Loading...
1/* bpf/cpumap.c
2 *
3 * Copyright (c) 2017 Jesper Dangaard Brouer, Red Hat Inc.
4 * Released under terms in GPL version 2. See COPYING.
5 */
6
7/* The 'cpumap' is primarily used as a backend map for XDP BPF helper
8 * call bpf_redirect_map() and XDP_REDIRECT action, like 'devmap'.
9 *
10 * Unlike devmap which redirects XDP frames out another NIC device,
11 * this map type redirects raw XDP frames to another CPU. The remote
12 * CPU will do SKB-allocation and call the normal network stack.
13 *
14 * This is a scalability and isolation mechanism, that allow
15 * separating the early driver network XDP layer, from the rest of the
16 * netstack, and assigning dedicated CPUs for this stage. This
17 * basically allows for 10G wirespeed pre-filtering via bpf.
18 */
19#include <linux/bpf.h>
20#include <linux/filter.h>
21#include <linux/ptr_ring.h>
22
23#include <linux/sched.h>
24#include <linux/workqueue.h>
25#include <linux/kthread.h>
26#include <linux/capability.h>
27#include <trace/events/xdp.h>
28
29#include <linux/netdevice.h> /* netif_receive_skb_core */
30#include <linux/etherdevice.h> /* eth_type_trans */
31
32/* General idea: XDP packets getting XDP redirected to another CPU,
33 * will maximum be stored/queued for one driver ->poll() call. It is
34 * guaranteed that setting flush bit and flush operation happen on
35 * same CPU. Thus, cpu_map_flush operation can deduct via this_cpu_ptr()
36 * which queue in bpf_cpu_map_entry contains packets.
37 */
38
39#define CPU_MAP_BULK_SIZE 8 /* 8 == one cacheline on 64-bit archs */
40struct xdp_bulk_queue {
41 void *q[CPU_MAP_BULK_SIZE];
42 unsigned int count;
43};
44
45/* Struct for every remote "destination" CPU in map */
46struct bpf_cpu_map_entry {
47 u32 cpu; /* kthread CPU and map index */
48 int map_id; /* Back reference to map */
49 u32 qsize; /* Queue size placeholder for map lookup */
50
51 /* XDP can run multiple RX-ring queues, need __percpu enqueue store */
52 struct xdp_bulk_queue __percpu *bulkq;
53
54 /* Queue with potential multi-producers, and single-consumer kthread */
55 struct ptr_ring *queue;
56 struct task_struct *kthread;
57 struct work_struct kthread_stop_wq;
58
59 atomic_t refcnt; /* Control when this struct can be free'ed */
60 struct rcu_head rcu;
61};
62
63struct bpf_cpu_map {
64 struct bpf_map map;
65 /* Below members specific for map type */
66 struct bpf_cpu_map_entry **cpu_map;
67 unsigned long __percpu *flush_needed;
68};
69
70static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
71 struct xdp_bulk_queue *bq);
72
73static u64 cpu_map_bitmap_size(const union bpf_attr *attr)
74{
75 return BITS_TO_LONGS(attr->max_entries) * sizeof(unsigned long);
76}
77
78static struct bpf_map *cpu_map_alloc(union bpf_attr *attr)
79{
80 struct bpf_cpu_map *cmap;
81 int err = -ENOMEM;
82 u64 cost;
83 int ret;
84
85 if (!capable(CAP_SYS_ADMIN))
86 return ERR_PTR(-EPERM);
87
88 /* check sanity of attributes */
89 if (attr->max_entries == 0 || attr->key_size != 4 ||
90 attr->value_size != 4 || attr->map_flags & ~BPF_F_NUMA_NODE)
91 return ERR_PTR(-EINVAL);
92
93 cmap = kzalloc(sizeof(*cmap), GFP_USER);
94 if (!cmap)
95 return ERR_PTR(-ENOMEM);
96
97 bpf_map_init_from_attr(&cmap->map, attr);
98
99 /* Pre-limit array size based on NR_CPUS, not final CPU check */
100 if (cmap->map.max_entries > NR_CPUS) {
101 err = -E2BIG;
102 goto free_cmap;
103 }
104
105 /* make sure page count doesn't overflow */
106 cost = (u64) cmap->map.max_entries * sizeof(struct bpf_cpu_map_entry *);
107 cost += cpu_map_bitmap_size(attr) * num_possible_cpus();
108 if (cost >= U32_MAX - PAGE_SIZE)
109 goto free_cmap;
110 cmap->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;
111
112 /* Notice returns -EPERM on if map size is larger than memlock limit */
113 ret = bpf_map_precharge_memlock(cmap->map.pages);
114 if (ret) {
115 err = ret;
116 goto free_cmap;
117 }
118
119 /* A per cpu bitfield with a bit per possible CPU in map */
120 cmap->flush_needed = __alloc_percpu(cpu_map_bitmap_size(attr),
121 __alignof__(unsigned long));
122 if (!cmap->flush_needed)
123 goto free_cmap;
124
125 /* Alloc array for possible remote "destination" CPUs */
126 cmap->cpu_map = bpf_map_area_alloc(cmap->map.max_entries *
127 sizeof(struct bpf_cpu_map_entry *),
128 cmap->map.numa_node);
129 if (!cmap->cpu_map)
130 goto free_percpu;
131
132 return &cmap->map;
133free_percpu:
134 free_percpu(cmap->flush_needed);
135free_cmap:
136 kfree(cmap);
137 return ERR_PTR(err);
138}
139
140static void __cpu_map_queue_destructor(void *ptr)
141{
142 /* The tear-down procedure should have made sure that queue is
143 * empty. See __cpu_map_entry_replace() and work-queue
144 * invoked cpu_map_kthread_stop(). Catch any broken behaviour
145 * gracefully and warn once.
146 */
147 if (WARN_ON_ONCE(ptr))
148 page_frag_free(ptr);
149}
150
151static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
152{
153 if (atomic_dec_and_test(&rcpu->refcnt)) {
154 /* The queue should be empty at this point */
155 ptr_ring_cleanup(rcpu->queue, __cpu_map_queue_destructor);
156 kfree(rcpu->queue);
157 kfree(rcpu);
158 }
159}
160
161static void get_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
162{
163 atomic_inc(&rcpu->refcnt);
164}
165
166/* called from workqueue, to workaround syscall using preempt_disable */
167static void cpu_map_kthread_stop(struct work_struct *work)
168{
169 struct bpf_cpu_map_entry *rcpu;
170
171 rcpu = container_of(work, struct bpf_cpu_map_entry, kthread_stop_wq);
172
173 /* Wait for flush in __cpu_map_entry_free(), via full RCU barrier,
174 * as it waits until all in-flight call_rcu() callbacks complete.
175 */
176 rcu_barrier();
177
178 /* kthread_stop will wake_up_process and wait for it to complete */
179 kthread_stop(rcpu->kthread);
180}
181
182/* For now, xdp_pkt is a cpumap internal data structure, with info
183 * carried between enqueue to dequeue. It is mapped into the top
184 * headroom of the packet, to avoid allocating separate mem.
185 */
186struct xdp_pkt {
187 void *data;
188 u16 len;
189 u16 headroom;
190 u16 metasize;
191 struct net_device *dev_rx;
192};
193
194/* Convert xdp_buff to xdp_pkt */
195static struct xdp_pkt *convert_to_xdp_pkt(struct xdp_buff *xdp)
196{
197 struct xdp_pkt *xdp_pkt;
198 int metasize;
199 int headroom;
200
201 /* Assure headroom is available for storing info */
202 headroom = xdp->data - xdp->data_hard_start;
203 metasize = xdp->data - xdp->data_meta;
204 metasize = metasize > 0 ? metasize : 0;
205 if (unlikely((headroom - metasize) < sizeof(*xdp_pkt)))
206 return NULL;
207
208 /* Store info in top of packet */
209 xdp_pkt = xdp->data_hard_start;
210
211 xdp_pkt->data = xdp->data;
212 xdp_pkt->len = xdp->data_end - xdp->data;
213 xdp_pkt->headroom = headroom - sizeof(*xdp_pkt);
214 xdp_pkt->metasize = metasize;
215
216 return xdp_pkt;
217}
218
219static struct sk_buff *cpu_map_build_skb(struct bpf_cpu_map_entry *rcpu,
220 struct xdp_pkt *xdp_pkt)
221{
222 unsigned int frame_size;
223 void *pkt_data_start;
224 struct sk_buff *skb;
225
226 /* build_skb need to place skb_shared_info after SKB end, and
227 * also want to know the memory "truesize". Thus, need to
228 * know the memory frame size backing xdp_buff.
229 *
230 * XDP was designed to have PAGE_SIZE frames, but this
231 * assumption is not longer true with ixgbe and i40e. It
232 * would be preferred to set frame_size to 2048 or 4096
233 * depending on the driver.
234 * frame_size = 2048;
235 * frame_len = frame_size - sizeof(*xdp_pkt);
236 *
237 * Instead, with info avail, skb_shared_info in placed after
238 * packet len. This, unfortunately fakes the truesize.
239 * Another disadvantage of this approach, the skb_shared_info
240 * is not at a fixed memory location, with mixed length
241 * packets, which is bad for cache-line hotness.
242 */
243 frame_size = SKB_DATA_ALIGN(xdp_pkt->len) + xdp_pkt->headroom +
244 SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
245
246 pkt_data_start = xdp_pkt->data - xdp_pkt->headroom;
247 skb = build_skb(pkt_data_start, frame_size);
248 if (!skb)
249 return NULL;
250
251 skb_reserve(skb, xdp_pkt->headroom);
252 __skb_put(skb, xdp_pkt->len);
253 if (xdp_pkt->metasize)
254 skb_metadata_set(skb, xdp_pkt->metasize);
255
256 /* Essential SKB info: protocol and skb->dev */
257 skb->protocol = eth_type_trans(skb, xdp_pkt->dev_rx);
258
259 /* Optional SKB info, currently missing:
260 * - HW checksum info (skb->ip_summed)
261 * - HW RX hash (skb_set_hash)
262 * - RX ring dev queue index (skb_record_rx_queue)
263 */
264
265 return skb;
266}
267
268static int cpu_map_kthread_run(void *data)
269{
270 struct bpf_cpu_map_entry *rcpu = data;
271
272 set_current_state(TASK_INTERRUPTIBLE);
273
274 /* When kthread gives stop order, then rcpu have been disconnected
275 * from map, thus no new packets can enter. Remaining in-flight
276 * per CPU stored packets are flushed to this queue. Wait honoring
277 * kthread_stop signal until queue is empty.
278 */
279 while (!kthread_should_stop() || !__ptr_ring_empty(rcpu->queue)) {
280 unsigned int processed = 0, drops = 0, sched = 0;
281 struct xdp_pkt *xdp_pkt;
282
283 /* Release CPU reschedule checks */
284 if (__ptr_ring_empty(rcpu->queue)) {
285 set_current_state(TASK_INTERRUPTIBLE);
286 /* Recheck to avoid lost wake-up */
287 if (__ptr_ring_empty(rcpu->queue)) {
288 schedule();
289 sched = 1;
290 } else {
291 __set_current_state(TASK_RUNNING);
292 }
293 } else {
294 sched = cond_resched();
295 }
296
297 /* Process packets in rcpu->queue */
298 local_bh_disable();
299 /*
300 * The bpf_cpu_map_entry is single consumer, with this
301 * kthread CPU pinned. Lockless access to ptr_ring
302 * consume side valid as no-resize allowed of queue.
303 */
304 while ((xdp_pkt = __ptr_ring_consume(rcpu->queue))) {
305 struct sk_buff *skb;
306 int ret;
307
308 skb = cpu_map_build_skb(rcpu, xdp_pkt);
309 if (!skb) {
310 page_frag_free(xdp_pkt);
311 continue;
312 }
313
314 /* Inject into network stack */
315 ret = netif_receive_skb_core(skb);
316 if (ret == NET_RX_DROP)
317 drops++;
318
319 /* Limit BH-disable period */
320 if (++processed == 8)
321 break;
322 }
323 /* Feedback loop via tracepoint */
324 trace_xdp_cpumap_kthread(rcpu->map_id, processed, drops, sched);
325
326 local_bh_enable(); /* resched point, may call do_softirq() */
327 }
328 __set_current_state(TASK_RUNNING);
329
330 put_cpu_map_entry(rcpu);
331 return 0;
332}
333
334static struct bpf_cpu_map_entry *__cpu_map_entry_alloc(u32 qsize, u32 cpu,
335 int map_id)
336{
337 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
338 struct bpf_cpu_map_entry *rcpu;
339 int numa, err;
340
341 /* Have map->numa_node, but choose node of redirect target CPU */
342 numa = cpu_to_node(cpu);
343
344 rcpu = kzalloc_node(sizeof(*rcpu), gfp, numa);
345 if (!rcpu)
346 return NULL;
347
348 /* Alloc percpu bulkq */
349 rcpu->bulkq = __alloc_percpu_gfp(sizeof(*rcpu->bulkq),
350 sizeof(void *), gfp);
351 if (!rcpu->bulkq)
352 goto free_rcu;
353
354 /* Alloc queue */
355 rcpu->queue = kzalloc_node(sizeof(*rcpu->queue), gfp, numa);
356 if (!rcpu->queue)
357 goto free_bulkq;
358
359 err = ptr_ring_init(rcpu->queue, qsize, gfp);
360 if (err)
361 goto free_queue;
362
363 rcpu->cpu = cpu;
364 rcpu->map_id = map_id;
365 rcpu->qsize = qsize;
366
367 /* Setup kthread */
368 rcpu->kthread = kthread_create_on_node(cpu_map_kthread_run, rcpu, numa,
369 "cpumap/%d/map:%d", cpu, map_id);
370 if (IS_ERR(rcpu->kthread))
371 goto free_ptr_ring;
372
373 get_cpu_map_entry(rcpu); /* 1-refcnt for being in cmap->cpu_map[] */
374 get_cpu_map_entry(rcpu); /* 1-refcnt for kthread */
375
376 /* Make sure kthread runs on a single CPU */
377 kthread_bind(rcpu->kthread, cpu);
378 wake_up_process(rcpu->kthread);
379
380 return rcpu;
381
382free_ptr_ring:
383 ptr_ring_cleanup(rcpu->queue, NULL);
384free_queue:
385 kfree(rcpu->queue);
386free_bulkq:
387 free_percpu(rcpu->bulkq);
388free_rcu:
389 kfree(rcpu);
390 return NULL;
391}
392
393static void __cpu_map_entry_free(struct rcu_head *rcu)
394{
395 struct bpf_cpu_map_entry *rcpu;
396 int cpu;
397
398 /* This cpu_map_entry have been disconnected from map and one
399 * RCU graze-period have elapsed. Thus, XDP cannot queue any
400 * new packets and cannot change/set flush_needed that can
401 * find this entry.
402 */
403 rcpu = container_of(rcu, struct bpf_cpu_map_entry, rcu);
404
405 /* Flush remaining packets in percpu bulkq */
406 for_each_online_cpu(cpu) {
407 struct xdp_bulk_queue *bq = per_cpu_ptr(rcpu->bulkq, cpu);
408
409 /* No concurrent bq_enqueue can run at this point */
410 bq_flush_to_queue(rcpu, bq);
411 }
412 free_percpu(rcpu->bulkq);
413 /* Cannot kthread_stop() here, last put free rcpu resources */
414 put_cpu_map_entry(rcpu);
415}
416
417/* After xchg pointer to bpf_cpu_map_entry, use the call_rcu() to
418 * ensure any driver rcu critical sections have completed, but this
419 * does not guarantee a flush has happened yet. Because driver side
420 * rcu_read_lock/unlock only protects the running XDP program. The
421 * atomic xchg and NULL-ptr check in __cpu_map_flush() makes sure a
422 * pending flush op doesn't fail.
423 *
424 * The bpf_cpu_map_entry is still used by the kthread, and there can
425 * still be pending packets (in queue and percpu bulkq). A refcnt
426 * makes sure to last user (kthread_stop vs. call_rcu) free memory
427 * resources.
428 *
429 * The rcu callback __cpu_map_entry_free flush remaining packets in
430 * percpu bulkq to queue. Due to caller map_delete_elem() disable
431 * preemption, cannot call kthread_stop() to make sure queue is empty.
432 * Instead a work_queue is started for stopping kthread,
433 * cpu_map_kthread_stop, which waits for an RCU graze period before
434 * stopping kthread, emptying the queue.
435 */
436static void __cpu_map_entry_replace(struct bpf_cpu_map *cmap,
437 u32 key_cpu, struct bpf_cpu_map_entry *rcpu)
438{
439 struct bpf_cpu_map_entry *old_rcpu;
440
441 old_rcpu = xchg(&cmap->cpu_map[key_cpu], rcpu);
442 if (old_rcpu) {
443 call_rcu(&old_rcpu->rcu, __cpu_map_entry_free);
444 INIT_WORK(&old_rcpu->kthread_stop_wq, cpu_map_kthread_stop);
445 schedule_work(&old_rcpu->kthread_stop_wq);
446 }
447}
448
449static int cpu_map_delete_elem(struct bpf_map *map, void *key)
450{
451 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
452 u32 key_cpu = *(u32 *)key;
453
454 if (key_cpu >= map->max_entries)
455 return -EINVAL;
456
457 /* notice caller map_delete_elem() use preempt_disable() */
458 __cpu_map_entry_replace(cmap, key_cpu, NULL);
459 return 0;
460}
461
462static int cpu_map_update_elem(struct bpf_map *map, void *key, void *value,
463 u64 map_flags)
464{
465 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
466 struct bpf_cpu_map_entry *rcpu;
467
468 /* Array index key correspond to CPU number */
469 u32 key_cpu = *(u32 *)key;
470 /* Value is the queue size */
471 u32 qsize = *(u32 *)value;
472
473 if (unlikely(map_flags > BPF_EXIST))
474 return -EINVAL;
475 if (unlikely(key_cpu >= cmap->map.max_entries))
476 return -E2BIG;
477 if (unlikely(map_flags == BPF_NOEXIST))
478 return -EEXIST;
479 if (unlikely(qsize > 16384)) /* sanity limit on qsize */
480 return -EOVERFLOW;
481
482 /* Make sure CPU is a valid possible cpu */
483 if (!cpu_possible(key_cpu))
484 return -ENODEV;
485
486 if (qsize == 0) {
487 rcpu = NULL; /* Same as deleting */
488 } else {
489 /* Updating qsize cause re-allocation of bpf_cpu_map_entry */
490 rcpu = __cpu_map_entry_alloc(qsize, key_cpu, map->id);
491 if (!rcpu)
492 return -ENOMEM;
493 }
494 rcu_read_lock();
495 __cpu_map_entry_replace(cmap, key_cpu, rcpu);
496 rcu_read_unlock();
497 return 0;
498}
499
500static void cpu_map_free(struct bpf_map *map)
501{
502 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
503 int cpu;
504 u32 i;
505
506 /* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0,
507 * so the bpf programs (can be more than one that used this map) were
508 * disconnected from events. Wait for outstanding critical sections in
509 * these programs to complete. The rcu critical section only guarantees
510 * no further "XDP/bpf-side" reads against bpf_cpu_map->cpu_map.
511 * It does __not__ ensure pending flush operations (if any) are
512 * complete.
513 */
514 synchronize_rcu();
515
516 /* To ensure all pending flush operations have completed wait for flush
517 * bitmap to indicate all flush_needed bits to be zero on _all_ cpus.
518 * Because the above synchronize_rcu() ensures the map is disconnected
519 * from the program we can assume no new bits will be set.
520 */
521 for_each_online_cpu(cpu) {
522 unsigned long *bitmap = per_cpu_ptr(cmap->flush_needed, cpu);
523
524 while (!bitmap_empty(bitmap, cmap->map.max_entries))
525 cond_resched();
526 }
527
528 /* For cpu_map the remote CPUs can still be using the entries
529 * (struct bpf_cpu_map_entry).
530 */
531 for (i = 0; i < cmap->map.max_entries; i++) {
532 struct bpf_cpu_map_entry *rcpu;
533
534 rcpu = READ_ONCE(cmap->cpu_map[i]);
535 if (!rcpu)
536 continue;
537
538 /* bq flush and cleanup happens after RCU graze-period */
539 __cpu_map_entry_replace(cmap, i, NULL); /* call_rcu */
540 }
541 free_percpu(cmap->flush_needed);
542 bpf_map_area_free(cmap->cpu_map);
543 kfree(cmap);
544}
545
546struct bpf_cpu_map_entry *__cpu_map_lookup_elem(struct bpf_map *map, u32 key)
547{
548 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
549 struct bpf_cpu_map_entry *rcpu;
550
551 if (key >= map->max_entries)
552 return NULL;
553
554 rcpu = READ_ONCE(cmap->cpu_map[key]);
555 return rcpu;
556}
557
558static void *cpu_map_lookup_elem(struct bpf_map *map, void *key)
559{
560 struct bpf_cpu_map_entry *rcpu =
561 __cpu_map_lookup_elem(map, *(u32 *)key);
562
563 return rcpu ? &rcpu->qsize : NULL;
564}
565
566static int cpu_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
567{
568 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
569 u32 index = key ? *(u32 *)key : U32_MAX;
570 u32 *next = next_key;
571
572 if (index >= cmap->map.max_entries) {
573 *next = 0;
574 return 0;
575 }
576
577 if (index == cmap->map.max_entries - 1)
578 return -ENOENT;
579 *next = index + 1;
580 return 0;
581}
582
583const struct bpf_map_ops cpu_map_ops = {
584 .map_alloc = cpu_map_alloc,
585 .map_free = cpu_map_free,
586 .map_delete_elem = cpu_map_delete_elem,
587 .map_update_elem = cpu_map_update_elem,
588 .map_lookup_elem = cpu_map_lookup_elem,
589 .map_get_next_key = cpu_map_get_next_key,
590};
591
592static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
593 struct xdp_bulk_queue *bq)
594{
595 unsigned int processed = 0, drops = 0;
596 const int to_cpu = rcpu->cpu;
597 struct ptr_ring *q;
598 int i;
599
600 if (unlikely(!bq->count))
601 return 0;
602
603 q = rcpu->queue;
604 spin_lock(&q->producer_lock);
605
606 for (i = 0; i < bq->count; i++) {
607 void *xdp_pkt = bq->q[i];
608 int err;
609
610 err = __ptr_ring_produce(q, xdp_pkt);
611 if (err) {
612 drops++;
613 page_frag_free(xdp_pkt); /* Free xdp_pkt */
614 }
615 processed++;
616 }
617 bq->count = 0;
618 spin_unlock(&q->producer_lock);
619
620 /* Feedback loop via tracepoints */
621 trace_xdp_cpumap_enqueue(rcpu->map_id, processed, drops, to_cpu);
622 return 0;
623}
624
625/* Runs under RCU-read-side, plus in softirq under NAPI protection.
626 * Thus, safe percpu variable access.
627 */
628static int bq_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_pkt *xdp_pkt)
629{
630 struct xdp_bulk_queue *bq = this_cpu_ptr(rcpu->bulkq);
631
632 if (unlikely(bq->count == CPU_MAP_BULK_SIZE))
633 bq_flush_to_queue(rcpu, bq);
634
635 /* Notice, xdp_buff/page MUST be queued here, long enough for
636 * driver to code invoking us to finished, due to driver
637 * (e.g. ixgbe) recycle tricks based on page-refcnt.
638 *
639 * Thus, incoming xdp_pkt is always queued here (else we race
640 * with another CPU on page-refcnt and remaining driver code).
641 * Queue time is very short, as driver will invoke flush
642 * operation, when completing napi->poll call.
643 */
644 bq->q[bq->count++] = xdp_pkt;
645 return 0;
646}
647
648int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_buff *xdp,
649 struct net_device *dev_rx)
650{
651 struct xdp_pkt *xdp_pkt;
652
653 xdp_pkt = convert_to_xdp_pkt(xdp);
654 if (unlikely(!xdp_pkt))
655 return -EOVERFLOW;
656
657 /* Info needed when constructing SKB on remote CPU */
658 xdp_pkt->dev_rx = dev_rx;
659
660 bq_enqueue(rcpu, xdp_pkt);
661 return 0;
662}
663
664void __cpu_map_insert_ctx(struct bpf_map *map, u32 bit)
665{
666 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
667 unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);
668
669 __set_bit(bit, bitmap);
670}
671
672void __cpu_map_flush(struct bpf_map *map)
673{
674 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
675 unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);
676 u32 bit;
677
678 /* The napi->poll softirq makes sure __cpu_map_insert_ctx()
679 * and __cpu_map_flush() happen on same CPU. Thus, the percpu
680 * bitmap indicate which percpu bulkq have packets.
681 */
682 for_each_set_bit(bit, bitmap, map->max_entries) {
683 struct bpf_cpu_map_entry *rcpu = READ_ONCE(cmap->cpu_map[bit]);
684 struct xdp_bulk_queue *bq;
685
686 /* This is possible if entry is removed by user space
687 * between xdp redirect and flush op.
688 */
689 if (unlikely(!rcpu))
690 continue;
691
692 __clear_bit(bit, bitmap);
693
694 /* Flush all frames in bulkq to real queue */
695 bq = this_cpu_ptr(rcpu->bulkq);
696 bq_flush_to_queue(rcpu, bq);
697
698 /* If already running, costs spin_lock_irqsave + smb_mb */
699 wake_up_process(rcpu->kthread);
700 }
701}
1// SPDX-License-Identifier: GPL-2.0-only
2/* bpf/cpumap.c
3 *
4 * Copyright (c) 2017 Jesper Dangaard Brouer, Red Hat Inc.
5 */
6
7/**
8 * DOC: cpu map
9 * The 'cpumap' is primarily used as a backend map for XDP BPF helper
10 * call bpf_redirect_map() and XDP_REDIRECT action, like 'devmap'.
11 *
12 * Unlike devmap which redirects XDP frames out to another NIC device,
13 * this map type redirects raw XDP frames to another CPU. The remote
14 * CPU will do SKB-allocation and call the normal network stack.
15 */
16/*
17 * This is a scalability and isolation mechanism, that allow
18 * separating the early driver network XDP layer, from the rest of the
19 * netstack, and assigning dedicated CPUs for this stage. This
20 * basically allows for 10G wirespeed pre-filtering via bpf.
21 */
22#include <linux/bitops.h>
23#include <linux/bpf.h>
24#include <linux/filter.h>
25#include <linux/ptr_ring.h>
26#include <net/xdp.h>
27
28#include <linux/sched.h>
29#include <linux/workqueue.h>
30#include <linux/kthread.h>
31#include <linux/capability.h>
32#include <trace/events/xdp.h>
33#include <linux/btf_ids.h>
34
35#include <linux/netdevice.h> /* netif_receive_skb_list */
36#include <linux/etherdevice.h> /* eth_type_trans */
37
38/* General idea: XDP packets getting XDP redirected to another CPU,
39 * will maximum be stored/queued for one driver ->poll() call. It is
40 * guaranteed that queueing the frame and the flush operation happen on
41 * same CPU. Thus, cpu_map_flush operation can deduct via this_cpu_ptr()
42 * which queue in bpf_cpu_map_entry contains packets.
43 */
44
45#define CPU_MAP_BULK_SIZE 8 /* 8 == one cacheline on 64-bit archs */
46struct bpf_cpu_map_entry;
47struct bpf_cpu_map;
48
49struct xdp_bulk_queue {
50 void *q[CPU_MAP_BULK_SIZE];
51 struct list_head flush_node;
52 struct bpf_cpu_map_entry *obj;
53 unsigned int count;
54};
55
56/* Struct for every remote "destination" CPU in map */
57struct bpf_cpu_map_entry {
58 u32 cpu; /* kthread CPU and map index */
59 int map_id; /* Back reference to map */
60
61 /* XDP can run multiple RX-ring queues, need __percpu enqueue store */
62 struct xdp_bulk_queue __percpu *bulkq;
63
64 struct bpf_cpu_map *cmap;
65
66 /* Queue with potential multi-producers, and single-consumer kthread */
67 struct ptr_ring *queue;
68 struct task_struct *kthread;
69
70 struct bpf_cpumap_val value;
71 struct bpf_prog *prog;
72
73 atomic_t refcnt; /* Control when this struct can be free'ed */
74 struct rcu_head rcu;
75
76 struct work_struct kthread_stop_wq;
77};
78
79struct bpf_cpu_map {
80 struct bpf_map map;
81 /* Below members specific for map type */
82 struct bpf_cpu_map_entry __rcu **cpu_map;
83};
84
85static DEFINE_PER_CPU(struct list_head, cpu_map_flush_list);
86
87static struct bpf_map *cpu_map_alloc(union bpf_attr *attr)
88{
89 u32 value_size = attr->value_size;
90 struct bpf_cpu_map *cmap;
91
92 if (!bpf_capable())
93 return ERR_PTR(-EPERM);
94
95 /* check sanity of attributes */
96 if (attr->max_entries == 0 || attr->key_size != 4 ||
97 (value_size != offsetofend(struct bpf_cpumap_val, qsize) &&
98 value_size != offsetofend(struct bpf_cpumap_val, bpf_prog.fd)) ||
99 attr->map_flags & ~BPF_F_NUMA_NODE)
100 return ERR_PTR(-EINVAL);
101
102 /* Pre-limit array size based on NR_CPUS, not final CPU check */
103 if (attr->max_entries > NR_CPUS)
104 return ERR_PTR(-E2BIG);
105
106 cmap = bpf_map_area_alloc(sizeof(*cmap), NUMA_NO_NODE);
107 if (!cmap)
108 return ERR_PTR(-ENOMEM);
109
110 bpf_map_init_from_attr(&cmap->map, attr);
111
112 /* Alloc array for possible remote "destination" CPUs */
113 cmap->cpu_map = bpf_map_area_alloc(cmap->map.max_entries *
114 sizeof(struct bpf_cpu_map_entry *),
115 cmap->map.numa_node);
116 if (!cmap->cpu_map) {
117 bpf_map_area_free(cmap);
118 return ERR_PTR(-ENOMEM);
119 }
120
121 return &cmap->map;
122}
123
124static void get_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
125{
126 atomic_inc(&rcpu->refcnt);
127}
128
129/* called from workqueue, to workaround syscall using preempt_disable */
130static void cpu_map_kthread_stop(struct work_struct *work)
131{
132 struct bpf_cpu_map_entry *rcpu;
133
134 rcpu = container_of(work, struct bpf_cpu_map_entry, kthread_stop_wq);
135
136 /* Wait for flush in __cpu_map_entry_free(), via full RCU barrier,
137 * as it waits until all in-flight call_rcu() callbacks complete.
138 */
139 rcu_barrier();
140
141 /* kthread_stop will wake_up_process and wait for it to complete */
142 kthread_stop(rcpu->kthread);
143}
144
145static void __cpu_map_ring_cleanup(struct ptr_ring *ring)
146{
147 /* The tear-down procedure should have made sure that queue is
148 * empty. See __cpu_map_entry_replace() and work-queue
149 * invoked cpu_map_kthread_stop(). Catch any broken behaviour
150 * gracefully and warn once.
151 */
152 struct xdp_frame *xdpf;
153
154 while ((xdpf = ptr_ring_consume(ring)))
155 if (WARN_ON_ONCE(xdpf))
156 xdp_return_frame(xdpf);
157}
158
159static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
160{
161 if (atomic_dec_and_test(&rcpu->refcnt)) {
162 if (rcpu->prog)
163 bpf_prog_put(rcpu->prog);
164 /* The queue should be empty at this point */
165 __cpu_map_ring_cleanup(rcpu->queue);
166 ptr_ring_cleanup(rcpu->queue, NULL);
167 kfree(rcpu->queue);
168 kfree(rcpu);
169 }
170}
171
172static void cpu_map_bpf_prog_run_skb(struct bpf_cpu_map_entry *rcpu,
173 struct list_head *listp,
174 struct xdp_cpumap_stats *stats)
175{
176 struct sk_buff *skb, *tmp;
177 struct xdp_buff xdp;
178 u32 act;
179 int err;
180
181 list_for_each_entry_safe(skb, tmp, listp, list) {
182 act = bpf_prog_run_generic_xdp(skb, &xdp, rcpu->prog);
183 switch (act) {
184 case XDP_PASS:
185 break;
186 case XDP_REDIRECT:
187 skb_list_del_init(skb);
188 err = xdp_do_generic_redirect(skb->dev, skb, &xdp,
189 rcpu->prog);
190 if (unlikely(err)) {
191 kfree_skb(skb);
192 stats->drop++;
193 } else {
194 stats->redirect++;
195 }
196 return;
197 default:
198 bpf_warn_invalid_xdp_action(NULL, rcpu->prog, act);
199 fallthrough;
200 case XDP_ABORTED:
201 trace_xdp_exception(skb->dev, rcpu->prog, act);
202 fallthrough;
203 case XDP_DROP:
204 skb_list_del_init(skb);
205 kfree_skb(skb);
206 stats->drop++;
207 return;
208 }
209 }
210}
211
212static int cpu_map_bpf_prog_run_xdp(struct bpf_cpu_map_entry *rcpu,
213 void **frames, int n,
214 struct xdp_cpumap_stats *stats)
215{
216 struct xdp_rxq_info rxq;
217 struct xdp_buff xdp;
218 int i, nframes = 0;
219
220 xdp_set_return_frame_no_direct();
221 xdp.rxq = &rxq;
222
223 for (i = 0; i < n; i++) {
224 struct xdp_frame *xdpf = frames[i];
225 u32 act;
226 int err;
227
228 rxq.dev = xdpf->dev_rx;
229 rxq.mem = xdpf->mem;
230 /* TODO: report queue_index to xdp_rxq_info */
231
232 xdp_convert_frame_to_buff(xdpf, &xdp);
233
234 act = bpf_prog_run_xdp(rcpu->prog, &xdp);
235 switch (act) {
236 case XDP_PASS:
237 err = xdp_update_frame_from_buff(&xdp, xdpf);
238 if (err < 0) {
239 xdp_return_frame(xdpf);
240 stats->drop++;
241 } else {
242 frames[nframes++] = xdpf;
243 stats->pass++;
244 }
245 break;
246 case XDP_REDIRECT:
247 err = xdp_do_redirect(xdpf->dev_rx, &xdp,
248 rcpu->prog);
249 if (unlikely(err)) {
250 xdp_return_frame(xdpf);
251 stats->drop++;
252 } else {
253 stats->redirect++;
254 }
255 break;
256 default:
257 bpf_warn_invalid_xdp_action(NULL, rcpu->prog, act);
258 fallthrough;
259 case XDP_DROP:
260 xdp_return_frame(xdpf);
261 stats->drop++;
262 break;
263 }
264 }
265
266 xdp_clear_return_frame_no_direct();
267
268 return nframes;
269}
270
271#define CPUMAP_BATCH 8
272
273static int cpu_map_bpf_prog_run(struct bpf_cpu_map_entry *rcpu, void **frames,
274 int xdp_n, struct xdp_cpumap_stats *stats,
275 struct list_head *list)
276{
277 int nframes;
278
279 if (!rcpu->prog)
280 return xdp_n;
281
282 rcu_read_lock_bh();
283
284 nframes = cpu_map_bpf_prog_run_xdp(rcpu, frames, xdp_n, stats);
285
286 if (stats->redirect)
287 xdp_do_flush();
288
289 if (unlikely(!list_empty(list)))
290 cpu_map_bpf_prog_run_skb(rcpu, list, stats);
291
292 rcu_read_unlock_bh(); /* resched point, may call do_softirq() */
293
294 return nframes;
295}
296
297
298static int cpu_map_kthread_run(void *data)
299{
300 struct bpf_cpu_map_entry *rcpu = data;
301
302 set_current_state(TASK_INTERRUPTIBLE);
303
304 /* When kthread gives stop order, then rcpu have been disconnected
305 * from map, thus no new packets can enter. Remaining in-flight
306 * per CPU stored packets are flushed to this queue. Wait honoring
307 * kthread_stop signal until queue is empty.
308 */
309 while (!kthread_should_stop() || !__ptr_ring_empty(rcpu->queue)) {
310 struct xdp_cpumap_stats stats = {}; /* zero stats */
311 unsigned int kmem_alloc_drops = 0, sched = 0;
312 gfp_t gfp = __GFP_ZERO | GFP_ATOMIC;
313 int i, n, m, nframes, xdp_n;
314 void *frames[CPUMAP_BATCH];
315 void *skbs[CPUMAP_BATCH];
316 LIST_HEAD(list);
317
318 /* Release CPU reschedule checks */
319 if (__ptr_ring_empty(rcpu->queue)) {
320 set_current_state(TASK_INTERRUPTIBLE);
321 /* Recheck to avoid lost wake-up */
322 if (__ptr_ring_empty(rcpu->queue)) {
323 schedule();
324 sched = 1;
325 } else {
326 __set_current_state(TASK_RUNNING);
327 }
328 } else {
329 sched = cond_resched();
330 }
331
332 /*
333 * The bpf_cpu_map_entry is single consumer, with this
334 * kthread CPU pinned. Lockless access to ptr_ring
335 * consume side valid as no-resize allowed of queue.
336 */
337 n = __ptr_ring_consume_batched(rcpu->queue, frames,
338 CPUMAP_BATCH);
339 for (i = 0, xdp_n = 0; i < n; i++) {
340 void *f = frames[i];
341 struct page *page;
342
343 if (unlikely(__ptr_test_bit(0, &f))) {
344 struct sk_buff *skb = f;
345
346 __ptr_clear_bit(0, &skb);
347 list_add_tail(&skb->list, &list);
348 continue;
349 }
350
351 frames[xdp_n++] = f;
352 page = virt_to_page(f);
353
354 /* Bring struct page memory area to curr CPU. Read by
355 * build_skb_around via page_is_pfmemalloc(), and when
356 * freed written by page_frag_free call.
357 */
358 prefetchw(page);
359 }
360
361 /* Support running another XDP prog on this CPU */
362 nframes = cpu_map_bpf_prog_run(rcpu, frames, xdp_n, &stats, &list);
363 if (nframes) {
364 m = kmem_cache_alloc_bulk(skbuff_head_cache, gfp, nframes, skbs);
365 if (unlikely(m == 0)) {
366 for (i = 0; i < nframes; i++)
367 skbs[i] = NULL; /* effect: xdp_return_frame */
368 kmem_alloc_drops += nframes;
369 }
370 }
371
372 local_bh_disable();
373 for (i = 0; i < nframes; i++) {
374 struct xdp_frame *xdpf = frames[i];
375 struct sk_buff *skb = skbs[i];
376
377 skb = __xdp_build_skb_from_frame(xdpf, skb,
378 xdpf->dev_rx);
379 if (!skb) {
380 xdp_return_frame(xdpf);
381 continue;
382 }
383
384 list_add_tail(&skb->list, &list);
385 }
386 netif_receive_skb_list(&list);
387
388 /* Feedback loop via tracepoint */
389 trace_xdp_cpumap_kthread(rcpu->map_id, n, kmem_alloc_drops,
390 sched, &stats);
391
392 local_bh_enable(); /* resched point, may call do_softirq() */
393 }
394 __set_current_state(TASK_RUNNING);
395
396 put_cpu_map_entry(rcpu);
397 return 0;
398}
399
400static int __cpu_map_load_bpf_program(struct bpf_cpu_map_entry *rcpu,
401 struct bpf_map *map, int fd)
402{
403 struct bpf_prog *prog;
404
405 prog = bpf_prog_get_type(fd, BPF_PROG_TYPE_XDP);
406 if (IS_ERR(prog))
407 return PTR_ERR(prog);
408
409 if (prog->expected_attach_type != BPF_XDP_CPUMAP ||
410 !bpf_prog_map_compatible(map, prog)) {
411 bpf_prog_put(prog);
412 return -EINVAL;
413 }
414
415 rcpu->value.bpf_prog.id = prog->aux->id;
416 rcpu->prog = prog;
417
418 return 0;
419}
420
421static struct bpf_cpu_map_entry *
422__cpu_map_entry_alloc(struct bpf_map *map, struct bpf_cpumap_val *value,
423 u32 cpu)
424{
425 int numa, err, i, fd = value->bpf_prog.fd;
426 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
427 struct bpf_cpu_map_entry *rcpu;
428 struct xdp_bulk_queue *bq;
429
430 /* Have map->numa_node, but choose node of redirect target CPU */
431 numa = cpu_to_node(cpu);
432
433 rcpu = bpf_map_kmalloc_node(map, sizeof(*rcpu), gfp | __GFP_ZERO, numa);
434 if (!rcpu)
435 return NULL;
436
437 /* Alloc percpu bulkq */
438 rcpu->bulkq = bpf_map_alloc_percpu(map, sizeof(*rcpu->bulkq),
439 sizeof(void *), gfp);
440 if (!rcpu->bulkq)
441 goto free_rcu;
442
443 for_each_possible_cpu(i) {
444 bq = per_cpu_ptr(rcpu->bulkq, i);
445 bq->obj = rcpu;
446 }
447
448 /* Alloc queue */
449 rcpu->queue = bpf_map_kmalloc_node(map, sizeof(*rcpu->queue), gfp,
450 numa);
451 if (!rcpu->queue)
452 goto free_bulkq;
453
454 err = ptr_ring_init(rcpu->queue, value->qsize, gfp);
455 if (err)
456 goto free_queue;
457
458 rcpu->cpu = cpu;
459 rcpu->map_id = map->id;
460 rcpu->value.qsize = value->qsize;
461
462 if (fd > 0 && __cpu_map_load_bpf_program(rcpu, map, fd))
463 goto free_ptr_ring;
464
465 /* Setup kthread */
466 rcpu->kthread = kthread_create_on_node(cpu_map_kthread_run, rcpu, numa,
467 "cpumap/%d/map:%d", cpu,
468 map->id);
469 if (IS_ERR(rcpu->kthread))
470 goto free_prog;
471
472 get_cpu_map_entry(rcpu); /* 1-refcnt for being in cmap->cpu_map[] */
473 get_cpu_map_entry(rcpu); /* 1-refcnt for kthread */
474
475 /* Make sure kthread runs on a single CPU */
476 kthread_bind(rcpu->kthread, cpu);
477 wake_up_process(rcpu->kthread);
478
479 return rcpu;
480
481free_prog:
482 if (rcpu->prog)
483 bpf_prog_put(rcpu->prog);
484free_ptr_ring:
485 ptr_ring_cleanup(rcpu->queue, NULL);
486free_queue:
487 kfree(rcpu->queue);
488free_bulkq:
489 free_percpu(rcpu->bulkq);
490free_rcu:
491 kfree(rcpu);
492 return NULL;
493}
494
495static void __cpu_map_entry_free(struct rcu_head *rcu)
496{
497 struct bpf_cpu_map_entry *rcpu;
498
499 /* This cpu_map_entry have been disconnected from map and one
500 * RCU grace-period have elapsed. Thus, XDP cannot queue any
501 * new packets and cannot change/set flush_needed that can
502 * find this entry.
503 */
504 rcpu = container_of(rcu, struct bpf_cpu_map_entry, rcu);
505
506 free_percpu(rcpu->bulkq);
507 /* Cannot kthread_stop() here, last put free rcpu resources */
508 put_cpu_map_entry(rcpu);
509}
510
511/* After xchg pointer to bpf_cpu_map_entry, use the call_rcu() to
512 * ensure any driver rcu critical sections have completed, but this
513 * does not guarantee a flush has happened yet. Because driver side
514 * rcu_read_lock/unlock only protects the running XDP program. The
515 * atomic xchg and NULL-ptr check in __cpu_map_flush() makes sure a
516 * pending flush op doesn't fail.
517 *
518 * The bpf_cpu_map_entry is still used by the kthread, and there can
519 * still be pending packets (in queue and percpu bulkq). A refcnt
520 * makes sure to last user (kthread_stop vs. call_rcu) free memory
521 * resources.
522 *
523 * The rcu callback __cpu_map_entry_free flush remaining packets in
524 * percpu bulkq to queue. Due to caller map_delete_elem() disable
525 * preemption, cannot call kthread_stop() to make sure queue is empty.
526 * Instead a work_queue is started for stopping kthread,
527 * cpu_map_kthread_stop, which waits for an RCU grace period before
528 * stopping kthread, emptying the queue.
529 */
530static void __cpu_map_entry_replace(struct bpf_cpu_map *cmap,
531 u32 key_cpu, struct bpf_cpu_map_entry *rcpu)
532{
533 struct bpf_cpu_map_entry *old_rcpu;
534
535 old_rcpu = unrcu_pointer(xchg(&cmap->cpu_map[key_cpu], RCU_INITIALIZER(rcpu)));
536 if (old_rcpu) {
537 call_rcu(&old_rcpu->rcu, __cpu_map_entry_free);
538 INIT_WORK(&old_rcpu->kthread_stop_wq, cpu_map_kthread_stop);
539 schedule_work(&old_rcpu->kthread_stop_wq);
540 }
541}
542
543static int cpu_map_delete_elem(struct bpf_map *map, void *key)
544{
545 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
546 u32 key_cpu = *(u32 *)key;
547
548 if (key_cpu >= map->max_entries)
549 return -EINVAL;
550
551 /* notice caller map_delete_elem() use preempt_disable() */
552 __cpu_map_entry_replace(cmap, key_cpu, NULL);
553 return 0;
554}
555
556static int cpu_map_update_elem(struct bpf_map *map, void *key, void *value,
557 u64 map_flags)
558{
559 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
560 struct bpf_cpumap_val cpumap_value = {};
561 struct bpf_cpu_map_entry *rcpu;
562 /* Array index key correspond to CPU number */
563 u32 key_cpu = *(u32 *)key;
564
565 memcpy(&cpumap_value, value, map->value_size);
566
567 if (unlikely(map_flags > BPF_EXIST))
568 return -EINVAL;
569 if (unlikely(key_cpu >= cmap->map.max_entries))
570 return -E2BIG;
571 if (unlikely(map_flags == BPF_NOEXIST))
572 return -EEXIST;
573 if (unlikely(cpumap_value.qsize > 16384)) /* sanity limit on qsize */
574 return -EOVERFLOW;
575
576 /* Make sure CPU is a valid possible cpu */
577 if (key_cpu >= nr_cpumask_bits || !cpu_possible(key_cpu))
578 return -ENODEV;
579
580 if (cpumap_value.qsize == 0) {
581 rcpu = NULL; /* Same as deleting */
582 } else {
583 /* Updating qsize cause re-allocation of bpf_cpu_map_entry */
584 rcpu = __cpu_map_entry_alloc(map, &cpumap_value, key_cpu);
585 if (!rcpu)
586 return -ENOMEM;
587 rcpu->cmap = cmap;
588 }
589 rcu_read_lock();
590 __cpu_map_entry_replace(cmap, key_cpu, rcpu);
591 rcu_read_unlock();
592 return 0;
593}
594
595static void cpu_map_free(struct bpf_map *map)
596{
597 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
598 u32 i;
599
600 /* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0,
601 * so the bpf programs (can be more than one that used this map) were
602 * disconnected from events. Wait for outstanding critical sections in
603 * these programs to complete. The rcu critical section only guarantees
604 * no further "XDP/bpf-side" reads against bpf_cpu_map->cpu_map.
605 * It does __not__ ensure pending flush operations (if any) are
606 * complete.
607 */
608
609 synchronize_rcu();
610
611 /* For cpu_map the remote CPUs can still be using the entries
612 * (struct bpf_cpu_map_entry).
613 */
614 for (i = 0; i < cmap->map.max_entries; i++) {
615 struct bpf_cpu_map_entry *rcpu;
616
617 rcpu = rcu_dereference_raw(cmap->cpu_map[i]);
618 if (!rcpu)
619 continue;
620
621 /* bq flush and cleanup happens after RCU grace-period */
622 __cpu_map_entry_replace(cmap, i, NULL); /* call_rcu */
623 }
624 bpf_map_area_free(cmap->cpu_map);
625 bpf_map_area_free(cmap);
626}
627
628/* Elements are kept alive by RCU; either by rcu_read_lock() (from syscall) or
629 * by local_bh_disable() (from XDP calls inside NAPI). The
630 * rcu_read_lock_bh_held() below makes lockdep accept both.
631 */
632static void *__cpu_map_lookup_elem(struct bpf_map *map, u32 key)
633{
634 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
635 struct bpf_cpu_map_entry *rcpu;
636
637 if (key >= map->max_entries)
638 return NULL;
639
640 rcpu = rcu_dereference_check(cmap->cpu_map[key],
641 rcu_read_lock_bh_held());
642 return rcpu;
643}
644
645static void *cpu_map_lookup_elem(struct bpf_map *map, void *key)
646{
647 struct bpf_cpu_map_entry *rcpu =
648 __cpu_map_lookup_elem(map, *(u32 *)key);
649
650 return rcpu ? &rcpu->value : NULL;
651}
652
653static int cpu_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
654{
655 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
656 u32 index = key ? *(u32 *)key : U32_MAX;
657 u32 *next = next_key;
658
659 if (index >= cmap->map.max_entries) {
660 *next = 0;
661 return 0;
662 }
663
664 if (index == cmap->map.max_entries - 1)
665 return -ENOENT;
666 *next = index + 1;
667 return 0;
668}
669
670static int cpu_map_redirect(struct bpf_map *map, u64 index, u64 flags)
671{
672 return __bpf_xdp_redirect_map(map, index, flags, 0,
673 __cpu_map_lookup_elem);
674}
675
676BTF_ID_LIST_SINGLE(cpu_map_btf_ids, struct, bpf_cpu_map)
677const struct bpf_map_ops cpu_map_ops = {
678 .map_meta_equal = bpf_map_meta_equal,
679 .map_alloc = cpu_map_alloc,
680 .map_free = cpu_map_free,
681 .map_delete_elem = cpu_map_delete_elem,
682 .map_update_elem = cpu_map_update_elem,
683 .map_lookup_elem = cpu_map_lookup_elem,
684 .map_get_next_key = cpu_map_get_next_key,
685 .map_check_btf = map_check_no_btf,
686 .map_btf_id = &cpu_map_btf_ids[0],
687 .map_redirect = cpu_map_redirect,
688};
689
690static void bq_flush_to_queue(struct xdp_bulk_queue *bq)
691{
692 struct bpf_cpu_map_entry *rcpu = bq->obj;
693 unsigned int processed = 0, drops = 0;
694 const int to_cpu = rcpu->cpu;
695 struct ptr_ring *q;
696 int i;
697
698 if (unlikely(!bq->count))
699 return;
700
701 q = rcpu->queue;
702 spin_lock(&q->producer_lock);
703
704 for (i = 0; i < bq->count; i++) {
705 struct xdp_frame *xdpf = bq->q[i];
706 int err;
707
708 err = __ptr_ring_produce(q, xdpf);
709 if (err) {
710 drops++;
711 xdp_return_frame_rx_napi(xdpf);
712 }
713 processed++;
714 }
715 bq->count = 0;
716 spin_unlock(&q->producer_lock);
717
718 __list_del_clearprev(&bq->flush_node);
719
720 /* Feedback loop via tracepoints */
721 trace_xdp_cpumap_enqueue(rcpu->map_id, processed, drops, to_cpu);
722}
723
724/* Runs under RCU-read-side, plus in softirq under NAPI protection.
725 * Thus, safe percpu variable access.
726 */
727static void bq_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_frame *xdpf)
728{
729 struct list_head *flush_list = this_cpu_ptr(&cpu_map_flush_list);
730 struct xdp_bulk_queue *bq = this_cpu_ptr(rcpu->bulkq);
731
732 if (unlikely(bq->count == CPU_MAP_BULK_SIZE))
733 bq_flush_to_queue(bq);
734
735 /* Notice, xdp_buff/page MUST be queued here, long enough for
736 * driver to code invoking us to finished, due to driver
737 * (e.g. ixgbe) recycle tricks based on page-refcnt.
738 *
739 * Thus, incoming xdp_frame is always queued here (else we race
740 * with another CPU on page-refcnt and remaining driver code).
741 * Queue time is very short, as driver will invoke flush
742 * operation, when completing napi->poll call.
743 */
744 bq->q[bq->count++] = xdpf;
745
746 if (!bq->flush_node.prev)
747 list_add(&bq->flush_node, flush_list);
748}
749
750int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_frame *xdpf,
751 struct net_device *dev_rx)
752{
753 /* Info needed when constructing SKB on remote CPU */
754 xdpf->dev_rx = dev_rx;
755
756 bq_enqueue(rcpu, xdpf);
757 return 0;
758}
759
760int cpu_map_generic_redirect(struct bpf_cpu_map_entry *rcpu,
761 struct sk_buff *skb)
762{
763 int ret;
764
765 __skb_pull(skb, skb->mac_len);
766 skb_set_redirected(skb, false);
767 __ptr_set_bit(0, &skb);
768
769 ret = ptr_ring_produce(rcpu->queue, skb);
770 if (ret < 0)
771 goto trace;
772
773 wake_up_process(rcpu->kthread);
774trace:
775 trace_xdp_cpumap_enqueue(rcpu->map_id, !ret, !!ret, rcpu->cpu);
776 return ret;
777}
778
779void __cpu_map_flush(void)
780{
781 struct list_head *flush_list = this_cpu_ptr(&cpu_map_flush_list);
782 struct xdp_bulk_queue *bq, *tmp;
783
784 list_for_each_entry_safe(bq, tmp, flush_list, flush_node) {
785 bq_flush_to_queue(bq);
786
787 /* If already running, costs spin_lock_irqsave + smb_mb */
788 wake_up_process(bq->obj->kthread);
789 }
790}
791
792static int __init cpu_map_init(void)
793{
794 int cpu;
795
796 for_each_possible_cpu(cpu)
797 INIT_LIST_HEAD(&per_cpu(cpu_map_flush_list, cpu));
798 return 0;
799}
800
801subsys_initcall(cpu_map_init);