[PATCH AUTOSEL 7.0-5.10] rculist: add list_splice_rcu() for private lists

[Sasha Levin <sashal@kernel.org>]

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit f902877b635551513729bdf9a8d1422c4aab7741 ]

This patch adds a helper function, list_splice_rcu(), to safely splice
a private (non-RCU-protected) list into an RCU-protected list.

The function ensures that only the pointer visible to RCU readers
(prev->next) is updated using rcu_assign_pointer(), while the rest of
the list manipulations are performed with regular assignments, as the
source list is private and not visible to concurrent RCU readers.

This is useful for moving elements from a private list into a global
RCU-protected list, ensuring safe publication for RCU readers.
Subsystems with some sort of batching mechanism from userspace can
benefit from this new function.

The function __list_splice_rcu() has been added for clarity and to
follow the same pattern as in the existing list_splice*() interfaces,
where there is a check to ensure that the list to splice is not
empty. Note that __list_splice_rcu() has no documentation for this
reason.

Reviewed-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

LLM Generated explanations, may be completely bogus:

## Phase Walkthrough

Phase 1 Record: Subject subsystem is `rculist`; action verb is `add`;
claimed intent is adding `list_splice_rcu()` for splicing private lists
into RCU-protected lists. Tags verified: `Reviewed-by: Paul E.
McKenney`, `Signed-off-by: Pablo Neira Ayuso`. No `Fixes:`, `Reported-
by:`, `Tested-by:`, `Cc: stable`, or bug-report `Link:` in this commit.
The body describes an RCU publication helper, not a direct user-visible
failure. Hidden-fix assessment: as a standalone commit, it is an
internal helper; as verified from the series, it is required by the
following `nf_tables` RCU list fix.

Phase 2 Record: One file changed, `include/linux/rculist.h`, 29
insertions. New functions: `__list_splice_rcu()` and
`list_splice_rcu()`. Before: no helper for private-list-to-RCU-list
splice. After: list links are prepared with normal stores, then
`prev->next` is published with `rcu_assign_pointer()`. Bug category: RCU
synchronization/publication correctness, but the direct behavioral fix
is in the dependent `nf_tables` patch. Fix quality: small and clear;
regression risk low, because it is unused unless paired with callers.

Phase 3 Record: `git blame` showed neighboring RCU list helpers are
long-standing code; new lines have no prior blame. The dependent fix
targets `78d9f48f7f44` first contained by `v5.8-rc1` and `b9703ed44ffb`
first contained by `v6.4-rc1`. Local blame confirms the unsafe
`nf_tables` `list_splice()` sites came from those commits. Recent
history shows the helper is paired with `netfilter: nf_tables: join hook
list via splice_list_rcu() in commit phase`. Author context verified:
Pablo is listed as `NETFILTER` maintainer in `MAINTAINERS`.

Phase 4 Record: `b4 dig -c b93a4320874cf` found the original patch
discussion by patch-id, with the applied upstream helper as `[PATCH net
10/11]`. `b4 dig -a` found multiple revisions/submissions, including
v2/v3 and net pull submissions. `b4 dig -w` showed netfilter/netdev
maintainers and lists were included. Lore/Patchwork review verified Paul
requested documentation/order changes in early review, then gave
`Reviewed-by`; no NAK found for the helper. The cover letter explicitly
says this helper is required to fix unsafe splice into RCU-protected
hook lists. Stable lore search was blocked/ inconclusive.

Phase 5 Record: Key functions are `list_splice_rcu()` and
`__list_splice_rcu()`. Verified call sites on the candidate branch are
only the two `nf_tables_commit()` updates from the dependent patch.
`nf_tables_commit()` is the `nfnetlink` batch commit callback;
`NFT_MSG_NEWCHAIN` and `NFT_MSG_NEWFLOWTABLE` are batch netlink
operations, while `GETCHAIN`/`GETFLOWTABLE` callbacks are RCU readers.
`nfnetlink_rcv()` requires `CAP_NET_ADMIN`, so this is reachable from
privileged userspace netlink operations, not verified as unprivileged.

Phase 6 Record: The helper itself is not present in checked-out
`v7.0.3`. The unsafe `list_splice()` patterns exist in active stable-
family branches checked: `5.10`, `5.15`, `6.1`, `6.6`, `6.12`, and
`6.19`, with chain-specific sites appearing from `6.6` onward and
flowtable sites in older branches. `git apply --check` verified both the
helper patch and dependent `nf_tables` patch apply cleanly to the
current checkout. Backport difficulty for this helper is low; older
branches may need only the relevant dependent fix subset.

Phase 7 Record: Subsystem is core RCU list infrastructure plus netfilter
usage context. Criticality: `include/linux/rculist.h` is core
infrastructure, but runtime impact here is limited to future callers;
the verified caller is `nf_tables`, an important networking subsystem.
Subsystem activity is active, with many recent `nf_tables` fixes in
history.

Phase 8 Record: Affected users are systems using nftables netdev
chain/flowtable hook updates and concurrent netlink dumps. Trigger is
privileged nftables batch update plus concurrent RCU dump traversal.
Verified severity is RCU list publication correctness; no concrete crash
report was found for this exact helper/dependent patch, so I do not rate
it as proven crash/security. Benefit is high when paired with the
dependent `nf_tables` fix; standalone benefit is none. Risk is low: 29
lines, internal static inline helper, no userspace API.

Phase 9 Record: Evidence for backporting: small helper, reviewed,
required by an actual `nf_tables` RCU correctness fix, clean apply
verified, bug-introducing commits exist in stable lines. Evidence
against: standalone commit does not fix runtime behavior and adds a new
internal helper API. Stable rules: obviously correct yes; tested only by
review/apply-check here, no runtime test verified; fixes a real bug only
as dependency; important issue is RCU list safety but no concrete crash
report verified; small/contained yes; no userspace API yes; applies
cleanly to current stable checkout yes. Exception category:
dependency/helper for a small bug fix, not a device ID/quirk/build/doc
exception.

## Verification

- Phase 1: Parsed `git show`/provided commit message; verified tags and
  absence of bug tags.
- Phase 2: Inspected diff; verified 29 insertions in
  `include/linux/rculist.h`.
- Phase 3: Ran `git blame` on `rculist.h` and `nf_tables_api.c`;
  verified introducers and `git describe --contains` versions for
  dependent fix targets.
- Phase 4: Ran `b4 dig -c`, `-a`, and `-w`; fetched lore/Patchwork
  mirrors; verified series context, review, and dependency statement.
- Phase 5: Used `git grep`, `rg`, and file reads; verified helper call
  sites, netlink callback paths, RCU dump traversal, and `CAP_NET_ADMIN`
  gate.
- Phase 6: Checked stable branches with `git grep`; verified helper
  absence and unsafe splice presence; ran `git apply --check` for helper
  and dependent fix.
- Phase 7: Verified maintainer entry in `MAINTAINERS` and recent
  netfilter history.
- Phase 8: Verified trigger path from nfnetlink batch operations; no
  concrete crash report was found.
- Unverified: Runtime testing was not performed; stable-specific lore
  discussion could not be fetched due bot protection.

This should be backported only together with the dependent `nf_tables`
fix. As that dependency, it is small, reviewed, cleanly applicable, and
enables a real RCU list publication fix without userspace-visible API
changes.

**YES**

 include/linux/rculist.h | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/include/linux/rculist.h b/include/linux/rculist.h
index 2abba7552605c..e3bc442256922 100644
--- a/include/linux/rculist.h
+++ b/include/linux/rculist.h
@@ -261,6 +261,35 @@ static inline void list_replace_rcu(struct list_head *old,
 	old->prev = LIST_POISON2;
 }
 
+static inline void __list_splice_rcu(struct list_head *list,
+				     struct list_head *prev,
+				     struct list_head *next)
+{
+	struct list_head *first = list->next;
+	struct list_head *last = list->prev;
+
+	last->next = next;
+	first->prev = prev;
+	next->prev = last;
+	rcu_assign_pointer(list_next_rcu(prev), first);
+}
+
+/**
+ * list_splice_rcu - splice a non-RCU list into an RCU-protected list,
+ *                   designed for stacks.
+ * @list:	the non RCU-protected list to splice
+ * @head:	the place in the existing RCU-protected list to splice
+ *
+ * The list pointed to by @head can be RCU-read traversed concurrently with
+ * this function.
+ */
+static inline void list_splice_rcu(struct list_head *list,
+				   struct list_head *head)
+{
+	if (!list_empty(list))
+		__list_splice_rcu(list, head, head->next);
+}
+
 /**
  * __list_splice_init_rcu - join an RCU-protected list into an existing list.
  * @list:	the RCU-protected list to splice
-- 
2.53.0