Message-ID: <CAMzD94S87BD0HnjjHVmhMPQ3UijS+oNu+H7NtMN8z8EAexgFtg@mail.gmail.com>
Date:   Thu, 29 Aug 2019 16:13:59 -0700
From:   Brian Vazquez <brianvv@...gle.com>
To:     Jakub Kicinski <jakub.kicinski@...ronome.com>
Cc:     Yonghong Song <yhs@...com>, Alexei Starovoitov <ast@...com>,
        bpf@...r.kernel.org, netdev@...r.kernel.org,
        Daniel Borkmann <daniel@...earbox.net>, kernel-team@...com
Subject: Re: [PATCH bpf-next 00/13] bpf: adding map batch processing support

On Thu, Aug 29, 2019 at 11:40 AM Jakub Kicinski
<jakub.kicinski@...ronome.com> wrote:
>
> On Wed, 28 Aug 2019 23:45:02 -0700, Yonghong Song wrote:
> > Brian Vazquez has proposed BPF_MAP_DUMP command to look up more than one
> > map entry per syscall.
> >   https://lore.kernel.org/bpf/CABCgpaU3xxX6CMMxD+1knApivtc2jLBHysDXw-0E9bQEL0qC3A@mail.gmail.com/T/#t
> >
> > During discussion, we found more use cases can be supported in a similar
> > map operation batching framework. For example, batched map lookup and delete,
> > which can be really helpful for bcc.
> >   https://github.com/iovisor/bcc/blob/master/tools/tcptop.py#L233-L243
> >   https://github.com/iovisor/bcc/blob/master/tools/slabratetop.py#L129-L138
> >
> > Also, in bcc, we have API to delete all entries in a map.
> >   https://github.com/iovisor/bcc/blob/master/src/cc/api/BPFTable.h#L257-L264
> >
> > For map update, batched operations are also useful as sometimes applications need
> > to populate initial maps with more than one entry. For example, the below
> > example is from kernel/samples/bpf/xdp_redirect_cpu_user.c:
> >   https://github.com/torvalds/linux/blob/master/samples/bpf/xdp_redirect_cpu_user.c#L543-L550
> >
> > This patch addresses all the above use cases. To make uapi stable, it also
> > covers other potential use cases. Four bpf syscall subcommands are introduced:
> >     BPF_MAP_LOOKUP_BATCH
> >     BPF_MAP_LOOKUP_AND_DELETE_BATCH
> >     BPF_MAP_UPDATE_BATCH
> >     BPF_MAP_DELETE_BATCH
> >
> > In userspace, an application can iterate through the whole map one batch
> > at a time, e.g., bpf_map_lookup_batch() in the below:
> >     p_key = NULL;
> >     p_next_key = &key;
> >     while (true) {
> >        err = bpf_map_lookup_batch(fd, p_key, &p_next_key, keys, values,
> >                                   &batch_size, elem_flags, flags);
> >        if (err) ...
> >        if (p_next_key) break; // done
> >        if (!p_key) p_key = p_next_key;
> >     }
> > Please look at individual patches for details of new syscall subcommands
> > and examples of user codes.
> >
> > The testing is also done in a qemu VM environment:
> >       measure_lookup: max_entries 1000000, batch 10, time 342ms
> >       measure_lookup: max_entries 1000000, batch 1000, time 295ms
> >       measure_lookup: max_entries 1000000, batch 1000000, time 270ms
> >       measure_lookup: max_entries 1000000, no batching, time 1346ms
> >       measure_lookup_delete: max_entries 1000000, batch 10, time 433ms
> >       measure_lookup_delete: max_entries 1000000, batch 1000, time 363ms
> >       measure_lookup_delete: max_entries 1000000, batch 1000000, time 357ms
> >       measure_lookup_delete: max_entries 1000000, not batch, time 1894ms
> >       measure_delete: max_entries 1000000, batch, time 220ms
> >       measure_delete: max_entries 1000000, not batch, time 1289ms
> > For a 1M entry hash table, batch size of 10 can reduce cpu time
> > by 70%. Please see patch "tools/bpf: measure map batching perf"
> > for details of test codes.
>
> Hi Yonghong!
>
> great to see this, we have been looking at implementing some way to
> speed up map walks as well.
>
> The direction we were looking in, after previous discussions [1],
> however, was to provide a BPF program which can run the logic entirely
> within the kernel.
>
> We have a rough PoC on the FW side (we can offload the program which
> walks the map, which is pretty neat), but the kernel verifier side
> hasn't really progressed. It will soon.
>
> The rough idea is that the user space provides two programs, "filter"
> and "dumper":
>
>         bpftool map exec id XYZ filter pinned /some/prog \
>                                 dumper pinned /some/other_prog
>
> Both programs get this context:
>
> struct map_op_ctx {
>         u64 key;
>         u64 value;
> };
>
> We need a per-map implementation of the exec side, but roughly maps
> would do:
>
>         LIST_HEAD(deleted);
>
>         for entry in map {
>                 struct map_op_ctx {
>                         .key    = entry->key,
>                         .value  = entry->value,
>                 };
>
>                 act = BPF_PROG_RUN(filter, &map_op_ctx);
>                 if (act & ~ACT_BITS)
>                         return -EINVAL;
>
>                 if (act & DELETE) {
>                         map_unlink(entry);
>                         list_add(entry, &deleted);
>                 }
>                 if (act & STOP)
>                         break;
>         }
>
>         synchronize_rcu();
>
>         for entry in deleted {
>                 struct map_op_ctx {
>                         .key    = entry->key,
>                         .value  = entry->value,
>                 };
>
>                 BPF_PROG_RUN(dumper, &map_op_ctx);
>                 map_free(entry);
>         }
>
Hi Jakub,

how would that approach support percpu maps?

I'm thinking of a scenario where you want to do some calculations on
percpu maps and you are interested in the info on all the cpus, not
just the one that is running the bpf program. Currently on a pcpu map
the bpf_map_lookup_elem helper only returns the pointer to the data of
the executing cpu.

> The filter program can't perform any map operations other than lookup,
> otherwise we won't be able to guarantee that we'll walk the entire map
> (if the filter program deletes some entries in an unfortunate order).
>
> If user space just wants a pure dump it can simply load a program which
> dumps the entries into a perf ring.
>
> I'm bringing this up because that mechanism should cover what is
> achieved with this patch set and much more.
>
> In particular for networking workloads where old flows have to be
> pruned from the map periodically it's far more efficient to communicate
> to user space only the flows which timed out (the delete batching from
> this set won't help at all).
>
> With a 2M entry map and this patch set we still won't be able to prune
> once a second on one core.
>
> [1]
> https://lore.kernel.org/netdev/20190813130921.10704-4-quentin.monnet@netronome.com/
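
A user-space C model of the filter/dumper walk sketched in the quoted mail, with plain C callbacks standing in for the two BPF programs. It is an added example, not code from this thread or from the kernel; the `ACT_*` values, `map_exec`, `struct entry`, `struct prune` and the `flow_*` callbacks are assumptions made for illustration, and the sample flows in any caller are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed encoding: the mail names DELETE, STOP and ACT_BITS but gives no values. */
#define ACT_DELETE 0x1u
#define ACT_STOP   0x2u
#define ACT_BITS   (ACT_DELETE | ACT_STOP)

struct map_op_ctx { uint64_t key, value; };                /* context from the mail */
struct entry { uint64_t key, value; struct entry *next; }; /* toy list-backed map */
typedef unsigned int (*prog_fn)(const struct map_op_ctx *ctx, void *priv);

/* Returns the number of entries dumped, or -EINVAL on unknown action bits.
 * Unlike the sketch, an invalid action ends the walk but still drains the
 * entries already unlinked, so none disappear unreported. */
static int map_exec(struct entry **head, prog_fn filter, prog_fn dumper, void *priv)
{
    struct entry *deleted = NULL, **dtail = &deleted, **pp = head, *e;
    int dumped = 0, err = 0;

    while ((e = *pp) != NULL) {
        struct map_op_ctx ctx = { .key = e->key, .value = e->value };
        unsigned int act = filter(&ctx, priv);
        if (act & ~ACT_BITS) { err = -EINVAL; break; }
        if (act & ACT_DELETE) {          /* map_unlink() + list_add() */
            *pp = e->next;
            e->next = NULL;
            *dtail = e;
            dtail = &e->next;
        } else {
            pp = &e->next;
        }
        if (act & ACT_STOP) break;
    }
    /* Kernel code would synchronize_rcu() here, before touching unlinked entries. */
    for (e = deleted; e; e = e->next, dumped++) {
        struct map_op_ctx ctx = { .key = e->key, .value = e->value };
        dumper(&ctx, priv);
    }
    return err ? err : dumped;
}

/* Constructed pruning programs: value holds a flow's last-seen timestamp. */
struct prune { uint64_t now, timeout, seen[8]; int nseen; };
static unsigned int flow_filter(const struct map_op_ctx *c, void *p)
{ const struct prune *pr = p; return pr->now - c->value > pr->timeout ? ACT_DELETE : 0; }
static unsigned int flow_dumper(const struct map_op_ctx *c, void *p)
{ struct prune *pr = p; if (pr->nseen < 8) pr->seen[pr->nseen++] = c->key; return 0; }
```

Only the flows the filter marks as timed out reach the dumper, which is the pruning case the quoted mail describes; entries the filter leaves alone never cross to the caller.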
