[linux-2.6-block.git] / kernel / bpf / cpumap.c

/* bpf/cpumap.c
 *
 * Copyright (c) 2017 Jesper Dangaard Brouer, Red Hat Inc.
 * Released under terms in GPL version 2.  See COPYING.
 */

/* The 'cpumap' is primarily used as a backend map for XDP BPF helper
 * call bpf_redirect_map() and XDP_REDIRECT action, like 'devmap'.
 *
 * Unlike devmap which redirects XDP frames out another NIC device,
 * this map type redirects raw XDP frames to another CPU.  The remote
 * CPU will do SKB-allocation and call the normal network stack.
 *
 * This is a scalability and isolation mechanism, that allow
 * separating the early driver network XDP layer, from the rest of the
 * netstack, and assigning dedicated CPUs for this stage.  This
 * basically allows for 10G wirespeed pre-filtering via bpf.
 */
#include <linux/bpf.h>
#include <linux/filter.h>
#include <linux/ptr_ring.h>

#include <linux/sched.h>
#include <linux/workqueue.h>
#include <linux/kthread.h>
#include <linux/capability.h>

/* General idea: XDP packets getting XDP redirected to another CPU,
 * will maximum be stored/queued for one driver ->poll() call.  It is
 * guaranteed that setting flush bit and flush operation happen on
 * same CPU.  Thus, cpu_map_flush operation can deduct via this_cpu_ptr()
 * which queue in bpf_cpu_map_entry contains packets.
 */

#define CPU_MAP_BULK_SIZE 8  /* 8 == one cacheline on 64-bit archs */
struct xdp_bulk_queue {
	void *q[CPU_MAP_BULK_SIZE];
	unsigned int count;
};

/* Struct for every remote "destination" CPU in map */
struct bpf_cpu_map_entry {
	u32 qsize;  /* Queue size placeholder for map lookup */

	/* XDP can run multiple RX-ring queues, need __percpu enqueue store */
	struct xdp_bulk_queue __percpu *bulkq;

	/* Queue with potential multi-producers, and single-consumer kthread */
	struct ptr_ring *queue;
	struct task_struct *kthread;
	struct work_struct kthread_stop_wq;

	atomic_t refcnt; /* Control when this struct can be free'ed */
	struct rcu_head rcu;
};

struct bpf_cpu_map {
	struct bpf_map map;
	/* Below members specific for map type */
	struct bpf_cpu_map_entry **cpu_map;
	unsigned long __percpu *flush_needed;
};

static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
			     struct xdp_bulk_queue *bq);

static u64 cpu_map_bitmap_size(const union bpf_attr *attr)
{
	return BITS_TO_LONGS(attr->max_entries) * sizeof(unsigned long);
}

static struct bpf_map *cpu_map_alloc(union bpf_attr *attr)
{
	struct bpf_cpu_map *cmap;
	int err = -ENOMEM;
	u64 cost;
	int ret;

	if (!capable(CAP_SYS_ADMIN))
		return ERR_PTR(-EPERM);

	/* check sanity of attributes */
	if (attr->max_entries == 0 || attr->key_size != 4 ||
	    attr->value_size != 4 || attr->map_flags & ~BPF_F_NUMA_NODE)
		return ERR_PTR(-EINVAL);

	cmap = kzalloc(sizeof(*cmap), GFP_USER);
	if (!cmap)
		return ERR_PTR(-ENOMEM);

	/* mandatory map attributes */
	cmap->map.map_type = attr->map_type;
	cmap->map.key_size = attr->key_size;
	cmap->map.value_size = attr->value_size;
	cmap->map.max_entries = attr->max_entries;
	cmap->map.map_flags = attr->map_flags;
	cmap->map.numa_node = bpf_map_attr_numa_node(attr);

	/* Pre-limit array size based on NR_CPUS, not final CPU check */
	if (cmap->map.max_entries > NR_CPUS) {
		err = -E2BIG;
		goto free_cmap;
	}

	/* make sure page count doesn't overflow */
	cost = (u64) cmap->map.max_entries * sizeof(struct bpf_cpu_map_entry *);
	cost += cpu_map_bitmap_size(attr) * num_possible_cpus();
	if (cost >= U32_MAX - PAGE_SIZE)
		goto free_cmap;
	cmap->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;

	/* Notice returns -EPERM on if map size is larger than memlock limit */
	ret = bpf_map_precharge_memlock(cmap->map.pages);
	if (ret) {
		err = ret;
		goto free_cmap;
	}

	/* A per cpu bitfield with a bit per possible CPU in map  */
	cmap->flush_needed = __alloc_percpu(cpu_map_bitmap_size(attr),
					    __alignof__(unsigned long));
	if (!cmap->flush_needed)
		goto free_cmap;

	/* Alloc array for possible remote "destination" CPUs */
	cmap->cpu_map = bpf_map_area_alloc(cmap->map.max_entries *
					   sizeof(struct bpf_cpu_map_entry *),
					   cmap->map.numa_node);
	if (!cmap->cpu_map)
		goto free_percpu;

	return &cmap->map;
free_percpu:
	free_percpu(cmap->flush_needed);
free_cmap:
	kfree(cmap);
	return ERR_PTR(err);
}

void __cpu_map_queue_destructor(void *ptr)
{
	/* The tear-down procedure should have made sure that queue is
	 * empty.  See __cpu_map_entry_replace() and work-queue
	 * invoked cpu_map_kthread_stop(). Catch any broken behaviour
	 * gracefully and warn once.
	 */
	if (WARN_ON_ONCE(ptr))
		page_frag_free(ptr);
}

static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
{
	if (atomic_dec_and_test(&rcpu->refcnt)) {
		/* The queue should be empty at this point */
		ptr_ring_cleanup(rcpu->queue, __cpu_map_queue_destructor);
		kfree(rcpu->queue);
		kfree(rcpu);
	}
}

static void get_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
{
	atomic_inc(&rcpu->refcnt);
}

/* called from workqueue, to workaround syscall using preempt_disable */
static void cpu_map_kthread_stop(struct work_struct *work)
{
	struct bpf_cpu_map_entry *rcpu;

	rcpu = container_of(work, struct bpf_cpu_map_entry, kthread_stop_wq);

	/* Wait for flush in __cpu_map_entry_free(), via full RCU barrier,
	 * as it waits until all in-flight call_rcu() callbacks complete.
	 */
	rcu_barrier();

	/* kthread_stop will wake_up_process and wait for it to complete */
	kthread_stop(rcpu->kthread);
}

static int cpu_map_kthread_run(void *data)
{
	struct bpf_cpu_map_entry *rcpu = data;

	set_current_state(TASK_INTERRUPTIBLE);

	/* When kthread gives stop order, then rcpu have been disconnected
	 * from map, thus no new packets can enter. Remaining in-flight
	 * per CPU stored packets are flushed to this queue.  Wait honoring
	 * kthread_stop signal until queue is empty.
	 */
	while (!kthread_should_stop() || !__ptr_ring_empty(rcpu->queue)) {
		struct xdp_pkt *xdp_pkt;

		schedule();
		/* Do work */
		while ((xdp_pkt = ptr_ring_consume(rcpu->queue))) {
			/* For now just "refcnt-free" */
			page_frag_free(xdp_pkt);
		}
		__set_current_state(TASK_INTERRUPTIBLE);
	}
	__set_current_state(TASK_RUNNING);

	put_cpu_map_entry(rcpu);
	return 0;
}

struct bpf_cpu_map_entry *__cpu_map_entry_alloc(u32 qsize, u32 cpu, int map_id)
{
	gfp_t gfp = GFP_ATOMIC|__GFP_NOWARN;
	struct bpf_cpu_map_entry *rcpu;
	int numa, err;

	/* Have map->numa_node, but choose node of redirect target CPU */
	numa = cpu_to_node(cpu);

	rcpu = kzalloc_node(sizeof(*rcpu), gfp, numa);
	if (!rcpu)
		return NULL;

	/* Alloc percpu bulkq */
	rcpu->bulkq = __alloc_percpu_gfp(sizeof(*rcpu->bulkq),
					 sizeof(void *), gfp);
	if (!rcpu->bulkq)
		goto free_rcu;

	/* Alloc queue */
	rcpu->queue = kzalloc_node(sizeof(*rcpu->queue), gfp, numa);
	if (!rcpu->queue)
		goto free_bulkq;

	err = ptr_ring_init(rcpu->queue, qsize, gfp);
	if (err)
		goto free_queue;

	rcpu->qsize = qsize;

	/* Setup kthread */
	rcpu->kthread = kthread_create_on_node(cpu_map_kthread_run, rcpu, numa,
					       "cpumap/%d/map:%d", cpu, map_id);
	if (IS_ERR(rcpu->kthread))
		goto free_ptr_ring;

	get_cpu_map_entry(rcpu); /* 1-refcnt for being in cmap->cpu_map[] */
	get_cpu_map_entry(rcpu); /* 1-refcnt for kthread */

	/* Make sure kthread runs on a single CPU */
	kthread_bind(rcpu->kthread, cpu);
	wake_up_process(rcpu->kthread);

	return rcpu;

free_ptr_ring:
	ptr_ring_cleanup(rcpu->queue, NULL);
free_queue:
	kfree(rcpu->queue);
free_bulkq:
	free_percpu(rcpu->bulkq);
free_rcu:
	kfree(rcpu);
	return NULL;
}

void __cpu_map_entry_free(struct rcu_head *rcu)
{
	struct bpf_cpu_map_entry *rcpu;
	int cpu;

	/* This cpu_map_entry have been disconnected from map and one
	 * RCU graze-period have elapsed.  Thus, XDP cannot queue any
	 * new packets and cannot change/set flush_needed that can
	 * find this entry.
	 */
	rcpu = container_of(rcu, struct bpf_cpu_map_entry, rcu);

	/* Flush remaining packets in percpu bulkq */
	for_each_online_cpu(cpu) {
		struct xdp_bulk_queue *bq = per_cpu_ptr(rcpu->bulkq, cpu);

		/* No concurrent bq_enqueue can run at this point */
		bq_flush_to_queue(rcpu, bq);
	}
	free_percpu(rcpu->bulkq);
	/* Cannot kthread_stop() here, last put free rcpu resources */
	put_cpu_map_entry(rcpu);
}

/* After xchg pointer to bpf_cpu_map_entry, use the call_rcu() to
 * ensure any driver rcu critical sections have completed, but this
 * does not guarantee a flush has happened yet. Because driver side
 * rcu_read_lock/unlock only protects the running XDP program.  The
 * atomic xchg and NULL-ptr check in __cpu_map_flush() makes sure a
 * pending flush op doesn't fail.
 *
 * The bpf_cpu_map_entry is still used by the kthread, and there can
 * still be pending packets (in queue and percpu bulkq).  A refcnt
 * makes sure to last user (kthread_stop vs. call_rcu) free memory
 * resources.
 *
 * The rcu callback __cpu_map_entry_free flush remaining packets in
 * percpu bulkq to queue.  Due to caller map_delete_elem() disable
 * preemption, cannot call kthread_stop() to make sure queue is empty.
 * Instead a work_queue is started for stopping kthread,
 * cpu_map_kthread_stop, which waits for an RCU graze period before
 * stopping kthread, emptying the queue.
 */
void __cpu_map_entry_replace(struct bpf_cpu_map *cmap,
			     u32 key_cpu, struct bpf_cpu_map_entry *rcpu)
{
	struct bpf_cpu_map_entry *old_rcpu;

	old_rcpu = xchg(&cmap->cpu_map[key_cpu], rcpu);
	if (old_rcpu) {
		call_rcu(&old_rcpu->rcu, __cpu_map_entry_free);
		INIT_WORK(&old_rcpu->kthread_stop_wq, cpu_map_kthread_stop);
		schedule_work(&old_rcpu->kthread_stop_wq);
	}
}

int cpu_map_delete_elem(struct bpf_map *map, void *key)
{
	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	u32 key_cpu = *(u32 *)key;

	if (key_cpu >= map->max_entries)
		return -EINVAL;

	/* notice caller map_delete_elem() use preempt_disable() */
	__cpu_map_entry_replace(cmap, key_cpu, NULL);
	return 0;
}

int cpu_map_update_elem(struct bpf_map *map, void *key, void *value,
				u64 map_flags)
{
	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	struct bpf_cpu_map_entry *rcpu;

	/* Array index key correspond to CPU number */
	u32 key_cpu = *(u32 *)key;
	/* Value is the queue size */
	u32 qsize = *(u32 *)value;

	if (unlikely(map_flags > BPF_EXIST))
		return -EINVAL;
	if (unlikely(key_cpu >= cmap->map.max_entries))
		return -E2BIG;
	if (unlikely(map_flags == BPF_NOEXIST))
		return -EEXIST;
	if (unlikely(qsize > 16384)) /* sanity limit on qsize */
		return -EOVERFLOW;

	/* Make sure CPU is a valid possible cpu */
	if (!cpu_possible(key_cpu))
		return -ENODEV;

	if (qsize == 0) {
		rcpu = NULL; /* Same as deleting */
	} else {
		/* Updating qsize cause re-allocation of bpf_cpu_map_entry */
		rcpu = __cpu_map_entry_alloc(qsize, key_cpu, map->id);
		if (!rcpu)
			return -ENOMEM;
	}
	rcu_read_lock();
	__cpu_map_entry_replace(cmap, key_cpu, rcpu);
	rcu_read_unlock();
	return 0;
}

void cpu_map_free(struct bpf_map *map)
{
	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	int cpu;
	u32 i;

	/* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0,
	 * so the bpf programs (can be more than one that used this map) were
	 * disconnected from events. Wait for outstanding critical sections in
	 * these programs to complete. The rcu critical section only guarantees
	 * no further "XDP/bpf-side" reads against bpf_cpu_map->cpu_map.
	 * It does __not__ ensure pending flush operations (if any) are
	 * complete.
	 */
	synchronize_rcu();

	/* To ensure all pending flush operations have completed wait for flush
	 * bitmap to indicate all flush_needed bits to be zero on _all_ cpus.
	 * Because the above synchronize_rcu() ensures the map is disconnected
	 * from the program we can assume no new bits will be set.
	 */
	for_each_online_cpu(cpu) {
		unsigned long *bitmap = per_cpu_ptr(cmap->flush_needed, cpu);

		while (!bitmap_empty(bitmap, cmap->map.max_entries))
			cond_resched();
	}

	/* For cpu_map the remote CPUs can still be using the entries
	 * (struct bpf_cpu_map_entry).
	 */
	for (i = 0; i < cmap->map.max_entries; i++) {
		struct bpf_cpu_map_entry *rcpu;

		rcpu = READ_ONCE(cmap->cpu_map[i]);
		if (!rcpu)
			continue;

		/* bq flush and cleanup happens after RCU graze-period */
		__cpu_map_entry_replace(cmap, i, NULL); /* call_rcu */
	}
	free_percpu(cmap->flush_needed);
	bpf_map_area_free(cmap->cpu_map);
	kfree(cmap);
}

struct bpf_cpu_map_entry *__cpu_map_lookup_elem(struct bpf_map *map, u32 key)
{
	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	struct bpf_cpu_map_entry *rcpu;

	if (key >= map->max_entries)
		return NULL;

	rcpu = READ_ONCE(cmap->cpu_map[key]);
	return rcpu;
}

static void *cpu_map_lookup_elem(struct bpf_map *map, void *key)
{
	struct bpf_cpu_map_entry *rcpu =
		__cpu_map_lookup_elem(map, *(u32 *)key);

	return rcpu ? &rcpu->qsize : NULL;
}

static int cpu_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
{
	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	u32 index = key ? *(u32 *)key : U32_MAX;
	u32 *next = next_key;

	if (index >= cmap->map.max_entries) {
		*next = 0;
		return 0;
	}

	if (index == cmap->map.max_entries - 1)
		return -ENOENT;
	*next = index + 1;
	return 0;
}

const struct bpf_map_ops cpu_map_ops = {
	.map_alloc		= cpu_map_alloc,
	.map_free		= cpu_map_free,
	.map_delete_elem	= cpu_map_delete_elem,
	.map_update_elem	= cpu_map_update_elem,
	.map_lookup_elem	= cpu_map_lookup_elem,
	.map_get_next_key	= cpu_map_get_next_key,
};

static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
			     struct xdp_bulk_queue *bq)
{
	struct ptr_ring *q;
	int i;

	if (unlikely(!bq->count))
		return 0;

	q = rcpu->queue;
	spin_lock(&q->producer_lock);

	for (i = 0; i < bq->count; i++) {
		void *xdp_pkt = bq->q[i];
		int err;

		err = __ptr_ring_produce(q, xdp_pkt);
		if (err) {
			/* Free xdp_pkt */
			page_frag_free(xdp_pkt);
		}
	}
	bq->count = 0;
	spin_unlock(&q->producer_lock);

	return 0;
}

/* Notice: Will change in later patch */
struct xdp_pkt {
	void *data;
	u16 len;
	u16 headroom;
};

/* Runs under RCU-read-side, plus in softirq under NAPI protection.
 * Thus, safe percpu variable access.
 */
static int bq_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_pkt *xdp_pkt)
{
	struct xdp_bulk_queue *bq = this_cpu_ptr(rcpu->bulkq);

	if (unlikely(bq->count == CPU_MAP_BULK_SIZE))
		bq_flush_to_queue(rcpu, bq);

	/* Notice, xdp_buff/page MUST be queued here, long enough for
	 * driver to code invoking us to finished, due to driver
	 * (e.g. ixgbe) recycle tricks based on page-refcnt.
	 *
	 * Thus, incoming xdp_pkt is always queued here (else we race
	 * with another CPU on page-refcnt and remaining driver code).
	 * Queue time is very short, as driver will invoke flush
	 * operation, when completing napi->poll call.
	 */
	bq->q[bq->count++] = xdp_pkt;
	return 0;
}

int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_buff *xdp,
		    struct net_device *dev_rx)
{
	struct xdp_pkt *xdp_pkt;
	int headroom;

	/* For now this is just used as a void pointer to data_hard_start.
	 * Followup patch will generalize this.
	 */
	xdp_pkt = xdp->data_hard_start;

	/* Fake writing into xdp_pkt->data to measure overhead */
	headroom = xdp->data - xdp->data_hard_start;
	if (headroom < sizeof(*xdp_pkt))
		xdp_pkt->data = xdp->data;

	bq_enqueue(rcpu, xdp_pkt);
	return 0;
}

void __cpu_map_insert_ctx(struct bpf_map *map, u32 bit)
{
	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);

	__set_bit(bit, bitmap);
}

void __cpu_map_flush(struct bpf_map *map)
{
	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);
	u32 bit;

	/* The napi->poll softirq makes sure __cpu_map_insert_ctx()
	 * and __cpu_map_flush() happen on same CPU. Thus, the percpu
	 * bitmap indicate which percpu bulkq have packets.
	 */
	for_each_set_bit(bit, bitmap, map->max_entries) {
		struct bpf_cpu_map_entry *rcpu = READ_ONCE(cmap->cpu_map[bit]);
		struct xdp_bulk_queue *bq;

		/* This is possible if entry is removed by user space
		 * between xdp redirect and flush op.
		 */
		if (unlikely(!rcpu))
			continue;

		__clear_bit(bit, bitmap);

		/* Flush all frames in bulkq to real queue */
		bq = this_cpu_ptr(rcpu->bulkq);
		bq_flush_to_queue(rcpu, bq);

		/* If already running, costs spin_lock_irqsave + smb_mb */
		wake_up_process(rcpu->kthread);
	}
}
Commit	Line	Data
6710e112 JDB	1	/* bpf/cpumap.c
	2	*
	3	* Copyright (c) 2017 Jesper Dangaard Brouer, Red Hat Inc.
	4	* Released under terms in GPL version 2. See COPYING.
	5	*/
	6
	7	/* The 'cpumap' is primarily used as a backend map for XDP BPF helper
	8	* call bpf_redirect_map() and XDP_REDIRECT action, like 'devmap'.
	9	*
	10	* Unlike devmap which redirects XDP frames out another NIC device,
	11	* this map type redirects raw XDP frames to another CPU. The remote
	12	* CPU will do SKB-allocation and call the normal network stack.
	13	*
	14	* This is a scalability and isolation mechanism, that allow
	15	* separating the early driver network XDP layer, from the rest of the
	16	* netstack, and assigning dedicated CPUs for this stage. This
	17	* basically allows for 10G wirespeed pre-filtering via bpf.
	18	*/
	19	#include <linux/bpf.h>
	20	#include <linux/filter.h>
	21	#include <linux/ptr_ring.h>
	22
	23	#include <linux/sched.h>
	24	#include <linux/workqueue.h>
	25	#include <linux/kthread.h>
	26	#include <linux/capability.h>
	27
	28	/* General idea: XDP packets getting XDP redirected to another CPU,
	29	* will maximum be stored/queued for one driver ->poll() call. It is
	30	* guaranteed that setting flush bit and flush operation happen on
	31	* same CPU. Thus, cpu_map_flush operation can deduct via this_cpu_ptr()
	32	* which queue in bpf_cpu_map_entry contains packets.
	33	*/
	34
	35	#define CPU_MAP_BULK_SIZE 8 /* 8 == one cacheline on 64-bit archs */
	36	struct xdp_bulk_queue {
	37	void *q[CPU_MAP_BULK_SIZE];
	38	unsigned int count;
	39	};
	40
	41	/* Struct for every remote "destination" CPU in map */
	42	struct bpf_cpu_map_entry {
	43	u32 qsize; /* Queue size placeholder for map lookup */
	44
	45	/* XDP can run multiple RX-ring queues, need __percpu enqueue store */
	46	struct xdp_bulk_queue __percpu *bulkq;
	47
	48	/* Queue with potential multi-producers, and single-consumer kthread */
	49	struct ptr_ring *queue;
	50	struct task_struct *kthread;
	51	struct work_struct kthread_stop_wq;
	52
	53	atomic_t refcnt; /* Control when this struct can be free'ed */
	54	struct rcu_head rcu;
	55	};
	56
	57	struct bpf_cpu_map {
	58	struct bpf_map map;
	59	/* Below members specific for map type */
	60	struct bpf_cpu_map_entry **cpu_map;
	61	unsigned long __percpu *flush_needed;
	62	};
	63
	64	static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
65	struct xdp_bulk_queue *bq);
66
67	static u64 cpu_map_bitmap_size(const union bpf_attr *attr)
68	{
69	return BITS_TO_LONGS(attr->max_entries) * sizeof(unsigned long);
70	}
71
72	static struct bpf_map cpu_map_alloc(union bpf_attr attr)
73	{
74	struct bpf_cpu_map *cmap;
75	int err = -ENOMEM;
76	u64 cost;
77	int ret;
78
79	if (!capable(CAP_SYS_ADMIN))
80	return ERR_PTR(-EPERM);
81
82	/* check sanity of attributes */
83	if (attr->max_entries == 0 \|\| attr->key_size != 4 \|\|
84	attr->value_size != 4 \|\| attr->map_flags & ~BPF_F_NUMA_NODE)
85	return ERR_PTR(-EINVAL);
86
87	cmap = kzalloc(sizeof(*cmap), GFP_USER);
88	if (!cmap)
89	return ERR_PTR(-ENOMEM);
90
91	/* mandatory map attributes */
92	cmap->map.map_type = attr->map_type;
93	cmap->map.key_size = attr->key_size;
94	cmap->map.value_size = attr->value_size;
95	cmap->map.max_entries = attr->max_entries;
96	cmap->map.map_flags = attr->map_flags;
97	cmap->map.numa_node = bpf_map_attr_numa_node(attr);
98
99	/* Pre-limit array size based on NR_CPUS, not final CPU check */
100	if (cmap->map.max_entries > NR_CPUS) {
101	err = -E2BIG;
102	goto free_cmap;
103	}
104
105	/* make sure page count doesn't overflow */
106	cost = (u64) cmap->map.max_entries * sizeof(struct bpf_cpu_map_entry *);
107	cost += cpu_map_bitmap_size(attr) * num_possible_cpus();
108	if (cost >= U32_MAX - PAGE_SIZE)
109	goto free_cmap;
110	cmap->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;
111
112	/* Notice returns -EPERM on if map size is larger than memlock limit */
113	ret = bpf_map_precharge_memlock(cmap->map.pages);
114	if (ret) {
115	err = ret;
116	goto free_cmap;
117	}
118
119	/* A per cpu bitfield with a bit per possible CPU in map */
120	cmap->flush_needed = __alloc_percpu(cpu_map_bitmap_size(attr),
121	__alignof__(unsigned long));
122	if (!cmap->flush_needed)
123	goto free_cmap;
124
125	/* Alloc array for possible remote "destination" CPUs */
126	cmap->cpu_map = bpf_map_area_alloc(cmap->map.max_entries *
127	sizeof(struct bpf_cpu_map_entry *),
128	cmap->map.numa_node);
129	if (!cmap->cpu_map)
130	goto free_percpu;
131
132	return &cmap->map;
133	free_percpu:
134	free_percpu(cmap->flush_needed);
135	free_cmap:
136	kfree(cmap);
137	return ERR_PTR(err);
138	}
139
140	void __cpu_map_queue_destructor(void *ptr)
141	{
142	/* The tear-down procedure should have made sure that queue is
143	* empty. See __cpu_map_entry_replace() and work-queue
144	* invoked cpu_map_kthread_stop(). Catch any broken behaviour
145	* gracefully and warn once.
146	*/
147	if (WARN_ON_ONCE(ptr))
148	page_frag_free(ptr);
149	}
150
151	static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
152	{
153	if (atomic_dec_and_test(&rcpu->refcnt)) {
154	/* The queue should be empty at this point */
155	ptr_ring_cleanup(rcpu->queue, __cpu_map_queue_destructor);
156	kfree(rcpu->queue);
157	kfree(rcpu);
158	}
159	}
160
161	static void get_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
162	{
163	atomic_inc(&rcpu->refcnt);
164	}
165
166	/* called from workqueue, to workaround syscall using preempt_disable */
167	static void cpu_map_kthread_stop(struct work_struct *work)
168	{
169	struct bpf_cpu_map_entry *rcpu;
170
171	rcpu = container_of(work, struct bpf_cpu_map_entry, kthread_stop_wq);
172
173	/* Wait for flush in __cpu_map_entry_free(), via full RCU barrier,
174	* as it waits until all in-flight call_rcu() callbacks complete.
175	*/
176	rcu_barrier();
177
178	/* kthread_stop will wake_up_process and wait for it to complete */
179	kthread_stop(rcpu->kthread);
180	}
181
182	static int cpu_map_kthread_run(void *data)
183	{
184	struct bpf_cpu_map_entry *rcpu = data;
185
186	set_current_state(TASK_INTERRUPTIBLE);
187
188	/* When kthread gives stop order, then rcpu have been disconnected
189	* from map, thus no new packets can enter. Remaining in-flight
190	* per CPU stored packets are flushed to this queue. Wait honoring
191	* kthread_stop signal until queue is empty.
192	*/
193	while (!kthread_should_stop() \|\| !__ptr_ring_empty(rcpu->queue)) {
194	struct xdp_pkt *xdp_pkt;
195
196	schedule();
197	/* Do work */
198	while ((xdp_pkt = ptr_ring_consume(rcpu->queue))) {
199	/* For now just "refcnt-free" */
200	page_frag_free(xdp_pkt);
201	}
202	__set_current_state(TASK_INTERRUPTIBLE);
203	}
204	__set_current_state(TASK_RUNNING);
205
206	put_cpu_map_entry(rcpu);
207	return 0;
208	}
209
210	struct bpf_cpu_map_entry *__cpu_map_entry_alloc(u32 qsize, u32 cpu, int map_id)
211	{
212	gfp_t gfp = GFP_ATOMIC\|__GFP_NOWARN;
213	struct bpf_cpu_map_entry *rcpu;
214	int numa, err;
215
216	/* Have map->numa_node, but choose node of redirect target CPU */
217	numa = cpu_to_node(cpu);
218
219	rcpu = kzalloc_node(sizeof(*rcpu), gfp, numa);
220	if (!rcpu)
221	return NULL;
222
223	/* Alloc percpu bulkq */
224	rcpu->bulkq = __alloc_percpu_gfp(sizeof(*rcpu->bulkq),
225	sizeof(void *), gfp);
226	if (!rcpu->bulkq)
227	goto free_rcu;
228
229	/* Alloc queue */
230	rcpu->queue = kzalloc_node(sizeof(*rcpu->queue), gfp, numa);
231	if (!rcpu->queue)
232	goto free_bulkq;
233
234	err = ptr_ring_init(rcpu->queue, qsize, gfp);
235	if (err)
236	goto free_queue;
237
238	rcpu->qsize = qsize;
239
240	/* Setup kthread */
241	rcpu->kthread = kthread_create_on_node(cpu_map_kthread_run, rcpu, numa,
242	"cpumap/%d/map:%d", cpu, map_id);
243	if (IS_ERR(rcpu->kthread))
244	goto free_ptr_ring;
245
246	get_cpu_map_entry(rcpu); /* 1-refcnt for being in cmap->cpu_map[] */
247	get_cpu_map_entry(rcpu); /* 1-refcnt for kthread */
248
249	/* Make sure kthread runs on a single CPU */
250	kthread_bind(rcpu->kthread, cpu);
251	wake_up_process(rcpu->kthread);
252
253	return rcpu;
254
255	free_ptr_ring:
256	ptr_ring_cleanup(rcpu->queue, NULL);
257	free_queue:
258	kfree(rcpu->queue);
259	free_bulkq:
260	free_percpu(rcpu->bulkq);
261	free_rcu:
262	kfree(rcpu);
263	return NULL;
264	}
265
266	void __cpu_map_entry_free(struct rcu_head *rcu)
267	{
268	struct bpf_cpu_map_entry *rcpu;
269	int cpu;
270
271	/* This cpu_map_entry have been disconnected from map and one
272	* RCU graze-period have elapsed. Thus, XDP cannot queue any
273	* new packets and cannot change/set flush_needed that can
274	* find this entry.
275	*/
276	rcpu = container_of(rcu, struct bpf_cpu_map_entry, rcu);
277
278	/* Flush remaining packets in percpu bulkq */
279	for_each_online_cpu(cpu) {
280	struct xdp_bulk_queue *bq = per_cpu_ptr(rcpu->bulkq, cpu);
281
282	/* No concurrent bq_enqueue can run at this point */
283	bq_flush_to_queue(rcpu, bq);
284	}
285	free_percpu(rcpu->bulkq);
286	/* Cannot kthread_stop() here, last put free rcpu resources */
287	put_cpu_map_entry(rcpu);
288	}
289
290	/* After xchg pointer to bpf_cpu_map_entry, use the call_rcu() to
291	* ensure any driver rcu critical sections have completed, but this
292	* does not guarantee a flush has happened yet. Because driver side
293	* rcu_read_lock/unlock only protects the running XDP program. The
294	* atomic xchg and NULL-ptr check in __cpu_map_flush() makes sure a
295	* pending flush op doesn't fail.
296	*
297	* The bpf_cpu_map_entry is still used by the kthread, and there can
298	* still be pending packets (in queue and percpu bulkq). A refcnt
299	* makes sure to last user (kthread_stop vs. call_rcu) free memory
300	* resources.
301	*
302	* The rcu callback __cpu_map_entry_free flush remaining packets in
303	* percpu bulkq to queue. Due to caller map_delete_elem() disable
304	* preemption, cannot call kthread_stop() to make sure queue is empty.
305	* Instead a work_queue is started for stopping kthread,
306	* cpu_map_kthread_stop, which waits for an RCU graze period before
307	* stopping kthread, emptying the queue.
308	*/
309	void __cpu_map_entry_replace(struct bpf_cpu_map *cmap,
310	u32 key_cpu, struct bpf_cpu_map_entry *rcpu)
311	{
312	struct bpf_cpu_map_entry *old_rcpu;
313
314	old_rcpu = xchg(&cmap->cpu_map[key_cpu], rcpu);
315	if (old_rcpu) {
316	call_rcu(&old_rcpu->rcu, __cpu_map_entry_free);
317	INIT_WORK(&old_rcpu->kthread_stop_wq, cpu_map_kthread_stop);
318	schedule_work(&old_rcpu->kthread_stop_wq);
319	}
320	}
321
322	int cpu_map_delete_elem(struct bpf_map map, void key)
323	{
324	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
325	u32 key_cpu = (u32 )key;
326
327	if (key_cpu >= map->max_entries)
328	return -EINVAL;
329
330	/* notice caller map_delete_elem() use preempt_disable() */
331	__cpu_map_entry_replace(cmap, key_cpu, NULL);
332	return 0;
333	}
334
335	int cpu_map_update_elem(struct bpf_map map, void key, void *value,
336	u64 map_flags)
337	{
338	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
339	struct bpf_cpu_map_entry *rcpu;
340
341	/* Array index key correspond to CPU number */
342	u32 key_cpu = (u32 )key;
343	/* Value is the queue size */
344	u32 qsize = (u32 )value;
345
346	if (unlikely(map_flags > BPF_EXIST))
347	return -EINVAL;
348	if (unlikely(key_cpu >= cmap->map.max_entries))
349	return -E2BIG;
350	if (unlikely(map_flags == BPF_NOEXIST))
351	return -EEXIST;
352	if (unlikely(qsize > 16384)) /* sanity limit on qsize */
353	return -EOVERFLOW;
354
355	/* Make sure CPU is a valid possible cpu */
356	if (!cpu_possible(key_cpu))
357	return -ENODEV;
358
359	if (qsize == 0) {
360	rcpu = NULL; /* Same as deleting */
361	} else {
362	/* Updating qsize cause re-allocation of bpf_cpu_map_entry */
363	rcpu = __cpu_map_entry_alloc(qsize, key_cpu, map->id);
364	if (!rcpu)
365	return -ENOMEM;
366	}
367	rcu_read_lock();
368	__cpu_map_entry_replace(cmap, key_cpu, rcpu);
369	rcu_read_unlock();
370	return 0;
371	}
372
373	void cpu_map_free(struct bpf_map *map)
374	{
375	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
376	int cpu;
377	u32 i;
378
379	/* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0,
380	* so the bpf programs (can be more than one that used this map) were
381	* disconnected from events. Wait for outstanding critical sections in
382	* these programs to complete. The rcu critical section only guarantees
383	* no further "XDP/bpf-side" reads against bpf_cpu_map->cpu_map.
384	* It does __not__ ensure pending flush operations (if any) are
385	* complete.
386	*/
387	synchronize_rcu();
388
389	/* To ensure all pending flush operations have completed wait for flush
390	* bitmap to indicate all flush_needed bits to be zero on _all_ cpus.
391	* Because the above synchronize_rcu() ensures the map is disconnected
392	* from the program we can assume no new bits will be set.
393	*/
394	for_each_online_cpu(cpu) {
395	unsigned long *bitmap = per_cpu_ptr(cmap->flush_needed, cpu);
396
397	while (!bitmap_empty(bitmap, cmap->map.max_entries))
398	cond_resched();
399	}
400
401	/* For cpu_map the remote CPUs can still be using the entries
402	* (struct bpf_cpu_map_entry).
403	*/
404	for (i = 0; i < cmap->map.max_entries; i++) {
405	struct bpf_cpu_map_entry *rcpu;
406
407	rcpu = READ_ONCE(cmap->cpu_map[i]);
408	if (!rcpu)
409	continue;
410
411	/* bq flush and cleanup happens after RCU graze-period */
412	__cpu_map_entry_replace(cmap, i, NULL); /* call_rcu */
413	}
414	free_percpu(cmap->flush_needed);
415	bpf_map_area_free(cmap->cpu_map);
416	kfree(cmap);
417	}
418
419	struct bpf_cpu_map_entry __cpu_map_lookup_elem(struct bpf_map map, u32 key)
420	{
421	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
422	struct bpf_cpu_map_entry *rcpu;
423
424	if (key >= map->max_entries)
425	return NULL;
426
427	rcpu = READ_ONCE(cmap->cpu_map[key]);
428	return rcpu;
429	}
430
431	static void cpu_map_lookup_elem(struct bpf_map map, void *key)
432	{
433	struct bpf_cpu_map_entry *rcpu =
434	__cpu_map_lookup_elem(map, (u32 )key);
435
436	return rcpu ? &rcpu->qsize : NULL;
437	}
438
439	static int cpu_map_get_next_key(struct bpf_map map, void key, void *next_key)
440	{
441	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
442	u32 index = key ? (u32 )key : U32_MAX;
443	u32 *next = next_key;
444
445	if (index >= cmap->map.max_entries) {
446	*next = 0;
447	return 0;
448	}
449
450	if (index == cmap->map.max_entries - 1)
451	return -ENOENT;
452	*next = index + 1;
453	return 0;
454	}
455
456	const struct bpf_map_ops cpu_map_ops = {
457	.map_alloc = cpu_map_alloc,
458	.map_free = cpu_map_free,
459	.map_delete_elem = cpu_map_delete_elem,
460	.map_update_elem = cpu_map_update_elem,
461	.map_lookup_elem = cpu_map_lookup_elem,
462	.map_get_next_key = cpu_map_get_next_key,
463	};
464
465	static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
466	struct xdp_bulk_queue *bq)
467	{
468	struct ptr_ring *q;
469	int i;
470
471	if (unlikely(!bq->count))
472	return 0;
473
474	q = rcpu->queue;
475	spin_lock(&q->producer_lock);
476
477	for (i = 0; i < bq->count; i++) {
478	void *xdp_pkt = bq->q[i];
479	int err;
480
481	err = __ptr_ring_produce(q, xdp_pkt);
482	if (err) {
483	/* Free xdp_pkt */
484	page_frag_free(xdp_pkt);
485	}
486	}
487	bq->count = 0;
488	spin_unlock(&q->producer_lock);
489
490	return 0;
491	}
492
493	/* Notice: Will change in later patch */
494	struct xdp_pkt {
495	void *data;
496	u16 len;
497	u16 headroom;
498	};
499
500	/* Runs under RCU-read-side, plus in softirq under NAPI protection.
501	* Thus, safe percpu variable access.
502	*/
9c270af3	503	static int bq_enqueue(struct bpf_cpu_map_entry rcpu, struct xdp_pkt xdp_pkt)
6710e112 JDB	504	{
	505	struct xdp_bulk_queue *bq = this_cpu_ptr(rcpu->bulkq);
	506
	507	if (unlikely(bq->count == CPU_MAP_BULK_SIZE))
	508	bq_flush_to_queue(rcpu, bq);
	509
	510	/* Notice, xdp_buff/page MUST be queued here, long enough for
	511	* driver to code invoking us to finished, due to driver
	512	* (e.g. ixgbe) recycle tricks based on page-refcnt.
	513	*
	514	* Thus, incoming xdp_pkt is always queued here (else we race
	515	* with another CPU on page-refcnt and remaining driver code).
	516	* Queue time is very short, as driver will invoke flush
	517	* operation, when completing napi->poll call.
	518	*/
	519	bq->q[bq->count++] = xdp_pkt;
	520	return 0;
	521	}
	522
9c270af3 JDB	523	int cpu_map_enqueue(struct bpf_cpu_map_entry rcpu, struct xdp_buff xdp,
	524	struct net_device *dev_rx)
	525	{
	526	struct xdp_pkt *xdp_pkt;
	527	int headroom;
	528
	529	/* For now this is just used as a void pointer to data_hard_start.
	530	* Followup patch will generalize this.
	531	*/
	532	xdp_pkt = xdp->data_hard_start;
	533
	534	/* Fake writing into xdp_pkt->data to measure overhead */
	535	headroom = xdp->data - xdp->data_hard_start;
	536	if (headroom < sizeof(*xdp_pkt))
	537	xdp_pkt->data = xdp->data;
	538
	539	bq_enqueue(rcpu, xdp_pkt);
	540	return 0;
	541	}
	542
6710e112 JDB	543	void __cpu_map_insert_ctx(struct bpf_map *map, u32 bit)
	544	{
	545	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	546	unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);
	547
	548	__set_bit(bit, bitmap);
	549	}
	550
	551	void __cpu_map_flush(struct bpf_map *map)
	552	{
	553	struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
	554	unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);
	555	u32 bit;
	556
	557	/* The napi->poll softirq makes sure __cpu_map_insert_ctx()
	558	* and __cpu_map_flush() happen on same CPU. Thus, the percpu
	559	* bitmap indicate which percpu bulkq have packets.
	560	*/
	561	for_each_set_bit(bit, bitmap, map->max_entries) {
	562	struct bpf_cpu_map_entry *rcpu = READ_ONCE(cmap->cpu_map[bit]);
	563	struct xdp_bulk_queue *bq;
	564
	565	/* This is possible if entry is removed by user space
	566	* between xdp redirect and flush op.
	567	*/
	568	if (unlikely(!rcpu))
	569	continue;
	570
	571	__clear_bit(bit, bitmap);
	572
	573	/* Flush all frames in bulkq to real queue */
	574	bq = this_cpu_ptr(rcpu->bulkq);
	575	bq_flush_to_queue(rcpu, bq);
	576
	577	/* If already running, costs spin_lock_irqsave + smb_mb */
	578	wake_up_process(rcpu->kthread);
	579	}
	580	}