1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2019 Facebook */
3 #include <linux/rculist.h>
4 #include <linux/list.h>
5 #include <linux/hash.h>
6 #include <linux/types.h>
7 #include <linux/spinlock.h>
9 #include <net/bpf_sk_storage.h>
11 #include <uapi/linux/sock_diag.h>
12 #include <uapi/linux/btf.h>
14 static atomic_t cache_idx;
16 #define SK_STORAGE_CREATE_FLAG_MASK \
17 (BPF_F_NO_PREALLOC | BPF_F_CLONE)
20 struct hlist_head list;
24 /* Thp map is not the primary owner of a bpf_sk_storage_elem.
25 * Instead, the sk->sk_bpf_storage is.
27 * The map (bpf_sk_storage_map) is for two purposes
28 * 1. Define the size of the "sk local storage". It is
29 * the map's value_size.
31 * 2. Maintain a list to keep track of all elems such
32 * that they can be cleaned up during the map destruction.
34 * When a bpf local storage is being looked up for a
35 * particular sk, the "bpf_map" pointer is actually used
36 * as the "key" to search in the list of elem in
39 * Hence, consider sk->sk_bpf_storage is the mini-map
40 * with the "bpf_map" pointer as the searching key.
42 struct bpf_sk_storage_map {
44 /* Lookup elem does not require accessing the map.
46 * Updating/Deleting requires a bucket lock to
47 * link/unlink the elem from the map. Having
48 * multiple buckets to improve contention.
50 struct bucket *buckets;
56 struct bpf_sk_storage_data {
57 /* smap is used as the searching key when looking up
58 * from sk->sk_bpf_storage.
60 * Put it in the same cacheline as the data to minimize
61 * the number of cachelines access during the cache hit case.
63 struct bpf_sk_storage_map __rcu *smap;
64 u8 data[] __aligned(8);
67 /* Linked to bpf_sk_storage and bpf_sk_storage_map */
68 struct bpf_sk_storage_elem {
69 struct hlist_node map_node; /* Linked to bpf_sk_storage_map */
70 struct hlist_node snode; /* Linked to bpf_sk_storage */
71 struct bpf_sk_storage __rcu *sk_storage;
74 /* The data is stored in aother cacheline to minimize
75 * the number of cachelines access during a cache hit.
77 struct bpf_sk_storage_data sdata ____cacheline_aligned;
80 #define SELEM(_SDATA) container_of((_SDATA), struct bpf_sk_storage_elem, sdata)
81 #define SDATA(_SELEM) (&(_SELEM)->sdata)
82 #define BPF_SK_STORAGE_CACHE_SIZE 16
84 struct bpf_sk_storage {
85 struct bpf_sk_storage_data __rcu *cache[BPF_SK_STORAGE_CACHE_SIZE];
86 struct hlist_head list; /* List of bpf_sk_storage_elem */
87 struct sock *sk; /* The sk that owns the the above "list" of
88 * bpf_sk_storage_elem.
91 raw_spinlock_t lock; /* Protect adding/removing from the "list" */
94 static struct bucket *select_bucket(struct bpf_sk_storage_map *smap,
95 struct bpf_sk_storage_elem *selem)
97 return &smap->buckets[hash_ptr(selem, smap->bucket_log)];
100 static int omem_charge(struct sock *sk, unsigned int size)
102 /* same check as in sock_kmalloc() */
103 if (size <= sysctl_optmem_max &&
104 atomic_read(&sk->sk_omem_alloc) + size < sysctl_optmem_max) {
105 atomic_add(size, &sk->sk_omem_alloc);
112 static bool selem_linked_to_sk(const struct bpf_sk_storage_elem *selem)
114 return !hlist_unhashed(&selem->snode);
117 static bool selem_linked_to_map(const struct bpf_sk_storage_elem *selem)
119 return !hlist_unhashed(&selem->map_node);
122 static struct bpf_sk_storage_elem *selem_alloc(struct bpf_sk_storage_map *smap,
123 struct sock *sk, void *value,
126 struct bpf_sk_storage_elem *selem;
128 if (charge_omem && omem_charge(sk, smap->elem_size))
131 selem = kzalloc(smap->elem_size, GFP_ATOMIC | __GFP_NOWARN);
134 memcpy(SDATA(selem)->data, value, smap->map.value_size);
139 atomic_sub(smap->elem_size, &sk->sk_omem_alloc);
144 /* sk_storage->lock must be held and selem->sk_storage == sk_storage.
145 * The caller must ensure selem->smap is still valid to be
146 * dereferenced for its smap->elem_size and smap->cache_idx.
148 static bool __selem_unlink_sk(struct bpf_sk_storage *sk_storage,
149 struct bpf_sk_storage_elem *selem,
152 struct bpf_sk_storage_map *smap;
153 bool free_sk_storage;
156 smap = rcu_dereference(SDATA(selem)->smap);
159 /* All uncharging on sk->sk_omem_alloc must be done first.
160 * sk may be freed once the last selem is unlinked from sk_storage.
163 atomic_sub(smap->elem_size, &sk->sk_omem_alloc);
165 free_sk_storage = hlist_is_singular_node(&selem->snode,
167 if (free_sk_storage) {
168 atomic_sub(sizeof(struct bpf_sk_storage), &sk->sk_omem_alloc);
169 sk_storage->sk = NULL;
170 /* After this RCU_INIT, sk may be freed and cannot be used */
171 RCU_INIT_POINTER(sk->sk_bpf_storage, NULL);
173 /* sk_storage is not freed now. sk_storage->lock is
174 * still held and raw_spin_unlock_bh(&sk_storage->lock)
175 * will be done by the caller.
177 * Although the unlock will be done under
178 * rcu_read_lock(), it is more intutivie to
179 * read if kfree_rcu(sk_storage, rcu) is done
180 * after the raw_spin_unlock_bh(&sk_storage->lock).
182 * Hence, a "bool free_sk_storage" is returned
183 * to the caller which then calls the kfree_rcu()
187 hlist_del_init_rcu(&selem->snode);
188 if (rcu_access_pointer(sk_storage->cache[smap->cache_idx]) ==
190 RCU_INIT_POINTER(sk_storage->cache[smap->cache_idx], NULL);
192 kfree_rcu(selem, rcu);
194 return free_sk_storage;
197 static void selem_unlink_sk(struct bpf_sk_storage_elem *selem)
199 struct bpf_sk_storage *sk_storage;
200 bool free_sk_storage = false;
202 if (unlikely(!selem_linked_to_sk(selem)))
203 /* selem has already been unlinked from sk */
206 sk_storage = rcu_dereference(selem->sk_storage);
207 raw_spin_lock_bh(&sk_storage->lock);
208 if (likely(selem_linked_to_sk(selem)))
209 free_sk_storage = __selem_unlink_sk(sk_storage, selem, true);
210 raw_spin_unlock_bh(&sk_storage->lock);
213 kfree_rcu(sk_storage, rcu);
216 static void __selem_link_sk(struct bpf_sk_storage *sk_storage,
217 struct bpf_sk_storage_elem *selem)
219 RCU_INIT_POINTER(selem->sk_storage, sk_storage);
220 hlist_add_head(&selem->snode, &sk_storage->list);
223 static void selem_unlink_map(struct bpf_sk_storage_elem *selem)
225 struct bpf_sk_storage_map *smap;
228 if (unlikely(!selem_linked_to_map(selem)))
229 /* selem has already be unlinked from smap */
232 smap = rcu_dereference(SDATA(selem)->smap);
233 b = select_bucket(smap, selem);
234 raw_spin_lock_bh(&b->lock);
235 if (likely(selem_linked_to_map(selem)))
236 hlist_del_init_rcu(&selem->map_node);
237 raw_spin_unlock_bh(&b->lock);
240 static void selem_link_map(struct bpf_sk_storage_map *smap,
241 struct bpf_sk_storage_elem *selem)
243 struct bucket *b = select_bucket(smap, selem);
245 raw_spin_lock_bh(&b->lock);
246 RCU_INIT_POINTER(SDATA(selem)->smap, smap);
247 hlist_add_head_rcu(&selem->map_node, &b->list);
248 raw_spin_unlock_bh(&b->lock);
251 static void selem_unlink(struct bpf_sk_storage_elem *selem)
253 /* Always unlink from map before unlinking from sk_storage
254 * because selem will be freed after successfully unlinked from
257 selem_unlink_map(selem);
258 selem_unlink_sk(selem);
261 static struct bpf_sk_storage_data *
262 __sk_storage_lookup(struct bpf_sk_storage *sk_storage,
263 struct bpf_sk_storage_map *smap,
266 struct bpf_sk_storage_data *sdata;
267 struct bpf_sk_storage_elem *selem;
269 /* Fast path (cache hit) */
270 sdata = rcu_dereference(sk_storage->cache[smap->cache_idx]);
271 if (sdata && rcu_access_pointer(sdata->smap) == smap)
274 /* Slow path (cache miss) */
275 hlist_for_each_entry_rcu(selem, &sk_storage->list, snode)
276 if (rcu_access_pointer(SDATA(selem)->smap) == smap)
282 sdata = SDATA(selem);
283 if (cacheit_lockit) {
284 /* spinlock is needed to avoid racing with the
285 * parallel delete. Otherwise, publishing an already
286 * deleted sdata to the cache will become a use-after-free
287 * problem in the next __sk_storage_lookup().
289 raw_spin_lock_bh(&sk_storage->lock);
290 if (selem_linked_to_sk(selem))
291 rcu_assign_pointer(sk_storage->cache[smap->cache_idx],
293 raw_spin_unlock_bh(&sk_storage->lock);
299 static struct bpf_sk_storage_data *
300 sk_storage_lookup(struct sock *sk, struct bpf_map *map, bool cacheit_lockit)
302 struct bpf_sk_storage *sk_storage;
303 struct bpf_sk_storage_map *smap;
305 sk_storage = rcu_dereference(sk->sk_bpf_storage);
309 smap = (struct bpf_sk_storage_map *)map;
310 return __sk_storage_lookup(sk_storage, smap, cacheit_lockit);
313 static int check_flags(const struct bpf_sk_storage_data *old_sdata,
316 if (old_sdata && (map_flags & ~BPF_F_LOCK) == BPF_NOEXIST)
317 /* elem already exists */
320 if (!old_sdata && (map_flags & ~BPF_F_LOCK) == BPF_EXIST)
321 /* elem doesn't exist, cannot update it */
327 static int sk_storage_alloc(struct sock *sk,
328 struct bpf_sk_storage_map *smap,
329 struct bpf_sk_storage_elem *first_selem)
331 struct bpf_sk_storage *prev_sk_storage, *sk_storage;
334 err = omem_charge(sk, sizeof(*sk_storage));
338 sk_storage = kzalloc(sizeof(*sk_storage), GFP_ATOMIC | __GFP_NOWARN);
343 INIT_HLIST_HEAD(&sk_storage->list);
344 raw_spin_lock_init(&sk_storage->lock);
347 __selem_link_sk(sk_storage, first_selem);
348 selem_link_map(smap, first_selem);
349 /* Publish sk_storage to sk. sk->sk_lock cannot be acquired.
350 * Hence, atomic ops is used to set sk->sk_bpf_storage
351 * from NULL to the newly allocated sk_storage ptr.
353 * From now on, the sk->sk_bpf_storage pointer is protected
354 * by the sk_storage->lock. Hence, when freeing
355 * the sk->sk_bpf_storage, the sk_storage->lock must
356 * be held before setting sk->sk_bpf_storage to NULL.
358 prev_sk_storage = cmpxchg((struct bpf_sk_storage **)&sk->sk_bpf_storage,
360 if (unlikely(prev_sk_storage)) {
361 selem_unlink_map(first_selem);
365 /* Note that even first_selem was linked to smap's
366 * bucket->list, first_selem can be freed immediately
367 * (instead of kfree_rcu) because
368 * bpf_sk_storage_map_free() does a
369 * synchronize_rcu() before walking the bucket->list.
370 * Hence, no one is accessing selem from the
371 * bucket->list under rcu_read_lock().
379 atomic_sub(sizeof(*sk_storage), &sk->sk_omem_alloc);
383 /* sk cannot be going away because it is linking new elem
384 * to sk->sk_bpf_storage. (i.e. sk->sk_refcnt cannot be 0).
385 * Otherwise, it will become a leak (and other memory issues
386 * during map destruction).
388 static struct bpf_sk_storage_data *sk_storage_update(struct sock *sk,
393 struct bpf_sk_storage_data *old_sdata = NULL;
394 struct bpf_sk_storage_elem *selem;
395 struct bpf_sk_storage *sk_storage;
396 struct bpf_sk_storage_map *smap;
399 /* BPF_EXIST and BPF_NOEXIST cannot be both set */
400 if (unlikely((map_flags & ~BPF_F_LOCK) > BPF_EXIST) ||
401 /* BPF_F_LOCK can only be used in a value with spin_lock */
402 unlikely((map_flags & BPF_F_LOCK) && !map_value_has_spin_lock(map)))
403 return ERR_PTR(-EINVAL);
405 smap = (struct bpf_sk_storage_map *)map;
406 sk_storage = rcu_dereference(sk->sk_bpf_storage);
407 if (!sk_storage || hlist_empty(&sk_storage->list)) {
408 /* Very first elem for this sk */
409 err = check_flags(NULL, map_flags);
413 selem = selem_alloc(smap, sk, value, true);
415 return ERR_PTR(-ENOMEM);
417 err = sk_storage_alloc(sk, smap, selem);
420 atomic_sub(smap->elem_size, &sk->sk_omem_alloc);
427 if ((map_flags & BPF_F_LOCK) && !(map_flags & BPF_NOEXIST)) {
428 /* Hoping to find an old_sdata to do inline update
429 * such that it can avoid taking the sk_storage->lock
430 * and changing the lists.
432 old_sdata = __sk_storage_lookup(sk_storage, smap, false);
433 err = check_flags(old_sdata, map_flags);
436 if (old_sdata && selem_linked_to_sk(SELEM(old_sdata))) {
437 copy_map_value_locked(map, old_sdata->data,
443 raw_spin_lock_bh(&sk_storage->lock);
445 /* Recheck sk_storage->list under sk_storage->lock */
446 if (unlikely(hlist_empty(&sk_storage->list))) {
447 /* A parallel del is happening and sk_storage is going
448 * away. It has just been checked before, so very
449 * unlikely. Return instead of retry to keep things
456 old_sdata = __sk_storage_lookup(sk_storage, smap, false);
457 err = check_flags(old_sdata, map_flags);
461 if (old_sdata && (map_flags & BPF_F_LOCK)) {
462 copy_map_value_locked(map, old_sdata->data, value, false);
463 selem = SELEM(old_sdata);
467 /* sk_storage->lock is held. Hence, we are sure
468 * we can unlink and uncharge the old_sdata successfully
469 * later. Hence, instead of charging the new selem now
470 * and then uncharge the old selem later (which may cause
471 * a potential but unnecessary charge failure), avoid taking
472 * a charge at all here (the "!old_sdata" check) and the
473 * old_sdata will not be uncharged later during __selem_unlink_sk().
475 selem = selem_alloc(smap, sk, value, !old_sdata);
481 /* First, link the new selem to the map */
482 selem_link_map(smap, selem);
484 /* Second, link (and publish) the new selem to sk_storage */
485 __selem_link_sk(sk_storage, selem);
487 /* Third, remove old selem, SELEM(old_sdata) */
489 selem_unlink_map(SELEM(old_sdata));
490 __selem_unlink_sk(sk_storage, SELEM(old_sdata), false);
494 raw_spin_unlock_bh(&sk_storage->lock);
498 raw_spin_unlock_bh(&sk_storage->lock);
502 static int sk_storage_delete(struct sock *sk, struct bpf_map *map)
504 struct bpf_sk_storage_data *sdata;
506 sdata = sk_storage_lookup(sk, map, false);
510 selem_unlink(SELEM(sdata));
515 /* Called by __sk_destruct() & bpf_sk_storage_clone() */
516 void bpf_sk_storage_free(struct sock *sk)
518 struct bpf_sk_storage_elem *selem;
519 struct bpf_sk_storage *sk_storage;
520 bool free_sk_storage = false;
521 struct hlist_node *n;
524 sk_storage = rcu_dereference(sk->sk_bpf_storage);
530 /* Netiher the bpf_prog nor the bpf-map's syscall
531 * could be modifying the sk_storage->list now.
532 * Thus, no elem can be added-to or deleted-from the
533 * sk_storage->list by the bpf_prog or by the bpf-map's syscall.
535 * It is racing with bpf_sk_storage_map_free() alone
536 * when unlinking elem from the sk_storage->list and
537 * the map's bucket->list.
539 raw_spin_lock_bh(&sk_storage->lock);
540 hlist_for_each_entry_safe(selem, n, &sk_storage->list, snode) {
541 /* Always unlink from map before unlinking from
544 selem_unlink_map(selem);
545 free_sk_storage = __selem_unlink_sk(sk_storage, selem, true);
547 raw_spin_unlock_bh(&sk_storage->lock);
551 kfree_rcu(sk_storage, rcu);
554 static void bpf_sk_storage_map_free(struct bpf_map *map)
556 struct bpf_sk_storage_elem *selem;
557 struct bpf_sk_storage_map *smap;
561 smap = (struct bpf_sk_storage_map *)map;
563 /* Note that this map might be concurrently cloned from
564 * bpf_sk_storage_clone. Wait for any existing bpf_sk_storage_clone
565 * RCU read section to finish before proceeding. New RCU
566 * read sections should be prevented via bpf_map_inc_not_zero.
570 /* bpf prog and the userspace can no longer access this map
571 * now. No new selem (of this map) can be added
572 * to the sk->sk_bpf_storage or to the map bucket's list.
574 * The elem of this map can be cleaned up here
576 * by bpf_sk_storage_free() during __sk_destruct().
578 for (i = 0; i < (1U << smap->bucket_log); i++) {
579 b = &smap->buckets[i];
582 /* No one is adding to b->list now */
583 while ((selem = hlist_entry_safe(rcu_dereference_raw(hlist_first_rcu(&b->list)),
584 struct bpf_sk_storage_elem,
592 /* bpf_sk_storage_free() may still need to access the map.
593 * e.g. bpf_sk_storage_free() has unlinked selem from the map
594 * which then made the above while((selem = ...)) loop
595 * exited immediately.
597 * However, the bpf_sk_storage_free() still needs to access
598 * the smap->elem_size to do the uncharging in
599 * __selem_unlink_sk().
601 * Hence, wait another rcu grace period for the
602 * bpf_sk_storage_free() to finish.
606 kvfree(smap->buckets);
610 /* U16_MAX is much more than enough for sk local storage
611 * considering a tcp_sock is ~2k.
613 #define MAX_VALUE_SIZE \
615 (KMALLOC_MAX_SIZE - MAX_BPF_STACK - sizeof(struct bpf_sk_storage_elem)), \
616 (U16_MAX - sizeof(struct bpf_sk_storage_elem)))
618 static int bpf_sk_storage_map_alloc_check(union bpf_attr *attr)
620 if (attr->map_flags & ~SK_STORAGE_CREATE_FLAG_MASK ||
621 !(attr->map_flags & BPF_F_NO_PREALLOC) ||
623 attr->key_size != sizeof(int) || !attr->value_size ||
624 /* Enforce BTF for userspace sk dumping */
625 !attr->btf_key_type_id || !attr->btf_value_type_id)
628 if (!capable(CAP_SYS_ADMIN))
631 if (attr->value_size > MAX_VALUE_SIZE)
637 static struct bpf_map *bpf_sk_storage_map_alloc(union bpf_attr *attr)
639 struct bpf_sk_storage_map *smap;
645 smap = kzalloc(sizeof(*smap), GFP_USER | __GFP_NOWARN);
647 return ERR_PTR(-ENOMEM);
648 bpf_map_init_from_attr(&smap->map, attr);
650 nbuckets = roundup_pow_of_two(num_possible_cpus());
651 /* Use at least 2 buckets, select_bucket() is undefined behavior with 1 bucket */
652 nbuckets = max_t(u32, 2, nbuckets);
653 smap->bucket_log = ilog2(nbuckets);
654 cost = sizeof(*smap->buckets) * nbuckets + sizeof(*smap);
656 ret = bpf_map_charge_init(&smap->map.memory, cost);
662 smap->buckets = kvcalloc(sizeof(*smap->buckets), nbuckets,
663 GFP_USER | __GFP_NOWARN);
664 if (!smap->buckets) {
665 bpf_map_charge_finish(&smap->map.memory);
667 return ERR_PTR(-ENOMEM);
670 for (i = 0; i < nbuckets; i++) {
671 INIT_HLIST_HEAD(&smap->buckets[i].list);
672 raw_spin_lock_init(&smap->buckets[i].lock);
675 smap->elem_size = sizeof(struct bpf_sk_storage_elem) + attr->value_size;
676 smap->cache_idx = (unsigned int)atomic_inc_return(&cache_idx) %
677 BPF_SK_STORAGE_CACHE_SIZE;
682 static int notsupp_get_next_key(struct bpf_map *map, void *key,
688 static int bpf_sk_storage_map_check_btf(const struct bpf_map *map,
689 const struct btf *btf,
690 const struct btf_type *key_type,
691 const struct btf_type *value_type)
695 if (BTF_INFO_KIND(key_type->info) != BTF_KIND_INT)
698 int_data = *(u32 *)(key_type + 1);
699 if (BTF_INT_BITS(int_data) != 32 || BTF_INT_OFFSET(int_data))
705 static void *bpf_fd_sk_storage_lookup_elem(struct bpf_map *map, void *key)
707 struct bpf_sk_storage_data *sdata;
712 sock = sockfd_lookup(fd, &err);
714 sdata = sk_storage_lookup(sock->sk, map, true);
716 return sdata ? sdata->data : NULL;
722 static int bpf_fd_sk_storage_update_elem(struct bpf_map *map, void *key,
723 void *value, u64 map_flags)
725 struct bpf_sk_storage_data *sdata;
730 sock = sockfd_lookup(fd, &err);
732 sdata = sk_storage_update(sock->sk, map, value, map_flags);
734 return PTR_ERR_OR_ZERO(sdata);
740 static int bpf_fd_sk_storage_delete_elem(struct bpf_map *map, void *key)
746 sock = sockfd_lookup(fd, &err);
748 err = sk_storage_delete(sock->sk, map);
756 static struct bpf_sk_storage_elem *
757 bpf_sk_storage_clone_elem(struct sock *newsk,
758 struct bpf_sk_storage_map *smap,
759 struct bpf_sk_storage_elem *selem)
761 struct bpf_sk_storage_elem *copy_selem;
763 copy_selem = selem_alloc(smap, newsk, NULL, true);
767 if (map_value_has_spin_lock(&smap->map))
768 copy_map_value_locked(&smap->map, SDATA(copy_selem)->data,
769 SDATA(selem)->data, true);
771 copy_map_value(&smap->map, SDATA(copy_selem)->data,
777 int bpf_sk_storage_clone(const struct sock *sk, struct sock *newsk)
779 struct bpf_sk_storage *new_sk_storage = NULL;
780 struct bpf_sk_storage *sk_storage;
781 struct bpf_sk_storage_elem *selem;
784 RCU_INIT_POINTER(newsk->sk_bpf_storage, NULL);
787 sk_storage = rcu_dereference(sk->sk_bpf_storage);
789 if (!sk_storage || hlist_empty(&sk_storage->list))
792 hlist_for_each_entry_rcu(selem, &sk_storage->list, snode) {
793 struct bpf_sk_storage_elem *copy_selem;
794 struct bpf_sk_storage_map *smap;
797 smap = rcu_dereference(SDATA(selem)->smap);
798 if (!(smap->map.map_flags & BPF_F_CLONE))
801 /* Note that for lockless listeners adding new element
802 * here can race with cleanup in bpf_sk_storage_map_free.
803 * Try to grab map refcnt to make sure that it's still
804 * alive and prevent concurrent removal.
806 map = bpf_map_inc_not_zero(&smap->map);
810 copy_selem = bpf_sk_storage_clone_elem(newsk, smap, selem);
817 if (new_sk_storage) {
818 selem_link_map(smap, copy_selem);
819 __selem_link_sk(new_sk_storage, copy_selem);
821 ret = sk_storage_alloc(newsk, smap, copy_selem);
824 atomic_sub(smap->elem_size,
825 &newsk->sk_omem_alloc);
830 new_sk_storage = rcu_dereference(copy_selem->sk_storage);
838 /* In case of an error, don't free anything explicitly here, the
839 * caller is responsible to call bpf_sk_storage_free.
845 BPF_CALL_4(bpf_sk_storage_get, struct bpf_map *, map, struct sock *, sk,
846 void *, value, u64, flags)
848 struct bpf_sk_storage_data *sdata;
850 if (flags > BPF_SK_STORAGE_GET_F_CREATE)
851 return (unsigned long)NULL;
853 sdata = sk_storage_lookup(sk, map, true);
855 return (unsigned long)sdata->data;
857 if (flags == BPF_SK_STORAGE_GET_F_CREATE &&
858 /* Cannot add new elem to a going away sk.
859 * Otherwise, the new elem may become a leak
860 * (and also other memory issues during map
863 refcount_inc_not_zero(&sk->sk_refcnt)) {
864 sdata = sk_storage_update(sk, map, value, BPF_NOEXIST);
865 /* sk must be a fullsock (guaranteed by verifier),
866 * so sock_gen_put() is unnecessary.
869 return IS_ERR(sdata) ?
870 (unsigned long)NULL : (unsigned long)sdata->data;
873 return (unsigned long)NULL;
876 BPF_CALL_2(bpf_sk_storage_delete, struct bpf_map *, map, struct sock *, sk)
878 if (refcount_inc_not_zero(&sk->sk_refcnt)) {
881 err = sk_storage_delete(sk, map);
889 const struct bpf_map_ops sk_storage_map_ops = {
890 .map_alloc_check = bpf_sk_storage_map_alloc_check,
891 .map_alloc = bpf_sk_storage_map_alloc,
892 .map_free = bpf_sk_storage_map_free,
893 .map_get_next_key = notsupp_get_next_key,
894 .map_lookup_elem = bpf_fd_sk_storage_lookup_elem,
895 .map_update_elem = bpf_fd_sk_storage_update_elem,
896 .map_delete_elem = bpf_fd_sk_storage_delete_elem,
897 .map_check_btf = bpf_sk_storage_map_check_btf,
900 const struct bpf_func_proto bpf_sk_storage_get_proto = {
901 .func = bpf_sk_storage_get,
903 .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
904 .arg1_type = ARG_CONST_MAP_PTR,
905 .arg2_type = ARG_PTR_TO_SOCKET,
906 .arg3_type = ARG_PTR_TO_MAP_VALUE_OR_NULL,
907 .arg4_type = ARG_ANYTHING,
910 const struct bpf_func_proto bpf_sk_storage_delete_proto = {
911 .func = bpf_sk_storage_delete,
913 .ret_type = RET_INTEGER,
914 .arg1_type = ARG_CONST_MAP_PTR,
915 .arg2_type = ARG_PTR_TO_SOCKET,
918 struct bpf_sk_storage_diag {
920 struct bpf_map *maps[];
923 /* The reply will be like:
924 * INET_DIAG_BPF_SK_STORAGES (nla_nest)
925 * SK_DIAG_BPF_STORAGE (nla_nest)
926 * SK_DIAG_BPF_STORAGE_MAP_ID (nla_put_u32)
927 * SK_DIAG_BPF_STORAGE_MAP_VALUE (nla_reserve_64bit)
928 * SK_DIAG_BPF_STORAGE (nla_nest)
929 * SK_DIAG_BPF_STORAGE_MAP_ID (nla_put_u32)
930 * SK_DIAG_BPF_STORAGE_MAP_VALUE (nla_reserve_64bit)
933 static int nla_value_size(u32 value_size)
935 /* SK_DIAG_BPF_STORAGE (nla_nest)
936 * SK_DIAG_BPF_STORAGE_MAP_ID (nla_put_u32)
937 * SK_DIAG_BPF_STORAGE_MAP_VALUE (nla_reserve_64bit)
939 return nla_total_size(0) + nla_total_size(sizeof(u32)) +
940 nla_total_size_64bit(value_size);
943 void bpf_sk_storage_diag_free(struct bpf_sk_storage_diag *diag)
950 for (i = 0; i < diag->nr_maps; i++)
951 bpf_map_put(diag->maps[i]);
955 EXPORT_SYMBOL_GPL(bpf_sk_storage_diag_free);
957 static bool diag_check_dup(const struct bpf_sk_storage_diag *diag,
958 const struct bpf_map *map)
962 for (i = 0; i < diag->nr_maps; i++) {
963 if (diag->maps[i] == map)
970 struct bpf_sk_storage_diag *
971 bpf_sk_storage_diag_alloc(const struct nlattr *nla_stgs)
973 struct bpf_sk_storage_diag *diag;
978 /* bpf_sk_storage_map is currently limited to CAP_SYS_ADMIN as
979 * the map_alloc_check() side also does.
981 if (!capable(CAP_SYS_ADMIN))
982 return ERR_PTR(-EPERM);
984 nla_for_each_nested(nla, nla_stgs, rem) {
985 if (nla_type(nla) == SK_DIAG_BPF_STORAGE_REQ_MAP_FD)
989 diag = kzalloc(sizeof(*diag) + sizeof(diag->maps[0]) * nr_maps,
992 return ERR_PTR(-ENOMEM);
994 nla_for_each_nested(nla, nla_stgs, rem) {
998 if (nla_type(nla) != SK_DIAG_BPF_STORAGE_REQ_MAP_FD)
1001 map_fd = nla_get_u32(nla);
1002 map = bpf_map_get(map_fd);
1007 if (map->map_type != BPF_MAP_TYPE_SK_STORAGE) {
1012 if (diag_check_dup(diag, map)) {
1017 diag->maps[diag->nr_maps++] = map;
1023 bpf_sk_storage_diag_free(diag);
1024 return ERR_PTR(err);
1026 EXPORT_SYMBOL_GPL(bpf_sk_storage_diag_alloc);
1028 static int diag_get(struct bpf_sk_storage_data *sdata, struct sk_buff *skb)
1030 struct nlattr *nla_stg, *nla_value;
1031 struct bpf_sk_storage_map *smap;
1033 /* It cannot exceed max nlattr's payload */
1034 BUILD_BUG_ON(U16_MAX - NLA_HDRLEN < MAX_VALUE_SIZE);
1036 nla_stg = nla_nest_start(skb, SK_DIAG_BPF_STORAGE);
1040 smap = rcu_dereference(sdata->smap);
1041 if (nla_put_u32(skb, SK_DIAG_BPF_STORAGE_MAP_ID, smap->map.id))
1044 nla_value = nla_reserve_64bit(skb, SK_DIAG_BPF_STORAGE_MAP_VALUE,
1045 smap->map.value_size,
1046 SK_DIAG_BPF_STORAGE_PAD);
1050 if (map_value_has_spin_lock(&smap->map))
1051 copy_map_value_locked(&smap->map, nla_data(nla_value),
1054 copy_map_value(&smap->map, nla_data(nla_value), sdata->data);
1056 nla_nest_end(skb, nla_stg);
1060 nla_nest_cancel(skb, nla_stg);
1064 static int bpf_sk_storage_diag_put_all(struct sock *sk, struct sk_buff *skb,
1066 unsigned int *res_diag_size)
1068 /* stg_array_type (e.g. INET_DIAG_BPF_SK_STORAGES) */
1069 unsigned int diag_size = nla_total_size(0);
1070 struct bpf_sk_storage *sk_storage;
1071 struct bpf_sk_storage_elem *selem;
1072 struct bpf_sk_storage_map *smap;
1073 struct nlattr *nla_stgs;
1074 unsigned int saved_len;
1079 sk_storage = rcu_dereference(sk->sk_bpf_storage);
1080 if (!sk_storage || hlist_empty(&sk_storage->list)) {
1085 nla_stgs = nla_nest_start(skb, stg_array_type);
1087 /* Continue to learn diag_size */
1090 saved_len = skb->len;
1091 hlist_for_each_entry_rcu(selem, &sk_storage->list, snode) {
1092 smap = rcu_dereference(SDATA(selem)->smap);
1093 diag_size += nla_value_size(smap->map.value_size);
1095 if (nla_stgs && diag_get(SDATA(selem), skb))
1096 /* Continue to learn diag_size */
1103 if (saved_len == skb->len)
1104 nla_nest_cancel(skb, nla_stgs);
1106 nla_nest_end(skb, nla_stgs);
1109 if (diag_size == nla_total_size(0)) {
1114 *res_diag_size = diag_size;
1118 int bpf_sk_storage_diag_put(struct bpf_sk_storage_diag *diag,
1119 struct sock *sk, struct sk_buff *skb,
1121 unsigned int *res_diag_size)
1123 /* stg_array_type (e.g. INET_DIAG_BPF_SK_STORAGES) */
1124 unsigned int diag_size = nla_total_size(0);
1125 struct bpf_sk_storage *sk_storage;
1126 struct bpf_sk_storage_data *sdata;
1127 struct nlattr *nla_stgs;
1128 unsigned int saved_len;
1134 /* No map has been specified. Dump all. */
1136 return bpf_sk_storage_diag_put_all(sk, skb, stg_array_type,
1140 sk_storage = rcu_dereference(sk->sk_bpf_storage);
1141 if (!sk_storage || hlist_empty(&sk_storage->list)) {
1146 nla_stgs = nla_nest_start(skb, stg_array_type);
1148 /* Continue to learn diag_size */
1151 saved_len = skb->len;
1152 for (i = 0; i < diag->nr_maps; i++) {
1153 sdata = __sk_storage_lookup(sk_storage,
1154 (struct bpf_sk_storage_map *)diag->maps[i],
1160 diag_size += nla_value_size(diag->maps[i]->value_size);
1162 if (nla_stgs && diag_get(sdata, skb))
1163 /* Continue to learn diag_size */
1169 if (saved_len == skb->len)
1170 nla_nest_cancel(skb, nla_stgs);
1172 nla_nest_end(skb, nla_stgs);
1175 if (diag_size == nla_total_size(0)) {
1180 *res_diag_size = diag_size;
1183 EXPORT_SYMBOL_GPL(bpf_sk_storage_diag_put);
projects / linux-2.6-microblaze.git / blob