io_uring/napi: fix io_napi_entry RCU accesses

[Upstream commit 45b3941d09d13b3503309be1f023b83deaf69b4d ]

correct 3 RCU structures modifications that were not using the RCU
functions to make their update.

Cc: Jens Axboe <axboe@kernel.dk>
Cc: Pavel Begunkov <asml.silence@gmail.com>
Cc: io-uring@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: lvc-project@linuxtesting.org
Signed-off-by: Olivier Langlois <olivier@trillion01.com>
Link: https://lore.kernel.org/r/9f53b5169afa8c7bf3665a0b19dc2f7061173530.1728828877.git.olivier@trillion01.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[Stepan Artuhov: cherry-picked a commit]
Signed-off-by: Stepan Artuhov <s.artuhov@tssltd.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/io_uring/napi.c b/io_uring/napi.c
index d0cf694d0172d4f10f30f541e69b3924420db60f..fa959fd320429b6642876e6297df29561283d587 100644 (file)
--- a/io_uring/napi.c
+++ b/io_uring/napi.c
@@ -81,19 +81,24 @@ void __io_napi_add(struct io_ring_ctx *ctx, struct socket *sock)
        }
 
        hlist_add_tail_rcu(&e->node, hash_list);
-       list_add_tail(&e->list, &ctx->napi_list);
+       list_add_tail_rcu(&e->list, &ctx->napi_list);
        spin_unlock(&ctx->napi_lock);
 }
 
 static void __io_napi_remove_stale(struct io_ring_ctx *ctx)
 {
        struct io_napi_entry *e;
-       unsigned int i;
 
        spin_lock(&ctx->napi_lock);
-       hash_for_each(ctx->napi_ht, i, e, node) {
-               if (time_after(jiffies, e->timeout)) {
-                       list_del(&e->list);
+       /*
+        * list_for_each_entry_safe() is not required as long as:
+        * 1. list_del_rcu() does not reset the deleted node next pointer
+        * 2. kfree_rcu() delays the memory freeing until the next quiescent
+        *    state
+        */
+       list_for_each_entry(e, &ctx->napi_list, list) {
+               if (time_after(jiffies, READ_ONCE(e->timeout))) {
+                       list_del_rcu(&e->list);
                        hash_del_rcu(&e->node);
                        kfree_rcu(e, rcu);
                }
@@ -204,13 +209,13 @@ void io_napi_init(struct io_ring_ctx *ctx)
 void io_napi_free(struct io_ring_ctx *ctx)
 {
        struct io_napi_entry *e;
-       unsigned int i;
 
        spin_lock(&ctx->napi_lock);
-       hash_for_each(ctx->napi_ht, i, e, node) {
+       list_for_each_entry(e, &ctx->napi_list, list) {
                hash_del_rcu(&e->node);
                kfree_rcu(e, rcu);
        }
+       INIT_LIST_HEAD_RCU(&ctx->napi_list);
        spin_unlock(&ctx->napi_lock);
 }