Message ID | 20200702092416.11961-2-jakub@cloudflare.com |
---|---|
State | Changes Requested |
Delegated to: | BPF Maintainers |
Headers | show |
Series | Run a BPF program on socket lookup | expand |
On Thu, Jul 2, 2020 at 2:24 AM Jakub Sitnicki <jakub@cloudflare.com> wrote: > > Extend the BPF netns link callbacks to rebuild (grow/shrink) or update the > prog_array at given position when link gets attached/updated/released. > > This let's us lift the limit of having just one link attached for the new > attach type introduced by subsequent patch. > > No functional changes intended. > > Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> > --- > > Notes: > v3: > - New in v3 to support multi-prog attachments. (Alexei) > > include/linux/bpf.h | 4 ++ > kernel/bpf/core.c | 22 ++++++++++ > kernel/bpf/net_namespace.c | 88 +++++++++++++++++++++++++++++++++++--- > 3 files changed, 107 insertions(+), 7 deletions(-) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index 3d2ade703a35..26bc70533db0 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -928,6 +928,10 @@ int bpf_prog_array_copy_to_user(struct bpf_prog_array *progs, > > void bpf_prog_array_delete_safe(struct bpf_prog_array *progs, > struct bpf_prog *old_prog); > +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, > + unsigned int index); > +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, > + struct bpf_prog *prog); > int bpf_prog_array_copy_info(struct bpf_prog_array *array, > u32 *prog_ids, u32 request_cnt, > u32 *prog_cnt); > diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c > index 9df4cc9a2907..d4b3b9ee6bf1 100644 > --- a/kernel/bpf/core.c > +++ b/kernel/bpf/core.c > @@ -1958,6 +1958,28 @@ void bpf_prog_array_delete_safe(struct bpf_prog_array *array, > } > } > > +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, > + unsigned int index) > +{ > + bpf_prog_array_update_at(array, index, &dummy_bpf_prog.prog); > +} > + > +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, > + struct bpf_prog *prog) it's a good idea to mention it in a comment for both delete_safe_at and update_at that slots with dummy entries are ignored. Also, given that index can be out of bounds, should these functions actually return error if the slot is not found? > +{ > + struct bpf_prog_array_item *item; > + > + for (item = array->items; item->prog; item++) { > + if (item->prog == &dummy_bpf_prog.prog) > + continue; > + if (!index) { > + WRITE_ONCE(item->prog, prog); > + break; > + } > + index--; > + } > +} > + > int bpf_prog_array_copy(struct bpf_prog_array *old_array, > struct bpf_prog *exclude_prog, > struct bpf_prog *include_prog, > diff --git a/kernel/bpf/net_namespace.c b/kernel/bpf/net_namespace.c > index 247543380fa6..6011122c35b6 100644 > --- a/kernel/bpf/net_namespace.c > +++ b/kernel/bpf/net_namespace.c > @@ -36,11 +36,51 @@ static void netns_bpf_run_array_detach(struct net *net, > bpf_prog_array_free(run_array); > } > > +static unsigned int link_index(struct net *net, > + enum netns_bpf_attach_type type, > + struct bpf_netns_link *link) > +{ > + struct bpf_netns_link *pos; > + unsigned int i = 0; > + > + list_for_each_entry(pos, &net->bpf.links[type], node) { > + if (pos == link) > + return i; > + i++; > + } > + return UINT_MAX; Why not return a negative error, if the slot is not found? Feels a bit unusual as far as error reporting goes. > +} > + [...]
On Thu, Jul 09, 2020 at 05:44 AM CEST, Andrii Nakryiko wrote: > On Thu, Jul 2, 2020 at 2:24 AM Jakub Sitnicki <jakub@cloudflare.com> wrote: >> >> Extend the BPF netns link callbacks to rebuild (grow/shrink) or update the >> prog_array at given position when link gets attached/updated/released. >> >> This let's us lift the limit of having just one link attached for the new >> attach type introduced by subsequent patch. >> >> No functional changes intended. >> >> Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> >> --- >> >> Notes: >> v3: >> - New in v3 to support multi-prog attachments. (Alexei) >> >> include/linux/bpf.h | 4 ++ >> kernel/bpf/core.c | 22 ++++++++++ >> kernel/bpf/net_namespace.c | 88 +++++++++++++++++++++++++++++++++++--- >> 3 files changed, 107 insertions(+), 7 deletions(-) >> >> diff --git a/include/linux/bpf.h b/include/linux/bpf.h >> index 3d2ade703a35..26bc70533db0 100644 >> --- a/include/linux/bpf.h >> +++ b/include/linux/bpf.h >> @@ -928,6 +928,10 @@ int bpf_prog_array_copy_to_user(struct bpf_prog_array *progs, >> >> void bpf_prog_array_delete_safe(struct bpf_prog_array *progs, >> struct bpf_prog *old_prog); >> +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, >> + unsigned int index); >> +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, >> + struct bpf_prog *prog); >> int bpf_prog_array_copy_info(struct bpf_prog_array *array, >> u32 *prog_ids, u32 request_cnt, >> u32 *prog_cnt); >> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c >> index 9df4cc9a2907..d4b3b9ee6bf1 100644 >> --- a/kernel/bpf/core.c >> +++ b/kernel/bpf/core.c >> @@ -1958,6 +1958,28 @@ void bpf_prog_array_delete_safe(struct bpf_prog_array *array, >> } >> } >> >> +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, >> + unsigned int index) >> +{ >> + bpf_prog_array_update_at(array, index, &dummy_bpf_prog.prog); >> +} >> + >> +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, >> + struct bpf_prog *prog) > > it's a good idea to mention it in a comment for both delete_safe_at > and update_at that slots with dummy entries are ignored. I agree. These two need doc comments. update_at doesn't event hint that this is not a regular update operation. Will add in v4. > > Also, given that index can be out of bounds, should these functions > actually return error if the slot is not found? That won't hurt. I mean, from bpf-netns PoV getting such an error would indicate that there is a bug in the code that manages prog_array. But perhaps other future users of this new prog_array API can benefit. > >> +{ >> + struct bpf_prog_array_item *item; >> + >> + for (item = array->items; item->prog; item++) { >> + if (item->prog == &dummy_bpf_prog.prog) >> + continue; >> + if (!index) { >> + WRITE_ONCE(item->prog, prog); >> + break; >> + } >> + index--; >> + } >> +} >> + >> int bpf_prog_array_copy(struct bpf_prog_array *old_array, >> struct bpf_prog *exclude_prog, >> struct bpf_prog *include_prog, >> diff --git a/kernel/bpf/net_namespace.c b/kernel/bpf/net_namespace.c >> index 247543380fa6..6011122c35b6 100644 >> --- a/kernel/bpf/net_namespace.c >> +++ b/kernel/bpf/net_namespace.c >> @@ -36,11 +36,51 @@ static void netns_bpf_run_array_detach(struct net *net, >> bpf_prog_array_free(run_array); >> } >> >> +static unsigned int link_index(struct net *net, >> + enum netns_bpf_attach_type type, >> + struct bpf_netns_link *link) >> +{ >> + struct bpf_netns_link *pos; >> + unsigned int i = 0; >> + >> + list_for_each_entry(pos, &net->bpf.links[type], node) { >> + if (pos == link) >> + return i; >> + i++; >> + } >> + return UINT_MAX; > > Why not return a negative error, if the slot is not found? Feels a bit > unusual as far as error reporting goes. Returning uint played well with the consumer of link_index() return value, that is bpf_prog_array_update_at(). update at takes an index into the array, which must not be negative. But I don't have strong feelings toward it. Will switch to -ENOENT in v4. > >> +} >> + > > [...]
On Thu, Jul 9, 2020 at 5:49 AM Jakub Sitnicki <jakub@cloudflare.com> wrote: > > On Thu, Jul 09, 2020 at 05:44 AM CEST, Andrii Nakryiko wrote: > > On Thu, Jul 2, 2020 at 2:24 AM Jakub Sitnicki <jakub@cloudflare.com> wrote: > >> > >> Extend the BPF netns link callbacks to rebuild (grow/shrink) or update the > >> prog_array at given position when link gets attached/updated/released. > >> > >> This let's us lift the limit of having just one link attached for the new > >> attach type introduced by subsequent patch. > >> > >> No functional changes intended. > >> > >> Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> > >> --- > >> > >> Notes: > >> v3: > >> - New in v3 to support multi-prog attachments. (Alexei) > >> > >> include/linux/bpf.h | 4 ++ > >> kernel/bpf/core.c | 22 ++++++++++ > >> kernel/bpf/net_namespace.c | 88 +++++++++++++++++++++++++++++++++++--- > >> 3 files changed, 107 insertions(+), 7 deletions(-) > >> > >> diff --git a/include/linux/bpf.h b/include/linux/bpf.h > >> index 3d2ade703a35..26bc70533db0 100644 > >> --- a/include/linux/bpf.h > >> +++ b/include/linux/bpf.h > >> @@ -928,6 +928,10 @@ int bpf_prog_array_copy_to_user(struct bpf_prog_array *progs, > >> > >> void bpf_prog_array_delete_safe(struct bpf_prog_array *progs, > >> struct bpf_prog *old_prog); > >> +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, > >> + unsigned int index); > >> +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, > >> + struct bpf_prog *prog); > >> int bpf_prog_array_copy_info(struct bpf_prog_array *array, > >> u32 *prog_ids, u32 request_cnt, > >> u32 *prog_cnt); > >> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c > >> index 9df4cc9a2907..d4b3b9ee6bf1 100644 > >> --- a/kernel/bpf/core.c > >> +++ b/kernel/bpf/core.c > >> @@ -1958,6 +1958,28 @@ void bpf_prog_array_delete_safe(struct bpf_prog_array *array, > >> } > >> } > >> > >> +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, > >> + unsigned int index) > >> +{ > >> + bpf_prog_array_update_at(array, index, &dummy_bpf_prog.prog); > >> +} > >> + > >> +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, > >> + struct bpf_prog *prog) > > > > it's a good idea to mention it in a comment for both delete_safe_at > > and update_at that slots with dummy entries are ignored. > > I agree. These two need doc comments. update_at doesn't event hint that > this is not a regular update operation. Will add in v4. > > > > > Also, given that index can be out of bounds, should these functions > > actually return error if the slot is not found? > > That won't hurt. I mean, from bpf-netns PoV getting such an error would > indicate that there is a bug in the code that manages prog_array. But > perhaps other future users of this new prog_array API can benefit. > > > > >> +{ > >> + struct bpf_prog_array_item *item; > >> + > >> + for (item = array->items; item->prog; item++) { > >> + if (item->prog == &dummy_bpf_prog.prog) > >> + continue; > >> + if (!index) { > >> + WRITE_ONCE(item->prog, prog); > >> + break; > >> + } > >> + index--; > >> + } > >> +} > >> + > >> int bpf_prog_array_copy(struct bpf_prog_array *old_array, > >> struct bpf_prog *exclude_prog, > >> struct bpf_prog *include_prog, > >> diff --git a/kernel/bpf/net_namespace.c b/kernel/bpf/net_namespace.c > >> index 247543380fa6..6011122c35b6 100644 > >> --- a/kernel/bpf/net_namespace.c > >> +++ b/kernel/bpf/net_namespace.c > >> @@ -36,11 +36,51 @@ static void netns_bpf_run_array_detach(struct net *net, > >> bpf_prog_array_free(run_array); > >> } > >> > >> +static unsigned int link_index(struct net *net, > >> + enum netns_bpf_attach_type type, > >> + struct bpf_netns_link *link) > >> +{ > >> + struct bpf_netns_link *pos; > >> + unsigned int i = 0; > >> + > >> + list_for_each_entry(pos, &net->bpf.links[type], node) { > >> + if (pos == link) > >> + return i; > >> + i++; > >> + } > >> + return UINT_MAX; > > > > Why not return a negative error, if the slot is not found? Feels a bit > > unusual as far as error reporting goes. > > Returning uint played well with the consumer of link_index() return > value, that is bpf_prog_array_update_at(). update at takes an index into > the array, which must not be negative. Yeah, it did, but it's also quite implicit. I think just doing BUG_ON() for update_at or delete_at would be good enough there. > > But I don't have strong feelings toward it. Will switch to -ENOENT in > v4. > > > > >> +} > >> + > > > > [...]
On Fri, Jul 10, 2020 at 12:02 AM CEST, Andrii Nakryiko wrote: > On Thu, Jul 9, 2020 at 5:49 AM Jakub Sitnicki <jakub@cloudflare.com> wrote: >> >> On Thu, Jul 09, 2020 at 05:44 AM CEST, Andrii Nakryiko wrote: >> > On Thu, Jul 2, 2020 at 2:24 AM Jakub Sitnicki <jakub@cloudflare.com> wrote: >> >> >> >> Extend the BPF netns link callbacks to rebuild (grow/shrink) or update the >> >> prog_array at given position when link gets attached/updated/released. >> >> >> >> This let's us lift the limit of having just one link attached for the new >> >> attach type introduced by subsequent patch. >> >> >> >> No functional changes intended. >> >> >> >> Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> >> >> --- >> >> >> >> Notes: >> >> v3: >> >> - New in v3 to support multi-prog attachments. (Alexei) >> >> >> >> include/linux/bpf.h | 4 ++ >> >> kernel/bpf/core.c | 22 ++++++++++ >> >> kernel/bpf/net_namespace.c | 88 +++++++++++++++++++++++++++++++++++--- >> >> 3 files changed, 107 insertions(+), 7 deletions(-) >> >> >> >> diff --git a/include/linux/bpf.h b/include/linux/bpf.h >> >> index 3d2ade703a35..26bc70533db0 100644 >> >> --- a/include/linux/bpf.h >> >> +++ b/include/linux/bpf.h >> >> @@ -928,6 +928,10 @@ int bpf_prog_array_copy_to_user(struct bpf_prog_array *progs, >> >> >> >> void bpf_prog_array_delete_safe(struct bpf_prog_array *progs, >> >> struct bpf_prog *old_prog); >> >> +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, >> >> + unsigned int index); >> >> +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, >> >> + struct bpf_prog *prog); >> >> int bpf_prog_array_copy_info(struct bpf_prog_array *array, >> >> u32 *prog_ids, u32 request_cnt, >> >> u32 *prog_cnt); >> >> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c >> >> index 9df4cc9a2907..d4b3b9ee6bf1 100644 >> >> --- a/kernel/bpf/core.c >> >> +++ b/kernel/bpf/core.c >> >> @@ -1958,6 +1958,28 @@ void bpf_prog_array_delete_safe(struct bpf_prog_array *array, >> >> } >> >> } >> >> >> >> +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, >> >> + unsigned int index) >> >> +{ >> >> + bpf_prog_array_update_at(array, index, &dummy_bpf_prog.prog); >> >> +} >> >> + >> >> +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, >> >> + struct bpf_prog *prog) >> > >> > it's a good idea to mention it in a comment for both delete_safe_at >> > and update_at that slots with dummy entries are ignored. >> >> I agree. These two need doc comments. update_at doesn't event hint that >> this is not a regular update operation. Will add in v4. >> >> > >> > Also, given that index can be out of bounds, should these functions >> > actually return error if the slot is not found? >> >> That won't hurt. I mean, from bpf-netns PoV getting such an error would >> indicate that there is a bug in the code that manages prog_array. But >> perhaps other future users of this new prog_array API can benefit. >> >> > >> >> +{ >> >> + struct bpf_prog_array_item *item; >> >> + >> >> + for (item = array->items; item->prog; item++) { >> >> + if (item->prog == &dummy_bpf_prog.prog) >> >> + continue; >> >> + if (!index) { >> >> + WRITE_ONCE(item->prog, prog); >> >> + break; >> >> + } >> >> + index--; >> >> + } >> >> +} >> >> + >> >> int bpf_prog_array_copy(struct bpf_prog_array *old_array, >> >> struct bpf_prog *exclude_prog, >> >> struct bpf_prog *include_prog, >> >> diff --git a/kernel/bpf/net_namespace.c b/kernel/bpf/net_namespace.c >> >> index 247543380fa6..6011122c35b6 100644 >> >> --- a/kernel/bpf/net_namespace.c >> >> +++ b/kernel/bpf/net_namespace.c >> >> @@ -36,11 +36,51 @@ static void netns_bpf_run_array_detach(struct net *net, >> >> bpf_prog_array_free(run_array); >> >> } >> >> >> >> +static unsigned int link_index(struct net *net, >> >> + enum netns_bpf_attach_type type, >> >> + struct bpf_netns_link *link) >> >> +{ >> >> + struct bpf_netns_link *pos; >> >> + unsigned int i = 0; >> >> + >> >> + list_for_each_entry(pos, &net->bpf.links[type], node) { >> >> + if (pos == link) >> >> + return i; >> >> + i++; >> >> + } >> >> + return UINT_MAX; >> > >> > Why not return a negative error, if the slot is not found? Feels a bit >> > unusual as far as error reporting goes. >> >> Returning uint played well with the consumer of link_index() return >> value, that is bpf_prog_array_update_at(). update at takes an index into >> the array, which must not be negative. > > Yeah, it did, but it's also quite implicit. I think just doing > BUG_ON() for update_at or delete_at would be good enough there. BUG_ON got deprecated [0], but I will WARN. [0] https://www.kernel.org/doc/html/latest/process/deprecated.html#bug-and-bug-on [...]
diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 3d2ade703a35..26bc70533db0 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -928,6 +928,10 @@ int bpf_prog_array_copy_to_user(struct bpf_prog_array *progs, void bpf_prog_array_delete_safe(struct bpf_prog_array *progs, struct bpf_prog *old_prog); +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, + unsigned int index); +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, + struct bpf_prog *prog); int bpf_prog_array_copy_info(struct bpf_prog_array *array, u32 *prog_ids, u32 request_cnt, u32 *prog_cnt); diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 9df4cc9a2907..d4b3b9ee6bf1 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -1958,6 +1958,28 @@ void bpf_prog_array_delete_safe(struct bpf_prog_array *array, } } +void bpf_prog_array_delete_safe_at(struct bpf_prog_array *array, + unsigned int index) +{ + bpf_prog_array_update_at(array, index, &dummy_bpf_prog.prog); +} + +void bpf_prog_array_update_at(struct bpf_prog_array *array, unsigned int index, + struct bpf_prog *prog) +{ + struct bpf_prog_array_item *item; + + for (item = array->items; item->prog; item++) { + if (item->prog == &dummy_bpf_prog.prog) + continue; + if (!index) { + WRITE_ONCE(item->prog, prog); + break; + } + index--; + } +} + int bpf_prog_array_copy(struct bpf_prog_array *old_array, struct bpf_prog *exclude_prog, struct bpf_prog *include_prog, diff --git a/kernel/bpf/net_namespace.c b/kernel/bpf/net_namespace.c index 247543380fa6..6011122c35b6 100644 --- a/kernel/bpf/net_namespace.c +++ b/kernel/bpf/net_namespace.c @@ -36,11 +36,51 @@ static void netns_bpf_run_array_detach(struct net *net, bpf_prog_array_free(run_array); } +static unsigned int link_index(struct net *net, + enum netns_bpf_attach_type type, + struct bpf_netns_link *link) +{ + struct bpf_netns_link *pos; + unsigned int i = 0; + + list_for_each_entry(pos, &net->bpf.links[type], node) { + if (pos == link) + return i; + i++; + } + return UINT_MAX; +} + +static unsigned int link_count(struct net *net, + enum netns_bpf_attach_type type) +{ + struct list_head *pos; + unsigned int i = 0; + + list_for_each(pos, &net->bpf.links[type]) + i++; + return i; +} + +static void fill_prog_array(struct net *net, enum netns_bpf_attach_type type, + struct bpf_prog_array *prog_array) +{ + struct bpf_netns_link *pos; + unsigned int i = 0; + + list_for_each_entry(pos, &net->bpf.links[type], node) { + prog_array->items[i].prog = pos->link.prog; + i++; + } +} + static void bpf_netns_link_release(struct bpf_link *link) { struct bpf_netns_link *net_link = container_of(link, struct bpf_netns_link, link); enum netns_bpf_attach_type type = net_link->netns_type; + struct bpf_prog_array *old_array, *new_array; + unsigned int cnt, idx; struct net *net; mutex_lock(&netns_bpf_mutex); @@ -53,9 +93,27 @@ static void bpf_netns_link_release(struct bpf_link *link) if (!net) goto out_unlock; - netns_bpf_run_array_detach(net, type); + /* Remember link position in case of safe delete */ + idx = link_index(net, type, net_link); list_del(&net_link->node); + cnt = link_count(net, type); + if (!cnt) { + netns_bpf_run_array_detach(net, type); + goto out_unlock; + } + + old_array = rcu_dereference_protected(net->bpf.run_array[type], + lockdep_is_held(&netns_bpf_mutex)); + new_array = bpf_prog_array_alloc(cnt, GFP_KERNEL); + if (!new_array) { + bpf_prog_array_delete_safe_at(old_array, idx); + goto out_unlock; + } + fill_prog_array(net, type, new_array); + rcu_assign_pointer(net->bpf.run_array[type], new_array); + bpf_prog_array_free(old_array); + out_unlock: mutex_unlock(&netns_bpf_mutex); } @@ -76,6 +134,7 @@ static int bpf_netns_link_update_prog(struct bpf_link *link, container_of(link, struct bpf_netns_link, link); enum netns_bpf_attach_type type = net_link->netns_type; struct bpf_prog_array *run_array; + unsigned int idx; struct net *net; int ret = 0; @@ -95,7 +154,8 @@ static int bpf_netns_link_update_prog(struct bpf_link *link, run_array = rcu_dereference_protected(net->bpf.run_array[type], lockdep_is_held(&netns_bpf_mutex)); - WRITE_ONCE(run_array->items[0].prog, new_prog); + idx = link_index(net, type, net_link); + bpf_prog_array_update_at(run_array, idx, new_prog); old_prog = xchg(&link->prog, new_prog); bpf_prog_put(old_prog); @@ -295,18 +355,29 @@ int netns_bpf_prog_detach(const union bpf_attr *attr) return ret; } +static int netns_bpf_max_progs(enum netns_bpf_attach_type type) +{ + switch (type) { + case NETNS_BPF_FLOW_DISSECTOR: + return 1; + default: + return 0; + } +} + static int netns_bpf_link_attach(struct net *net, struct bpf_link *link, enum netns_bpf_attach_type type) { struct bpf_netns_link *net_link = container_of(link, struct bpf_netns_link, link); struct bpf_prog_array *run_array; + unsigned int cnt; int err; mutex_lock(&netns_bpf_mutex); - /* Allow attaching only one prog or link for now */ - if (!list_empty(&net->bpf.links[type])) { + cnt = link_count(net, type); + if (cnt >= netns_bpf_max_progs(type)) { err = -E2BIG; goto out_unlock; } @@ -327,16 +398,19 @@ static int netns_bpf_link_attach(struct net *net, struct bpf_link *link, if (err) goto out_unlock; - run_array = bpf_prog_array_alloc(1, GFP_KERNEL); + run_array = bpf_prog_array_alloc(cnt + 1, GFP_KERNEL); if (!run_array) { err = -ENOMEM; goto out_unlock; } - run_array->items[0].prog = link->prog; - rcu_assign_pointer(net->bpf.run_array[type], run_array); list_add_tail(&net_link->node, &net->bpf.links[type]); + fill_prog_array(net, type, run_array); + run_array = rcu_replace_pointer(net->bpf.run_array[type], run_array, + lockdep_is_held(&netns_bpf_mutex)); + bpf_prog_array_free(run_array); + out_unlock: mutex_unlock(&netns_bpf_mutex); return err;
Extend the BPF netns link callbacks to rebuild (grow/shrink) or update the prog_array at given position when link gets attached/updated/released. This let's us lift the limit of having just one link attached for the new attach type introduced by subsequent patch. No functional changes intended. Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> --- Notes: v3: - New in v3 to support multi-prog attachments. (Alexei) include/linux/bpf.h | 4 ++ kernel/bpf/core.c | 22 ++++++++++ kernel/bpf/net_namespace.c | 88 +++++++++++++++++++++++++++++++++++--- 3 files changed, 107 insertions(+), 7 deletions(-)