Commit 92234c8f authored by Toke Høiland-Jørgensen's avatar Toke Høiland-Jørgensen Committed by Alexei Starovoitov

xdp: Support specifying expected existing program when attaching XDP

While it is currently possible for userspace to specify that an existing
XDP program should not be replaced when attaching to an interface, there is
no mechanism to safely replace a specific XDP program with another.

This patch adds a new netlink attribute, IFLA_XDP_EXPECTED_FD, which can be
set along with IFLA_XDP_FD. If set, the kernel will check that the program
currently loaded on the interface matches the expected one, and fail the
operation if it does not. This corresponds to a 'cmpxchg' memory operation.
Setting the new attribute with a negative value means that no program is
expected to be attached, which corresponds to setting the UPDATE_IF_NOEXIST
flag.

A new companion flag, XDP_FLAGS_REPLACE, is also added to explicitly
request checking of the EXPECTED_FD attribute. This is needed for userspace
to discover whether the kernel supports the new attribute.
Signed-off-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Reviewed-by: default avatarJakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/bpf/158515700640.92963.3551295145441017022.stgit@toke.dk
parent e9ff9d52
...@@ -3768,7 +3768,7 @@ struct sk_buff *dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev, ...@@ -3768,7 +3768,7 @@ struct sk_buff *dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
typedef int (*bpf_op_t)(struct net_device *dev, struct netdev_bpf *bpf); typedef int (*bpf_op_t)(struct net_device *dev, struct netdev_bpf *bpf);
int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack, int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack,
int fd, u32 flags); int fd, int expected_fd, u32 flags);
u32 __dev_xdp_query(struct net_device *dev, bpf_op_t xdp_op, u32 __dev_xdp_query(struct net_device *dev, bpf_op_t xdp_op,
enum bpf_netdev_command cmd); enum bpf_netdev_command cmd);
int xdp_umem_query(struct net_device *dev, u16 queue_id); int xdp_umem_query(struct net_device *dev, u16 queue_id);
......
...@@ -972,11 +972,12 @@ enum { ...@@ -972,11 +972,12 @@ enum {
#define XDP_FLAGS_SKB_MODE (1U << 1) #define XDP_FLAGS_SKB_MODE (1U << 1)
#define XDP_FLAGS_DRV_MODE (1U << 2) #define XDP_FLAGS_DRV_MODE (1U << 2)
#define XDP_FLAGS_HW_MODE (1U << 3) #define XDP_FLAGS_HW_MODE (1U << 3)
#define XDP_FLAGS_REPLACE (1U << 4)
#define XDP_FLAGS_MODES (XDP_FLAGS_SKB_MODE | \ #define XDP_FLAGS_MODES (XDP_FLAGS_SKB_MODE | \
XDP_FLAGS_DRV_MODE | \ XDP_FLAGS_DRV_MODE | \
XDP_FLAGS_HW_MODE) XDP_FLAGS_HW_MODE)
#define XDP_FLAGS_MASK (XDP_FLAGS_UPDATE_IF_NOEXIST | \ #define XDP_FLAGS_MASK (XDP_FLAGS_UPDATE_IF_NOEXIST | \
XDP_FLAGS_MODES) XDP_FLAGS_MODES | XDP_FLAGS_REPLACE)
/* These are stored into IFLA_XDP_ATTACHED on dump. */ /* These are stored into IFLA_XDP_ATTACHED on dump. */
enum { enum {
...@@ -996,6 +997,7 @@ enum { ...@@ -996,6 +997,7 @@ enum {
IFLA_XDP_DRV_PROG_ID, IFLA_XDP_DRV_PROG_ID,
IFLA_XDP_SKB_PROG_ID, IFLA_XDP_SKB_PROG_ID,
IFLA_XDP_HW_PROG_ID, IFLA_XDP_HW_PROG_ID,
IFLA_XDP_EXPECTED_FD,
__IFLA_XDP_MAX, __IFLA_XDP_MAX,
}; };
......
...@@ -8655,15 +8655,17 @@ static void dev_xdp_uninstall(struct net_device *dev) ...@@ -8655,15 +8655,17 @@ static void dev_xdp_uninstall(struct net_device *dev)
* @dev: device * @dev: device
* @extack: netlink extended ack * @extack: netlink extended ack
* @fd: new program fd or negative value to clear * @fd: new program fd or negative value to clear
* @expected_fd: old program fd that userspace expects to replace or clear
* @flags: xdp-related flags * @flags: xdp-related flags
* *
* Set or clear a bpf program for a device * Set or clear a bpf program for a device
*/ */
int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack, int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack,
int fd, u32 flags) int fd, int expected_fd, u32 flags)
{ {
const struct net_device_ops *ops = dev->netdev_ops; const struct net_device_ops *ops = dev->netdev_ops;
enum bpf_netdev_command query; enum bpf_netdev_command query;
u32 prog_id, expected_id = 0;
struct bpf_prog *prog = NULL; struct bpf_prog *prog = NULL;
bpf_op_t bpf_op, bpf_chk; bpf_op_t bpf_op, bpf_chk;
bool offload; bool offload;
...@@ -8684,15 +8686,29 @@ int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack, ...@@ -8684,15 +8686,29 @@ int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack,
if (bpf_op == bpf_chk) if (bpf_op == bpf_chk)
bpf_chk = generic_xdp_install; bpf_chk = generic_xdp_install;
if (fd >= 0) { prog_id = __dev_xdp_query(dev, bpf_op, query);
u32 prog_id; if (flags & XDP_FLAGS_REPLACE) {
if (expected_fd >= 0) {
prog = bpf_prog_get_type_dev(expected_fd,
BPF_PROG_TYPE_XDP,
bpf_op == ops->ndo_bpf);
if (IS_ERR(prog))
return PTR_ERR(prog);
expected_id = prog->aux->id;
bpf_prog_put(prog);
}
if (prog_id != expected_id) {
NL_SET_ERR_MSG(extack, "Active program does not match expected");
return -EEXIST;
}
}
if (fd >= 0) {
if (!offload && __dev_xdp_query(dev, bpf_chk, XDP_QUERY_PROG)) { if (!offload && __dev_xdp_query(dev, bpf_chk, XDP_QUERY_PROG)) {
NL_SET_ERR_MSG(extack, "native and generic XDP can't be active at the same time"); NL_SET_ERR_MSG(extack, "native and generic XDP can't be active at the same time");
return -EEXIST; return -EEXIST;
} }
prog_id = __dev_xdp_query(dev, bpf_op, query);
if ((flags & XDP_FLAGS_UPDATE_IF_NOEXIST) && prog_id) { if ((flags & XDP_FLAGS_UPDATE_IF_NOEXIST) && prog_id) {
NL_SET_ERR_MSG(extack, "XDP program already attached"); NL_SET_ERR_MSG(extack, "XDP program already attached");
return -EBUSY; return -EBUSY;
...@@ -8715,7 +8731,7 @@ int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack, ...@@ -8715,7 +8731,7 @@ int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack,
return 0; return 0;
} }
} else { } else {
if (!__dev_xdp_query(dev, bpf_op, query)) if (!prog_id)
return 0; return 0;
} }
......
...@@ -1872,7 +1872,9 @@ static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = { ...@@ -1872,7 +1872,9 @@ static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = {
}; };
static const struct nla_policy ifla_xdp_policy[IFLA_XDP_MAX + 1] = { static const struct nla_policy ifla_xdp_policy[IFLA_XDP_MAX + 1] = {
[IFLA_XDP_UNSPEC] = { .strict_start_type = IFLA_XDP_EXPECTED_FD },
[IFLA_XDP_FD] = { .type = NLA_S32 }, [IFLA_XDP_FD] = { .type = NLA_S32 },
[IFLA_XDP_EXPECTED_FD] = { .type = NLA_S32 },
[IFLA_XDP_ATTACHED] = { .type = NLA_U8 }, [IFLA_XDP_ATTACHED] = { .type = NLA_U8 },
[IFLA_XDP_FLAGS] = { .type = NLA_U32 }, [IFLA_XDP_FLAGS] = { .type = NLA_U32 },
[IFLA_XDP_PROG_ID] = { .type = NLA_U32 }, [IFLA_XDP_PROG_ID] = { .type = NLA_U32 },
...@@ -2799,8 +2801,20 @@ static int do_setlink(const struct sk_buff *skb, ...@@ -2799,8 +2801,20 @@ static int do_setlink(const struct sk_buff *skb,
} }
if (xdp[IFLA_XDP_FD]) { if (xdp[IFLA_XDP_FD]) {
int expected_fd = -1;
if (xdp_flags & XDP_FLAGS_REPLACE) {
if (!xdp[IFLA_XDP_EXPECTED_FD]) {
err = -EINVAL;
goto errout;
}
expected_fd =
nla_get_s32(xdp[IFLA_XDP_EXPECTED_FD]);
}
err = dev_change_xdp_fd(dev, extack, err = dev_change_xdp_fd(dev, extack,
nla_get_s32(xdp[IFLA_XDP_FD]), nla_get_s32(xdp[IFLA_XDP_FD]),
expected_fd,
xdp_flags); xdp_flags);
if (err) if (err)
goto errout; goto errout;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment