[PATCH 0/3] rcu: Detect accidental reuse of rcu head

[PATCH 0/3] rcu: Detect accidental reuse of rcu head

[Peter Xu]

This is an idea suggested by Peter Maydell:

https://lore.kernel.org/all/CAFEAcA--K0=EJNNvj98i=ewGY=tN3u4S0+fNb9kJpYynzjHEhw@mail.gmail.com/

After this small series applied, we should be able to assert on misuse of
accidental (wrong) re-use on a rcu head.

Please review, thanks.

Peter Xu (3):
  qht: Zero-initialize qht_map
  tests/test-rcu-*: Zero-initialize allocated elements
  rcu: Avoid double rcu frees

 tests/unit/test-rcu-list.c | 4 ++--
 util/qht.c                 | 2 +-
 util/rcu.c                 | 2 ++
 3 files changed, 5 insertions(+), 3 deletions(-)

-- 
2.50.1

[PATCH 1/3] qht: Zero-initialize qht_map

[Peter Xu]

QEMU almost always do this across the tree except QHT.  This prepares for
rcu to track double free.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 util/qht.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/util/qht.c b/util/qht.c
index 208c2f4b32..872d9f9cec 100644
--- a/util/qht.c
+++ b/util/qht.c
@@ -441,7 +441,7 @@ static struct qht_map *qht_map_create(size_t n_buckets)
     struct qht_map *map;
     size_t i;
 
-    map = g_malloc(sizeof(*map));
+    map = g_malloc0(sizeof(*map));
     map->n_buckets = n_buckets;
 
     map->n_added_buckets = 0;
-- 
2.50.1

[PATCH 2/3] tests/test-rcu-*: Zero-initialize allocated elements

[Peter Xu]

QEMU almost always do this, so do it too with the RCU unit tests.  It's
preparation work to start asserting on possible rcu double free.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 tests/unit/test-rcu-list.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/unit/test-rcu-list.c b/tests/unit/test-rcu-list.c
index 8f0adb8b00..853c9e33d9 100644
--- a/tests/unit/test-rcu-list.c
+++ b/tests/unit/test-rcu-list.c
@@ -233,7 +233,7 @@ static void *rcu_q_updater(void *arg)
         TEST_LIST_FOREACH_RCU(el, &Q_list_head, entry) {
             j++;
             if (target_el == j) {
-                struct list_element *new_el = g_new(struct list_element, 1);
+                struct list_element *new_el = g_new0(struct list_element, 1);
                 n_nodes_local++;
                 TEST_LIST_INSERT_AFTER_RCU(el, new_el, entry);
                 break;
@@ -259,7 +259,7 @@ static void rcu_qtest_init(void)
     nthreadsrunning = 0;
     srand(time(0));
     for (i = 0; i < RCU_Q_LEN; i++) {
-        new_el = g_new(struct list_element, 1);
+        new_el = g_new0(struct list_element, 1);
         TEST_LIST_INSERT_HEAD_RCU(&Q_list_head, new_el, entry);
     }
     qemu_mutex_lock(&counts_mutex);
-- 
2.50.1

[PATCH 3/3] rcu: Avoid double rcu frees

[Peter Xu]

Trap call_rcu1() to make sure it won't be invoked twice for one rcu head.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 util/rcu.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/util/rcu.c b/util/rcu.c
index b703c86f15..9272fe5796 100644
--- a/util/rcu.c
+++ b/util/rcu.c
@@ -307,6 +307,8 @@ static void *call_rcu_thread(void *opaque)
 
 void call_rcu1(struct rcu_head *node, void (*func)(struct rcu_head *node))
 {
+    /* Avoid double rcu frees */
+    assert(node->func == NULL);
     node->func = func;
     enqueue(node);
     qatomic_inc(&rcu_call_count);
-- 
2.50.1

Re: [PATCH 3/3] rcu: Avoid double rcu frees

[Peter Maydell]

On Mon, 29 Sept 2025 at 20:08, Peter Xu <peterx@redhat.com> wrote:
>
> Trap call_rcu1() to make sure it won't be invoked twice for one rcu head.
>
> Suggested-by: Peter Maydell <peter.maydell@linaro.org>
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  util/rcu.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/util/rcu.c b/util/rcu.c
> index b703c86f15..9272fe5796 100644
> --- a/util/rcu.c
> +++ b/util/rcu.c
> @@ -307,6 +307,8 @@ static void *call_rcu_thread(void *opaque)
>
>  void call_rcu1(struct rcu_head *node, void (*func)(struct rcu_head *node))
>  {
> +    /* Avoid double rcu frees */

I would maybe have this say "Catch accidental attempts to
use the same rcu node for two things at once", which
isn't the same as a "double free" in the usual sense.

> +    assert(node->func == NULL);
>      node->func = func;
>      enqueue(node);
>      qatomic_inc(&rcu_call_count);

thanks
-- PMM

Re: [PATCH 3/3] rcu: Avoid double rcu frees

[Peter Xu]

On Tue, Sep 30, 2025 at 10:19:54AM +0100, Peter Maydell wrote:
> On Mon, 29 Sept 2025 at 20:08, Peter Xu <peterx@redhat.com> wrote:
> >
> > Trap call_rcu1() to make sure it won't be invoked twice for one rcu head.
> >
> > Suggested-by: Peter Maydell <peter.maydell@linaro.org>
> > Signed-off-by: Peter Xu <peterx@redhat.com>
> > ---
> >  util/rcu.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/util/rcu.c b/util/rcu.c
> > index b703c86f15..9272fe5796 100644
> > --- a/util/rcu.c
> > +++ b/util/rcu.c
> > @@ -307,6 +307,8 @@ static void *call_rcu_thread(void *opaque)
> >
> >  void call_rcu1(struct rcu_head *node, void (*func)(struct rcu_head *node))
> >  {
> > +    /* Avoid double rcu frees */
> 
> I would maybe have this say "Catch accidental attempts to
> use the same rcu node for two things at once", which
> isn't the same as a "double free" in the usual sense.

Agree.  I'll also adjust the subject when repost, thanks.

> 
> > +    assert(node->func == NULL);
> >      node->func = func;
> >      enqueue(node);
> >      qatomic_inc(&rcu_call_count);
> 
> thanks
> -- PMM
> 

-- 
Peter Xu