3 * Copyright (c) 2017 Jesper Dangaard Brouer, Red Hat Inc.
4 * Released under terms in GPL version 2. See COPYING.
7 /* The 'cpumap' is primarily used as a backend map for XDP BPF helper
8 * call bpf_redirect_map() and XDP_REDIRECT action, like 'devmap'.
10 * Unlike devmap which redirects XDP frames out another NIC device,
11 * this map type redirects raw XDP frames to another CPU. The remote
12 * CPU will do SKB-allocation and call the normal network stack.
14 * This is a scalability and isolation mechanism, that allow
15 * separating the early driver network XDP layer, from the rest of the
16 * netstack, and assigning dedicated CPUs for this stage. This
17 * basically allows for 10G wirespeed pre-filtering via bpf.
19 #include <linux/bpf.h>
20 #include <linux/filter.h>
21 #include <linux/ptr_ring.h>
24 #include <linux/sched.h>
25 #include <linux/workqueue.h>
26 #include <linux/kthread.h>
27 #include <linux/capability.h>
28 #include <trace/events/xdp.h>
30 #include <linux/netdevice.h> /* netif_receive_skb_core */
31 #include <linux/etherdevice.h> /* eth_type_trans */
33 /* General idea: XDP packets getting XDP redirected to another CPU,
34 * will maximum be stored/queued for one driver ->poll() call. It is
35 * guaranteed that setting flush bit and flush operation happen on
36 * same CPU. Thus, cpu_map_flush operation can deduct via this_cpu_ptr()
37 * which queue in bpf_cpu_map_entry contains packets.
40 #define CPU_MAP_BULK_SIZE 8 /* 8 == one cacheline on 64-bit archs */
41 struct xdp_bulk_queue {
42 void *q[CPU_MAP_BULK_SIZE];
46 /* Struct for every remote "destination" CPU in map */
47 struct bpf_cpu_map_entry {
48 u32 cpu; /* kthread CPU and map index */
49 int map_id; /* Back reference to map */
50 u32 qsize; /* Queue size placeholder for map lookup */
52 /* XDP can run multiple RX-ring queues, need __percpu enqueue store */
53 struct xdp_bulk_queue __percpu *bulkq;
55 /* Queue with potential multi-producers, and single-consumer kthread */
56 struct ptr_ring *queue;
57 struct task_struct *kthread;
58 struct work_struct kthread_stop_wq;
60 atomic_t refcnt; /* Control when this struct can be free'ed */
66 /* Below members specific for map type */
67 struct bpf_cpu_map_entry **cpu_map;
68 unsigned long __percpu *flush_needed;
71 static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
72 struct xdp_bulk_queue *bq, bool in_napi_ctx);
74 static u64 cpu_map_bitmap_size(const union bpf_attr *attr)
76 return BITS_TO_LONGS(attr->max_entries) * sizeof(unsigned long);
79 static struct bpf_map *cpu_map_alloc(union bpf_attr *attr)
81 struct bpf_cpu_map *cmap;
86 if (!capable(CAP_SYS_ADMIN))
87 return ERR_PTR(-EPERM);
89 /* check sanity of attributes */
90 if (attr->max_entries == 0 || attr->key_size != 4 ||
91 attr->value_size != 4 || attr->map_flags & ~BPF_F_NUMA_NODE)
92 return ERR_PTR(-EINVAL);
94 cmap = kzalloc(sizeof(*cmap), GFP_USER);
96 return ERR_PTR(-ENOMEM);
98 bpf_map_init_from_attr(&cmap->map, attr);
100 /* Pre-limit array size based on NR_CPUS, not final CPU check */
101 if (cmap->map.max_entries > NR_CPUS) {
106 /* make sure page count doesn't overflow */
107 cost = (u64) cmap->map.max_entries * sizeof(struct bpf_cpu_map_entry *);
108 cost += cpu_map_bitmap_size(attr) * num_possible_cpus();
109 if (cost >= U32_MAX - PAGE_SIZE)
111 cmap->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;
113 /* Notice returns -EPERM on if map size is larger than memlock limit */
114 ret = bpf_map_precharge_memlock(cmap->map.pages);
120 /* A per cpu bitfield with a bit per possible CPU in map */
121 cmap->flush_needed = __alloc_percpu(cpu_map_bitmap_size(attr),
122 __alignof__(unsigned long));
123 if (!cmap->flush_needed)
126 /* Alloc array for possible remote "destination" CPUs */
127 cmap->cpu_map = bpf_map_area_alloc(cmap->map.max_entries *
128 sizeof(struct bpf_cpu_map_entry *),
129 cmap->map.numa_node);
135 free_percpu(cmap->flush_needed);
141 static void get_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
143 atomic_inc(&rcpu->refcnt);
146 /* called from workqueue, to workaround syscall using preempt_disable */
147 static void cpu_map_kthread_stop(struct work_struct *work)
149 struct bpf_cpu_map_entry *rcpu;
151 rcpu = container_of(work, struct bpf_cpu_map_entry, kthread_stop_wq);
153 /* Wait for flush in __cpu_map_entry_free(), via full RCU barrier,
154 * as it waits until all in-flight call_rcu() callbacks complete.
158 /* kthread_stop will wake_up_process and wait for it to complete */
159 kthread_stop(rcpu->kthread);
162 static struct sk_buff *cpu_map_build_skb(struct bpf_cpu_map_entry *rcpu,
163 struct xdp_frame *xdpf)
165 unsigned int hard_start_headroom;
166 unsigned int frame_size;
167 void *pkt_data_start;
170 /* Part of headroom was reserved to xdpf */
171 hard_start_headroom = sizeof(struct xdp_frame) + xdpf->headroom;
173 /* build_skb need to place skb_shared_info after SKB end, and
174 * also want to know the memory "truesize". Thus, need to
175 * know the memory frame size backing xdp_buff.
177 * XDP was designed to have PAGE_SIZE frames, but this
178 * assumption is not longer true with ixgbe and i40e. It
179 * would be preferred to set frame_size to 2048 or 4096
180 * depending on the driver.
182 * frame_len = frame_size - sizeof(*xdp_frame);
184 * Instead, with info avail, skb_shared_info in placed after
185 * packet len. This, unfortunately fakes the truesize.
186 * Another disadvantage of this approach, the skb_shared_info
187 * is not at a fixed memory location, with mixed length
188 * packets, which is bad for cache-line hotness.
190 frame_size = SKB_DATA_ALIGN(xdpf->len + hard_start_headroom) +
191 SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
193 pkt_data_start = xdpf->data - hard_start_headroom;
194 skb = build_skb(pkt_data_start, frame_size);
198 skb_reserve(skb, hard_start_headroom);
199 __skb_put(skb, xdpf->len);
201 skb_metadata_set(skb, xdpf->metasize);
203 /* Essential SKB info: protocol and skb->dev */
204 skb->protocol = eth_type_trans(skb, xdpf->dev_rx);
206 /* Optional SKB info, currently missing:
207 * - HW checksum info (skb->ip_summed)
208 * - HW RX hash (skb_set_hash)
209 * - RX ring dev queue index (skb_record_rx_queue)
212 /* Allow SKB to reuse area used by xdp_frame */
213 xdp_scrub_frame(xdpf);
218 static void __cpu_map_ring_cleanup(struct ptr_ring *ring)
220 /* The tear-down procedure should have made sure that queue is
221 * empty. See __cpu_map_entry_replace() and work-queue
222 * invoked cpu_map_kthread_stop(). Catch any broken behaviour
223 * gracefully and warn once.
225 struct xdp_frame *xdpf;
227 while ((xdpf = ptr_ring_consume(ring)))
228 if (WARN_ON_ONCE(xdpf))
229 xdp_return_frame(xdpf);
232 static void put_cpu_map_entry(struct bpf_cpu_map_entry *rcpu)
234 if (atomic_dec_and_test(&rcpu->refcnt)) {
235 /* The queue should be empty at this point */
236 __cpu_map_ring_cleanup(rcpu->queue);
237 ptr_ring_cleanup(rcpu->queue, NULL);
243 static int cpu_map_kthread_run(void *data)
245 struct bpf_cpu_map_entry *rcpu = data;
247 set_current_state(TASK_INTERRUPTIBLE);
249 /* When kthread gives stop order, then rcpu have been disconnected
250 * from map, thus no new packets can enter. Remaining in-flight
251 * per CPU stored packets are flushed to this queue. Wait honoring
252 * kthread_stop signal until queue is empty.
254 while (!kthread_should_stop() || !__ptr_ring_empty(rcpu->queue)) {
255 unsigned int processed = 0, drops = 0, sched = 0;
256 struct xdp_frame *xdpf;
258 /* Release CPU reschedule checks */
259 if (__ptr_ring_empty(rcpu->queue)) {
260 set_current_state(TASK_INTERRUPTIBLE);
261 /* Recheck to avoid lost wake-up */
262 if (__ptr_ring_empty(rcpu->queue)) {
266 __set_current_state(TASK_RUNNING);
269 sched = cond_resched();
272 /* Process packets in rcpu->queue */
275 * The bpf_cpu_map_entry is single consumer, with this
276 * kthread CPU pinned. Lockless access to ptr_ring
277 * consume side valid as no-resize allowed of queue.
279 while ((xdpf = __ptr_ring_consume(rcpu->queue))) {
283 skb = cpu_map_build_skb(rcpu, xdpf);
285 xdp_return_frame(xdpf);
289 /* Inject into network stack */
290 ret = netif_receive_skb_core(skb);
291 if (ret == NET_RX_DROP)
294 /* Limit BH-disable period */
295 if (++processed == 8)
298 /* Feedback loop via tracepoint */
299 trace_xdp_cpumap_kthread(rcpu->map_id, processed, drops, sched);
301 local_bh_enable(); /* resched point, may call do_softirq() */
303 __set_current_state(TASK_RUNNING);
305 put_cpu_map_entry(rcpu);
309 static struct bpf_cpu_map_entry *__cpu_map_entry_alloc(u32 qsize, u32 cpu,
312 gfp_t gfp = GFP_KERNEL | __GFP_NOWARN;
313 struct bpf_cpu_map_entry *rcpu;
316 /* Have map->numa_node, but choose node of redirect target CPU */
317 numa = cpu_to_node(cpu);
319 rcpu = kzalloc_node(sizeof(*rcpu), gfp, numa);
323 /* Alloc percpu bulkq */
324 rcpu->bulkq = __alloc_percpu_gfp(sizeof(*rcpu->bulkq),
325 sizeof(void *), gfp);
330 rcpu->queue = kzalloc_node(sizeof(*rcpu->queue), gfp, numa);
334 err = ptr_ring_init(rcpu->queue, qsize, gfp);
339 rcpu->map_id = map_id;
343 rcpu->kthread = kthread_create_on_node(cpu_map_kthread_run, rcpu, numa,
344 "cpumap/%d/map:%d", cpu, map_id);
345 if (IS_ERR(rcpu->kthread))
348 get_cpu_map_entry(rcpu); /* 1-refcnt for being in cmap->cpu_map[] */
349 get_cpu_map_entry(rcpu); /* 1-refcnt for kthread */
351 /* Make sure kthread runs on a single CPU */
352 kthread_bind(rcpu->kthread, cpu);
353 wake_up_process(rcpu->kthread);
358 ptr_ring_cleanup(rcpu->queue, NULL);
362 free_percpu(rcpu->bulkq);
368 static void __cpu_map_entry_free(struct rcu_head *rcu)
370 struct bpf_cpu_map_entry *rcpu;
373 /* This cpu_map_entry have been disconnected from map and one
374 * RCU graze-period have elapsed. Thus, XDP cannot queue any
375 * new packets and cannot change/set flush_needed that can
378 rcpu = container_of(rcu, struct bpf_cpu_map_entry, rcu);
380 /* Flush remaining packets in percpu bulkq */
381 for_each_online_cpu(cpu) {
382 struct xdp_bulk_queue *bq = per_cpu_ptr(rcpu->bulkq, cpu);
384 /* No concurrent bq_enqueue can run at this point */
385 bq_flush_to_queue(rcpu, bq, false);
387 free_percpu(rcpu->bulkq);
388 /* Cannot kthread_stop() here, last put free rcpu resources */
389 put_cpu_map_entry(rcpu);
392 /* After xchg pointer to bpf_cpu_map_entry, use the call_rcu() to
393 * ensure any driver rcu critical sections have completed, but this
394 * does not guarantee a flush has happened yet. Because driver side
395 * rcu_read_lock/unlock only protects the running XDP program. The
396 * atomic xchg and NULL-ptr check in __cpu_map_flush() makes sure a
397 * pending flush op doesn't fail.
399 * The bpf_cpu_map_entry is still used by the kthread, and there can
400 * still be pending packets (in queue and percpu bulkq). A refcnt
401 * makes sure to last user (kthread_stop vs. call_rcu) free memory
404 * The rcu callback __cpu_map_entry_free flush remaining packets in
405 * percpu bulkq to queue. Due to caller map_delete_elem() disable
406 * preemption, cannot call kthread_stop() to make sure queue is empty.
407 * Instead a work_queue is started for stopping kthread,
408 * cpu_map_kthread_stop, which waits for an RCU graze period before
409 * stopping kthread, emptying the queue.
411 static void __cpu_map_entry_replace(struct bpf_cpu_map *cmap,
412 u32 key_cpu, struct bpf_cpu_map_entry *rcpu)
414 struct bpf_cpu_map_entry *old_rcpu;
416 old_rcpu = xchg(&cmap->cpu_map[key_cpu], rcpu);
418 call_rcu(&old_rcpu->rcu, __cpu_map_entry_free);
419 INIT_WORK(&old_rcpu->kthread_stop_wq, cpu_map_kthread_stop);
420 schedule_work(&old_rcpu->kthread_stop_wq);
424 static int cpu_map_delete_elem(struct bpf_map *map, void *key)
426 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
427 u32 key_cpu = *(u32 *)key;
429 if (key_cpu >= map->max_entries)
432 /* notice caller map_delete_elem() use preempt_disable() */
433 __cpu_map_entry_replace(cmap, key_cpu, NULL);
437 static int cpu_map_update_elem(struct bpf_map *map, void *key, void *value,
440 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
441 struct bpf_cpu_map_entry *rcpu;
443 /* Array index key correspond to CPU number */
444 u32 key_cpu = *(u32 *)key;
445 /* Value is the queue size */
446 u32 qsize = *(u32 *)value;
448 if (unlikely(map_flags > BPF_EXIST))
450 if (unlikely(key_cpu >= cmap->map.max_entries))
452 if (unlikely(map_flags == BPF_NOEXIST))
454 if (unlikely(qsize > 16384)) /* sanity limit on qsize */
457 /* Make sure CPU is a valid possible cpu */
458 if (key_cpu >= nr_cpumask_bits || !cpu_possible(key_cpu))
462 rcpu = NULL; /* Same as deleting */
464 /* Updating qsize cause re-allocation of bpf_cpu_map_entry */
465 rcpu = __cpu_map_entry_alloc(qsize, key_cpu, map->id);
470 __cpu_map_entry_replace(cmap, key_cpu, rcpu);
475 static void cpu_map_free(struct bpf_map *map)
477 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
481 /* At this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0,
482 * so the bpf programs (can be more than one that used this map) were
483 * disconnected from events. Wait for outstanding critical sections in
484 * these programs to complete. The rcu critical section only guarantees
485 * no further "XDP/bpf-side" reads against bpf_cpu_map->cpu_map.
486 * It does __not__ ensure pending flush operations (if any) are
490 bpf_clear_redirect_map(map);
493 /* To ensure all pending flush operations have completed wait for flush
494 * bitmap to indicate all flush_needed bits to be zero on _all_ cpus.
495 * Because the above synchronize_rcu() ensures the map is disconnected
496 * from the program we can assume no new bits will be set.
498 for_each_online_cpu(cpu) {
499 unsigned long *bitmap = per_cpu_ptr(cmap->flush_needed, cpu);
501 while (!bitmap_empty(bitmap, cmap->map.max_entries))
505 /* For cpu_map the remote CPUs can still be using the entries
506 * (struct bpf_cpu_map_entry).
508 for (i = 0; i < cmap->map.max_entries; i++) {
509 struct bpf_cpu_map_entry *rcpu;
511 rcpu = READ_ONCE(cmap->cpu_map[i]);
515 /* bq flush and cleanup happens after RCU graze-period */
516 __cpu_map_entry_replace(cmap, i, NULL); /* call_rcu */
518 free_percpu(cmap->flush_needed);
519 bpf_map_area_free(cmap->cpu_map);
523 struct bpf_cpu_map_entry *__cpu_map_lookup_elem(struct bpf_map *map, u32 key)
525 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
526 struct bpf_cpu_map_entry *rcpu;
528 if (key >= map->max_entries)
531 rcpu = READ_ONCE(cmap->cpu_map[key]);
535 static void *cpu_map_lookup_elem(struct bpf_map *map, void *key)
537 struct bpf_cpu_map_entry *rcpu =
538 __cpu_map_lookup_elem(map, *(u32 *)key);
540 return rcpu ? &rcpu->qsize : NULL;
543 static int cpu_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
545 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
546 u32 index = key ? *(u32 *)key : U32_MAX;
547 u32 *next = next_key;
549 if (index >= cmap->map.max_entries) {
554 if (index == cmap->map.max_entries - 1)
560 const struct bpf_map_ops cpu_map_ops = {
561 .map_alloc = cpu_map_alloc,
562 .map_free = cpu_map_free,
563 .map_delete_elem = cpu_map_delete_elem,
564 .map_update_elem = cpu_map_update_elem,
565 .map_lookup_elem = cpu_map_lookup_elem,
566 .map_get_next_key = cpu_map_get_next_key,
567 .map_check_btf = map_check_no_btf,
570 static int bq_flush_to_queue(struct bpf_cpu_map_entry *rcpu,
571 struct xdp_bulk_queue *bq, bool in_napi_ctx)
573 unsigned int processed = 0, drops = 0;
574 const int to_cpu = rcpu->cpu;
578 if (unlikely(!bq->count))
582 spin_lock(&q->producer_lock);
584 for (i = 0; i < bq->count; i++) {
585 struct xdp_frame *xdpf = bq->q[i];
588 err = __ptr_ring_produce(q, xdpf);
591 if (likely(in_napi_ctx))
592 xdp_return_frame_rx_napi(xdpf);
594 xdp_return_frame(xdpf);
599 spin_unlock(&q->producer_lock);
601 /* Feedback loop via tracepoints */
602 trace_xdp_cpumap_enqueue(rcpu->map_id, processed, drops, to_cpu);
606 /* Runs under RCU-read-side, plus in softirq under NAPI protection.
607 * Thus, safe percpu variable access.
609 static int bq_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_frame *xdpf)
611 struct xdp_bulk_queue *bq = this_cpu_ptr(rcpu->bulkq);
613 if (unlikely(bq->count == CPU_MAP_BULK_SIZE))
614 bq_flush_to_queue(rcpu, bq, true);
616 /* Notice, xdp_buff/page MUST be queued here, long enough for
617 * driver to code invoking us to finished, due to driver
618 * (e.g. ixgbe) recycle tricks based on page-refcnt.
620 * Thus, incoming xdp_frame is always queued here (else we race
621 * with another CPU on page-refcnt and remaining driver code).
622 * Queue time is very short, as driver will invoke flush
623 * operation, when completing napi->poll call.
625 bq->q[bq->count++] = xdpf;
629 int cpu_map_enqueue(struct bpf_cpu_map_entry *rcpu, struct xdp_buff *xdp,
630 struct net_device *dev_rx)
632 struct xdp_frame *xdpf;
634 xdpf = convert_to_xdp_frame(xdp);
638 /* Info needed when constructing SKB on remote CPU */
639 xdpf->dev_rx = dev_rx;
641 bq_enqueue(rcpu, xdpf);
645 void __cpu_map_insert_ctx(struct bpf_map *map, u32 bit)
647 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
648 unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);
650 __set_bit(bit, bitmap);
653 void __cpu_map_flush(struct bpf_map *map)
655 struct bpf_cpu_map *cmap = container_of(map, struct bpf_cpu_map, map);
656 unsigned long *bitmap = this_cpu_ptr(cmap->flush_needed);
659 /* The napi->poll softirq makes sure __cpu_map_insert_ctx()
660 * and __cpu_map_flush() happen on same CPU. Thus, the percpu
661 * bitmap indicate which percpu bulkq have packets.
663 for_each_set_bit(bit, bitmap, map->max_entries) {
664 struct bpf_cpu_map_entry *rcpu = READ_ONCE(cmap->cpu_map[bit]);
665 struct xdp_bulk_queue *bq;
667 /* This is possible if entry is removed by user space
668 * between xdp redirect and flush op.
673 __clear_bit(bit, bitmap);
675 /* Flush all frames in bulkq to real queue */
676 bq = this_cpu_ptr(rcpu->bulkq);
677 bq_flush_to_queue(rcpu, bq, true);
679 /* If already running, costs spin_lock_irqsave + smb_mb */
680 wake_up_process(rcpu->kthread);