 606 i++; 607 608 find_first_elem: 609 /* iterate over buckets */ 610 for (; i < htab->n_buckets; i++) { 611 head = select_bucket(htab, i); 612 613 /* pick first element in the bucket */ 614 next_l = hlist_nulls_entry_safe(rcu_dereference_raw(hlist_nulls_first_rcu(head)), 615 struct htab_elem, hash_node); 616 if (next_l) { 617 /* if it's not empty, just return it */ 618 memcpy(next_key, next_l->key, key_size); 619 return 0; 620 } 621 } 622 623 /* iterated over all buckets and all elements */ 624 return -ENOENT; 625 } 626 627 static void htab_elem_free(struct bpf_htab *htab, struct htab_elem *l) 628 { 629 if (htab->map.map_type == BPF_MAP_TYPE_PERCPU_HASH) 630 free_percpu(htab_elem_get_ptr(l, htab->map.key_size)); 631 kfree(l); 632 } 633 634 static void htab_elem_free_rcu(struct rcu_head *head) 635 { 636 struct htab_elem *l = container_of(head, struct htab_elem, rcu); 637 struct bpf_htab *htab = l->htab; 638 639 /* must increment bpf_prog_active to avoid kprobe+bpf triggering while 640 * we're calling kfree, otherwise deadlock is possible if kprobes 641 * are placed somewhere inside of slub 642 */ 643 preempt_disable(); 644 __this_cpu_inc(bpf_prog_active); 645 htab_elem_free(htab, l); 646 __this_cpu_dec(bpf_prog_active); 647 preempt_enable(); 648 } 649 650 static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) 651 { 652 struct bpf_map *map = &htab->map; 653 654 if (map->ops->map_fd_put_ptr) { 655 void *ptr = fd_htab_map_get_ptr(map, l); 656 657 map->ops->map_fd_put_ptr(ptr); 658 } 659 660 if (htab_is_prealloc(htab)) { 661 pcpu_freelist_push(&htab->freelist, &l->fnode); 662 } else { 663 atomic_dec(&htab->count); 664 l->htab = htab; 665 call_rcu(&l->rcu, htab_elem_free_rcu); 666 } 667 } 668 669 static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr, 670 void *value, bool onallcpus) 671 { 672 if (!onallcpus) { 673 /* copy true value_size bytes */ 674 memcpy(this_cpu_ptr(pptr), value, htab->map.value_size); 675 } else { 676 u32 size = round_up(htab->map.value_size, 8); 677 int off = 0, cpu; 678 679 for_each_possible_cpu(cpu) { 680 bpf_long_memcpy(per_cpu_ptr(pptr, cpu), 681 value + off, size); 682 off += size; 683 } 684 } 685 } 686 687 static bool fd_htab_map_needs_adjust(const struct bpf_htab *htab) 688 { 689 return htab->map.map_type == BPF_MAP_TYPE_HASH_OF_MAPS && 690 BITS_PER_LONG == 64; 691 } 692 693 static u32 htab_size_value(const struct bpf_htab *htab, bool percpu) 694 { 695 u32 size = htab->map.value_size; 696 697 if (percpu || fd_htab_map_needs_adjust(htab)) 698 size = round_up(size, 8); 699 return size; 700 } 701 702 static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key, 703 void *value, u32 key_size, u32 hash, 704 bool percpu, bool onallcpus, 705 struct htab_elem *old_elem) 706 { 707 u32 size = htab_size_value(htab, percpu); 708 bool prealloc = htab_is_prealloc(htab); 709 struct htab_elem *l_new, **pl_new; 710 void __percpu *pptr; 711 712 if (prealloc) { 713 if (old_elem) { 714 /* if we're updating the existing element, 715 * use per-cpu extra elems to avoid freelist_pop/push 716 */ 717 pl_new = this_cpu_ptr(htab->extra_elems); 718 l_new = *pl_new; 719 *pl_new = old_elem; 720 } else { 721 struct pcpu_freelist_node *l; 722 723 l = pcpu_freelist_pop(&htab->freelist); 724 if (!l) 725 return ERR_PTR(-E2BIG); 726 l_new = container_of(l, struct htab_elem, fnode); 727 } 728 } else { 729 if (atomic_inc_return(&htab->count) > htab->map.max_entries) 730 if (!old_elem) { 731 /* when map is full and update() is replacing 732 * old element, it's ok to allocate, since 733 * old element will be freed immediately. 734 * Otherwise return an error 735 */ 736 atomic_dec(&htab->count); 737 return ERR_PTR(-E2BIG); 738 } 739 l_new = kmalloc_node(htab->elem_size, GFP_ATOMIC | __GFP_NOWARN, 740 htab->map.numa_node); 741 if (!l_new) 742 return ERR_PTR(-ENOMEM); 743 } 744 745 memcpy(l_new->key, key, key_size); 746 if (percpu) { 747 if (prealloc) { 748 pptr = htab_elem_get_ptr(l_new, key_size); 749 } else { 750 /* alloc_percpu zero-fills */ 751 pptr = __alloc_percpu_gfp(size, 8, 752 GFP_ATOMIC | __GFP_NOWARN); 753 if (!pptr) { 754 kfree(l_new); 755 return ERR_PTR(-ENOMEM); 756 } 757 } 758 759 pcpu_copy_value(htab, pptr, value, onallcpus); 760 761 if (!prealloc) 762 htab_elem_set_ptr(l_new, key_size, pptr); 763 } else { 764 memcpy(l_new->key + round_up(key_size, 8), value, size); 765 } 766 767 l_new->hash = hash; 768 return l_new; 769 } 770 771 static int check_flags(struct bpf_htab *htab, struct htab_elem *l_old, 772 u64 map_flags) 773 { 774 if (l_old && map_flags == BPF_NOEXIST) 775 /* elem already exists */ 776 return -EEXIST; 777 778 if (!l_old && map_flags == BPF_EXIST) 779 /* elem doesn't exist, cannot update it */ 780 return -ENOENT; 781 782 return 0; 783 } 784 785 /* Called from syscall or from eBPF program */ 786 static int htab_map_update_elem(struct bpf_map *map, void *key, void *value, 787 u64 map_flags) 788 { 789 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 790 struct htab_elem *l_new = NULL, *l_old; 791 struct hlist_nulls_head *head; 792 unsigned long flags; 793 struct bucket *b; 794 u32 key_size, hash; 795 int ret; 796 797 if (unlikely(map_flags > BPF_EXIST)) 798 /* unknown flags */ 799 return -EINVAL; 800 801 WARN_ON_ONCE(!rcu_read_lock_held()); 802 803 key_size = map->key_size; 804 805 hash = htab_map_hash(key, key_size); 806 807 b = __select_bucket(htab, hash); 808 head = &b->head; 809 810 /* bpf_map_update_elem() can be called in_irq() */ 811 raw_spin_lock_irqsave(&b->lock, flags); 812 813 l_old = lookup_elem_raw(head, hash, key, key_size); 814 815 ret = check_flags(htab, l_old, map_flags); 816 if (ret) 817 goto err; 818 819 l_new = alloc_htab_elem(htab, key, value, key_size, hash, false, false, 820 l_old); 821 if (IS_ERR(l_new)) { 822 /* all pre-allocated elements are in use or memory exhausted */ 823 ret = PTR_ERR(l_new); 824 goto err; 825 } 826 827 /* add new element to the head of the list, so that 828 * concurrent search will find it before old elem 829 */ 830 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 831 if (l_old) { 832 hlist_nulls_del_rcu(&l_old->hash_node); 833 if (!htab_is_prealloc(htab)) 834 free_htab_elem(htab, l_old); 835 } 836 ret = 0; 837 err: 838 raw_spin_unlock_irqrestore(&b->lock, flags); 839 return ret; 840 } 841 842 static int htab_lru_map_update_elem(struct bpf_map *map, void *key, void *value, 843 u64 map_flags) 844 { 845 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 846 struct htab_elem *l_new, *l_old = NULL; 847 struct hlist_nulls_head *head; 848 unsigned long flags; 849 struct bucket *b; 850 u32 key_size, hash; 851 int ret; 852 853 if (unlikely(map_flags > BPF_EXIST)) 854 /* unknown flags */ 855 return -EINVAL; 856 857 WARN_ON_ONCE(!rcu_read_lock_held()); 858 859 key_size = map->key_size; 860 861 hash = htab_map_hash(key, key_size); 862 863 b = __select_bucket(htab, hash); 864 head = &b->head; 865 866 /* For LRU, we need to alloc before taking bucket's 867 * spinlock because getting free nodes from LRU may need 868 * to remove older elements from htab and this removal 869 * operation will need a bucket lock. 870 */ 871 l_new = prealloc_lru_pop(htab, key, hash); 872 if (!l_new) 873 return -ENOMEM; 874 memcpy(l_new->key + round_up(map->key_size, 8), value, map->value_size); 875 876 /* bpf_map_update_elem() can be called in_irq() */ 877 raw_spin_lock_irqsave(&b->lock, flags); 878 879 l_old = lookup_elem_raw(head, hash, key, key_size); 880 881 ret = check_flags(htab, l_old, map_flags); 882 if (ret) 883 goto err; 884 885 /* add new element to the head of the list, so that 886 * concurrent search will find it before old elem 887 */ 888 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 889 if (l_old) { 890 bpf_lru_node_set_ref(&l_new->lru_node); 891 hlist_nulls_del_rcu(&l_old->hash_node); 892 } 893 ret = 0; 894 895 err: 896 raw_spin_unlock_irqrestore(&b->lock, flags); 897 898 if (ret) 899 bpf_lru_push_free(&htab->lru, &l_new->lru_node); 900 else if (l_old) 901 bpf_lru_push_free(&htab->lru, &l_old->lru_node); 902 903 return ret; 904 } 905 906 static int __htab_percpu_map_update_elem(struct bpf_map *map, void *key, 907 void *value, u64 map_flags, 908 bool onallcpus) 909 { 910 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 911 struct htab_elem *l_new = NULL, *l_old; 912 struct hlist_nulls_head *head; 913 unsigned long flags; 914 struct bucket *b; 915 u32 key_size, hash; 916 int ret; 917 918 if (unlikely(map_flags > BPF_EXIST)) 919 /* unknown flags */ 920 return -EINVAL; 921 922 WARN_ON_ONCE(!rcu_read_lock_held()); 923 924 key_size = map->key_size; 925 926 hash = htab_map_hash(key, key_size); 927 928 b = __select_bucket(htab, hash); 929 head = &b->head; 930 931 /* bpf_map_update_elem() can be called in_irq() */ 932 raw_spin_lock_irqsave(&b->lock, flags); 933 934 l_old = lookup_elem_raw(head, hash, key, key_size); 935 936 ret = check_flags(htab, l_old, map_flags); 937 if (ret) 938 goto err; 939 940 if (l_old) { 941 /* per-cpu hash map can update value in-place */ 942 pcpu_copy_value(htab, htab_elem_get_ptr(l_old, key_size), 943 value, onallcpus); 944 } else { 945 l_new = alloc_htab_elem(htab, key, value, key_size, 946 hash, true, onallcpus, NULL); 947 if (IS_ERR(l_new)) { 948 ret = PTR_ERR(l_new); 949 goto err; 950 } 951 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 952 } 953 ret = 0; 954 err: 955 raw_spin_unlock_irqrestore(&b->lock, flags); 956 return ret; 957 } 958 959 static int __htab_lru_percpu_map_update_elem(struct bpf_map *map, void *key, 960 void *value, u64 map_flags, 961 bool onallcpus) 962 { 963 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 964 struct htab_elem *l_new = NULL, *l_old; 965 struct hlist_nulls_head *head; 966 unsigned long flags; 967 struct bucket *b; 968 u32 key_size, hash; 969 int ret; 970 971 if (unlikely(map_flags > BPF_EXIST)) 972 /* unknown flags */ 973 return -EINVAL; 974 975 WARN_ON_ONCE(!rcu_read_lock_held()); 976 977 key_size = map->key_size; 978 979 hash = htab_map_hash(key, key_size); 980 981 b = __select_bucket(htab, hash); 982 head = &b->head; 983 984 /* For LRU, we need to alloc before taking bucket's 985 * spinlock because LRU's elem alloc may need 986 * to remove older elem from htab and this removal 987 * operation will need a bucket lock. 988 */ 989 if (map_flags != BPF_EXIST) { 990 l_new = prealloc_lru_pop(htab, key, hash); 991 if (!l_new) 992 return -ENOMEM; 993 } 994 995 /* bpf_map_update_elem() can be called in_irq() */ 996 raw_spin_lock_irqsave(&b->lock, flags); 997 998 l_old = lookup_elem_raw(head, hash, key, key_size); 999 1000 ret = check_flags(htab, l_old, map_flags); 1001 if (ret) 1002 goto err; 1003 1004 if (l_old) { 1005 bpf_lru_node_set_ref(&l_old->lru_node); 1006 1007 /* per-cpu hash map can update value in-place */ 1008 pcpu_copy_value(htab, htab_elem_get_ptr(l_old, key_size), 1009 value, onallcpus); 1010 } else { 1011 pcpu_copy_value(htab, htab_elem_get_ptr(l_new, key_size), 1012 value, onallcpus); 1013 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 1014 l_new = NULL; 1015 } 1016 ret = 0; 1017 err: 1018 raw_spin_unlock_irqrestore(&b->lock, flags); 1019 if (l_new) 1020 bpf_lru_push_free(&htab->lru, &l_new->lru_node); 1021 return ret; 1022 } 1023 1024 static int htab_percpu_map_update_elem(struct bpf_map *map, void *key, 1025 void *value, u64 map_flags) 1026 { 1027 return __htab_percpu_map_update_elem(map, key, value, map_flags, false); 1028 } 1029 1030 static int htab_lru_percpu_map_update_elem(struct bpf_map *map, void *key, 1031 void *value, u64 map_flags) 1032 { 1033 return __htab_lru_percpu_map_update_elem(map, key, value, map_flags, 1034 false); 1035 } 1036 1037 /* Called from syscall or from eBPF program */ 1038 static int htab_map_delete_elem(struct bpf_map *map, void *key) 1039 { 1040 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1041 struct hlist_nulls_head *head; 1042 struct bucket *b; 1043 struct htab_elem *l; 1044 unsigned long flags; 1045 u32 hash, key_size; 1046 int ret = -ENOENT; 1047 1048 WARN_ON_ONCE(!rcu_read_lock_held()); 1049 1050 key_size = map->key_size; 1051 1052 hash = htab_map_hash(key, key_size); 1053 b = __select_bucket(htab, hash); 1054 head = &b->head; 1055 1056 raw_spin_lock_irqsave(&b->lock, flags); 1057 1058 l = lookup_elem_raw(head, hash, key, key_size); 1059 1060 if (l) { 1061 hlist_nulls_del_rcu(&l->hash_node); 1062 free_htab_elem(htab, l); 1063 ret = 0; 1064 } 1065 1066 raw_spin_unlock_irqrestore(&b->lock, flags); 1067 return ret; 1068 } 1069 1070 static int htab_lru_map_delete_elem(struct bpf_map *map, void *key) 1071 { 1072 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1073 struct hlist_nulls_head *head; 1074 struct bucket *b; 1075 struct htab_elem *l; 1076 unsigned long flags; 1077 u32 hash, key_size; 1078 int ret = -ENOENT; 1079 1080 WARN_ON_ONCE(!rcu_read_lock_held()); 1081 1082 key_size = map->key_size; 1083 1084 hash = htab_map_hash(key, key_size); 1085 b = __select_bucket(htab, hash); 1086 head = &b->head; 1087 1088 raw_spin_lock_irqsave(&b->lock, flags); 1089 1090 l = lookup_elem_raw(head, hash, key, key_size); 1091 1092 if (l) { 1093 hlist_nulls_del_rcu(&l->hash_node); 1094 ret = 0; 1095 } 1096 1097 raw_spin_unlock_irqrestore(&b->lock, flags); 1098 if (l) 1099 bpf_lru_push_free(&htab->lru, &l->lru_node); 1100 return ret; 1101 } 1102 1103 static void delete_all_elements(struct bpf_htab *htab) 1104 { 1105 int i; 1106 1107 for (i = 0; i < htab->n_buckets; i++) { 1108 struct hlist_nulls_head *head = select_bucket(htab, i); 1109 struct hlist_nulls_node *n; 1110 struct htab_elem *l; 1111 1112 hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { 1113 hlist_nulls_del_rcu(&l->hash_node); 1114 htab_elem_free(htab, l); 1115 } 1116 } 1117 } 1118 1119 /* Called when map->refcnt goes to zero, either from workqueue or from syscall */ 1120 static void htab_map_free(struct bpf_map *map) 1121 { 1122 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1123 1124 /* at this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0, 1125 * so the programs (can be more than one that used this map) were 1126 * disconnected from events. Wait for outstanding critical sections in 1127 * these programs to complete 1128 */ 1129 synchronize_rcu(); 1130 1131 /* some of free_htab_elem() callbacks for elements of this map may 1132 * not have executed. Wait for them. 1133 */ 1134 rcu_barrier(); 1135 if (!htab_is_prealloc(htab)) 1136 delete_all_elements(htab); 1137 else 1138 prealloc_destroy(htab); 1139 1140 free_percpu(htab->extra_elems); 1141 bpf_map_area_free(htab->buckets); 1142 kfree(htab); 1143 } 1144 1145 const struct bpf_map_ops htab_map_ops = { 1146 .map_alloc = htab_map_alloc, 1147 .map_free = htab_map_free, 1148 .map_get_next_key = htab_map_get_next_key, 1149 .map_lookup_elem = htab_map_lookup_elem, 1150 .map_update_elem = htab_map_update_elem, 1151 .map_delete_elem = htab_map_delete_elem, 1152 .map_gen_lookup = htab_map_gen_lookup, 1153 }; 1154 1155 const struct bpf_map_ops htab_lru_map_ops = { 1156 .map_alloc = htab_map_alloc, 1157 .map_free = htab_map_free, 1158 .map_get_next_key = htab_map_get_next_key, 1159 .map_lookup_elem = htab_lru_map_lookup_elem, 1160 .map_update_elem = htab_lru_map_update_elem, 1161 .map_delete_elem = htab_lru_map_delete_elem, 1162 .map_gen_lookup = htab_lru_map_gen_lookup, 1163 }; 1164 1165 /* Called from eBPF program */ 1166 static void *htab_percpu_map_lookup_elem(struct bpf_map *map, void *key) 1167 { 1168 struct htab_elem *l = __htab_map_lookup_elem(map, key); 1169 1170 if (l) 1171 return this_cpu_ptr(htab_elem_get_ptr(l, map->key_size)); 1172 else 1173 return NULL; 1174 } 1175 1176 static void *htab_lru_percpu_map_lookup_elem(struct bpf_map *map, void *key) 1177 { 1178 struct htab_elem *l = __htab_map_lookup_elem(map, key); 1179 1180 if (l) { 1181 bpf_lru_node_set_ref(&l->lru_node); 1182 return this_cpu_ptr(htab_elem_get_ptr(l, map->key_size)); 1183 } 1184 1185 return NULL; 1186 } 1187 1188 int bpf_percpu_hash_copy(struct bpf_map *map, void *key, void *value) 1189 { 1190 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1191 struct htab_elem *l; 1192 void __percpu *pptr; 1193 int ret = -ENOENT; 1194 int cpu, off = 0; 1195 u32 size; 1196 1197 /* per_cpu areas are zero-filled and bpf programs can only 1198 * access 'value_size' of them, so copying rounded areas 1199 * will not leak any kernel data 1200 */ 1201 size = round_up(map->value_size, 8); 1202 rcu_read_lock(); 1203 l = __htab_map_lookup_elem(map, key); 1204 if (!l) 1205 goto out; 1206 if (htab_is_lru(htab)) 1207 bpf_lru_node_set_ref(&l->lru_node); 1208 pptr = htab_elem_get_ptr(l, map->key_size); 1209 for_each_possible_cpu(cpu) { 1210 bpf_long_memcpy(value + off, 1211 per_cpu_ptr(pptr, cpu), size); 1212 off += size; 1213 } 1214 ret = 0; 1215 out: 1216 rcu_read_unlock(); 1217 return ret; 1218 } 1219 1220 int bpf_percpu_hash_update(struct bpf_map *map, void *key, void *value, 1221 u64 map_flags) 1222 { 1223 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1224 int ret; 1225 1226 rcu_read_lock(); 1227 if (htab_is_lru(htab)) 1228 ret = __htab_lru_percpu_map_update_elem(map, key, value, 1229 map_flags, true); 1230 else 1231 ret = __htab_percpu_map_update_elem(map, key, value, map_flags, 1232 true); 1233 rcu_read_unlock(); 1234 1235 return ret; 1236 } 1237 1238 const struct bpf_map_ops htab_percpu_map_ops = { 1239 .map_alloc = htab_map_alloc, 1240 .map_free = htab_map_free, 1241 .map_get_next_key = htab_map_get_next_key, 1242 .map_lookup_elem = htab_percpu_map_lookup_elem, 1243 .map_update_elem = htab_percpu_map_update_elem, 1244 .map_delete_elem = htab_map_delete_elem, 1245 }; 1246 1247 const struct bpf_map_ops htab_lru_percpu_map_ops = { 1248 .map_alloc = htab_map_alloc, 1249 .map_free = htab_map_free, 1250 .map_get_next_key = htab_map_get_next_key, 1251 .map_lookup_elem = htab_lru_percpu_map_lookup_elem, 1252 .map_update_elem = htab_lru_percpu_map_update_elem, 1253 .map_delete_elem = htab_lru_map_delete_elem, 1254 }; 1255 1256 static struct bpf_map *fd_htab_map_alloc(union bpf_attr *attr) 1257 { 1258 if (attr->value_size != sizeof(u32)) 1259 return ERR_PTR(-EINVAL); 1260 return htab_map_alloc(attr); 1261 } 1262 1263 static void fd_htab_map_free(struct bpf_map *map) 1264 { 1265 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1266 struct hlist_nulls_node *n; 1267 struct hlist_nulls_head *head; 1268 struct htab_elem *l; 1269 int i; 1270 1271 for (i = 0; i < htab->n_buckets; i++) { 1272 head = select_bucket(htab, i); 1273 1274 hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { 1275 void *ptr = fd_htab_map_get_ptr(map, l); 1276 1277 map->ops->map_fd_put_ptr(ptr); 1278 } 1279 } 1280 1281 htab_map_free(map); 1282 } 1283 1284 /* only called from syscall */ 1285 int bpf_fd_htab_map_lookup_elem(struct bpf_map *map, void *key, u32 *value) 1286 { 1287 void **ptr; 1288 int ret = 0; 1289 1290 if (!map->ops->map_fd_sys_lookup_elem) 1291 return -ENOTSUPP; 1292 1293 rcu_read_lock(); 1294 ptr = htab_map_lookup_elem(map, key); 1295 if (ptr) 1296 *value = map->ops->map_fd_sys_lookup_elem(READ_ONCE(*ptr)); 1297 else 1298 ret = -ENOENT; 1299 rcu_read_unlock(); 1300 1301 return ret; 1302 } 1303 1304 /* only called from syscall */ 1305 int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file, 1306 void *key, void *value, u64 map_flags) 1307 { 1308 void *ptr; 1309 int ret; 1310 u32 ufd = *(u32 *)value; 1311 1312 ptr = map->ops->map_fd_get_ptr(map, map_file, ufd); 1313 if (IS_ERR(ptr)) 1314 return PTR_ERR(ptr); 1315 1316 ret = htab_map_update_elem(map, key, &ptr, map_flags); 1317 if (ret) 1318 map->ops->map_fd_put_ptr(ptr); 1319 1320 return ret; 1321 } 1322 1323 static struct bpf_map *htab_of_map_alloc(union bpf_attr *attr) 1324 { 1325 struct bpf_map *map, *inner_map_meta; 1326 1327 inner_map_meta = bpf_map_meta_alloc(attr->inner_map_fd); 1328 if (IS_ERR(inner_map_meta)) 1329 return inner_map_meta; 1330 1331 map = fd_htab_map_alloc(attr); 1332 if (IS_ERR(map)) { 1333 bpf_map_meta_free(inner_map_meta); 1334 return map; 1335 } 1336 1337 map->inner_map_meta = inner_map_meta; 1338 1339 return map; 1340 } 1341 1342 static void *htab_of_map_lookup_elem(struct bpf_map *map, void *key) 1343 { 1344 struct bpf_map **inner_map = htab_map_lookup_elem(map, key); 1345 1346 if (!inner_map) 1347 return NULL; 1348 1349 return READ_ONCE(*inner_map); 1350 } 1351 1352 static u32 htab_of_map_gen_lookup(struct bpf_map *map, 1353 struct bpf_insn *insn_buf) 1354 { 1355 struct bpf_insn *insn = insn_buf; 1356 const int ret = BPF_REG_0; 1357 1358 *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); 1359 *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 2); 1360 *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, 1361 offsetof(struct htab_elem, key) + 1362 round_up(map->key_size, 8)); 1363 *insn++ = BPF_LDX_MEM(BPF_DW, ret, ret, 0); 1364 1365 return insn - insn_buf; 1366 } 1367 1368 static void htab_of_map_free(struct bpf_map *map) 1369 { 1370 bpf_map_meta_free(map->inner_map_meta); 1371 fd_htab_map_free(map); 1372 } 1373 1374 const struct bpf_map_ops htab_of_maps_map_ops = { 1375 .map_alloc = htab_of_map_alloc, 1376 .map_free = htab_of_map_free, 1377 .map_get_next_key = htab_map_get_next_key, 1378 .map_lookup_elem = htab_of_map_lookup_elem, 1379 .map_delete_elem = htab_map_delete_elem, 1380 .map_fd_get_ptr = bpf_map_fd_get_ptr, 1381 .map_fd_put_ptr = bpf_map_fd_put_ptr, 1382 .map_fd_sys_lookup_elem = bpf_map_fd_sys_lookup_elem, 1383 .map_gen_lookup = htab_of_map_gen_lookup, 1384 }; 1385