[Acked] [xenial, yakkety] [patch] UBUNTU: SAUCE: apparmor: fix sleep in critical section

Andy Whitcroft apw at canonical.com
Wed Oct 19 09:17:30 UTC 2016 

On Wed, Oct 19, 2016 at 08:17:20AM +0200, John Johansen wrote:
> UBUNTU: SAUCE: apparmor: fix sleep in critical section
> 
> path_put() call dput() which might sleep on some paths. When it does
> sleep from these code paths, the per cpu work buffer may get reused
> overwriting the data that was just placed in the buffer.
> 
> This causes the following mediation to fail as the work buffer no
> longer has valid data for the current operation.
> 
> BugLink: http://bugs.launchpad.net/bugs/1634753
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> 
> diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
> index b380e32..ee07f76 100644
> --- a/security/apparmor/mount.c
> +++ b/security/apparmor/mount.c
> @@ -405,7 +405,6 @@ int aa_bind_mount(struct aa_label *label, struct path *path,
>  						   &old_path),
>  			     old_buffer, &old_name, &info,
>  			     labels_profile(label)->disconnected);
> -	path_put(&old_path);
>  	if (error)
>  		goto error;
>  
> @@ -415,6 +414,7 @@ int aa_bind_mount(struct aa_label *label, struct path *path,
>  
>  out:
>  	put_buffers(buffer, old_buffer);
> +	path_put(&old_path);
>  
>  	return error;
>  
> @@ -494,7 +494,6 @@ int aa_move_mount(struct aa_label *label, struct path *path,
>  						   &old_path),
>  			     old_buffer, &old_name, &info,
>  			     labels_profile(label)->disconnected);
> -	path_put(&old_path);
>  	if (error)
>  		goto error;
>  
> @@ -504,6 +503,7 @@ int aa_move_mount(struct aa_label *label, struct path *path,
>  
>  out:
>  	put_buffers(buffer, old_buffer);
> +	path_put(&old_path);
>  
>  	return error;
>  
> @@ -557,7 +557,6 @@ int aa_new_mount(struct aa_label *label, const char *orig_dev_name,
>  						&dev_path),
>  				     dev_buffer, &dev_name, &info,
>  				     labels_profile(label)->disconnected);
> -		path_put(&dev_path);
>  		if (error)
>  			goto error;
>  	}
> @@ -574,6 +573,8 @@ int aa_new_mount(struct aa_label *label, const char *orig_dev_name,
>  
>  cleanup:
>  	put_buffers(buffer, dev_buffer);
> +	if (requires_dev)
> +		path_put(&dev_path);
>  
>  	return error;
>  

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw

More information about the kernel-team mailing list