On Wed, Dec 13, 2023 at 2:24 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> D. Wythe <alibuda@xxxxxxxxxxxxxxxxx> wrote:
> > From: "D. Wythe" <alibuda@xxxxxxxxxxxxxxxxx>
> >
> > To support the prog update, we need to ensure that the prog seen
> > within the hook is always valid. Considering that hooks are always
> > protected by rcu_read_lock(), which provide us the ability to use a
> > new RCU-protected context to access the prog.
> >
> > Signed-off-by: D. Wythe <alibuda@xxxxxxxxxxxxxxxxx>
> > ---
> > net/netfilter/nf_bpf_link.c | 124 +++++++++++++++++++++++++++++++++++++++-----
> > 1 file changed, 111 insertions(+), 13 deletions(-)
> >
> > diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c
> > index e502ec0..918c470 100644
> > --- a/net/netfilter/nf_bpf_link.c
> > +++ b/net/netfilter/nf_bpf_link.c
> > @@ -8,17 +8,11 @@
> > #include <net/netfilter/nf_bpf_link.h>
> > #include <uapi/linux/netfilter_ipv4.h>
> >
> > -static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb,
> > - const struct nf_hook_state *s)
> > +struct bpf_nf_hook_ctx
> > {
> > - const struct bpf_prog *prog = bpf_prog;
> > - struct bpf_nf_ctx ctx = {
> > - .state = s,
> > - .skb = skb,
> > - };
> > -
> > - return bpf_prog_run(prog, &ctx);
> > -}
> > + struct bpf_prog *prog;
> > + struct rcu_head rcu;
> > +};
>
> I don't understand the need for this structure. AFAICS bpf_prog_put()
> will always release the program via call_rcu()?
>
> If it doesn't, we are probably already in trouble as-is without this
> patch, I don't think anything that prevents us from ending up calling already
> released bpf prog, or releasing it while another cpu is still running it
> if bpf_prog_put releases the actual underlying prog instantly.
>
> A BPF expert could confirm bpf-prog-put-is-call-rcu.
+1
These patches look unnecessary.
It seems that they accidently fix something else.
