https://github.com/torvalds/linux
Revision 6348dd291e3653534a9e28e6917569bc9967b35b authored by Charan Teja Kalla on 19 June 2020, 11:57:19 UTC, committed by Sumit Semwal on 10 July 2020, 10:09:29 UTC
There exists a sleep-while-atomic bug while accessing the dmabuf->name
under mutex in the dmabuffs_dname(). This is caused from the SELinux
permissions checks on a process where it tries to validate the inherited
files from fork() by traversing them through iterate_fd() (which
traverse files under spin_lock) and call
match_file(security/selinux/hooks.c) where the permission checks happen.
This audit information is logged using dump_common_audit_data() where it
calls d_path() to get the file path name. If the file check happen on
the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to
access dmabuf->name. The flow will be like below:
flush_unauthorized_files()
iterate_fd()
spin_lock() --> Start of the atomic section.
match_file()
file_has_perm()
avc_has_perm()
avc_audit()
slow_avc_audit()
common_lsm_audit()
dump_common_audit_data()
audit_log_d_path()
d_path()
dmabuffs_dname()
mutex_lock()--> Sleep while atomic.
Call trace captured (on 4.19 kernels) is below:
___might_sleep+0x204/0x208
__might_sleep+0x50/0x88
__mutex_lock_common+0x5c/0x1068
__mutex_lock_common+0x5c/0x1068
mutex_lock_nested+0x40/0x50
dmabuffs_dname+0xa0/0x170
d_path+0x84/0x290
audit_log_d_path+0x74/0x130
common_lsm_audit+0x334/0x6e8
slow_avc_audit+0xb8/0xf8
avc_has_perm+0x154/0x218
file_has_perm+0x70/0x180
match_file+0x60/0x78
iterate_fd+0x128/0x168
selinux_bprm_committing_creds+0x178/0x248
security_bprm_committing_creds+0x30/0x48
install_exec_creds+0x1c/0x68
load_elf_binary+0x3a4/0x14e0
search_binary_handler+0xb0/0x1e0
So, use spinlock to access dmabuf->name to avoid sleep-while-atomic.
Cc: <stable@vger.kernel.org> [5.3+]
Signed-off-by: Charan Teja Kalla <charante@codeaurora.org>
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Acked-by: Christian König <christian.koenig@amd.com>
[sumits: added comment to spinlock_t definition to avoid warning]
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/a83e7f0d-4e54-9848-4b58-e1acdbe06735@codeaurora.org
1 parent 2249357
Tip revision: 6348dd291e3653534a9e28e6917569bc9967b35b authored by Charan Teja Kalla on 19 June 2020, 11:57:19 UTC
dmabuf: use spinlock to access dmabuf->name
dmabuf: use spinlock to access dmabuf->name
Tip revision: 6348dd2
| File | Mode | Size |
|---|---|---|
| Documentation | ||
| LICENSES | ||
| arch | ||
| block | ||
| certs | ||
| crypto | ||
| drivers | ||
| fs | ||
| include | ||
| init | ||
| ipc | ||
| kernel | ||
| lib | ||
| mm | ||
| net | ||
| samples | ||
| scripts | ||
| security | ||
| sound | ||
| tools | ||
| usr | ||
| virt | ||
| .clang-format | -rw-r--r-- | 15.8 KB |
| .cocciconfig | -rw-r--r-- | 59 bytes |
| .get_maintainer.ignore | -rw-r--r-- | 71 bytes |
| .gitattributes | -rw-r--r-- | 62 bytes |
| .gitignore | -rw-r--r-- | 1.8 KB |
| .mailmap | -rw-r--r-- | 15.4 KB |
| COPYING | -rw-r--r-- | 496 bytes |
| CREDITS | -rw-r--r-- | 97.4 KB |
| Kbuild | -rw-r--r-- | 1.3 KB |
| Kconfig | -rw-r--r-- | 555 bytes |
| MAINTAINERS | -rw-r--r-- | 547.5 KB |
| Makefile | -rw-r--r-- | 60.6 KB |
| README | -rw-r--r-- | 727 bytes |
Computing file changes ...
