1 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com 2 * Copyright (c) 2016 Facebook 3 * 4 * This program is free software; you can redistribute it and/or 5 * modify it under the terms of version 2 of the GNU General Public 6 * License as published by the Free Software Foundation. 7 * 8 * This program is distributed in the hope that it will be useful, but 9 * WITHOUT ANY WARRANTY; without even the implied warranty of 10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 11 * General Public License for more details. 12 */ 13 #include <linux/bpf.h> 14 #include <linux/jhash.h> 15 #include <linux/filter.h> 16 #include <linux/rculist_nulls.h> 17 #include "percpu_freelist.h" 18 #include "bpf_lru_list.h" 19 #include "map_in_map.h" 20 21 #define HTAB_CREATE_FLAG_MASK \ 22 (BPF_F_NO_PREALLOC | BPF_F_NO_COMMON_LRU | BPF_F_NUMA_NODE | \ 23 BPF_F_RDONLY | BPF_F_WRONLY) 24 25 struct bucket { 26 struct hlist_nulls_head head; 27 raw_spinlock_t lock; 28 }; 29 30 struct bpf_htab { 31 struct bpf_map map; 32 struct bucket *buckets; 33 void *elems; 34 union { 35 struct pcpu_freelist freelist; 36 struct bpf_lru lru; 37 }; 38 struct htab_elem *__percpu *extra_elems; 39 atomic_t count; /* number of elements in this hashtable */ 40 u32 n_buckets; /* number of hash buckets */ 41 u32 elem_size; /* size of each element in bytes */ 42 }; 43 44 /* each htab element is struct htab_elem + key + value */ 45 struct htab_elem { 46 union { 47 struct hlist_nulls_node hash_node; 48 struct { 49 void *padding; 50 union { 51 struct bpf_htab *htab; 52 struct pcpu_freelist_node fnode; 53 }; 54 }; 55 }; 56 union { 57 struct rcu_head rcu; 58 struct bpf_lru_node lru_node; 59 }; 60 u32 hash; 61 char key[0] __aligned(8); 62 }; 63 64 static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node); 65 66 static bool htab_is_lru(const struct bpf_htab *htab) 67 { 68 return htab->map.map_type == BPF_MAP_TYPE_LRU_HASH || 69 htab->map.map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH; 70 } 71 72 static bool htab_is_percpu(const struct bpf_htab *htab) 73 { 74 return htab->map.map_type == BPF_MAP_TYPE_PERCPU_HASH || 75 htab->map.map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH; 76 } 77 78 static bool htab_is_prealloc(const struct bpf_htab *htab) 79 { 80 return !(htab->map.map_flags & BPF_F_NO_PREALLOC); 81 } 82 83 static inline void htab_elem_set_ptr(struct htab_elem *l, u32 key_size, 84 void __percpu *pptr) 85 { 86 *(void __percpu **)(l->key + key_size) = pptr; 87 } 88 89 static inline void __percpu *htab_elem_get_ptr(struct htab_elem *l, u32 key_size) 90 { 91 return *(void __percpu **)(l->key + key_size); 92 } 93 94 static void *fd_htab_map_get_ptr(const struct bpf_map *map, struct htab_elem *l) 95 { 96 return *(void **)(l->key + roundup(map->key_size, 8)); 97 } 98 99 static struct htab_elem *get_htab_elem(struct bpf_htab *htab, int i) 100 { 101 return (struct htab_elem *) (htab->elems + i * htab->elem_size); 102 } 103 104 static void htab_free_elems(struct bpf_htab *htab) 105 { 106 int i; 107 108 if (!htab_is_percpu(htab)) 109 goto free_elems; 110 111 for (i = 0; i < htab->map.max_entries; i++) { 112 void __percpu *pptr; 113 114 pptr = htab_elem_get_ptr(get_htab_elem(htab, i), 115 htab->map.key_size); 116 free_percpu(pptr); 117 } 118 free_elems: 119 bpf_map_area_free(htab->elems); 120 } 121 122 static struct htab_elem *prealloc_lru_pop(struct bpf_htab *htab, void *key, 123 u32 hash) 124 { 125 struct bpf_lru_node *node = bpf_lru_pop_free(&htab->lru, hash); 126 struct htab_elem *l; 127 128 if (node) { 129 l = container_of(node, struct htab_elem, lru_node); 130 memcpy(l->key, key, htab->map.key_size); 131 return l; 132 } 133 134 return NULL; 135 } 136 137 static int prealloc_init(struct bpf_htab *htab) 138 { 139 u32 num_entries = htab->map.max_entries; 140 int err = -ENOMEM, i; 141 142 if (!htab_is_percpu(htab) && !htab_is_lru(htab)) 143 num_entries += num_possible_cpus(); 144 145 htab->elems = bpf_map_area_alloc(htab->elem_size * num_entries, 146 htab->map.numa_node); 147 if (!htab->elems) 148 return -ENOMEM; 149 150 if (!htab_is_percpu(htab)) 151 goto skip_percpu_elems; 152 153 for (i = 0; i < num_entries; i++) { 154 u32 size = round_up(htab->map.value_size, 8); 155 void __percpu *pptr; 156 157 pptr = __alloc_percpu_gfp(size, 8, GFP_USER | __GFP_NOWARN); 158 if (!pptr) 159 goto free_elems; 160 htab_elem_set_ptr(get_htab_elem(htab, i), htab->map.key_size, 161 pptr); 162 } 163 164 skip_percpu_elems: 165 if (htab_is_lru(htab)) 166 err = bpf_lru_init(&htab->lru, 167 htab->map.map_flags & BPF_F_NO_COMMON_LRU, 168 offsetof(struct htab_elem, hash) - 169 offsetof(struct htab_elem, lru_node), 170 htab_lru_map_delete_node, 171 htab); 172 else 173 err = pcpu_freelist_init(&htab->freelist); 174 175 if (err) 176 goto free_elems; 177 178 if (htab_is_lru(htab)) 179 bpf_lru_populate(&htab->lru, htab->elems, 180 offsetof(struct htab_elem, lru_node), 181 htab->elem_size, num_entries); 182 else 183 pcpu_freelist_populate(&htab->freelist, 184 htab->elems + offsetof(struct htab_elem, fnode), 185 htab->elem_size, num_entries); 186 187 return 0; 188 189 free_elems: 190 htab_free_elems(htab); 191 return err; 192 } 193 194 static void prealloc_destroy(struct bpf_htab *htab) 195 { 196 htab_free_elems(htab); 197 198 if (htab_is_lru(htab)) 199 bpf_lru_destroy(&htab->lru); 200 else 201 pcpu_freelist_destroy(&htab->freelist); 202 } 203 204 static int alloc_extra_elems(struct bpf_htab *htab) 205 { 206 struct htab_elem *__percpu *pptr, *l_new; 207 struct pcpu_freelist_node *l; 208 int cpu; 209 210 pptr = __alloc_percpu_gfp(sizeof(struct htab_elem *), 8, 211 GFP_USER | __GFP_NOWARN); 212 if (!pptr) 213 return -ENOMEM; 214 215 for_each_possible_cpu(cpu) { 216 l = pcpu_freelist_pop(&htab->freelist); 217 /* pop will succeed, since prealloc_init() 218 * preallocated extra num_possible_cpus elements 219 */ 220 l_new = container_of(l, struct htab_elem, fnode); 221 *per_cpu_ptr(pptr, cpu) = l_new; 222 } 223 htab->extra_elems = pptr; 224 return 0; 225 } 226 227 /* Called from syscall */ 228 static struct bpf_map *htab_map_alloc(union bpf_attr *attr) 229 { 230 bool percpu = (attr->map_type == BPF_MAP_TYPE_PERCPU_HASH || 231 attr->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH); 232 bool lru = (attr->map_type == BPF_MAP_TYPE_LRU_HASH || 233 attr->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH); 234 /* percpu_lru means each cpu has its own LRU list. 235 * it is different from BPF_MAP_TYPE_PERCPU_HASH where 236 * the map's value itself is percpu. percpu_lru has 237 * nothing to do with the map's value. 238 */ 239 bool percpu_lru = (attr->map_flags & BPF_F_NO_COMMON_LRU); 240 bool prealloc = !(attr->map_flags & BPF_F_NO_PREALLOC); 241 int numa_node = bpf_map_attr_numa_node(attr); 242 struct bpf_htab *htab; 243 int err, i; 244 u64 cost; 245 246 BUILD_BUG_ON(offsetof(struct htab_elem, htab) != 247 offsetof(struct htab_elem, hash_node.pprev)); 248 BUILD_BUG_ON(offsetof(struct htab_elem, fnode.next) != 249 offsetof(struct htab_elem, hash_node.pprev)); 250 251 if (lru && !capable(CAP_SYS_ADMIN)) 252 /* LRU implementation is much complicated than other 253 * maps. Hence, limit to CAP_SYS_ADMIN for now. 254 */ 255 return ERR_PTR(-EPERM); 256 257 if (attr->map_flags & ~HTAB_CREATE_FLAG_MASK) 258 /* reserved bits should not be used */ 259 return ERR_PTR(-EINVAL); 260 261 if (!lru && percpu_lru) 262 return ERR_PTR(-EINVAL); 263 264 if (lru && !prealloc) 265 return ERR_PTR(-ENOTSUPP); 266 267 if (numa_node != NUMA_NO_NODE && (percpu || percpu_lru)) 268 return ERR_PTR(-EINVAL); 269 270 htab = kzalloc(sizeof(*htab), GFP_USER); 271 if (!htab) 272 return ERR_PTR(-ENOMEM); 273 274 /* mandatory map attributes */ 275 htab->map.map_type = attr->map_type; 276 htab->map.key_size = attr->key_size; 277 htab->map.value_size = attr->value_size; 278 htab->map.max_entries = attr->max_entries; 279 htab->map.map_flags = attr->map_flags; 280 htab->map.numa_node = numa_node; 281 282 /* check sanity of attributes. 283 * value_size == 0 may be allowed in the future to use map as a set 284 */ 285 err = -EINVAL; 286 if (htab->map.max_entries == 0 || htab->map.key_size == 0 || 287 htab->map.value_size == 0) 288 goto free_htab; 289 290 if (percpu_lru) { 291 /* ensure each CPU's lru list has >=1 elements. 292 * since we are at it, make each lru list has the same 293 * number of elements. 294 */ 295 htab->map.max_entries = roundup(attr->max_entries, 296 num_possible_cpus()); 297 if (htab->map.max_entries < attr->max_entries) 298 htab->map.max_entries = rounddown(attr->max_entries, 299 num_possible_cpus()); 300 } 301 302 /* hash table size must be power of 2 */ 303 htab->n_buckets = roundup_pow_of_two(htab->map.max_entries); 304 305 err = -E2BIG; 306 if (htab->map.key_size > MAX_BPF_STACK) 307 /* eBPF programs initialize keys on stack, so they cannot be 308 * larger than max stack size 309 */ 310 goto free_htab; 311 312 if (htab->map.value_size >= KMALLOC_MAX_SIZE - 313 MAX_BPF_STACK - sizeof(struct htab_elem)) 314 /* if value_size is bigger, the user space won't be able to 315 * access the elements via bpf syscall. This check also makes 316 * sure that the elem_size doesn't overflow and it's 317 * kmalloc-able later in htab_map_update_elem() 318 */ 319 goto free_htab; 320 321 htab->elem_size = sizeof(struct htab_elem) + 322 round_up(htab->map.key_size, 8); 323 if (percpu) 324 htab->elem_size += sizeof(void *); 325 else 326 htab->elem_size += round_up(htab->map.value_size, 8); 327 328 /* prevent zero size kmalloc and check for u32 overflow */ 329 if (htab->n_buckets == 0 || 330 htab->n_buckets > U32_MAX / sizeof(struct bucket)) 331 goto free_htab; 332 333 cost = (u64) htab->n_buckets * sizeof(struct bucket) + 334 (u64) htab->elem_size * htab->map.max_entries; 335 336 if (percpu) 337 cost += (u64) round_up(htab->map.value_size, 8) * 338 num_possible_cpus() * htab->map.max_entries; 339 else 340 cost += (u64) htab->elem_size * num_possible_cpus(); 341 342 if (cost >= U32_MAX - PAGE_SIZE) 343 /* make sure page count doesn't overflow */ 344 goto free_htab; 345 346 htab->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT; 347 348 /* if map size is larger than memlock limit, reject it early */ 349 err = bpf_map_precharge_memlock(htab->map.pages); 350 if (err) 351 goto free_htab; 352 353 err = -ENOMEM; 354 htab->buckets = bpf_map_area_alloc(htab->n_buckets * 355 sizeof(struct bucket), 356 htab->map.numa_node); 357 if (!htab->buckets) 358 goto free_htab; 359 360 for (i = 0; i < htab->n_buckets; i++) { 361 INIT_HLIST_NULLS_HEAD(&htab->buckets[i].head, i); 362 raw_spin_lock_init(&htab->buckets[i].lock); 363 } 364 365 if (prealloc) { 366 err = prealloc_init(htab); 367 if (err) 368 goto free_buckets; 369 370 if (!percpu && !lru) { 371 /* lru itself can remove the least used element, so 372 * there is no need for an extra elem during map_update. 373 */ 374 err = alloc_extra_elems(htab); 375 if (err) 376 goto free_prealloc; 377 } 378 } 379 380 return &htab->map; 381 382 free_prealloc: 383 prealloc_destroy(htab); 384 free_buckets: 385 bpf_map_area_free(htab->buckets); 386 free_htab: 387 kfree(htab); 388 return ERR_PTR(err); 389 } 390 391 static inline u32 htab_map_hash(const void *key, u32 key_len) 392 { 393 return jhash(key, key_len, 0); 394 } 395 396 static inline struct bucket *__select_bucket(struct bpf_htab *htab, u32 hash) 397 { 398 return &htab->buckets[hash & (htab->n_buckets - 1)]; 399 } 400 401 static inline struct hlist_nulls_head *select_bucket(struct bpf_htab *htab, u32 hash) 402 { 403 return &__select_bucket(htab, hash)->head; 404 } 405 406 /* this lookup function can only be called with bucket lock taken */ 407 static struct htab_elem *lookup_elem_raw(struct hlist_nulls_head *head, u32 hash, 408 void *key, u32 key_size) 409 { 410 struct hlist_nulls_node *n; 411 struct htab_elem *l; 412 413 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 414 if (l->hash == hash && !memcmp(&l->key, key, key_size)) 415 return l; 416 417 return NULL; 418 } 419 420 /* can be called without bucket lock. it will repeat the loop in 421 * the unlikely event when elements moved from one bucket into another 422 * while link list is being walked 423 */ 424 static struct htab_elem *lookup_nulls_elem_raw(struct hlist_nulls_head *head, 425 u32 hash, void *key, 426 u32 key_size, u32 n_buckets) 427 { 428 struct hlist_nulls_node *n; 429 struct htab_elem *l; 430 431 again: 432 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 433 if (l->hash == hash && !memcmp(&l->key, key, key_size)) 434 return l; 435 436 if (unlikely(get_nulls_value(n) != (hash & (n_buckets - 1)))) 437 goto again; 438 439 return NULL; 440 } 441 442 /* Called from syscall or from eBPF program directly, so 443 * arguments have to match bpf_map_lookup_elem() exactly. 444 * The return value is adjusted by BPF instructions 445 * in htab_map_gen_lookup(). 446 */ 447 static void *__htab_map_lookup_elem(struct bpf_map *map, void *key) 448 { 449 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 450 struct hlist_nulls_head *head; 451 struct htab_elem *l; 452 u32 hash, key_size; 453 454 /* Must be called with rcu_read_lock. */ 455 WARN_ON_ONCE(!rcu_read_lock_held()); 456 457 key_size = map->key_size; 458 459 hash = htab_map_hash(key, key_size); 460 461 head = select_bucket(htab, hash); 462 463 l = lookup_nulls_elem_raw(head, hash, key, key_size, htab->n_buckets); 464 465 return l; 466 } 467 468 static void *htab_map_lookup_elem(struct bpf_map *map, void *key) 469 { 470 struct htab_elem *l = __htab_map_lookup_elem(map, key); 471 472 if (l) 473 return l->key + round_up(map->key_size, 8); 474 475 return NULL; 476 } 477 478 /* inline bpf_map_lookup_elem() call. 479 * Instead of: 480 * bpf_prog 481 * bpf_map_lookup_elem 482 * map->ops->map_lookup_elem 483 * htab_map_lookup_elem 484 * __htab_map_lookup_elem 485 * do: 486 * bpf_prog 487 * __htab_map_lookup_elem 488 */ 489 static u32 htab_map_gen_lookup(struct bpf_map *map, struct bpf_insn *insn_buf) 490 { 491 struct bpf_insn *insn = insn_buf; 492 const int ret = BPF_REG_0; 493 494 *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); 495 *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 1); 496 *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, 497 offsetof(struct htab_elem, key) + 498 round_up(map->key_size, 8)); 499 return insn - insn_buf; 500 } 501 502 static void *htab_lru_map_lookup_elem(struct bpf_map *map, void *key) 503 { 504 struct htab_elem *l = __htab_map_lookup_elem(map, key); 505 506 if (l) { 507 bpf_lru_node_set_ref(&l->lru_node); 508 return l->key + round_up(map->key_size, 8); 509 } 510 511 return NULL; 512 } 513 514 static u32 htab_lru_map_gen_lookup(struct bpf_map *map, 515 struct bpf_insn *insn_buf) 516 { 517 struct bpf_insn *insn = insn_buf; 518 const int ret = BPF_REG_0; 519 const int ref_reg = BPF_REG_1; 520 521 *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); 522 *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 4); 523 *insn++ = BPF_LDX_MEM(BPF_B, ref_reg, ret, 524 offsetof(struct htab_elem, lru_node) + 525 offsetof(struct bpf_lru_node, ref)); 526 *insn++ = BPF_JMP_IMM(BPF_JNE, ref_reg, 0, 1); 527 *insn++ = BPF_ST_MEM(BPF_B, ret, 528 offsetof(struct htab_elem, lru_node) + 529 offsetof(struct bpf_lru_node, ref), 530 1); 531 *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, 532 offsetof(struct htab_elem, key) + 533 round_up(map->key_size, 8)); 534 return insn - insn_buf; 535 } 536 537 /* It is called from the bpf_lru_list when the LRU needs to delete 538 * older elements from the htab. 539 */ 540 static bool htab_lru_map_delete_node(void *arg, struct bpf_lru_node *node) 541 { 542 struct bpf_htab *htab = (struct bpf_htab *)arg; 543 struct htab_elem *l = NULL, *tgt_l; 544 struct hlist_nulls_head *head; 545 struct hlist_nulls_node *n; 546 unsigned long flags; 547 struct bucket *b; 548 549 tgt_l = container_of(node, struct htab_elem, lru_node); 550 b = __select_bucket(htab, tgt_l->hash); 551 head = &b->head; 552 553 raw_spin_lock_irqsave(&b->lock, flags); 554 555 hlist_nulls_for_each_entry_rcu(l, n, head, hash_node) 556 if (l == tgt_l) { 557 hlist_nulls_del_rcu(&l->hash_node); 558 break; 559 } 560 561 raw_spin_unlock_irqrestore(&b->lock, flags); 562 563 return l == tgt_l; 564 } 565 566 /* Called from syscall */ 567 static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key) 568 { 569 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 570 struct hlist_nulls_head *head; 571 struct htab_elem *l, *next_l; 572 u32 hash, key_size; 573 int i = 0; 574 575 WARN_ON_ONCE(!rcu_read_lock_held()); 576 577 key_size = map->key_size; 578 579 if (!key) 580 goto find_first_elem; 581 582 hash = htab_map_hash(key, key_size); 583 584 head = select_bucket(htab, hash); 585 586 /* lookup the key */ 587 l = lookup_nulls_elem_raw(head, hash, key, key_size, htab->n_buckets); 588 589 if (!l) 590 goto find_first_elem; 591 592 /* key was found, get next key in the same bucket */ 593 next_l = hlist_nulls_entry_safe(rcu_dereference_raw(hlist_nulls_next_rcu(&l->hash_node)), 594 struct htab_elem, hash_node); 595 596 if (next_l) { 597 /* if next elem in this hash list is non-zero, just return it */ 598 memcpy(next_key, next_l->key, key_size); 599 return 0; 600 } 601 602 /* no more elements in this hash list, go to the next bucket */ 603 i = hash & (htab->n_buckets - 1); 604 i++; 605 606 find_first_elem: 607 /* iterate over buckets */ 608 for (; i < htab->n_buckets; i++) { 609 head = select_bucket(htab, i); 610 611 /* pick first element in the bucket */ 612 next_l = hlist_nulls_entry_safe(rcu_dereference_raw(hlist_nulls_first_rcu(head)), 613 struct htab_elem, hash_node); 614 if (next_l) { 615 /* if it's not empty, just return it */ 616 memcpy(next_key, next_l->key, key_size); 617 return 0; 618 } 619 } 620 621 /* iterated over all buckets and all elements */ 622 return -ENOENT; 623 } 624 625 static void htab_elem_free(struct bpf_htab *htab, struct htab_elem *l) 626 { 627 if (htab->map.map_type == BPF_MAP_TYPE_PERCPU_HASH) 628 free_percpu(htab_elem_get_ptr(l, htab->map.key_size)); 629 kfree(l); 630 } 631 632 static void htab_elem_free_rcu(struct rcu_head *head) 633 { 634 struct htab_elem *l = container_of(head, struct htab_elem, rcu); 635 struct bpf_htab *htab = l->htab; 636 637 /* must increment bpf_prog_active to avoid kprobe+bpf triggering while 638 * we're calling kfree, otherwise deadlock is possible if kprobes 639 * are placed somewhere inside of slub 640 */ 641 preempt_disable(); 642 __this_cpu_inc(bpf_prog_active); 643 htab_elem_free(htab, l); 644 __this_cpu_dec(bpf_prog_active); 645 preempt_enable(); 646 } 647 648 static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l) 649 { 650 struct bpf_map *map = &htab->map; 651 652 if (map->ops->map_fd_put_ptr) { 653 void *ptr = fd_htab_map_get_ptr(map, l); 654 655 map->ops->map_fd_put_ptr(ptr); 656 } 657 658 if (htab_is_prealloc(htab)) { 659 pcpu_freelist_push(&htab->freelist, &l->fnode); 660 } else { 661 atomic_dec(&htab->count); 662 l->htab = htab; 663 call_rcu(&l->rcu, htab_elem_free_rcu); 664 } 665 } 666 667 static void pcpu_copy_value(struct bpf_htab *htab, void __percpu *pptr, 668 void *value, bool onallcpus) 669 { 670 if (!onallcpus) { 671 /* copy true value_size bytes */ 672 memcpy(this_cpu_ptr(pptr), value, htab->map.value_size); 673 } else { 674 u32 size = round_up(htab->map.value_size, 8); 675 int off = 0, cpu; 676 677 for_each_possible_cpu(cpu) { 678 bpf_long_memcpy(per_cpu_ptr(pptr, cpu), 679 value + off, size); 680 off += size; 681 } 682 } 683 } 684 685 static bool fd_htab_map_needs_adjust(const struct bpf_htab *htab) 686 { 687 return htab->map.map_type == BPF_MAP_TYPE_HASH_OF_MAPS && 688 BITS_PER_LONG == 64; 689 } 690 691 static u32 htab_size_value(const struct bpf_htab *htab, bool percpu) 692 { 693 u32 size = htab->map.value_size; 694 695 if (percpu || fd_htab_map_needs_adjust(htab)) 696 size = round_up(size, 8); 697 return size; 698 } 699 700 static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key, 701 void *value, u32 key_size, u32 hash, 702 bool percpu, bool onallcpus, 703 struct htab_elem *old_elem) 704 { 705 u32 size = htab_size_value(htab, percpu); 706 bool prealloc = htab_is_prealloc(htab); 707 struct htab_elem *l_new, **pl_new; 708 void __percpu *pptr; 709 710 if (prealloc) { 711 if (old_elem) { 712 /* if we're updating the existing element, 713 * use per-cpu extra elems to avoid freelist_pop/push 714 */ 715 pl_new = this_cpu_ptr(htab->extra_elems); 716 l_new = *pl_new; 717 *pl_new = old_elem; 718 } else { 719 struct pcpu_freelist_node *l; 720 721 l = pcpu_freelist_pop(&htab->freelist); 722 if (!l) 723 return ERR_PTR(-E2BIG); 724 l_new = container_of(l, struct htab_elem, fnode); 725 } 726 } else { 727 if (atomic_inc_return(&htab->count) > htab->map.max_entries) 728 if (!old_elem) { 729 /* when map is full and update() is replacing 730 * old element, it's ok to allocate, since 731 * old element will be freed immediately. 732 * Otherwise return an error 733 */ 734 atomic_dec(&htab->count); 735 return ERR_PTR(-E2BIG); 736 } 737 l_new = kmalloc_node(htab->elem_size, GFP_ATOMIC | __GFP_NOWARN, 738 htab->map.numa_node); 739 if (!l_new) 740 return ERR_PTR(-ENOMEM); 741 } 742 743 memcpy(l_new->key, key, key_size); 744 if (percpu) { 745 if (prealloc) { 746 pptr = htab_elem_get_ptr(l_new, key_size); 747 } else { 748 /* alloc_percpu zero-fills */ 749 pptr = __alloc_percpu_gfp(size, 8, 750 GFP_ATOMIC | __GFP_NOWARN); 751 if (!pptr) { 752 kfree(l_new); 753 return ERR_PTR(-ENOMEM); 754 } 755 } 756 757 pcpu_copy_value(htab, pptr, value, onallcpus); 758 759 if (!prealloc) 760 htab_elem_set_ptr(l_new, key_size, pptr); 761 } else { 762 memcpy(l_new->key + round_up(key_size, 8), value, size); 763 } 764 765 l_new->hash = hash; 766 return l_new; 767 } 768 769 static int check_flags(struct bpf_htab *htab, struct htab_elem *l_old, 770 u64 map_flags) 771 { 772 if (l_old && map_flags == BPF_NOEXIST) 773 /* elem already exists */ 774 return -EEXIST; 775 776 if (!l_old && map_flags == BPF_EXIST) 777 /* elem doesn't exist, cannot update it */ 778 return -ENOENT; 779 780 return 0; 781 } 782 783 /* Called from syscall or from eBPF program */ 784 static int htab_map_update_elem(struct bpf_map *map, void *key, void *value, 785 u64 map_flags) 786 { 787 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 788 struct htab_elem *l_new = NULL, *l_old; 789 struct hlist_nulls_head *head; 790 unsigned long flags; 791 struct bucket *b; 792 u32 key_size, hash; 793 int ret; 794 795 if (unlikely(map_flags > BPF_EXIST)) 796 /* unknown flags */ 797 return -EINVAL; 798 799 WARN_ON_ONCE(!rcu_read_lock_held()); 800 801 key_size = map->key_size; 802 803 hash = htab_map_hash(key, key_size); 804 805 b = __select_bucket(htab, hash); 806 head = &b->head; 807 808 /* bpf_map_update_elem() can be called in_irq() */ 809 raw_spin_lock_irqsave(&b->lock, flags); 810 811 l_old = lookup_elem_raw(head, hash, key, key_size); 812 813 ret = check_flags(htab, l_old, map_flags); 814 if (ret) 815 goto err; 816 817 l_new = alloc_htab_elem(htab, key, value, key_size, hash, false, false, 818 l_old); 819 if (IS_ERR(l_new)) { 820 /* all pre-allocated elements are in use or memory exhausted */ 821 ret = PTR_ERR(l_new); 822 goto err; 823 } 824 825 /* add new element to the head of the list, so that 826 * concurrent search will find it before old elem 827 */ 828 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 829 if (l_old) { 830 hlist_nulls_del_rcu(&l_old->hash_node); 831 if (!htab_is_prealloc(htab)) 832 free_htab_elem(htab, l_old); 833 } 834 ret = 0; 835 err: 836 raw_spin_unlock_irqrestore(&b->lock, flags); 837 return ret; 838 } 839 840 static int htab_lru_map_update_elem(struct bpf_map *map, void *key, void *value, 841 u64 map_flags) 842 { 843 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 844 struct htab_elem *l_new, *l_old = NULL; 845 struct hlist_nulls_head *head; 846 unsigned long flags; 847 struct bucket *b; 848 u32 key_size, hash; 849 int ret; 850 851 if (unlikely(map_flags > BPF_EXIST)) 852 /* unknown flags */ 853 return -EINVAL; 854 855 WARN_ON_ONCE(!rcu_read_lock_held()); 856 857 key_size = map->key_size; 858 859 hash = htab_map_hash(key, key_size); 860 861 b = __select_bucket(htab, hash); 862 head = &b->head; 863 864 /* For LRU, we need to alloc before taking bucket's 865 * spinlock because getting free nodes from LRU may need 866 * to remove older elements from htab and this removal 867 * operation will need a bucket lock. 868 */ 869 l_new = prealloc_lru_pop(htab, key, hash); 870 if (!l_new) 871 return -ENOMEM; 872 memcpy(l_new->key + round_up(map->key_size, 8), value, map->value_size); 873 874 /* bpf_map_update_elem() can be called in_irq() */ 875 raw_spin_lock_irqsave(&b->lock, flags); 876 877 l_old = lookup_elem_raw(head, hash, key, key_size); 878 879 ret = check_flags(htab, l_old, map_flags); 880 if (ret) 881 goto err; 882 883 /* add new element to the head of the list, so that 884 * concurrent search will find it before old elem 885 */ 886 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 887 if (l_old) { 888 bpf_lru_node_set_ref(&l_new->lru_node); 889 hlist_nulls_del_rcu(&l_old->hash_node); 890 } 891 ret = 0; 892 893 err: 894 raw_spin_unlock_irqrestore(&b->lock, flags); 895 896 if (ret) 897 bpf_lru_push_free(&htab->lru, &l_new->lru_node); 898 else if (l_old) 899 bpf_lru_push_free(&htab->lru, &l_old->lru_node); 900 901 return ret; 902 } 903 904 static int __htab_percpu_map_update_elem(struct bpf_map *map, void *key, 905 void *value, u64 map_flags, 906 bool onallcpus) 907 { 908 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 909 struct htab_elem *l_new = NULL, *l_old; 910 struct hlist_nulls_head *head; 911 unsigned long flags; 912 struct bucket *b; 913 u32 key_size, hash; 914 int ret; 915 916 if (unlikely(map_flags > BPF_EXIST)) 917 /* unknown flags */ 918 return -EINVAL; 919 920 WARN_ON_ONCE(!rcu_read_lock_held()); 921 922 key_size = map->key_size; 923 924 hash = htab_map_hash(key, key_size); 925 926 b = __select_bucket(htab, hash); 927 head = &b->head; 928 929 /* bpf_map_update_elem() can be called in_irq() */ 930 raw_spin_lock_irqsave(&b->lock, flags); 931 932 l_old = lookup_elem_raw(head, hash, key, key_size); 933 934 ret = check_flags(htab, l_old, map_flags); 935 if (ret) 936 goto err; 937 938 if (l_old) { 939 /* per-cpu hash map can update value in-place */ 940 pcpu_copy_value(htab, htab_elem_get_ptr(l_old, key_size), 941 value, onallcpus); 942 } else { 943 l_new = alloc_htab_elem(htab, key, value, key_size, 944 hash, true, onallcpus, NULL); 945 if (IS_ERR(l_new)) { 946 ret = PTR_ERR(l_new); 947 goto err; 948 } 949 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 950 } 951 ret = 0; 952 err: 953 raw_spin_unlock_irqrestore(&b->lock, flags); 954 return ret; 955 } 956 957 static int __htab_lru_percpu_map_update_elem(struct bpf_map *map, void *key, 958 void *value, u64 map_flags, 959 bool onallcpus) 960 { 961 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 962 struct htab_elem *l_new = NULL, *l_old; 963 struct hlist_nulls_head *head; 964 unsigned long flags; 965 struct bucket *b; 966 u32 key_size, hash; 967 int ret; 968 969 if (unlikely(map_flags > BPF_EXIST)) 970 /* unknown flags */ 971 return -EINVAL; 972 973 WARN_ON_ONCE(!rcu_read_lock_held()); 974 975 key_size = map->key_size; 976 977 hash = htab_map_hash(key, key_size); 978 979 b = __select_bucket(htab, hash); 980 head = &b->head; 981 982 /* For LRU, we need to alloc before taking bucket's 983 * spinlock because LRU's elem alloc may need 984 * to remove older elem from htab and this removal 985 * operation will need a bucket lock. 986 */ 987 if (map_flags != BPF_EXIST) { 988 l_new = prealloc_lru_pop(htab, key, hash); 989 if (!l_new) 990 return -ENOMEM; 991 } 992 993 /* bpf_map_update_elem() can be called in_irq() */ 994 raw_spin_lock_irqsave(&b->lock, flags); 995 996 l_old = lookup_elem_raw(head, hash, key, key_size); 997 998 ret = check_flags(htab, l_old, map_flags); 999 if (ret) 1000 goto err; 1001 1002 if (l_old) { 1003 bpf_lru_node_set_ref(&l_old->lru_node); 1004 1005 /* per-cpu hash map can update value in-place */ 1006 pcpu_copy_value(htab, htab_elem_get_ptr(l_old, key_size), 1007 value, onallcpus); 1008 } else { 1009 pcpu_copy_value(htab, htab_elem_get_ptr(l_new, key_size), 1010 value, onallcpus); 1011 hlist_nulls_add_head_rcu(&l_new->hash_node, head); 1012 l_new = NULL; 1013 } 1014 ret = 0; 1015 err: 1016 raw_spin_unlock_irqrestore(&b->lock, flags); 1017 if (l_new) 1018 bpf_lru_push_free(&htab->lru, &l_new->lru_node); 1019 return ret; 1020 } 1021 1022 static int htab_percpu_map_update_elem(struct bpf_map *map, void *key, 1023 void *value, u64 map_flags) 1024 { 1025 return __htab_percpu_map_update_elem(map, key, value, map_flags, false); 1026 } 1027 1028 static int htab_lru_percpu_map_update_elem(struct bpf_map *map, void *key, 1029 void *value, u64 map_flags) 1030 { 1031 return __htab_lru_percpu_map_update_elem(map, key, value, map_flags, 1032 false); 1033 } 1034 1035 /* Called from syscall or from eBPF program */ 1036 static int htab_map_delete_elem(struct bpf_map *map, void *key) 1037 { 1038 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1039 struct hlist_nulls_head *head; 1040 struct bucket *b; 1041 struct htab_elem *l; 1042 unsigned long flags; 1043 u32 hash, key_size; 1044 int ret = -ENOENT; 1045 1046 WARN_ON_ONCE(!rcu_read_lock_held()); 1047 1048 key_size = map->key_size; 1049 1050 hash = htab_map_hash(key, key_size); 1051 b = __select_bucket(htab, hash); 1052 head = &b->head; 1053 1054 raw_spin_lock_irqsave(&b->lock, flags); 1055 1056 l = lookup_elem_raw(head, hash, key, key_size); 1057 1058 if (l) { 1059 hlist_nulls_del_rcu(&l->hash_node); 1060 free_htab_elem(htab, l); 1061 ret = 0; 1062 } 1063 1064 raw_spin_unlock_irqrestore(&b->lock, flags); 1065 return ret; 1066 } 1067 1068 static int htab_lru_map_delete_elem(struct bpf_map *map, void *key) 1069 { 1070 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1071 struct hlist_nulls_head *head; 1072 struct bucket *b; 1073 struct htab_elem *l; 1074 unsigned long flags; 1075 u32 hash, key_size; 1076 int ret = -ENOENT; 1077 1078 WARN_ON_ONCE(!rcu_read_lock_held()); 1079 1080 key_size = map->key_size; 1081 1082 hash = htab_map_hash(key, key_size); 1083 b = __select_bucket(htab, hash); 1084 head = &b->head; 1085 1086 raw_spin_lock_irqsave(&b->lock, flags); 1087 1088 l = lookup_elem_raw(head, hash, key, key_size); 1089 1090 if (l) { 1091 hlist_nulls_del_rcu(&l->hash_node); 1092 ret = 0; 1093 } 1094 1095 raw_spin_unlock_irqrestore(&b->lock, flags); 1096 if (l) 1097 bpf_lru_push_free(&htab->lru, &l->lru_node); 1098 return ret; 1099 } 1100 1101 static void delete_all_elements(struct bpf_htab *htab) 1102 { 1103 int i; 1104 1105 for (i = 0; i < htab->n_buckets; i++) { 1106 struct hlist_nulls_head *head = select_bucket(htab, i); 1107 struct hlist_nulls_node *n; 1108 struct htab_elem *l; 1109 1110 hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { 1111 hlist_nulls_del_rcu(&l->hash_node); 1112 htab_elem_free(htab, l); 1113 } 1114 } 1115 } 1116 1117 /* Called when map->refcnt goes to zero, either from workqueue or from syscall */ 1118 static void htab_map_free(struct bpf_map *map) 1119 { 1120 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1121 1122 /* at this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0, 1123 * so the programs (can be more than one that used this map) were 1124 * disconnected from events. Wait for outstanding critical sections in 1125 * these programs to complete 1126 */ 1127 synchronize_rcu(); 1128 1129 /* some of free_htab_elem() callbacks for elements of this map may 1130 * not have executed. Wait for them. 1131 */ 1132 rcu_barrier(); 1133 if (!htab_is_prealloc(htab)) 1134 delete_all_elements(htab); 1135 else 1136 prealloc_destroy(htab); 1137 1138 free_percpu(htab->extra_elems); 1139 bpf_map_area_free(htab->buckets); 1140 kfree(htab); 1141 } 1142 1143 const struct bpf_map_ops htab_map_ops = { 1144 .map_alloc = htab_map_alloc, 1145 .map_free = htab_map_free, 1146 .map_get_next_key = htab_map_get_next_key, 1147 .map_lookup_elem = htab_map_lookup_elem, 1148 .map_update_elem = htab_map_update_elem, 1149 .map_delete_elem = htab_map_delete_elem, 1150 .map_gen_lookup = htab_map_gen_lookup, 1151 }; 1152 1153 const struct bpf_map_ops htab_lru_map_ops = { 1154 .map_alloc = htab_map_alloc, 1155 .map_free = htab_map_free, 1156 .map_get_next_key = htab_map_get_next_key, 1157 .map_lookup_elem = htab_lru_map_lookup_elem, 1158 .map_update_elem = htab_lru_map_update_elem, 1159 .map_delete_elem = htab_lru_map_delete_elem, 1160 .map_gen_lookup = htab_lru_map_gen_lookup, 1161 }; 1162 1163 /* Called from eBPF program */ 1164 static void *htab_percpu_map_lookup_elem(struct bpf_map *map, void *key) 1165 { 1166 struct htab_elem *l = __htab_map_lookup_elem(map, key); 1167 1168 if (l) 1169 return this_cpu_ptr(htab_elem_get_ptr(l, map->key_size)); 1170 else 1171 return NULL; 1172 } 1173 1174 static void *htab_lru_percpu_map_lookup_elem(struct bpf_map *map, void *key) 1175 { 1176 struct htab_elem *l = __htab_map_lookup_elem(map, key); 1177 1178 if (l) { 1179 bpf_lru_node_set_ref(&l->lru_node); 1180 return this_cpu_ptr(htab_elem_get_ptr(l, map->key_size)); 1181 } 1182 1183 return NULL; 1184 } 1185 1186 int bpf_percpu_hash_copy(struct bpf_map *map, void *key, void *value) 1187 { 1188 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1189 struct htab_elem *l; 1190 void __percpu *pptr; 1191 int ret = -ENOENT; 1192 int cpu, off = 0; 1193 u32 size; 1194 1195 /* per_cpu areas are zero-filled and bpf programs can only 1196 * access 'value_size' of them, so copying rounded areas 1197 * will not leak any kernel data 1198 */ 1199 size = round_up(map->value_size, 8); 1200 rcu_read_lock(); 1201 l = __htab_map_lookup_elem(map, key); 1202 if (!l) 1203 goto out; 1204 if (htab_is_lru(htab)) 1205 bpf_lru_node_set_ref(&l->lru_node); 1206 pptr = htab_elem_get_ptr(l, map->key_size); 1207 for_each_possible_cpu(cpu) { 1208 bpf_long_memcpy(value + off, 1209 per_cpu_ptr(pptr, cpu), size); 1210 off += size; 1211 } 1212 ret = 0; 1213 out: 1214 rcu_read_unlock(); 1215 return ret; 1216 } 1217 1218 int bpf_percpu_hash_update(struct bpf_map *map, void *key, void *value, 1219 u64 map_flags) 1220 { 1221 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1222 int ret; 1223 1224 rcu_read_lock(); 1225 if (htab_is_lru(htab)) 1226 ret = __htab_lru_percpu_map_update_elem(map, key, value, 1227 map_flags, true); 1228 else 1229 ret = __htab_percpu_map_update_elem(map, key, value, map_flags, 1230 true); 1231 rcu_read_unlock(); 1232 1233 return ret; 1234 } 1235 1236 const struct bpf_map_ops htab_percpu_map_ops = { 1237 .map_alloc = htab_map_alloc, 1238 .map_free = htab_map_free, 1239 .map_get_next_key = htab_map_get_next_key, 1240 .map_lookup_elem = htab_percpu_map_lookup_elem, 1241 .map_update_elem = htab_percpu_map_update_elem, 1242 .map_delete_elem = htab_map_delete_elem, 1243 }; 1244 1245 const struct bpf_map_ops htab_lru_percpu_map_ops = { 1246 .map_alloc = htab_map_alloc, 1247 .map_free = htab_map_free, 1248 .map_get_next_key = htab_map_get_next_key, 1249 .map_lookup_elem = htab_lru_percpu_map_lookup_elem, 1250 .map_update_elem = htab_lru_percpu_map_update_elem, 1251 .map_delete_elem = htab_lru_map_delete_elem, 1252 }; 1253 1254 static struct bpf_map *fd_htab_map_alloc(union bpf_attr *attr) 1255 { 1256 if (attr->value_size != sizeof(u32)) 1257 return ERR_PTR(-EINVAL); 1258 return htab_map_alloc(attr); 1259 } 1260 1261 static void fd_htab_map_free(struct bpf_map *map) 1262 { 1263 struct bpf_htab *htab = container_of(map, struct bpf_htab, map); 1264 struct hlist_nulls_node *n; 1265 struct hlist_nulls_head *head; 1266 struct htab_elem *l; 1267 int i; 1268 1269 for (i = 0; i < htab->n_buckets; i++) { 1270 head = select_bucket(htab, i); 1271 1272 hlist_nulls_for_each_entry_safe(l, n, head, hash_node) { 1273 void *ptr = fd_htab_map_get_ptr(map, l); 1274 1275 map->ops->map_fd_put_ptr(ptr); 1276 } 1277 } 1278 1279 htab_map_free(map); 1280 } 1281 1282 /* only called from syscall */ 1283 int bpf_fd_htab_map_lookup_elem(struct bpf_map *map, void *key, u32 *value) 1284 { 1285 void **ptr; 1286 int ret = 0; 1287 1288 if (!map->ops->map_fd_sys_lookup_elem) 1289 return -ENOTSUPP; 1290 1291 rcu_read_lock(); 1292 ptr = htab_map_lookup_elem(map, key); 1293 if (ptr) 1294 *value = map->ops->map_fd_sys_lookup_elem(READ_ONCE(*ptr)); 1295 else 1296 ret = -ENOENT; 1297 rcu_read_unlock(); 1298 1299 return ret; 1300 } 1301 1302 /* only called from syscall */ 1303 int bpf_fd_htab_map_update_elem(struct bpf_map *map, struct file *map_file, 1304 void *key, void *value, u64 map_flags) 1305 { 1306 void *ptr; 1307 int ret; 1308 u32 ufd = *(u32 *)value; 1309 1310 ptr = map->ops->map_fd_get_ptr(map, map_file, ufd); 1311 if (IS_ERR(ptr)) 1312 return PTR_ERR(ptr); 1313 1314 ret = htab_map_update_elem(map, key, &ptr, map_flags); 1315 if (ret) 1316 map->ops->map_fd_put_ptr(ptr); 1317 1318 return ret; 1319 } 1320 1321 static struct bpf_map *htab_of_map_alloc(union bpf_attr *attr) 1322 { 1323 struct bpf_map *map, *inner_map_meta; 1324 1325 inner_map_meta = bpf_map_meta_alloc(attr->inner_map_fd); 1326 if (IS_ERR(inner_map_meta)) 1327 return inner_map_meta; 1328 1329 map = fd_htab_map_alloc(attr); 1330 if (IS_ERR(map)) { 1331 bpf_map_meta_free(inner_map_meta); 1332 return map; 1333 } 1334 1335 map->inner_map_meta = inner_map_meta; 1336 1337 return map; 1338 } 1339 1340 static void *htab_of_map_lookup_elem(struct bpf_map *map, void *key) 1341 { 1342 struct bpf_map **inner_map = htab_map_lookup_elem(map, key); 1343 1344 if (!inner_map) 1345 return NULL; 1346 1347 return READ_ONCE(*inner_map); 1348 } 1349 1350 static u32 htab_of_map_gen_lookup(struct bpf_map *map, 1351 struct bpf_insn *insn_buf) 1352 { 1353 struct bpf_insn *insn = insn_buf; 1354 const int ret = BPF_REG_0; 1355 1356 *insn++ = BPF_EMIT_CALL((u64 (*)(u64, u64, u64, u64, u64))__htab_map_lookup_elem); 1357 *insn++ = BPF_JMP_IMM(BPF_JEQ, ret, 0, 2); 1358 *insn++ = BPF_ALU64_IMM(BPF_ADD, ret, 1359 offsetof(struct htab_elem, key) + 1360 round_up(map->key_size, 8)); 1361 *insn++ = BPF_LDX_MEM(BPF_DW, ret, ret, 0); 1362 1363 return insn - insn_buf; 1364 } 1365 1366 static void htab_of_map_free(struct bpf_map *map) 1367 { 1368 bpf_map_meta_free(map->inner_map_meta); 1369 fd_htab_map_free(map); 1370 } 1371 1372 const struct bpf_map_ops htab_of_maps_map_ops = { 1373 .map_alloc = htab_of_map_alloc, 1374 .map_free = htab_of_map_free, 1375 .map_get_next_key = htab_map_get_next_key, 1376 .map_lookup_elem = htab_of_map_lookup_elem, 1377 .map_delete_elem = htab_map_delete_elem, 1378 .map_fd_get_ptr = bpf_map_fd_get_ptr, 1379 .map_fd_put_ptr = bpf_map_fd_put_ptr, 1380 .map_fd_sys_lookup_elem = bpf_map_fd_sys_lookup_elem, 1381 .map_gen_lookup = htab_of_map_gen_lookup, 1382 }; 1383