From patchwork Wed Nov 23 06:29:19 2016
X-Patchwork-Submitter: Himanshu Shukla
X-Patchwork-Id: 9442651
From: Himanshu Shukla
To: casey@schaufler-ca.com, linux-security-module@vger.kernel.org
Cc: himanshu.sh@samsung.com, vishal.goel@samsung.com
Subject: [PATCH] SMACK: Free the i_security blob in inode using RCU
Date: Wed, 23 Nov 2016 11:59:19 +0530
Message-id: <1479882559-34854-1-git-send-email-himanshu.sh@samsung.com>

There is a race condition issue while freeing the i_security blob in the
SMACK module. There is an existing condition where i_security can be freed
while inode_permission is called from path lookup on a second CPU. A page
fault has been observed under this condition. VFS code and the SELinux
module take care of this condition by freeing the inode and i_security
field using RCU via call_rcu(). But in SMACK the i_security blob is freed
directly. Use call_rcu() to fix this race condition issue.

Signed-off-by: Himanshu Shukla Signed-off-by: Vishal Goel Acked-by: Casey Schaufler --- security/smack/smack.h | 1 + security/smack/smack_lsm.c | 32 ++++++++++++++++++++++++++++---- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/security/smack/smack.h b/security/smack/smack.h index 51fd301..22f816e 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -114,6 +114,7 @@ struct inode_smack { struct smack_known *smk_mmap; /* label of the mmap domain */ struct mutex smk_lock; /* initialization lock */ int smk_flags; /* smack inode flags */ + struct rcu_head rcu; /* for freeing the inode_smack */ }; struct task_smack { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 1cb0602..67f8708 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -1009,15 +1009,39 @@ static int smack_inode_alloc_security(struct inode *inode) } /** - * smack_inode_free_security - free an inode blob + * smack_inode_free_rcu - Free inode_smack blob from cache + * @head: the rcu_head for getting inode_smack pointer + * + * Call back function called from call_rcu() to free + * the i_security blob pointer in inode + */ +static void smack_inode_free_rcu(struct rcu_head *head) +{ + struct inode_smack *issp; + + issp = container_of(head, struct inode_smack, rcu); + kmem_cache_free(smack_inode_cache, issp); +} + +/** + * smack_inode_free_security - free an inode blob using call_rcu() * @inode: the inode with a blob * - * Clears the blob pointer in inode + * Clears the blob pointer in inode using RCU */ static void smack_inode_free_security(struct inode *inode) { - kmem_cache_free(smack_inode_cache, inode->i_security); - inode->i_security = NULL; + struct inode_smack *issp = inode->i_security; + + /* + * The inode may still be referenced in a path walk and + * a call to smack_inode_permission() can be made + * after smack_inode_free_security() is called. + * To avoid race condition free the i_security via RCU + * and leave the current inode->i_security pointer intact. + * The inode will be freed after the RCU grace period too. + */ + call_rcu(&issp->rcu, smack_inode_free_rcu); } /**
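
Review bot: in the security/smack/smack.h hunk, the new `struct rcu_head rcu` member enlarges every inode_smack allocated from the inode cache, and its comment does not say who queues it. Consider expanding the comment to name the caller, for example "queued by smack_inode_free_security() via call_rcu()", so the lifetime rule is documented next to the field.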
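
Review bot: in the security/smack/smack_lsm.c hunk, the kernel-doc for smack_inode_free_security() still reads "Clears the blob pointer in inode using RCU", but the new body no longer clears inode->i_security, and the inline comment says the pointer is deliberately left intact. Reword the kernel-doc to say that the blob is freed after an RCU grace period and the pointer is left in place. Separately, `issp` is passed to call_rcu() as `&issp->rcu` with no NULL check; it is worth confirming that this hook cannot be reached with inode->i_security unset.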