| Using RCU to Protect Read-Mostly Linked Lists |
| |
| |
| One of the best applications of RCU is to protect read-mostly linked lists |
| ("struct list_head" in list.h). One big advantage of this approach |
| is that all of the required memory barriers are included for you in |
| the list macros. This document describes several applications of RCU, |
| with the best fits first. |
| |
| |
| Example 1: Read-Side Action Taken Outside of Lock, No In-Place Updates |
| |
| The best applications are cases where, if reader-writer locking were |
| used, the read-side lock would be dropped before taking any action |
| based on the results of the search. The most celebrated example is |
| the routing table. Because the routing table is tracking the state of |
| equipment outside of the computer, it will at times contain stale data. |
| Therefore, once the route has been computed, there is no need to hold |
| the routing table static during transmission of the packet. After all, |
| you can hold the routing table static all you want, but that won't keep |
| the external Internet from changing, and it is the state of the external |
| Internet that really matters. In addition, routing entries are typically |
| added or deleted, rather than being modified in place. |
| |
| A straightforward example of this use of RCU may be found in the |
| system-call auditing support. For example, a reader-writer locked |
| implementation of audit_filter_task() might be as follows: |
| |
| static enum audit_state audit_filter_task(struct task_struct *tsk) |
| { |
| struct audit_entry *e; |
| enum audit_state state; |
| |
| read_lock(&auditsc_lock); |
| /* Note: audit_netlink_sem held by caller. */ |
| list_for_each_entry(e, &audit_tsklist, list) { |
| if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { |
| read_unlock(&auditsc_lock); |
| return state; |
| } |
| } |
| read_unlock(&auditsc_lock); |
| return AUDIT_BUILD_CONTEXT; |
| } |
| |
| Here the list is searched under the lock, but the lock is dropped before |
| the corresponding value is returned. By the time that this value is acted |
| on, the list may well have been modified. This makes sense, since if |
| you are turning auditing off, it is OK to audit a few extra system calls. |
| |
| This means that RCU can be easily applied to the read side, as follows: |
| |
| static enum audit_state audit_filter_task(struct task_struct *tsk) |
| { |
| struct audit_entry *e; |
| enum audit_state state; |
| |
| rcu_read_lock(); |
| /* Note: audit_netlink_sem held by caller. */ |
| list_for_each_entry_rcu(e, &audit_tsklist, list) { |
| if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { |
| rcu_read_unlock(); |
| return state; |
| } |
| } |
| rcu_read_unlock(); |
| return AUDIT_BUILD_CONTEXT; |
| } |
| |
| The read_lock() and read_unlock() calls have become rcu_read_lock() |
| and rcu_read_unlock(), respectively, and the list_for_each_entry() has |
| become list_for_each_entry_rcu(). The _rcu() list-traversal primitives |
| insert the read-side memory barriers that are required on DEC Alpha CPUs. |
| |
| The changes to the update side are also straightforward. A reader-writer |
| lock might be used as follows for deletion and insertion: |
| |
| static inline int audit_del_rule(struct audit_rule *rule, |
| struct list_head *list) |
| { |
| struct audit_entry *e; |
| |
| write_lock(&auditsc_lock); |
| list_for_each_entry(e, list, list) { |
| if (!audit_compare_rule(rule, &e->rule)) { |
| list_del(&e->list); |
| write_unlock(&auditsc_lock); |
| return 0; |
| } |
| } |
| write_unlock(&auditsc_lock); |
| return -EFAULT; /* No matching rule */ |
| } |
| |
| static inline int audit_add_rule(struct audit_entry *entry, |
| struct list_head *list) |
| { |
| write_lock(&auditsc_lock); |
| if (entry->rule.flags & AUDIT_PREPEND) { |
| entry->rule.flags &= ~AUDIT_PREPEND; |
| list_add(&entry->list, list); |
| } else { |
| list_add_tail(&entry->list, list); |
| } |
| write_unlock(&auditsc_lock); |
| return 0; |
| } |
| |
| Following are the RCU equivalents for these two functions: |
| |
| static inline int audit_del_rule(struct audit_rule *rule, |
| struct list_head *list) |
| { |
| struct audit_entry *e; |
| |
| /* Do not use the _rcu iterator here, since this is the only |
| * deletion routine. */ |
| list_for_each_entry(e, list, list) { |
| if (!audit_compare_rule(rule, &e->rule)) { |
| list_del_rcu(&e->list); |
| call_rcu(&e->rcu, audit_free_rule, e); |
| return 0; |
| } |
| } |
| return -EFAULT; /* No matching rule */ |
| } |
| |
| static inline int audit_add_rule(struct audit_entry *entry, |
| struct list_head *list) |
| { |
| if (entry->rule.flags & AUDIT_PREPEND) { |
| entry->rule.flags &= ~AUDIT_PREPEND; |
| list_add_rcu(&entry->list, list); |
| } else { |
| list_add_tail_rcu(&entry->list, list); |
| } |
| return 0; |
| } |
| |
| Normally, the write_lock() and write_unlock() would be replaced by |
| a spin_lock() and a spin_unlock(), but in this case, all callers hold |
| audit_netlink_sem, so no additional locking is required. The auditsc_lock |
| can therefore be eliminated, since use of RCU eliminates the need for |
| writers to exclude readers. Normally, the write_lock() calls would |
| be converted into spin_lock() calls. |
| |
| The list_del(), list_add(), and list_add_tail() primitives have been |
| replaced by list_del_rcu(), list_add_rcu(), and list_add_tail_rcu(). |
| The _rcu() list-manipulation primitives add memory barriers that are |
| needed on weakly ordered CPUs (most of them!). The list_del_rcu() |
| primitive omits the pointer poisoning debug-assist code that would |
| otherwise cause concurrent readers to fail spectacularly. |
| |
| So, when readers can tolerate stale data and when entries are either added |
| or deleted, without in-place modification, it is very easy to use RCU! |
| |
| |
| Example 2: Handling In-Place Updates |
| |
| The system-call auditing code does not update auditing rules in place. |
| However, if it did, reader-writer-locked code to do so might look as |
| follows (presumably, the field_count is only permitted to decrease, |
| otherwise, the added fields would need to be filled in): |
| |
| static inline int audit_upd_rule(struct audit_rule *rule, |
| struct list_head *list, |
| __u32 newaction, |
| __u32 newfield_count) |
| { |
| struct audit_entry *e; |
| struct audit_newentry *ne; |
| |
| write_lock(&auditsc_lock); |
| /* Note: audit_netlink_sem held by caller. */ |
| list_for_each_entry(e, list, list) { |
| if (!audit_compare_rule(rule, &e->rule)) { |
| e->rule.action = newaction; |
| e->rule.file_count = newfield_count; |
| write_unlock(&auditsc_lock); |
| return 0; |
| } |
| } |
| write_unlock(&auditsc_lock); |
| return -EFAULT; /* No matching rule */ |
| } |
| |
| The RCU version creates a copy, updates the copy, then replaces the old |
| entry with the newly updated entry. This sequence of actions, allowing |
| concurrent reads while doing a copy to perform an update, is what gives |
| RCU ("read-copy update") its name. The RCU code is as follows: |
| |
| static inline int audit_upd_rule(struct audit_rule *rule, |
| struct list_head *list, |
| __u32 newaction, |
| __u32 newfield_count) |
| { |
| struct audit_entry *e; |
| struct audit_newentry *ne; |
| |
| list_for_each_entry(e, list, list) { |
| if (!audit_compare_rule(rule, &e->rule)) { |
| ne = kmalloc(sizeof(*entry), GFP_ATOMIC); |
| if (ne == NULL) |
| return -ENOMEM; |
| audit_copy_rule(&ne->rule, &e->rule); |
| ne->rule.action = newaction; |
| ne->rule.file_count = newfield_count; |
| list_replace_rcu(e, ne); |
| call_rcu(&e->rcu, audit_free_rule, e); |
| return 0; |
| } |
| } |
| return -EFAULT; /* No matching rule */ |
| } |
| |
| Again, this assumes that the caller holds audit_netlink_sem. Normally, |
| the reader-writer lock would become a spinlock in this sort of code. |
| |
| |
| Example 3: Eliminating Stale Data |
| |
| The auditing examples above tolerate stale data, as do most algorithms |
| that are tracking external state. Because there is a delay from the |
| time the external state changes before Linux becomes aware of the change, |
| additional RCU-induced staleness is normally not a problem. |
| |
| However, there are many examples where stale data cannot be tolerated. |
| One example in the Linux kernel is the System V IPC (see the ipc_lock() |
| function in ipc/util.c). This code checks a "deleted" flag under a |
| per-entry spinlock, and, if the "deleted" flag is set, pretends that the |
| entry does not exist. For this to be helpful, the search function must |
| return holding the per-entry spinlock, as ipc_lock() does in fact do. |
| |
| Quick Quiz: Why does the search function need to return holding the |
| per-entry lock for this deleted-flag technique to be helpful? |
| |
| If the system-call audit module were to ever need to reject stale data, |
| one way to accomplish this would be to add a "deleted" flag and a "lock" |
| spinlock to the audit_entry structure, and modify audit_filter_task() |
| as follows: |
| |
| static enum audit_state audit_filter_task(struct task_struct *tsk) |
| { |
| struct audit_entry *e; |
| enum audit_state state; |
| |
| rcu_read_lock(); |
| list_for_each_entry_rcu(e, &audit_tsklist, list) { |
| if (audit_filter_rules(tsk, &e->rule, NULL, &state)) { |
| spin_lock(&e->lock); |
| if (e->deleted) { |
| spin_unlock(&e->lock); |
| rcu_read_unlock(); |
| return AUDIT_BUILD_CONTEXT; |
| } |
| rcu_read_unlock(); |
| return state; |
| } |
| } |
| rcu_read_unlock(); |
| return AUDIT_BUILD_CONTEXT; |
| } |
| |
| Note that this example assumes that entries are only added and deleted. |
| Additional mechanism is required to deal correctly with the |
| update-in-place performed by audit_upd_rule(). For one thing, |
| audit_upd_rule() would need additional memory barriers to ensure |
| that the list_add_rcu() was really executed before the list_del_rcu(). |
| |
| The audit_del_rule() function would need to set the "deleted" |
| flag under the spinlock as follows: |
| |
| static inline int audit_del_rule(struct audit_rule *rule, |
| struct list_head *list) |
| { |
| struct audit_entry *e; |
| |
| /* Do not need to use the _rcu iterator here, since this |
| * is the only deletion routine. */ |
| list_for_each_entry(e, list, list) { |
| if (!audit_compare_rule(rule, &e->rule)) { |
| spin_lock(&e->lock); |
| list_del_rcu(&e->list); |
| e->deleted = 1; |
| spin_unlock(&e->lock); |
| call_rcu(&e->rcu, audit_free_rule, e); |
| return 0; |
| } |
| } |
| return -EFAULT; /* No matching rule */ |
| } |
| |
| |
| Summary |
| |
| Read-mostly list-based data structures that can tolerate stale data are |
| the most amenable to use of RCU. The simplest case is where entries are |
| either added or deleted from the data structure (or atomically modified |
| in place), but non-atomic in-place modifications can be handled by making |
| a copy, updating the copy, then replacing the original with the copy. |
| If stale data cannot be tolerated, then a "deleted" flag may be used |
| in conjunction with a per-entry spinlock in order to allow the search |
| function to reject newly deleted data. |
| |
| |
| Answer to Quick Quiz |
| Why does the search function need to return holding the per-entry |
| lock for this deleted-flag technique to be helpful? |
| |
| If the search function drops the per-entry lock before returning, |
| then the caller will be processing stale data in any case. If it |
| is really OK to be processing stale data, then you don't need a |
| "deleted" flag. If processing stale data really is a problem, |
| then you need to hold the per-entry lock across all of the code |
| that uses the value that was returned. |