From patchwork Wed Oct 19 06:17:20 2016
X-Patchwork-Submitter: John Johansen
X-Patchwork-Id: 683978
To: Kernel team list
From: John Johansen
Subject: [xenial, yakkety] [patch] UBUNTU: SAUCE: apparmor: fix sleep in critical section
Organization: Canonical
Date: Wed, 19 Oct 2016 08:17:20 +0200
Cc: Andy Whitcroft

UBUNTU: SAUCE: apparmor: fix sleep in critical section

path_put() calls dput() which might sleep on some paths. When it does sleep from these code paths, the per cpu work buffer may get reused overwriting the data that was just placed in the buffer. This causes the following mediation to fail as the work buffer no longer has valid data for the current operation.

BugLink: http://bugs.launchpad.net/bugs/1634753
Signed-off-by: John Johansen
Acked-by: Andy Whitcroft

diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index b380e32..ee07f76 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c @@ -405,7 +405,6 @@ int aa_bind_mount(struct aa_label *label, struct path *path, &old_path), old_buffer, &old_name, &info, labels_profile(label)->disconnected); - path_put(&old_path); if (error) goto error; @@ -415,6 +414,7 @@ int aa_bind_mount(struct aa_label *label, struct path *path, out: put_buffers(buffer, old_buffer); + path_put(&old_path); return error; @@ -494,7 +494,6 @@ int aa_move_mount(struct aa_label *label, struct path *path, &old_path), old_buffer, &old_name, &info, labels_profile(label)->disconnected); - path_put(&old_path); if (error) goto error; @@ -504,6 +503,7 @@ int aa_move_mount(struct aa_label *label, struct path *path, out: put_buffers(buffer, old_buffer); + path_put(&old_path); return error;
@@ -557,7 +557,6 @@ int aa_new_mount(struct aa_label *label, const char *orig_dev_name, &dev_path), dev_buffer, &dev_name, &info, labels_profile(label)->disconnected); - path_put(&dev_path); if (error) goto error; } @@ -574,6 +573,8 @@ int aa_new_mount(struct aa_label *label, const char *orig_dev_name, cleanup: put_buffers(buffer, dev_buffer); + if (requires_dev) + path_put(&dev_path); return error;
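
Review bot: in the `out:` hunks of aa_bind_mount() and aa_move_mount(), `path_put(&old_path)` is now unconditional, so it also runs on any exit that reaches `out:` before `old_path` has been filled in. The context shows `if (error) goto error;` right after the name lookup; if the error handling for an earlier failure (not visible in these hunks) also ends at `out:`, this drops a reference on a struct path that was never acquired. The aa_new_mount() hunk guards its put with `if (requires_dev)`, and these two functions need an equivalent: either zero-initialise `old_path` at its declaration (path_put() on a zeroed path is harmless, since dput() and mntput() both accept NULL) or set a flag once the lookup succeeds and test it before the put.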
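
Review bot: in the `cleanup:` hunk of aa_new_mount(), `if (requires_dev)` stands in for "dev_path holds a reference", which only holds once the lookup that fills `dev_path` has succeeded. The removed `path_put(&dev_path)` sat inside a braced block after the name computation, so the old code only ran it on that one path; the new guard fires for every exit through `cleanup:` with `requires_dev` set, including a failure before `dev_path` is valid. Please confirm no such exit exists, or guard on a state that is set only after the reference is taken (a zero-initialised `dev_path` would also make the put safe without the `requires_dev` test).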
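
Review bot: at all three exit labels (`out:` twice, `cleanup:` once) the fix depends on `path_put()` coming after `put_buffers()`, but nothing in the code records that ordering constraint. The commit message explains that path_put() can sleep via dput() and let the per cpu work buffer be reused; a one-line comment above each moved `path_put()` saying that it may sleep and must not be called while the buffers are held would keep a later cleanup from moving it back.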