1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
4 #include <linux/llist.h>
6 #include <linux/irq_work.h>
7 #include <linux/bpf_mem_alloc.h>
8 #include <linux/memcontrol.h>
11 /* Any context (including NMI) BPF specific memory allocator.
13 * Tracing BPF programs can attach to kprobe and fentry. Hence they
14 * run in unknown context where calling plain kmalloc() might not be safe.
16 * Front-end kmalloc() with per-cpu per-bucket cache of free elements.
17 * Refill this cache asynchronously from irq_work.
20 * 16 32 64 96 128 196 256 512 1024 2048 4096
23 * 16 32 64 96 128 196 256 512 1024 2048 4096
25 * The buckets are prefilled at the start.
26 * BPF programs always run with migration disabled.
27 * It's safe to allocate from cache of the current cpu with irqs disabled.
28 * Free-ing is always done into bucket of the current cpu as well.
29 * irq_work trims extra free elements from buckets with kfree
30 * and refills them with kmalloc, so global kmalloc logic takes care
31 * of freeing objects allocated by one cpu and freed on another.
33 * Every allocated objected is padded with extra 8 bytes that contains
36 #define LLIST_NODE_SZ sizeof(struct llist_node)
38 /* similar to kmalloc, but sizeof == 8 bucket is gone */
39 static u8 size_index[24] __ro_after_init = {
66 static int bpf_mem_cache_idx(size_t size)
68 if (!size || size > 4096)
72 return size_index[(size - 1) / 8] - 1;
74 return fls(size - 1) - 2;
79 struct bpf_mem_cache {
80 /* per-cpu list of free objects of size 'unit_size'.
81 * All accesses are done with interrupts disabled and 'active' counter
82 * protection with __llist_add() and __llist_del_first().
84 struct llist_head free_llist;
87 /* Operations on the free_list from unit_alloc/unit_free/bpf_mem_refill
88 * are sequenced by per-cpu 'active' counter. But unit_free() cannot
89 * fail. When 'active' is busy the unit_free() will add an object to
92 struct llist_head free_llist_extra;
94 struct irq_work refill_work;
95 struct obj_cgroup *objcg;
97 /* count of objects in free_llist */
99 int low_watermark, high_watermark, batch;
102 struct bpf_mem_cache *tgt;
104 /* list of objects to be freed after RCU GP */
105 struct llist_head free_by_rcu;
106 struct llist_node *free_by_rcu_tail;
107 struct llist_head waiting_for_gp;
108 struct llist_node *waiting_for_gp_tail;
110 atomic_t call_rcu_in_progress;
111 struct llist_head free_llist_extra_rcu;
113 /* list of objects to be freed after RCU tasks trace GP */
114 struct llist_head free_by_rcu_ttrace;
115 struct llist_head waiting_for_gp_ttrace;
116 struct rcu_head rcu_ttrace;
117 atomic_t call_rcu_ttrace_in_progress;
120 struct bpf_mem_caches {
121 struct bpf_mem_cache cache[NUM_CACHES];
124 static const u16 sizes[NUM_CACHES] = {96, 192, 16, 32, 64, 128, 256, 512, 1024, 2048, 4096};
126 static struct llist_node notrace *__llist_del_first(struct llist_head *head)
128 struct llist_node *entry, *next;
138 static void *__alloc(struct bpf_mem_cache *c, int node, gfp_t flags)
140 if (c->percpu_size) {
141 void **obj = kmalloc_node(c->percpu_size, flags, node);
142 void *pptr = __alloc_percpu_gfp(c->unit_size, 8, flags);
153 return kmalloc_node(c->unit_size, flags | __GFP_ZERO, node);
156 static struct mem_cgroup *get_memcg(const struct bpf_mem_cache *c)
158 #ifdef CONFIG_MEMCG_KMEM
160 return get_mem_cgroup_from_objcg(c->objcg);
164 return root_mem_cgroup;
170 static void inc_active(struct bpf_mem_cache *c, unsigned long *flags)
172 if (IS_ENABLED(CONFIG_PREEMPT_RT))
173 /* In RT irq_work runs in per-cpu kthread, so disable
174 * interrupts to avoid preemption and interrupts and
175 * reduce the chance of bpf prog executing on this cpu
176 * when active counter is busy.
178 local_irq_save(*flags);
179 /* alloc_bulk runs from irq_work which will not preempt a bpf
180 * program that does unit_alloc/unit_free since IRQs are
181 * disabled there. There is no race to increment 'active'
182 * counter. It protects free_llist from corruption in case NMI
183 * bpf prog preempted this loop.
185 WARN_ON_ONCE(local_inc_return(&c->active) != 1);
188 static void dec_active(struct bpf_mem_cache *c, unsigned long *flags)
190 local_dec(&c->active);
191 if (IS_ENABLED(CONFIG_PREEMPT_RT))
192 local_irq_restore(*flags);
195 static void add_obj_to_free_list(struct bpf_mem_cache *c, void *obj)
199 inc_active(c, &flags);
200 __llist_add(obj, &c->free_llist);
202 dec_active(c, &flags);
205 /* Mostly runs from irq_work except __init phase. */
206 static void alloc_bulk(struct bpf_mem_cache *c, int cnt, int node, bool atomic)
208 struct mem_cgroup *memcg = NULL, *old_memcg;
213 gfp = __GFP_NOWARN | __GFP_ACCOUNT;
214 gfp |= atomic ? GFP_NOWAIT : GFP_KERNEL;
216 for (i = 0; i < cnt; i++) {
218 * For every 'c' llist_del_first(&c->free_by_rcu_ttrace); is
219 * done only by one CPU == current CPU. Other CPUs might
220 * llist_add() and llist_del_all() in parallel.
222 obj = llist_del_first(&c->free_by_rcu_ttrace);
225 add_obj_to_free_list(c, obj);
230 for (; i < cnt; i++) {
231 obj = llist_del_first(&c->waiting_for_gp_ttrace);
234 add_obj_to_free_list(c, obj);
239 memcg = get_memcg(c);
240 old_memcg = set_active_memcg(memcg);
241 for (; i < cnt; i++) {
242 /* Allocate, but don't deplete atomic reserves that typical
243 * GFP_ATOMIC would do. irq_work runs on this cpu and kmalloc
244 * will allocate from the current numa node which is what we
247 obj = __alloc(c, node, gfp);
250 add_obj_to_free_list(c, obj);
252 set_active_memcg(old_memcg);
253 mem_cgroup_put(memcg);
256 static void free_one(void *obj, bool percpu)
259 free_percpu(((void **)obj)[1]);
267 static int free_all(struct llist_node *llnode, bool percpu)
269 struct llist_node *pos, *t;
272 llist_for_each_safe(pos, t, llnode) {
273 free_one(pos, percpu);
279 static void __free_rcu(struct rcu_head *head)
281 struct bpf_mem_cache *c = container_of(head, struct bpf_mem_cache, rcu_ttrace);
283 free_all(llist_del_all(&c->waiting_for_gp_ttrace), !!c->percpu_size);
284 atomic_set(&c->call_rcu_ttrace_in_progress, 0);
287 static void __free_rcu_tasks_trace(struct rcu_head *head)
289 /* If RCU Tasks Trace grace period implies RCU grace period,
290 * there is no need to invoke call_rcu().
292 if (rcu_trace_implies_rcu_gp())
295 call_rcu(head, __free_rcu);
298 static void enque_to_free(struct bpf_mem_cache *c, void *obj)
300 struct llist_node *llnode = obj;
302 /* bpf_mem_cache is a per-cpu object. Freeing happens in irq_work.
303 * Nothing races to add to free_by_rcu_ttrace list.
305 llist_add(llnode, &c->free_by_rcu_ttrace);
308 static void do_call_rcu_ttrace(struct bpf_mem_cache *c)
310 struct llist_node *llnode, *t;
312 if (atomic_xchg(&c->call_rcu_ttrace_in_progress, 1)) {
313 if (unlikely(READ_ONCE(c->draining))) {
314 llnode = llist_del_all(&c->free_by_rcu_ttrace);
315 free_all(llnode, !!c->percpu_size);
320 WARN_ON_ONCE(!llist_empty(&c->waiting_for_gp_ttrace));
321 llist_for_each_safe(llnode, t, llist_del_all(&c->free_by_rcu_ttrace))
322 llist_add(llnode, &c->waiting_for_gp_ttrace);
324 if (unlikely(READ_ONCE(c->draining))) {
325 __free_rcu(&c->rcu_ttrace);
329 /* Use call_rcu_tasks_trace() to wait for sleepable progs to finish.
330 * If RCU Tasks Trace grace period implies RCU grace period, free
331 * these elements directly, else use call_rcu() to wait for normal
332 * progs to finish and finally do free_one() on each element.
334 call_rcu_tasks_trace(&c->rcu_ttrace, __free_rcu_tasks_trace);
337 static void free_bulk(struct bpf_mem_cache *c)
339 struct bpf_mem_cache *tgt = c->tgt;
340 struct llist_node *llnode, *t;
344 WARN_ON_ONCE(tgt->unit_size != c->unit_size);
345 WARN_ON_ONCE(tgt->percpu_size != c->percpu_size);
348 inc_active(c, &flags);
349 llnode = __llist_del_first(&c->free_llist);
354 dec_active(c, &flags);
356 enque_to_free(tgt, llnode);
357 } while (cnt > (c->high_watermark + c->low_watermark) / 2);
359 /* and drain free_llist_extra */
360 llist_for_each_safe(llnode, t, llist_del_all(&c->free_llist_extra))
361 enque_to_free(tgt, llnode);
362 do_call_rcu_ttrace(tgt);
365 static void __free_by_rcu(struct rcu_head *head)
367 struct bpf_mem_cache *c = container_of(head, struct bpf_mem_cache, rcu);
368 struct bpf_mem_cache *tgt = c->tgt;
369 struct llist_node *llnode;
371 WARN_ON_ONCE(tgt->unit_size != c->unit_size);
372 WARN_ON_ONCE(tgt->percpu_size != c->percpu_size);
374 llnode = llist_del_all(&c->waiting_for_gp);
378 llist_add_batch(llnode, c->waiting_for_gp_tail, &tgt->free_by_rcu_ttrace);
380 /* Objects went through regular RCU GP. Send them to RCU tasks trace */
381 do_call_rcu_ttrace(tgt);
383 atomic_set(&c->call_rcu_in_progress, 0);
386 static void check_free_by_rcu(struct bpf_mem_cache *c)
388 struct llist_node *llnode, *t;
391 /* drain free_llist_extra_rcu */
392 if (unlikely(!llist_empty(&c->free_llist_extra_rcu))) {
393 inc_active(c, &flags);
394 llist_for_each_safe(llnode, t, llist_del_all(&c->free_llist_extra_rcu))
395 if (__llist_add(llnode, &c->free_by_rcu))
396 c->free_by_rcu_tail = llnode;
397 dec_active(c, &flags);
400 if (llist_empty(&c->free_by_rcu))
403 if (atomic_xchg(&c->call_rcu_in_progress, 1)) {
405 * Instead of kmalloc-ing new rcu_head and triggering 10k
406 * call_rcu() to hit rcutree.qhimark and force RCU to notice
407 * the overload just ask RCU to hurry up. There could be many
408 * objects in free_by_rcu list.
409 * This hint reduces memory consumption for an artificial
410 * benchmark from 2 Gbyte to 150 Mbyte.
412 rcu_request_urgent_qs_task(current);
416 WARN_ON_ONCE(!llist_empty(&c->waiting_for_gp));
418 inc_active(c, &flags);
419 WRITE_ONCE(c->waiting_for_gp.first, __llist_del_all(&c->free_by_rcu));
420 c->waiting_for_gp_tail = c->free_by_rcu_tail;
421 dec_active(c, &flags);
423 if (unlikely(READ_ONCE(c->draining))) {
424 free_all(llist_del_all(&c->waiting_for_gp), !!c->percpu_size);
425 atomic_set(&c->call_rcu_in_progress, 0);
427 call_rcu_hurry(&c->rcu, __free_by_rcu);
431 static void bpf_mem_refill(struct irq_work *work)
433 struct bpf_mem_cache *c = container_of(work, struct bpf_mem_cache, refill_work);
436 /* Racy access to free_cnt. It doesn't need to be 100% accurate */
438 if (cnt < c->low_watermark)
439 /* irq_work runs on this cpu and kmalloc will allocate
440 * from the current numa node which is what we want here.
442 alloc_bulk(c, c->batch, NUMA_NO_NODE, true);
443 else if (cnt > c->high_watermark)
446 check_free_by_rcu(c);
449 static void notrace irq_work_raise(struct bpf_mem_cache *c)
451 irq_work_queue(&c->refill_work);
454 /* For typical bpf map case that uses bpf_mem_cache_alloc and single bucket
455 * the freelist cache will be elem_size * 64 (or less) on each cpu.
457 * For bpf programs that don't have statically known allocation sizes and
458 * assuming (low_mark + high_mark) / 2 as an average number of elements per
459 * bucket and all buckets are used the total amount of memory in freelists
460 * on each cpu will be:
461 * 64*16 + 64*32 + 64*64 + 64*96 + 64*128 + 64*196 + 64*256 + 32*512 + 16*1024 + 8*2048 + 4*4096
462 * == ~ 116 Kbyte using below heuristic.
463 * Initialized, but unused bpf allocator (not bpf map specific one) will
464 * consume ~ 11 Kbyte per cpu.
465 * Typical case will be between 11K and 116K closer to 11K.
466 * bpf progs can and should share bpf_mem_cache when possible.
468 * Percpu allocation is typically rare. To avoid potential unnecessary large
469 * memory consumption, set low_mark = 1 and high_mark = 3, resulting in c->batch = 1.
471 static void init_refill_work(struct bpf_mem_cache *c)
473 init_irq_work(&c->refill_work, bpf_mem_refill);
474 if (c->percpu_size) {
475 c->low_watermark = 1;
476 c->high_watermark = 3;
477 } else if (c->unit_size <= 256) {
478 c->low_watermark = 32;
479 c->high_watermark = 96;
481 /* When page_size == 4k, order-0 cache will have low_mark == 2
482 * and high_mark == 6 with batch alloc of 3 individual pages at
484 * 8k allocs and above low == 1, high == 3, batch == 1.
486 c->low_watermark = max(32 * 256 / c->unit_size, 1);
487 c->high_watermark = max(96 * 256 / c->unit_size, 3);
489 c->batch = max((c->high_watermark - c->low_watermark) / 4 * 3, 1);
492 static void prefill_mem_cache(struct bpf_mem_cache *c, int cpu)
496 /* To avoid consuming memory, for non-percpu allocation, assume that
497 * 1st run of bpf prog won't be doing more than 4 map_update_elem from
498 * irq disabled region if unit size is less than or equal to 256.
499 * For all other cases, let us just do one allocation.
501 if (!c->percpu_size && c->unit_size <= 256)
503 alloc_bulk(c, cnt, cpu_to_node(cpu), false);
506 /* When size != 0 bpf_mem_cache for each cpu.
507 * This is typical bpf hash map use case when all elements have equal size.
509 * When size == 0 allocate 11 bpf_mem_cache-s for each cpu, then rely on
510 * kmalloc/kfree. Max allocation size is 4096 in this case.
511 * This is bpf_dynptr and bpf_kptr use case.
513 int bpf_mem_alloc_init(struct bpf_mem_alloc *ma, int size, bool percpu)
515 struct bpf_mem_caches *cc, __percpu *pcc;
516 struct bpf_mem_cache *c, __percpu *pc;
517 struct obj_cgroup *objcg = NULL;
518 int cpu, i, unit_size, percpu_size = 0;
520 if (percpu && size == 0)
523 /* room for llist_node and per-cpu pointer */
525 percpu_size = LLIST_NODE_SZ + sizeof(void *);
529 pc = __alloc_percpu_gfp(sizeof(*pc), 8, GFP_KERNEL);
534 size += LLIST_NODE_SZ; /* room for llist_node */
537 #ifdef CONFIG_MEMCG_KMEM
538 if (memcg_bpf_enabled())
539 objcg = get_obj_cgroup_from_current();
543 for_each_possible_cpu(cpu) {
544 c = per_cpu_ptr(pc, cpu);
545 c->unit_size = unit_size;
547 c->percpu_size = percpu_size;
550 prefill_mem_cache(c, cpu);
556 pcc = __alloc_percpu_gfp(sizeof(*cc), 8, GFP_KERNEL);
559 #ifdef CONFIG_MEMCG_KMEM
560 objcg = get_obj_cgroup_from_current();
563 for_each_possible_cpu(cpu) {
564 cc = per_cpu_ptr(pcc, cpu);
565 for (i = 0; i < NUM_CACHES; i++) {
567 c->unit_size = sizes[i];
569 c->percpu_size = percpu_size;
573 prefill_mem_cache(c, cpu);
581 int bpf_mem_alloc_percpu_init(struct bpf_mem_alloc *ma, struct obj_cgroup *objcg)
583 struct bpf_mem_caches __percpu *pcc;
585 pcc = __alloc_percpu_gfp(sizeof(struct bpf_mem_caches), 8, GFP_KERNEL);
595 int bpf_mem_alloc_percpu_unit_init(struct bpf_mem_alloc *ma, int size)
597 struct bpf_mem_caches *cc, __percpu *pcc;
598 int cpu, i, unit_size, percpu_size;
599 struct obj_cgroup *objcg;
600 struct bpf_mem_cache *c;
602 i = bpf_mem_cache_idx(size);
606 /* room for llist_node and per-cpu pointer */
607 percpu_size = LLIST_NODE_SZ + sizeof(void *);
609 unit_size = sizes[i];
613 for_each_possible_cpu(cpu) {
614 cc = per_cpu_ptr(pcc, cpu);
619 c->unit_size = unit_size;
621 c->percpu_size = percpu_size;
625 prefill_mem_cache(c, cpu);
631 static void drain_mem_cache(struct bpf_mem_cache *c)
633 bool percpu = !!c->percpu_size;
635 /* No progs are using this bpf_mem_cache, but htab_map_free() called
636 * bpf_mem_cache_free() for all remaining elements and they can be in
637 * free_by_rcu_ttrace or in waiting_for_gp_ttrace lists, so drain those lists now.
639 * Except for waiting_for_gp_ttrace list, there are no concurrent operations
640 * on these lists, so it is safe to use __llist_del_all().
642 free_all(llist_del_all(&c->free_by_rcu_ttrace), percpu);
643 free_all(llist_del_all(&c->waiting_for_gp_ttrace), percpu);
644 free_all(__llist_del_all(&c->free_llist), percpu);
645 free_all(__llist_del_all(&c->free_llist_extra), percpu);
646 free_all(__llist_del_all(&c->free_by_rcu), percpu);
647 free_all(__llist_del_all(&c->free_llist_extra_rcu), percpu);
648 free_all(llist_del_all(&c->waiting_for_gp), percpu);
651 static void check_mem_cache(struct bpf_mem_cache *c)
653 WARN_ON_ONCE(!llist_empty(&c->free_by_rcu_ttrace));
654 WARN_ON_ONCE(!llist_empty(&c->waiting_for_gp_ttrace));
655 WARN_ON_ONCE(!llist_empty(&c->free_llist));
656 WARN_ON_ONCE(!llist_empty(&c->free_llist_extra));
657 WARN_ON_ONCE(!llist_empty(&c->free_by_rcu));
658 WARN_ON_ONCE(!llist_empty(&c->free_llist_extra_rcu));
659 WARN_ON_ONCE(!llist_empty(&c->waiting_for_gp));
662 static void check_leaked_objs(struct bpf_mem_alloc *ma)
664 struct bpf_mem_caches *cc;
665 struct bpf_mem_cache *c;
669 for_each_possible_cpu(cpu) {
670 c = per_cpu_ptr(ma->cache, cpu);
675 for_each_possible_cpu(cpu) {
676 cc = per_cpu_ptr(ma->caches, cpu);
677 for (i = 0; i < NUM_CACHES; i++) {
685 static void free_mem_alloc_no_barrier(struct bpf_mem_alloc *ma)
687 check_leaked_objs(ma);
688 free_percpu(ma->cache);
689 free_percpu(ma->caches);
694 static void free_mem_alloc(struct bpf_mem_alloc *ma)
696 /* waiting_for_gp[_ttrace] lists were drained, but RCU callbacks
697 * might still execute. Wait for them.
699 * rcu_barrier_tasks_trace() doesn't imply synchronize_rcu_tasks_trace(),
700 * but rcu_barrier_tasks_trace() and rcu_barrier() below are only used
701 * to wait for the pending __free_rcu_tasks_trace() and __free_rcu(),
702 * so if call_rcu(head, __free_rcu) is skipped due to
703 * rcu_trace_implies_rcu_gp(), it will be OK to skip rcu_barrier() by
704 * using rcu_trace_implies_rcu_gp() as well.
706 rcu_barrier(); /* wait for __free_by_rcu */
707 rcu_barrier_tasks_trace(); /* wait for __free_rcu */
708 if (!rcu_trace_implies_rcu_gp())
710 free_mem_alloc_no_barrier(ma);
713 static void free_mem_alloc_deferred(struct work_struct *work)
715 struct bpf_mem_alloc *ma = container_of(work, struct bpf_mem_alloc, work);
721 static void destroy_mem_alloc(struct bpf_mem_alloc *ma, int rcu_in_progress)
723 struct bpf_mem_alloc *copy;
725 if (!rcu_in_progress) {
726 /* Fast path. No callbacks are pending, hence no need to do
729 free_mem_alloc_no_barrier(ma);
733 copy = kmemdup(ma, sizeof(*ma), GFP_KERNEL);
735 /* Slow path with inline barrier-s */
740 /* Defer barriers into worker to let the rest of map memory to be freed */
741 memset(ma, 0, sizeof(*ma));
742 INIT_WORK(©->work, free_mem_alloc_deferred);
743 queue_work(system_unbound_wq, ©->work);
746 void bpf_mem_alloc_destroy(struct bpf_mem_alloc *ma)
748 struct bpf_mem_caches *cc;
749 struct bpf_mem_cache *c;
750 int cpu, i, rcu_in_progress;
754 for_each_possible_cpu(cpu) {
755 c = per_cpu_ptr(ma->cache, cpu);
756 WRITE_ONCE(c->draining, true);
757 irq_work_sync(&c->refill_work);
759 rcu_in_progress += atomic_read(&c->call_rcu_ttrace_in_progress);
760 rcu_in_progress += atomic_read(&c->call_rcu_in_progress);
763 obj_cgroup_put(ma->objcg);
764 destroy_mem_alloc(ma, rcu_in_progress);
768 for_each_possible_cpu(cpu) {
769 cc = per_cpu_ptr(ma->caches, cpu);
770 for (i = 0; i < NUM_CACHES; i++) {
772 WRITE_ONCE(c->draining, true);
773 irq_work_sync(&c->refill_work);
775 rcu_in_progress += atomic_read(&c->call_rcu_ttrace_in_progress);
776 rcu_in_progress += atomic_read(&c->call_rcu_in_progress);
780 obj_cgroup_put(ma->objcg);
781 destroy_mem_alloc(ma, rcu_in_progress);
785 /* notrace is necessary here and in other functions to make sure
786 * bpf programs cannot attach to them and cause llist corruptions.
788 static void notrace *unit_alloc(struct bpf_mem_cache *c)
790 struct llist_node *llnode = NULL;
794 /* Disable irqs to prevent the following race for majority of prog types:
797 * preemption or irq -> prog_B
800 * but prog_B could be a perf_event NMI prog.
801 * Use per-cpu 'active' counter to order free_list access between
802 * unit_alloc/unit_free/bpf_mem_refill.
804 local_irq_save(flags);
805 if (local_inc_return(&c->active) == 1) {
806 llnode = __llist_del_first(&c->free_llist);
809 *(struct bpf_mem_cache **)llnode = c;
812 local_dec(&c->active);
816 if (cnt < c->low_watermark)
818 /* Enable IRQ after the enqueue of irq work completes, so irq work
819 * will run after IRQ is enabled and free_llist may be refilled by
820 * irq work before other task preempts current task.
822 local_irq_restore(flags);
827 /* Though 'ptr' object could have been allocated on a different cpu
828 * add it to the free_llist of the current cpu.
829 * Let kfree() logic deal with it when it's later called from irq_work.
831 static void notrace unit_free(struct bpf_mem_cache *c, void *ptr)
833 struct llist_node *llnode = ptr - LLIST_NODE_SZ;
837 BUILD_BUG_ON(LLIST_NODE_SZ > 8);
840 * Remember bpf_mem_cache that allocated this object.
841 * The hint is not accurate.
843 c->tgt = *(struct bpf_mem_cache **)llnode;
845 local_irq_save(flags);
846 if (local_inc_return(&c->active) == 1) {
847 __llist_add(llnode, &c->free_llist);
850 /* unit_free() cannot fail. Therefore add an object to atomic
851 * llist. free_bulk() will drain it. Though free_llist_extra is
852 * a per-cpu list we have to use atomic llist_add here, since
853 * it also can be interrupted by bpf nmi prog that does another
854 * unit_free() into the same free_llist_extra.
856 llist_add(llnode, &c->free_llist_extra);
858 local_dec(&c->active);
860 if (cnt > c->high_watermark)
861 /* free few objects from current cpu into global kmalloc pool */
863 /* Enable IRQ after irq_work_raise() completes, otherwise when current
864 * task is preempted by task which does unit_alloc(), unit_alloc() may
865 * return NULL unexpectedly because irq work is already pending but can
866 * not been triggered and free_llist can not be refilled timely.
868 local_irq_restore(flags);
871 static void notrace unit_free_rcu(struct bpf_mem_cache *c, void *ptr)
873 struct llist_node *llnode = ptr - LLIST_NODE_SZ;
876 c->tgt = *(struct bpf_mem_cache **)llnode;
878 local_irq_save(flags);
879 if (local_inc_return(&c->active) == 1) {
880 if (__llist_add(llnode, &c->free_by_rcu))
881 c->free_by_rcu_tail = llnode;
883 llist_add(llnode, &c->free_llist_extra_rcu);
885 local_dec(&c->active);
887 if (!atomic_read(&c->call_rcu_in_progress))
889 local_irq_restore(flags);
892 /* Called from BPF program or from sys_bpf syscall.
893 * In both cases migration is disabled.
895 void notrace *bpf_mem_alloc(struct bpf_mem_alloc *ma, size_t size)
904 size += LLIST_NODE_SZ;
905 idx = bpf_mem_cache_idx(size);
909 ret = unit_alloc(this_cpu_ptr(ma->caches)->cache + idx);
910 return !ret ? NULL : ret + LLIST_NODE_SZ;
913 void notrace bpf_mem_free(struct bpf_mem_alloc *ma, void *ptr)
915 struct bpf_mem_cache *c;
921 c = *(void **)(ptr - LLIST_NODE_SZ);
922 idx = bpf_mem_cache_idx(c->unit_size);
923 if (WARN_ON_ONCE(idx < 0))
926 unit_free(this_cpu_ptr(ma->caches)->cache + idx, ptr);
929 void notrace bpf_mem_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
931 struct bpf_mem_cache *c;
937 c = *(void **)(ptr - LLIST_NODE_SZ);
938 idx = bpf_mem_cache_idx(c->unit_size);
939 if (WARN_ON_ONCE(idx < 0))
942 unit_free_rcu(this_cpu_ptr(ma->caches)->cache + idx, ptr);
945 void notrace *bpf_mem_cache_alloc(struct bpf_mem_alloc *ma)
949 ret = unit_alloc(this_cpu_ptr(ma->cache));
950 return !ret ? NULL : ret + LLIST_NODE_SZ;
953 void notrace bpf_mem_cache_free(struct bpf_mem_alloc *ma, void *ptr)
958 unit_free(this_cpu_ptr(ma->cache), ptr);
961 void notrace bpf_mem_cache_free_rcu(struct bpf_mem_alloc *ma, void *ptr)
966 unit_free_rcu(this_cpu_ptr(ma->cache), ptr);
969 /* Directly does a kfree() without putting 'ptr' back to the free_llist
970 * for reuse and without waiting for a rcu_tasks_trace gp.
971 * The caller must first go through the rcu_tasks_trace gp for 'ptr'
972 * before calling bpf_mem_cache_raw_free().
973 * It could be used when the rcu_tasks_trace callback does not have
974 * a hold on the original bpf_mem_alloc object that allocated the
975 * 'ptr'. This should only be used in the uncommon code path.
976 * Otherwise, the bpf_mem_alloc's free_llist cannot be refilled
977 * and may affect performance.
979 void bpf_mem_cache_raw_free(void *ptr)
984 kfree(ptr - LLIST_NODE_SZ);
987 /* When flags == GFP_KERNEL, it signals that the caller will not cause
988 * deadlock when using kmalloc. bpf_mem_cache_alloc_flags() will use
989 * kmalloc if the free_llist is empty.
991 void notrace *bpf_mem_cache_alloc_flags(struct bpf_mem_alloc *ma, gfp_t flags)
993 struct bpf_mem_cache *c;
996 c = this_cpu_ptr(ma->cache);
999 if (!ret && flags == GFP_KERNEL) {
1000 struct mem_cgroup *memcg, *old_memcg;
1002 memcg = get_memcg(c);
1003 old_memcg = set_active_memcg(memcg);
1004 ret = __alloc(c, NUMA_NO_NODE, GFP_KERNEL | __GFP_NOWARN | __GFP_ACCOUNT);
1006 *(struct bpf_mem_cache **)ret = c;
1007 set_active_memcg(old_memcg);
1008 mem_cgroup_put(memcg);
1011 return !ret ? NULL : ret + LLIST_NODE_SZ;
projects / releases.git / blob