| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Mar 2016 21:21:33 +0800
From: zhong jiang <zhongjiang@...wei.com>
To: Matthew Wilcox <matthew.r.wilcox@...el.com>
CC: Andrew Morton <akpm@...ux-foundation.org>,
Hugh Dickins <hughd@...gle.com>,
Ohad Ben-Cohen <ohad@...ery.com>,
Matthew Wilcox <willy@...ux.intel.com>,
Konstantin Khlebnikov <khlebnikov@...nvz.org>,
<linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
<linux-mm@...ck.org>, <stable@...r.kernel.org>
Subject: Re: [PATCH 1/5] radix-tree: Fix race in gang lookup
On 2016/1/28 5:17, Matthew Wilcox wrote:
> From: Matthew Wilcox <willy@...ux.intel.com>
>
> If the indirect_ptr bit is set on a slot, that indicates we need to
> redo the lookup. Introduce a new function radix_tree_iter_retry()
> which forces the loop to retry the lookup by setting 'slot' to NULL and
> turning the iterator back to point at the problematic entry.
>
> This is a pretty rare problem to hit at the moment; the lookup has to
> race with a grow of the radix tree from a height of 0. The consequences
> of hitting this race are that gang lookup could return a pointer to a
> radix_tree_node instead of a pointer to whatever the user had inserted
> in the tree.
>
> Fixes: cebbd29e1c2f ("radix-tree: rewrite gang lookup using iterator")
> Signed-off-by: Matthew Wilcox <willy@...ux.intel.com>
> Cc: stable@...r.kernel.org
> ---
> include/linux/radix-tree.h | 16 ++++++++++++++++
> lib/radix-tree.c | 12 ++++++++++--
> 2 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/radix-tree.h b/include/linux/radix-tree.h
> index f9a3da5bf892..db0ed595749b 100644
> --- a/include/linux/radix-tree.h
> +++ b/include/linux/radix-tree.h
> @@ -387,6 +387,22 @@ void **radix_tree_next_chunk(struct radix_tree_root *root,
> struct radix_tree_iter *iter, unsigned flags);
>
> /**
> + * radix_tree_iter_retry - retry this chunk of the iteration
> + * @iter: iterator state
> + *
> + * If we iterate over a tree protected only by the RCU lock, a race
> + * against deletion or creation may result in seeing a slot for which
> + * radix_tree_deref_retry() returns true. If so, call this function
> + * and continue the iteration.
> + */
> +static inline __must_check
> +void **radix_tree_iter_retry(struct radix_tree_iter *iter)
> +{
> + iter->next_index = iter->index;
> + return NULL;
> +}
> +
> +/**
> * radix_tree_chunk_size - get current chunk size
> *
> * @iter: pointer to radix tree iterator
> diff --git a/lib/radix-tree.c b/lib/radix-tree.c
> index a25f635dcc56..65422ac17114 100644
> --- a/lib/radix-tree.c
> +++ b/lib/radix-tree.c
> @@ -1105,9 +1105,13 @@ radix_tree_gang_lookup(struct radix_tree_root *root, void **results,
> return 0;
>
> radix_tree_for_each_slot(slot, root, &iter, first_index) {
> - results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot));
> + results[ret] = rcu_dereference_raw(*slot);
> if (!results[ret])
> continue;
> + if (radix_tree_is_indirect_ptr(results[ret])) {
> + slot = radix_tree_iter_retry(&iter);
> + continue;
> + }
> if (++ret == max_items)
> break;
> }
according to your patch, after A race occur, slot equals to null. radix_tree_next_slot() will continue
to work. Therefore, it will not return the problematic entry.
> @@ -1184,9 +1188,13 @@ radix_tree_gang_lookup_tag(struct radix_tree_root *root, void **results,
> return 0;
>
> radix_tree_for_each_tagged(slot, root, &iter, first_index, tag) {
> - results[ret] = indirect_to_ptr(rcu_dereference_raw(*slot));
> + results[ret] = rcu_dereference_raw(*slot);
> if (!results[ret])
> continue;
> + if (radix_tree_is_indirect_ptr(results[ret])) {
> + slot = radix_tree_iter_retry(&iter);
> + continue;
> + }
> if (++ret == max_items)
> break;
> }
Powered by blists - more mailing lists