lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Tue, 06 Apr 2010 20:31:34 +0100
From:	David Howells <dhowells@...hat.com>
To:	torvalds@...l.org, akpm@...ux-foundation.org, npiggin@...e.de
Cc:	paulmck@...ux.vnet.ibm.com, corbet@....net,
	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-mm@...ck.org, David Howells <dhowells@...hat.com>
Subject: [PATCH] radix_tree_tag_get() is not as safe as the docs make out

radix_tree_tag_get() is not safe to use concurrently with radix_tree_tag_set()
or radix_tree_tag_clear().  The problem is that the double tag_get() in
radix_tree_tag_get():

		if (!tag_get(node, tag, offset))
			saw_unset_tag = 1;
		if (height == 1) {
			int ret = tag_get(node, tag, offset);

may see the value change due to the action of set/clear.  RCU is no protection
against this as no pointers are being changed, no nodes are being replaced
according to a COW protocol - set/clear alter the node directly.

The documentation in linux/radix-tree.h, however, proclaims that
radix_tree_tag_get() is an exception to the rule that "any function modifying
the tree or tags (...) must exclude other modifications, and exclude any
functions reading the tree".

To this end, remove radix_tree_tag_get() from that list, and comment on its
definition that the caller is responsible for preventing concurrent access with
set/clear.

Furthermore, radix_tree_tag_get() is not safe with respect to
radix_tree_delete() either as that also modifies the tags directly.

An alternative would be to drop the BUG_ON() from radix_tree_tag_get() and note
that it may produce an untrustworthy answer if not so protected.

Signed-off-by: David Howells <dhowells@...hat.com>
---

 include/linux/radix-tree.h |    3 +--
 lib/radix-tree.c           |    4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h
index c5da749..33daa70 100644
--- a/include/linux/radix-tree.h
+++ b/include/linux/radix-tree.h
@@ -100,14 +100,13 @@ do {									\
  * The notable exceptions to this rule are the following functions:
  * radix_tree_lookup
  * radix_tree_lookup_slot
- * radix_tree_tag_get
  * radix_tree_gang_lookup
  * radix_tree_gang_lookup_slot
  * radix_tree_gang_lookup_tag
  * radix_tree_gang_lookup_tag_slot
  * radix_tree_tagged
  *
- * The first 7 functions are able to be called locklessly, using RCU. The
+ * The first 6 functions are able to be called locklessly, using RCU. The
  * caller must ensure calls to these functions are made within rcu_read_lock()
  * regions. Other readers (lock-free or otherwise) and modifications may be
  * running concurrently.
diff --git a/lib/radix-tree.c b/lib/radix-tree.c
index 6b9670d..795a3bb 100644
--- a/lib/radix-tree.c
+++ b/lib/radix-tree.c
@@ -556,6 +556,10 @@ EXPORT_SYMBOL(radix_tree_tag_clear);
  *
  *  0: tag not present or not set
  *  1: tag set
+ *
+ * The caller must make sure this function does not run concurrently with
+ * radix_tree_tag_set/clear() or radix_tree_delete() as these modify the nodes
+ * directly to alter the tags.
  */
 int radix_tree_tag_get(struct radix_tree_root *root,
 			unsigned long index, unsigned int tag)

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists