torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-03-22 07:27:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

io_uring/bpf_filter: cache lookup table in ctx->bpf_filters

Browse Source 
Currently a few pointer dereferences need to be made to both check if
BPF filters are installed, and then also to retrieve the actual filter
for the opcode. Cache the table in ctx->bpf_filters to avoid that.

Add a bit of debug info on ring exit to show if we ever got this wrong.
Small risk of that given that the table is currently only updated in one
spot, but once task forking is enabled, that will add one more spot.

Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
Jens Axboe
2026-01-17 08:27:23 -07:00
parent 8768770cf5
commit e7c30675a7
5 changed files with 23 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/linux/io_uring_types.h
View File

@@ -287,6 +287,8 @@ struct io_ring_ctx {
struct task_struct *submitter_task;
struct io_rings *rings;
/* cache of ->restrictions.bpf_filters->filters */
struct io_bpf_filter __rcu **bpf_filters;
struct percpu_ref refs;
clockid_t clockid;

7
io_uring/bpf_filter.c
View File

@@ -58,14 +58,15 @@ static void io_uring_populate_bpf_ctx(struct io_uring_bpf_ctx *bctx,
* __io_uring_run_bpf_filters() returns 0 on success, allow running the
* request, and -EACCES when a request is denied.
*/
int __io_uring_run_bpf_filters(struct io_restriction *res, struct io_kiocb *req)
int __io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters,
struct io_kiocb *req)
{
struct io_bpf_filter *filter;
struct io_uring_bpf_ctx bpf_ctx;
int ret;
/* Fast check for existence of filters outside of RCU */
if (!rcu_access_pointer(res->bpf_filters->filters[req->opcode]))
if (!rcu_access_pointer(filters[req->opcode]))
return 0;
/*
@@ -73,7 +74,7 @@ int __io_uring_run_bpf_filters(struct io_restriction *res, struct io_kiocb *req)
* of what we expect, io_init_req() does this.
*/
guard(rcu)();
filter = rcu_dereference(res->bpf_filters->filters[req->opcode]);
filter = rcu_dereference(filters[req->opcode]);
if (!filter)
return 0;
else if (filter == &dummy_filter)

10
io_uring/bpf_filter.h
View File

@@ -6,18 +6,18 @@
#ifdef CONFIG_IO_URING_BPF
int __io_uring_run_bpf_filters(struct io_restriction *res, struct io_kiocb *req);
int __io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters, struct io_kiocb *req);
int io_register_bpf_filter(struct io_restriction *res,
struct io_uring_bpf __user *arg);
void io_put_bpf_filters(struct io_restriction *res);
static inline int io_uring_run_bpf_filters(struct io_restriction *res,
static inline int io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters,
struct io_kiocb *req)
{
if (res->bpf_filters)
return __io_uring_run_bpf_filters(res, req);
if (filters)
return __io_uring_run_bpf_filters(filters, req);
return 0;
}
@@ -29,7 +29,7 @@ static inline int io_register_bpf_filter(struct io_restriction *res,
{
return -EINVAL;
}
static inline int io_uring_run_bpf_filters(struct io_restriction *res,
static inline int io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters,
struct io_kiocb *req)
{
return 0;

11
io_uring/io_uring.c
View File

@@ -1875,8 +1875,8 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req,
if (unlikely(ret))
return io_submit_fail_init(sqe, req, ret);
if (unlikely(ctx->restrictions.bpf_filters)) {
ret = io_uring_run_bpf_filters(&ctx->restrictions, req);
if (unlikely(ctx->bpf_filters)) {
ret = io_uring_run_bpf_filters(ctx->bpf_filters, req);
if (ret)
return io_submit_fail_init(sqe, req, ret);
}
@@ -2168,6 +2168,13 @@ static __cold void io_ring_ctx_free(struct io_ring_ctx *ctx)
percpu_ref_exit(&ctx->refs);
free_uid(ctx->user);
io_req_caches_free(ctx);
if (ctx->restrictions.bpf_filters) {
WARN_ON_ONCE(ctx->bpf_filters !=
ctx->restrictions.bpf_filters->filters);
} else {
WARN_ON_ONCE(ctx->bpf_filters);
}
io_put_bpf_filters(&ctx->restrictions);
WARN_ON_ONCE(ctx->nr_req_allocated);

3
io_uring/register.c
View File

@@ -837,6 +837,9 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
if (nr_args != 1)
break;
ret = io_register_bpf_filter(&ctx->restrictions, arg);
if (!ret)
WRITE_ONCE(ctx->bpf_filters,
ctx->restrictions.bpf_filters->filters);
break;
default:
ret = -EINVAL;