From: Jens Axboe <axboe@kernel.dk>
To: io-uring@vger.kernel.org
Cc: brauner@kernel.org, cyphar@cyphar.com, jannh@google.com,
kees@kernel.org, linux-kernel@vger.kernel.org,
Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 4/7] io_uring/bpf_filter: cache lookup table in ctx->bpf_filters
Date: Tue, 27 Jan 2026 11:29:59 -0700 [thread overview]
Message-ID: <20260127183311.86505-5-axboe@kernel.dk> (raw)
In-Reply-To: <20260127183311.86505-1-axboe@kernel.dk>
Currently a few pointer dereferences need to be made to both check if
BPF filters are installed, and then also to retrieve the actual filter
for the opcode. Cache the table in ctx->bpf_filters to avoid that.
Add a bit of debug info on ring exit to show if we ever got this wrong.
Small risk of that given that the table is currently only updated in one
spot, but once task forking is enabled, that will add one more spot.
Reviewed-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
include/linux/io_uring_types.h | 2 ++
io_uring/bpf_filter.c | 7 ++++---
io_uring/bpf_filter.h | 10 +++++-----
io_uring/io_uring.c | 11 +++++++++--
io_uring/register.c | 3 +++
5 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h
index 74bf98362876..7617df247238 100644
--- a/include/linux/io_uring_types.h
+++ b/include/linux/io_uring_types.h
@@ -287,6 +287,8 @@ struct io_ring_ctx {
struct task_struct *submitter_task;
struct io_rings *rings;
+ /* cache of ->restrictions.bpf_filters->filters */
+ struct io_bpf_filter __rcu **bpf_filters;
struct percpu_ref refs;
clockid_t clockid;
diff --git a/io_uring/bpf_filter.c b/io_uring/bpf_filter.c
index ff723ec44828..1409d625b686 100644
--- a/io_uring/bpf_filter.c
+++ b/io_uring/bpf_filter.c
@@ -58,14 +58,15 @@ static void io_uring_populate_bpf_ctx(struct io_uring_bpf_ctx *bctx,
* __io_uring_run_bpf_filters() returns 0 on success, allow running the
* request, and -EACCES when a request is denied.
*/
-int __io_uring_run_bpf_filters(struct io_restriction *res, struct io_kiocb *req)
+int __io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters,
+ struct io_kiocb *req)
{
struct io_bpf_filter *filter;
struct io_uring_bpf_ctx bpf_ctx;
int ret;
/* Fast check for existence of filters outside of RCU */
- if (!rcu_access_pointer(res->bpf_filters->filters[req->opcode]))
+ if (!rcu_access_pointer(filters[req->opcode]))
return 0;
/*
@@ -73,7 +74,7 @@ int __io_uring_run_bpf_filters(struct io_restriction *res, struct io_kiocb *req)
* of what we expect, io_init_req() does this.
*/
guard(rcu)();
- filter = rcu_dereference(res->bpf_filters->filters[req->opcode]);
+ filter = rcu_dereference(filters[req->opcode]);
if (!filter)
return 0;
else if (filter == &dummy_filter)
diff --git a/io_uring/bpf_filter.h b/io_uring/bpf_filter.h
index 27eae9705473..9f3cdb92eb16 100644
--- a/io_uring/bpf_filter.h
+++ b/io_uring/bpf_filter.h
@@ -6,18 +6,18 @@
#ifdef CONFIG_IO_URING_BPF
-int __io_uring_run_bpf_filters(struct io_restriction *res, struct io_kiocb *req);
+int __io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters, struct io_kiocb *req);
int io_register_bpf_filter(struct io_restriction *res,
struct io_uring_bpf __user *arg);
void io_put_bpf_filters(struct io_restriction *res);
-static inline int io_uring_run_bpf_filters(struct io_restriction *res,
+static inline int io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters,
struct io_kiocb *req)
{
- if (res->bpf_filters)
- return __io_uring_run_bpf_filters(res, req);
+ if (filters)
+ return __io_uring_run_bpf_filters(filters, req);
return 0;
}
@@ -29,7 +29,7 @@ static inline int io_register_bpf_filter(struct io_restriction *res,
{
return -EINVAL;
}
-static inline int io_uring_run_bpf_filters(struct io_restriction *res,
+static inline int io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters,
struct io_kiocb *req)
{
return 0;
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 9b9794dfc27a..049454278563 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1875,8 +1875,8 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req,
if (unlikely(ret))
return io_submit_fail_init(sqe, req, ret);
- if (unlikely(ctx->restrictions.bpf_filters)) {
- ret = io_uring_run_bpf_filters(&ctx->restrictions, req);
+ if (unlikely(ctx->bpf_filters)) {
+ ret = io_uring_run_bpf_filters(ctx->bpf_filters, req);
if (ret)
return io_submit_fail_init(sqe, req, ret);
}
@@ -2168,6 +2168,13 @@ static __cold void io_ring_ctx_free(struct io_ring_ctx *ctx)
percpu_ref_exit(&ctx->refs);
free_uid(ctx->user);
io_req_caches_free(ctx);
+
+ if (ctx->restrictions.bpf_filters) {
+ WARN_ON_ONCE(ctx->bpf_filters !=
+ ctx->restrictions.bpf_filters->filters);
+ } else {
+ WARN_ON_ONCE(ctx->bpf_filters);
+ }
io_put_bpf_filters(&ctx->restrictions);
WARN_ON_ONCE(ctx->nr_req_allocated);
diff --git a/io_uring/register.c b/io_uring/register.c
index 30957c2cb5eb..40de9b8924b9 100644
--- a/io_uring/register.c
+++ b/io_uring/register.c
@@ -837,6 +837,9 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
if (nr_args != 1)
break;
ret = io_register_bpf_filter(&ctx->restrictions, arg);
+ if (!ret)
+ WRITE_ONCE(ctx->bpf_filters,
+ ctx->restrictions.bpf_filters->filters);
break;
default:
ret = -EINVAL;
--
2.51.0
next prev parent reply other threads:[~2026-01-27 18:33 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 18:29 [PATCHSET v7] Inherited restrictions and BPF filtering for io_uring Jens Axboe
2026-01-27 18:29 ` [PATCH 1/7] io_uring: add support for BPF filtering for opcode restrictions Jens Axboe
2026-01-27 18:29 ` [PATCH 2/7] io_uring/net: allow filtering on IORING_OP_SOCKET data Jens Axboe
2026-01-27 18:29 ` [PATCH 3/7] io_uring/bpf_filter: allow filtering on contents of struct open_how Jens Axboe
2026-01-27 18:29 ` Jens Axboe [this message]
2026-01-27 18:30 ` [PATCH 5/7] io_uring/bpf_filter: add ref counts to struct io_bpf_filter Jens Axboe
2026-01-27 18:30 ` [PATCH 6/7] io_uring: add task fork hook Jens Axboe
2026-01-27 18:30 ` [PATCH 7/7] io_uring: allow registration of per-task restrictions Jens Axboe
-- strict thread matches above, loose matches on Subject: below --
2026-01-19 23:54 [PATCHSET v6] Inherited restrictions and BPF filtering for io_uring Jens Axboe
2026-01-19 23:54 ` [PATCH 4/7] io_uring/bpf_filter: cache lookup table in ctx->bpf_filters Jens Axboe
2026-01-27 9:33 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260127183311.86505-5-axboe@kernel.dk \
--to=axboe@kernel.dk \
--cc=brauner@kernel.org \
--cc=cyphar@cyphar.com \
--cc=io-uring@vger.kernel.org \
--cc=jannh@google.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox