| Message ID | 20210623110727.221922-1-toke@redhat.com |
|---|---|
| Headers | show |
| Series | Clean up and document RCU-based object protection for XDP and TC BPF | expand |
On 6/23/21 1:07 PM, Toke Høiland-Jørgensen wrote: > XDP_REDIRECT works by a three-step process: the bpf_redirect() and > bpf_redirect_map() helpers will lookup the target of the redirect and store > it (along with some other metadata) in a per-CPU struct bpf_redirect_info. > Next, when the program returns the XDP_REDIRECT return code, the driver > will call xdp_do_redirect() which will use the information thus stored to > actually enqueue the frame into a bulk queue structure (that differs > slightly by map type, but shares the same principle). Finally, before > exiting its NAPI poll loop, the driver will call xdp_do_flush(), which will > flush all the different bulk queues, thus completing the redirect. [...] > > Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> [...] > diff --git a/include/linux/filter.h b/include/linux/filter.h > index c5ad7df029ed..b01e266dad9e 100644 > --- a/include/linux/filter.h > +++ b/include/linux/filter.h > @@ -762,12 +762,10 @@ DECLARE_BPF_DISPATCHER(xdp) > > static __always_inline u32 bpf_prog_run_xdp(const struct bpf_prog *prog, > struct xdp_buff *xdp) > -{ > - /* Caller needs to hold rcu_read_lock() (!), otherwise program > - * can be released while still running, or map elements could be > - * freed early while still having concurrent users. XDP fastpath > - * already takes rcu_read_lock() when fetching the program, so > - * it's not necessary here anymore. > + > + /* Driver XDP hooks are invoked within a single NAPI poll cycle and thus > + * under local_bh_disable(), which provides the needed RCU protection > + * for accessing map entries. > */ > return __BPF_PROG_RUN(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); > } I just went over the series to manually fix up merge conflicts in the driver patches since they didn't apply cleanly against bpf-next. But as it turned out that extra work was needless, since you didn't even compile test the series before submission, sigh. Please fix (and only submit compile- & runtime-tested code in future). Thanks, Daniel
Daniel Borkmann <daniel@iogearbox.net> writes: > On 6/23/21 1:07 PM, Toke Høiland-Jørgensen wrote: >> XDP_REDIRECT works by a three-step process: the bpf_redirect() and >> bpf_redirect_map() helpers will lookup the target of the redirect and store >> it (along with some other metadata) in a per-CPU struct bpf_redirect_info. >> Next, when the program returns the XDP_REDIRECT return code, the driver >> will call xdp_do_redirect() which will use the information thus stored to >> actually enqueue the frame into a bulk queue structure (that differs >> slightly by map type, but shares the same principle). Finally, before >> exiting its NAPI poll loop, the driver will call xdp_do_flush(), which will >> flush all the different bulk queues, thus completing the redirect. > [...] >> >> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> > [...] >> diff --git a/include/linux/filter.h b/include/linux/filter.h >> index c5ad7df029ed..b01e266dad9e 100644 >> --- a/include/linux/filter.h >> +++ b/include/linux/filter.h >> @@ -762,12 +762,10 @@ DECLARE_BPF_DISPATCHER(xdp) >> >> static __always_inline u32 bpf_prog_run_xdp(const struct bpf_prog *prog, >> struct xdp_buff *xdp) >> -{ >> - /* Caller needs to hold rcu_read_lock() (!), otherwise program >> - * can be released while still running, or map elements could be >> - * freed early while still having concurrent users. XDP fastpath >> - * already takes rcu_read_lock() when fetching the program, so >> - * it's not necessary here anymore. >> + >> + /* Driver XDP hooks are invoked within a single NAPI poll cycle and thus >> + * under local_bh_disable(), which provides the needed RCU protection >> + * for accessing map entries. >> */ >> return __BPF_PROG_RUN(prog, xdp, BPF_DISPATCHER_FUNC(xdp)); >> } > > I just went over the series to manually fix up merge conflicts in the driver > patches since they didn't apply cleanly against bpf-next. > > But as it turned out that extra work was needless, since you didn't even compile > test the series before submission, sigh. > > Please fix (and only submit compile- & runtime-tested code in future). Yikes! I was too much in a hurry with to re-submit and neglected to re-do the compile check before hitting send. Apologies, that was sloppy of me - I will do better in the future. Will rebase and send a v5 that doesn't blow up on compile :) -Toke
During the discussion[0] of Hangbin's multicast patch series, Martin pointed out that the lifetime of the RCU-protected map entries used by XDP_REDIRECT is by no means obvious. I promised to look into cleaning this up, and Paul helpfully provided some hints and a new unrcu_pointer() helper to aid in this. It seems[1] that back in the early days of XDP, local_bh_disable() did not provide RCU protection, which is why the rcu_read_lock() calls were added to drivers in the first place. But according to Paul[2], in recent kernels a local_bh_disable()/local_bh_enable() pair functions as one big RCU read-side section, so no further protection is needed. This even applies to -rt kernels, which has an explicit rcu_read_lock() in place as part of the local_bh_disable()[3]. This patch series is mostly a documentation exercise, cleaning up the description of the lifetime expectations and adding __rcu annotations so sparse and lockdep can help verify it. Patches 1-4 are preparatory: Patch 1 adds Paul's unrcu_pointer() helper (which has already been added to his tree), which we need for some of the operations in devmap, patches 2 and 3 update the RCU documentation and patch 4 adds bh context as a valid condition for map lookups. Patch 5 is the main bit that adds the __rcu annotations and updates documentation comments. Finally, patch 6 removes unneeded rcu_read_lock()s from TC BPF, and the rest are patches updating the drivers, with one patch per distinct maintainer. Unfortunately I don't have any hardware to test any of the driver patches; Jesper helpfully verified that it doesn't break anything on i40e, but the rest of the driver patches are only compile-tested. [0] https://lore.kernel.org/bpf/20210415173551.7ma4slcbqeyiba2r@kafai-mbp.dhcp.thefacebook.com/ [1] https://lore.kernel.org/bpf/c5192ab3-1c05-8679-79f2-59d98299095b@iogearbox.net/ [2] https://lore.kernel.org/bpf/20210417002301.GO4212@paulmck-ThinkPad-P17-Gen-1/ [3] https://lore.kernel.org/bpf/20210419165837.GA975577@paulmck-ThinkPad-P17-Gen-1/ Changelog: v4: - Move comment about RCU protection into core instead of leaving it in drivers - Also remove rcu_read_lock() around TC BPF program execution - Fold in a couple of patches from Paul updating the RCU documentation v3: - Remove one other unnecessary change to hlist_for_each_entry_rcu() - Carry forward another ACK v2: - Add a comment about RCU protection to the drivers where rcu_read_lock() is removed - Drop unnecessary patch 3 which changed dev_get_by_index_rcu() - Add some more text with the history to cover letter - Fix a few places where the wrong RCU checks were used in cpumap and xskmap code - Carry forward ACKs Paul E. McKenney (2): rcu: Create an unrcu_pointer() to remove __rcu from a pointer doc: Clarify and expand RCU updaters and corresponding readers Toke Høiland-Jørgensen (17): doc: Give XDP as example of non-obvious RCU reader/updater pairing bpf: allow RCU-protected lookups to happen from bh context xdp: add proper __rcu annotations to redirect map entries sched: remove unneeded rcu_read_lock() around BPF program invocation ena: remove rcu_read_lock() around XDP program invocation bnxt: remove rcu_read_lock() around XDP program invocation thunderx: remove rcu_read_lock() around XDP program invocation freescale: remove rcu_read_lock() around XDP program invocation net: intel: remove rcu_read_lock() around XDP program invocation marvell: remove rcu_read_lock() around XDP program invocation mlx4: remove rcu_read_lock() around XDP program invocation nfp: remove rcu_read_lock() around XDP program invocation qede: remove rcu_read_lock() around XDP program invocation sfc: remove rcu_read_lock() around XDP program invocation netsec: remove rcu_read_lock() around XDP program invocation stmmac: remove rcu_read_lock() around XDP program invocation net: ti: remove rcu_read_lock() around XDP program invocation Documentation/RCU/checklist.rst | 55 ++++++++++++------- drivers/net/ethernet/amazon/ena/ena_netdev.c | 3 - drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c | 2 - .../net/ethernet/cavium/thunder/nicvf_main.c | 2 - .../net/ethernet/freescale/dpaa/dpaa_eth.c | 8 +-- .../net/ethernet/freescale/dpaa2/dpaa2-eth.c | 3 - drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 - drivers/net/ethernet/intel/i40e/i40e_xsk.c | 6 +- drivers/net/ethernet/intel/ice/ice_txrx.c | 6 +- drivers/net/ethernet/intel/ice/ice_xsk.c | 6 +- drivers/net/ethernet/intel/igb/igb_main.c | 2 - drivers/net/ethernet/intel/igc/igc_main.c | 7 +-- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 - drivers/net/ethernet/intel/ixgbe/ixgbe_xsk.c | 6 +- .../net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 - drivers/net/ethernet/marvell/mvneta.c | 2 - .../net/ethernet/marvell/mvpp2/mvpp2_main.c | 4 -- drivers/net/ethernet/mellanox/mlx4/en_rx.c | 8 +-- .../ethernet/netronome/nfp/nfp_net_common.c | 2 - drivers/net/ethernet/qlogic/qede/qede_fp.c | 6 -- drivers/net/ethernet/sfc/rx.c | 9 +-- drivers/net/ethernet/socionext/netsec.c | 3 - .../net/ethernet/stmicro/stmmac/stmmac_main.c | 10 +--- drivers/net/ethernet/ti/cpsw_priv.c | 10 +--- include/linux/filter.h | 10 ++-- include/linux/rcupdate.h | 14 +++++ include/net/xdp_sock.h | 2 +- kernel/bpf/cpumap.c | 13 +++-- kernel/bpf/devmap.c | 49 +++++++---------- kernel/bpf/hashtab.c | 21 ++++--- kernel/bpf/helpers.c | 6 +- kernel/bpf/lpm_trie.c | 6 +- net/core/filter.c | 28 ++++++++++ net/sched/act_bpf.c | 2 - net/sched/cls_bpf.c | 3 - net/xdp/xsk.c | 4 +- net/xdp/xsk.h | 4 +- net/xdp/xskmap.c | 29 ++++++---- 38 files changed, 168 insertions(+), 189 deletions(-)