* [RFC PATCH net-next] netpoll: hold RCU while walking napi_list
@ 2026-06-27 10:12 Runyu Xiao
2026-06-27 21:21 ` Jakub Kicinski
0 siblings, 1 reply; 2+ messages in thread
From: Runyu Xiao @ 2026-06-27 10:12 UTC (permalink / raw)
To: davem, edumazet, kuba, pabeni
Cc: horms, leitao, sashal, bigeasy, netdev, linux-kernel, runyu.xiao,
jianhao.xu

poll_napi() walks dev->napi_list with list_for_each_entry_rcu(). Some
netpoll send paths are already inside an RCU read-side section, but the
helper itself does not document or enforce that contract.

CONFIG_PROVE_RCU_LIST reports the poll_napi() traversal when the helper
is exercised directly from netpoll_poll_dev(). The current source has
important lifetime defenses around NAPI deletion and netpoll device
close, so this is not presented as a proven use-after-free. The issue is
that the RCU-list reader contract is implicit at the helper boundary.

Take rcu_read_lock() locally while walking the NAPI list. This keeps the
contract with netif_napi_del() and synchronize_net() explicit and avoids
relying on every current or future caller to provide the read-side
section.

This was found by our static analysis tool and then manually reviewed
against the current tree. CONFIG_PROVE_RCU_LIST was used as
target-matched triage evidence; the RFC is limited to making the
helper's RCU-list reader contract explicit.

This is an RFC because maintainers may prefer to express the existing
netpoll dev_lock/NAPI-list lifetime contract instead of adding a local
RCU reader around the polling loop.

Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
---
net/core/netpoll.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 5af14f14a362..2e13ca0d09fe 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -165,12 +165,14 @@ static void poll_napi(struct net_device *dev)
struct napi_struct *napi;
int cpu = smp_processor_id();
+ rcu_read_lock();
list_for_each_entry_rcu(napi, &dev->napi_list, dev_list) {
if (cmpxchg(&napi->poll_owner, -1, cpu) == -1) {
poll_one_napi(napi);
smp_store_release(&napi->poll_owner, -1);
}
}
+ rcu_read_unlock();
}
void netpoll_poll_dev(struct net_device *dev)
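Review bot: the rcu_read_lock()/rcu_read_unlock() pair in poll_napi() wraps the poll_one_napi() call as well as the list_for_each_entry_rcu() walk, so everything reached from poll_one_napi() now runs inside the read-side section; the changelog should say that this is intended and that nothing on that path may block. If the list is in fact protected by the netpoll dev_lock/NAPI-list lifetime contract the changelog mentions, passing that lockdep condition as the optional last argument of list_for_each_entry_rcu() would document the contract without adding a nested reader on the send paths that are already inside an RCU read-side section. Either way, a short comment above the loop naming what the reader pairs with (netif_napi_del() and synchronize_net(), per the changelog) would keep the contract visible in the code.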
--
2.34.1
* Re: [RFC PATCH net-next] netpoll: hold RCU while walking napi_list
2026-06-27 10:12 [RFC PATCH net-next] netpoll: hold RCU while walking napi_list Runyu Xiao
@ 2026-06-27 21:21 ` Jakub Kicinski
0 siblings, 0 replies; 2+ messages in thread
From: Jakub Kicinski @ 2026-06-27 21:21 UTC (permalink / raw)
To: Runyu Xiao
Cc: davem, edumazet, pabeni, horms, leitao, sashal, bigeasy, netdev,
linux-kernel, jianhao.xu

On Sat, 27 Jun 2026 18:12:28 +0800 Runyu Xiao wrote:
> CONFIG_PROVE_RCU_LIST reports the poll_napi() traversal when the helper
> is exercised directly from netpoll_poll_dev(). The current source has
> important lifetime defenses around NAPI deletion and netpoll device
> close, so this is not presented as a proven use-after-free. The issue is
> that the RCU-list reader contract is implicit at the helper boundary.

Please provide the stack trace from the report, rather than just saying
that you can trigger it.
--
pw-bot: rfc