authorAlexei Starovoitov <ast@fb.com>2017-10-03 01:50:21 -0400
committerDavid S. Miller <davem@davemloft.net>2017-10-04 19:05:05 -0400
commit324bda9e6c5add86ba2e1066476481c48132aca0 (patch)
tree31d4267d10e934e6b3c180556c91aff8ea6dd990 /include/linux/bpf.h
parentc818fa9e288be5be7e360c33cf4f5e30f9fa206e (diff)
bpf: multi program support for cgroup+bpf
introduce BPF_F_ALLOW_MULTI flag that can be used to attach multiple bpf programs to a cgroup. The difference between three possible flags for BPF_PROG_ATTACH command: - NONE(default): No further bpf programs allowed in the subtree. - BPF_F_ALLOW_OVERRIDE: If a sub-cgroup installs some bpf program, the program in this cgroup yields to sub-cgroup program. - BPF_F_ALLOW_MULTI: If a sub-cgroup installs some bpf program, that cgroup program gets run in addition to the program in this cgroup. NONE and BPF_F_ALLOW_OVERRIDE existed before. This patch doesn't change their behavior. It only clarifies the semantics in relation to new flag. Only one program is allowed to be attached to a cgroup with NONE or BPF_F_ALLOW_OVERRIDE flag. Multiple programs are allowed to be attached to a cgroup with BPF_F_ALLOW_MULTI flag. They are executed in FIFO order (those that were attached first, run first) The programs of sub-cgroup are executed first, then programs of this cgroup and then programs of parent cgroup. All eligible programs are executed regardless of return code from earlier programs. To allow efficient execution of multiple programs attached to a cgroup and to avoid penalizing cgroups without any programs attached introduce 'struct bpf_prog_array' which is RCU protected array of pointers to bpf programs. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Martin KaFai Lau <kafai@fb.com> for cgroup bits Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/bpf.h')
-rw-r--r--include/linux/bpf.h32
1 files changed, 32 insertions, 0 deletions
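diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 252f4bc9eb25..a6964b75f070 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -241,6 +241,38 @@ int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
 int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
  union bpf_attr __user *uattr);
 
+/* an array of programs to be executed under rcu_lock.
+ *
+ * Typical usage:
+ * ret = BPF_PROG_RUN_ARRAY(&bpf_prog_array, ctx, BPF_PROG_RUN);
+ *
+ * the structure returned by bpf_prog_array_alloc() should be populated
+ * with program pointers and the last pointer must be NULL.
+ * The user has to keep refcnt on the program and make sure the program
+ * is removed from the array before bpf_prog_put().
+ * The 'struct bpf_prog_array *' should only be replaced with xchg()
+ * since other cpus are walking the array of pointers in parallel.
+ */
+struct bpf_prog_array {
+ struct rcu_head rcu;
+ struct bpf_prog *progs[0];
+};
+
+struct bpf_prog_array __rcu *bpf_prog_array_alloc(u32 prog_cnt, gfp_t flags);
+void bpf_prog_array_free(struct bpf_prog_array __rcu *progs);
+
+#define BPF_PROG_RUN_ARRAY(array, ctx, func) \
+ ({ \
+ struct bpf_prog **_prog; \
+ u32 _ret = 1; \
+ rcu_read_lock(); \
+ _prog = rcu_dereference(array)->progs; \
+ for (; *_prog; _prog++) \
+ _ret &= func(*_prog, ctx); \
+ rcu_read_unlock(); \
+ _ret; \
+ })
+
 #ifdef CONFIG_BPF_SYSCALL
 DECLARE_PER_CPU(int, bpf_prog_active);
 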
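Review bot: `BPF_PROG_RUN_ARRAY` folds the per-program results with `_ret &= func(*_prog, ctx)` starting from `u32 _ret = 1`, so the combined verdict is only meaningful when every `func` call returns exactly 0 or 1. A return of 2 clears the result to 0 and a return of 3 leaves it at 1, and nothing visible in this header states or enforces that range. The block comment above `struct bpf_prog_array` should spell out the contract, for example ` * func() must return 0 or 1; results are ANDed, so one 0 makes the whole run return 0.` The macro also dereferences `rcu_dereference(array)->progs` unconditionally, so the same comment should state that the array pointer is never NULL, or the macro should guard it. Whether every caller guarantees that cannot be seen from this file.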