bpf: Use bpf_prog_run_pin_on_cpu() at simple call sites.

All of these cases are strictly of the form:

	preempt_disable();
	BPF_PROG_RUN(...);
	preempt_enable();

Replace this with bpf_prog_run_pin_on_cpu() which wraps BPF_PROG_RUN()
with:

	migrate_disable();
	BPF_PROG_RUN(...);
	migrate_enable();

On non RT enabled kernels this maps to preempt_disable/enable() and on RT
enabled kernels this solely prevents migration, which is sufficient as
there is no requirement to prevent reentrancy to any BPF program from a
preempting task. The only requirement is that the program stays on the same
CPU.

Therefore, this is a trivially correct transformation.

The seccomp loop does not need protection over the loop. It only needs
protection per BPF filter program

[ tglx: Converted to bpf_prog_run_pin_on_cpu() ]

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200224145643.691493094@linutronix.de

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 1982a52eb4c9e1b63bcf01934f069fadb1d18bd0..9270de2a0df8effd53699a47eaa8b919548734c3 100644 (file)
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -717,9 +717,7 @@ static inline u32 bpf_prog_run_clear_cb(const struct bpf_prog *prog,
        if (unlikely(prog->cb_access))
                memset(cb_data, 0, BPF_SKB_CB_LEN);
 
-       preempt_disable();
-       res = BPF_PROG_RUN(prog, skb);
-       preempt_enable();
+       res = bpf_prog_run_pin_on_cpu(prog, skb);
        return res;
 }
 

diff --git a/kernel/seccomp.c b/kernel/seccomp.c
index b6ea3dcb57bfefa47233ada64d74f822b6666ab6..787041eb011b0fd6bf572c1dc80c3362ca855d8f 100644 (file)
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -268,16 +268,14 @@ static u32 seccomp_run_filters(const struct seccomp_data *sd,
         * All filters in the list are evaluated and the lowest BPF return
         * value always takes priority (ignoring the DATA).
         */
-       preempt_disable();
        for (; f; f = f->prev) {
-               u32 cur_ret = BPF_PROG_RUN(f->prog, sd);
+               u32 cur_ret = bpf_prog_run_pin_on_cpu(f->prog, sd);
 
                if (ACTION_ONLY(cur_ret) < ACTION_ONLY(ret)) {
                        ret = cur_ret;
                        *match = f;
                }
        }
-       preempt_enable();
        return ret;
 }
 #endif /* CONFIG_SECCOMP_FILTER */

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index a1670dff0629f13cbc83e371a876d61763e41c67..3eff84824c8b451144fab6be6c772bf29d1c5345 100644 (file)
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -920,9 +920,7 @@ bool bpf_flow_dissect(struct bpf_prog *prog, struct bpf_flow_dissector *ctx,
                     (int)FLOW_DISSECTOR_F_STOP_AT_ENCAP);
        flow_keys->flags = flags;
 
-       preempt_disable();
-       result = BPF_PROG_RUN(prog, ctx);
-       preempt_enable();
+       result = bpf_prog_run_pin_on_cpu(prog, ctx);
 
        flow_keys->nhoff = clamp_t(u16, flow_keys->nhoff, nhoff, hlen);
        flow_keys->thoff = clamp_t(u16, flow_keys->thoff,

diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index eeb28cb85664123eb4b8b287ba4771c413228f03..c479372f2cd20b1b18a4115d6b99c9006a8d7d18 100644 (file)
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -628,7 +628,6 @@ int sk_psock_msg_verdict(struct sock *sk, struct sk_psock *psock,
        struct bpf_prog *prog;
        int ret;
 
-       preempt_disable();
        rcu_read_lock();
        prog = READ_ONCE(psock->progs.msg_parser);
        if (unlikely(!prog)) {
@@ -638,7 +637,7 @@ int sk_psock_msg_verdict(struct sock *sk, struct sk_psock *psock,
 
        sk_msg_compute_data_pointers(msg);
        msg->sk = sk;
-       ret = BPF_PROG_RUN(prog, msg);
+       ret = bpf_prog_run_pin_on_cpu(prog, msg);
        ret = sk_psock_map_verd(ret, msg->sk_redir);
        psock->apply_bytes = msg->apply_bytes;
        if (ret == __SK_REDIRECT) {
@@ -653,7 +652,6 @@ int sk_psock_msg_verdict(struct sock *sk, struct sk_psock *psock,
        }
 out:
        rcu_read_unlock();
-       preempt_enable();
        return ret;
 }
 EXPORT_SYMBOL_GPL(sk_psock_msg_verdict);
@@ -665,9 +663,7 @@ static int sk_psock_bpf_run(struct sk_psock *psock, struct bpf_prog *prog,
 
        skb->sk = psock->sk;
        bpf_compute_data_end_sk_skb(skb);
-       preempt_disable();
-       ret = BPF_PROG_RUN(prog, skb);
-       preempt_enable();
+       ret = bpf_prog_run_pin_on_cpu(prog, skb);
        /* strparser clones the skb before handing it to a upper layer,
         * meaning skb_orphan has been called. We NULL sk on the way out
         * to ensure we don't trigger a BUG_ON() in skb/sk operations

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index ea9e73428ed9c8b7bb3441947151c41f0c099185..56fac24a627a54b2a907aee48ae3c31fed70f129 100644 (file)
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -380,9 +380,7 @@ static int kcm_parse_func_strparser(struct strparser *strp, struct sk_buff *skb)
        struct bpf_prog *prog = psock->bpf_prog;
        int res;
 
-       preempt_disable();
-       res = BPF_PROG_RUN(prog, skb);
-       preempt_enable();
+       res = bpf_prog_run_pin_on_cpu(prog, skb);
        return res;
 }