mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git
synced 2025-01-10 07:50:04 +00:00
649f11dcd1
We are currently only allowing attachment of device-bound cls_bpf and XDP programs. Make this restriction explicit in the BPF offload code. This way we can potentially reuse the ifindex field in the future. Since XDP and cls_bpf programs can only be loaded by admin, we can drop the explicit capability check from offload code. Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
200 lines
4.2 KiB
C
200 lines
4.2 KiB
C
#include <linux/bpf.h>
|
|
#include <linux/bpf_verifier.h>
|
|
#include <linux/bug.h>
|
|
#include <linux/list.h>
|
|
#include <linux/netdevice.h>
|
|
#include <linux/printk.h>
|
|
#include <linux/rtnetlink.h>
|
|
|
|
/* protected by RTNL */
|
|
static LIST_HEAD(bpf_prog_offload_devs);
|
|
|
|
int bpf_prog_offload_init(struct bpf_prog *prog, union bpf_attr *attr)
|
|
{
|
|
struct net *net = current->nsproxy->net_ns;
|
|
struct bpf_dev_offload *offload;
|
|
|
|
if (attr->prog_type != BPF_PROG_TYPE_SCHED_CLS &&
|
|
attr->prog_type != BPF_PROG_TYPE_XDP)
|
|
return -EINVAL;
|
|
|
|
if (attr->prog_flags)
|
|
return -EINVAL;
|
|
|
|
offload = kzalloc(sizeof(*offload), GFP_USER);
|
|
if (!offload)
|
|
return -ENOMEM;
|
|
|
|
offload->prog = prog;
|
|
init_waitqueue_head(&offload->verifier_done);
|
|
|
|
rtnl_lock();
|
|
offload->netdev = __dev_get_by_index(net, attr->prog_target_ifindex);
|
|
if (!offload->netdev) {
|
|
rtnl_unlock();
|
|
kfree(offload);
|
|
return -EINVAL;
|
|
}
|
|
|
|
prog->aux->offload = offload;
|
|
list_add_tail(&offload->offloads, &bpf_prog_offload_devs);
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int __bpf_offload_ndo(struct bpf_prog *prog, enum bpf_netdev_command cmd,
|
|
struct netdev_bpf *data)
|
|
{
|
|
struct net_device *netdev = prog->aux->offload->netdev;
|
|
|
|
ASSERT_RTNL();
|
|
|
|
if (!netdev)
|
|
return -ENODEV;
|
|
if (!netdev->netdev_ops->ndo_bpf)
|
|
return -EOPNOTSUPP;
|
|
|
|
data->command = cmd;
|
|
|
|
return netdev->netdev_ops->ndo_bpf(netdev, data);
|
|
}
|
|
|
|
int bpf_prog_offload_verifier_prep(struct bpf_verifier_env *env)
|
|
{
|
|
struct netdev_bpf data = {};
|
|
int err;
|
|
|
|
data.verifier.prog = env->prog;
|
|
|
|
rtnl_lock();
|
|
err = __bpf_offload_ndo(env->prog, BPF_OFFLOAD_VERIFIER_PREP, &data);
|
|
if (err)
|
|
goto exit_unlock;
|
|
|
|
env->dev_ops = data.verifier.ops;
|
|
|
|
env->prog->aux->offload->dev_state = true;
|
|
env->prog->aux->offload->verifier_running = true;
|
|
exit_unlock:
|
|
rtnl_unlock();
|
|
return err;
|
|
}
|
|
|
|
static void __bpf_prog_offload_destroy(struct bpf_prog *prog)
|
|
{
|
|
struct bpf_dev_offload *offload = prog->aux->offload;
|
|
struct netdev_bpf data = {};
|
|
|
|
/* Caution - if netdev is destroyed before the program, this function
|
|
* will be called twice.
|
|
*/
|
|
|
|
data.offload.prog = prog;
|
|
|
|
if (offload->verifier_running)
|
|
wait_event(offload->verifier_done, !offload->verifier_running);
|
|
|
|
if (offload->dev_state)
|
|
WARN_ON(__bpf_offload_ndo(prog, BPF_OFFLOAD_DESTROY, &data));
|
|
|
|
offload->dev_state = false;
|
|
list_del_init(&offload->offloads);
|
|
offload->netdev = NULL;
|
|
}
|
|
|
|
void bpf_prog_offload_destroy(struct bpf_prog *prog)
|
|
{
|
|
struct bpf_dev_offload *offload = prog->aux->offload;
|
|
|
|
offload->verifier_running = false;
|
|
wake_up(&offload->verifier_done);
|
|
|
|
rtnl_lock();
|
|
__bpf_prog_offload_destroy(prog);
|
|
rtnl_unlock();
|
|
|
|
kfree(offload);
|
|
}
|
|
|
|
static int bpf_prog_offload_translate(struct bpf_prog *prog)
|
|
{
|
|
struct bpf_dev_offload *offload = prog->aux->offload;
|
|
struct netdev_bpf data = {};
|
|
int ret;
|
|
|
|
data.offload.prog = prog;
|
|
|
|
offload->verifier_running = false;
|
|
wake_up(&offload->verifier_done);
|
|
|
|
rtnl_lock();
|
|
ret = __bpf_offload_ndo(prog, BPF_OFFLOAD_TRANSLATE, &data);
|
|
rtnl_unlock();
|
|
|
|
return ret;
|
|
}
|
|
|
|
static unsigned int bpf_prog_warn_on_exec(const void *ctx,
|
|
const struct bpf_insn *insn)
|
|
{
|
|
WARN(1, "attempt to execute device eBPF program on the host!");
|
|
return 0;
|
|
}
|
|
|
|
int bpf_prog_offload_compile(struct bpf_prog *prog)
|
|
{
|
|
prog->bpf_func = bpf_prog_warn_on_exec;
|
|
|
|
return bpf_prog_offload_translate(prog);
|
|
}
|
|
|
|
u32 bpf_prog_offload_ifindex(struct bpf_prog *prog)
|
|
{
|
|
struct bpf_dev_offload *offload = prog->aux->offload;
|
|
u32 ifindex;
|
|
|
|
rtnl_lock();
|
|
ifindex = offload->netdev ? offload->netdev->ifindex : 0;
|
|
rtnl_unlock();
|
|
|
|
return ifindex;
|
|
}
|
|
|
|
const struct bpf_prog_ops bpf_offload_prog_ops = {
|
|
};
|
|
|
|
static int bpf_offload_notification(struct notifier_block *notifier,
|
|
ulong event, void *ptr)
|
|
{
|
|
struct net_device *netdev = netdev_notifier_info_to_dev(ptr);
|
|
struct bpf_dev_offload *offload, *tmp;
|
|
|
|
ASSERT_RTNL();
|
|
|
|
switch (event) {
|
|
case NETDEV_UNREGISTER:
|
|
list_for_each_entry_safe(offload, tmp, &bpf_prog_offload_devs,
|
|
offloads) {
|
|
if (offload->netdev == netdev)
|
|
__bpf_prog_offload_destroy(offload->prog);
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
return NOTIFY_OK;
|
|
}
|
|
|
|
static struct notifier_block bpf_offload_notifier = {
|
|
.notifier_call = bpf_offload_notification,
|
|
};
|
|
|
|
static int __init bpf_offload_init(void)
|
|
{
|
|
register_netdevice_notifier(&bpf_offload_notifier);
|
|
return 0;
|
|
}
|
|
|
|
subsys_initcall(bpf_offload_init);
|