linux

History

Ondrej Mosnacek 39a706fbcf selinux: fix sidtab string cache locking Avoiding taking a lock in an IRQ context is not enough to prevent deadlocks, as discovered by syzbot: === WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected 5.5.0-syzkaller #0 Not tainted ----------------------------------------------------- syz-executor.0/8927 [HC0[0]:SC0[2]:HE1:SE0] is trying to acquire: ffff888027c94098 (&(&s->cache_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline] ffff888027c94098 (&(&s->cache_lock)->rlock){+.+.}, at: sidtab_sid2str_put.part.0+0x36/0x880 security/selinux/ss/sidtab.c:533 and this task is already holding: ffffffff898639b0 (&(&nf_conntrack_locks[i])->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] ffffffff898639b0 (&(&nf_conntrack_locks[i])->rlock){+.-.}, at: nf_conntrack_lock+0x17/0x70 net/netfilter/nf_conntrack_core.c:91 which would create a new lock dependency: (&(&nf_conntrack_locks[i])->rlock){+.-.} -> (&(&s->cache_lock)->rlock){+.+.} but this new dependency connects a SOFTIRQ-irq-safe lock: (&(&nf_conntrack_locks[i])->rlock){+.-.} [...] other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&(&s->cache_lock)->rlock); local_irq_disable(); lock(&(&nf_conntrack_locks[i])->rlock); lock(&(&s->cache_lock)->rlock); <Interrupt> lock(&(&nf_conntrack_locks[i])->rlock); * DEADLOCK * [...] === Fix this by simply locking with irqsave/irqrestore and stop giving up on !in_task(). It makes the locking a bit slower, but it shouldn't make a big difference in real workloads. Under the scenario from [1] (only cache hits) it only increased the runtime overhead from the security_secid_to_secctx() function from ~2% to ~3% (it was ~5-65% before introducing the cache). [1] https://bugzilla.redhat.com/show_bug.cgi?id=1733259 Fixes: `d97bd23c2d` ("selinux: cache the SID -> context string translation") Reported-by: syzbot+61cba5033e2072d61806@syzkaller.appspotmail.com Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>		2020-02-05 18:31:10 -05:00
..
apparmor	+ Features	2019-12-03 12:51:35 -08:00
integrity	x86/efi: remove unused variables	2019-11-29 22:23:46 +11:00
keys	KEYS: trusted: Remove set but not used variable 'keyhndl'	2019-11-12 21:45:37 +02:00
loadpin	proc/sysctl: add shared variables for range check	2019-07-18 17:08:07 -07:00
lockdown	security,lockdown,selinux: implement SELinux lockdown	2019-12-09 17:53:58 -05:00
safesetid	security/safesetid: Replace rcu_swap_protected() with rcu_replace_pointer()	2019-10-30 08:45:57 -07:00
selinux	selinux: fix sidtab string cache locking	2020-02-05 18:31:10 -05:00
smack	pipe: Reduce #inclusion of pipe_fs_i.h	2019-10-23 17:02:34 +01:00
tomoyo	treewide: Add SPDX license identifier - Makefile/Kconfig	2019-05-21 10:50:46 +02:00
yama	proc/sysctl: add shared variables for range check	2019-07-18 17:08:07 -07:00
commoncap.c	Merge branch 'next-lsm' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security	2019-07-09 12:24:21 -07:00
device_cgroup.c	device_cgroup: Export devcgroup_check_permission	2019-10-07 15:11:38 -05:00
inode.c	Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2019-07-19 10:42:02 -07:00
Kconfig	Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security	2019-09-28 08:14:15 -07:00
Kconfig.hardening	meminit fix	2019-07-28 12:33:15 -07:00
lsm_audit.c	security,lockdown,selinux: implement SELinux lockdown	2019-12-09 17:53:58 -05:00
Makefile	security: only build lsm_audit if CONFIG_SECURITY=y	2019-12-10 13:51:42 -05:00
min_addr.c	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
security.c	security,lockdown,selinux: implement SELinux lockdown	2019-12-09 17:53:58 -05:00