io_uring/napi: fix io_napi_entry RCU accesses

Olivier Langlois · axboe · commit 45b3941d09d1 · 2024-11-06T13:55:38.000-07:00
correct 3 RCU structures modifications that were not using the RCU functions to make their update. Signed-off-by: Olivier Langlois <olivier@trillion01.com> Link: https://lore.kernel.org/r/9f53b5169afa8c7bf3665a0b19dc2f7061173530.1728828877.git.olivier@trillion01.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/io_uring/napi.c b/io_uring/napi.c
@@ -81,19 +81,24 @@ void __io_napi_add(struct io_ring_ctx *ctx, struct socket *sock)
 	}
 
 	hlist_add_tail_rcu(&e->node, hash_list);
-	list_add_tail(&e->list, &ctx->napi_list);
+	list_add_tail_rcu(&e->list, &ctx->napi_list);
 	spin_unlock(&ctx->napi_lock);
 }
 
 static void __io_napi_remove_stale(struct io_ring_ctx *ctx)
 {
 	struct io_napi_entry *e;
-	unsigned int i;
 
 	spin_lock(&ctx->napi_lock);
-	hash_for_each(ctx->napi_ht, i, e, node) {
+	/*
+	 * list_for_each_entry_safe() is not required as long as:
+	 * 1. list_del_rcu() does not reset the deleted node next pointer
+	 * 2. kfree_rcu() delays the memory freeing until the next quiescent
+	 *    state
+	 */
+	list_for_each_entry(e, &ctx->napi_list, list) {
 		if (time_after(jiffies, READ_ONCE(e->timeout))) {
-			list_del(&e->list);
+			list_del_rcu(&e->list);
 			hash_del_rcu(&e->node);
 			kfree_rcu(e, rcu);
 		}
@@ -204,13 +209,13 @@ void io_napi_init(struct io_ring_ctx *ctx)
 void io_napi_free(struct io_ring_ctx *ctx)
 {
 	struct io_napi_entry *e;
-	unsigned int i;
 
 	spin_lock(&ctx->napi_lock);
-	hash_for_each(ctx->napi_ht, i, e, node) {
+	list_for_each_entry(e, &ctx->napi_list, list) {
 		hash_del_rcu(&e->node);
 		kfree_rcu(e, rcu);
 	}
+	INIT_LIST_HEAD_RCU(&ctx->napi_list);
 	spin_unlock(&ctx->napi_lock);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -81,19 +81,24 @@ void __io_napi_add(struct io_ring_ctx ctx, struct socket sock)`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`hlist_add_tail_rcu(&e->node, hash_list);`
`84`		`- list_add_tail(&e->list, &ctx->napi_list);`
	`84`	`+ list_add_tail_rcu(&e->list, &ctx->napi_list);`
`85`	`85`	`spin_unlock(&ctx->napi_lock);`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`static void __io_napi_remove_stale(struct io_ring_ctx *ctx)`
`89`	`89`	`{`
`90`	`90`	`struct io_napi_entry *e;`
`91`		`- unsigned int i;`
`92`	`91`
`93`	`92`	`spin_lock(&ctx->napi_lock);`
`94`		`- hash_for_each(ctx->napi_ht, i, e, node) {`
	`93`	`+ /*`
	`94`	`+ * list_for_each_entry_safe() is not required as long as:`
	`95`	`+ * 1. list_del_rcu() does not reset the deleted node next pointer`
	`96`	`+ * 2. kfree_rcu() delays the memory freeing until the next quiescent`
	`97`	`+ * state`
	`98`	`+ */`
	`99`	`+ list_for_each_entry(e, &ctx->napi_list, list) {`
`95`	`100`	`if (time_after(jiffies, READ_ONCE(e->timeout))) {`
`96`		`- list_del(&e->list);`
	`101`	`+ list_del_rcu(&e->list);`
`97`	`102`	`hash_del_rcu(&e->node);`
`98`	`103`	`kfree_rcu(e, rcu);`
`99`	`104`	`}`
`@@ -204,13 +209,13 @@ void io_napi_init(struct io_ring_ctx *ctx)`
`204`	`209`	`void io_napi_free(struct io_ring_ctx *ctx)`
`205`	`210`	`{`
`206`	`211`	`struct io_napi_entry *e;`
`207`		`- unsigned int i;`
`208`	`212`
`209`	`213`	`spin_lock(&ctx->napi_lock);`
`210`		`- hash_for_each(ctx->napi_ht, i, e, node) {`
	`214`	`+ list_for_each_entry(e, &ctx->napi_list, list) {`
`211`	`215`	`hash_del_rcu(&e->node);`
`212`	`216`	`kfree_rcu(e, rcu);`
`213`	`217`	`}`
	`218`	`+ INIT_LIST_HEAD_RCU(&ctx->napi_list);`
`214`	`219`	`spin_unlock(&ctx->napi_lock);`
`215`	`220`	`}`
`216`	`221`