Re: [PATCH] dmabuf: use spinlock to access dmabuf->name
On 6/17/2020 11:13 PM, Ruhl, Michael J wrote: >> -Original Message- >> From: charante=codeaurora@mg.codeaurora.org >> On Behalf Of Charan Teja >> Kalla >> Sent: Wednesday, June 17, 2020 2:29 AM >> To: Ruhl, Michael J ; Sumit Semwal >> ; open list:DMA BUFFER SHARING FRAMEWORK >> ; DRI mailing list > de...@lists.freedesktop.org> >> Cc: Linaro MM SIG ; >> vinme...@codeaurora.org; LKML ; >> sta...@vger.kernel.org >> Subject: Re: [PATCH] dmabuf: use spinlock to access dmabuf->name >> >> Thanks Michael for the comments.. >> >> On 6/16/2020 7:29 PM, Ruhl, Michael J wrote: >>>> -Original Message- >>>> From: dri-devel On Behalf Of >>>> Ruhl, Michael J >>>> Sent: Tuesday, June 16, 2020 9:51 AM >>>> To: Charan Teja Kalla ; Sumit Semwal >>>> ; open list:DMA BUFFER SHARING >> FRAMEWORK >>>> ; DRI mailing list >>> de...@lists.freedesktop.org> >>>> Cc: Linaro MM SIG ; >>>> vinme...@codeaurora.org; LKML ; >>>> sta...@vger.kernel.org >>>> Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name >>>> >>>>> -Original Message- >>>>> From: dri-devel On Behalf Of >>>>> Charan Teja Kalla >>>>> Sent: Thursday, June 11, 2020 9:40 AM >>>>> To: Sumit Semwal ; open list:DMA BUFFER >>>>> SHARING FRAMEWORK ; DRI mailing list >> >>>> de...@lists.freedesktop.org> >>>>> Cc: Linaro MM SIG ; >>>>> vinme...@codeaurora.org; LKML ; >>>>> sta...@vger.kernel.org >>>>> Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >>>>> >>>>> There exists a sleep-while-atomic bug while accessing the dmabuf->name >>>>> under mutex in the dmabuffs_dname(). This is caused from the SELinux >>>>> permissions checks on a process where it tries to validate the inherited >>>>> files from fork() by traversing them through iterate_fd() (which >>>>> traverse files under spin_lock) and call >>>>> match_file(security/selinux/hooks.c) where the permission checks >> happen. >>>>> This audit information is logged using dump_common_audit_data() >> where it >>>>> calls d_path() to get the file path name. If the file check happen on >>>>> the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex >> to >>>>> access dmabuf->name. The flow will be like below: >>>>> flush_unauthorized_files() >>>>> iterate_fd() >>>>>spin_lock() --> Start of the atomic section. >>>>> match_file() >>>>>file_has_perm() >>>>> avc_has_perm() >>>>>avc_audit() >>>>> slow_avc_audit() >>>>> common_lsm_audit() >>>>> dump_common_audit_data() >>>>> audit_log_d_path() >>>>> d_path() >>>>>dmabuffs_dname() >>>>> mutex_lock()--> Sleep while atomic. >>>>> >>>>> Call trace captured (on 4.19 kernels) is below: >>>>> ___might_sleep+0x204/0x208 >>>>> __might_sleep+0x50/0x88 >>>>> __mutex_lock_common+0x5c/0x1068 >>>>> __mutex_lock_common+0x5c/0x1068 >>>>> mutex_lock_nested+0x40/0x50 >>>>> dmabuffs_dname+0xa0/0x170 >>>>> d_path+0x84/0x290 >>>>> audit_log_d_path+0x74/0x130 >>>>> common_lsm_audit+0x334/0x6e8 >>>>> slow_avc_audit+0xb8/0xf8 >>>>> avc_has_perm+0x154/0x218 >>>>> file_has_perm+0x70/0x180 >>>>> match_file+0x60/0x78 >>>>> iterate_fd+0x128/0x168 >>>>> selinux_bprm_committing_creds+0x178/0x248 >>>>> security_bprm_committing_creds+0x30/0x48 >>>>> install_exec_creds+0x1c/0x68 >>>>> load_elf_binary+0x3a4/0x14e0 >>>>> search_binary_handler+0xb0/0x1e0 >>>>> >>>>> So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >>>>> >>>>> Cc: [5.3+] >>>>> Signed-off-by: Charan Teja Reddy >>>>> --- >>>>> drivers/dma-buf/dma-buf.c | 13 +++-- >>>>> include/linux/dma-buf.h | 1 + >>>>> 2 files changed, 8 ins
Re: [PATCH] dmabuf: use spinlock to access dmabuf->name
On 6/17/2020 1:51 PM, David Laight wrote: > From: Charan Teja Kalla >> Sent: 17 June 2020 07:29 > ... If name is freed you will copy garbage, but the only way for that to happen is that _set_name or _release have to be called at just the right time. And the above would probably only be an issue if the set_name was called, so you will get NULL or a real name. >> >> And there exists a use-after-free to avoid which requires the lock. Say >> that memcpy() in dmabuffs_dname is in progress and in parallel _set_name >> will free the same buffer that memcpy is operating on. > > If the name is being looked at while the item is being freed > you almost certainly have much bigger problems that just > the name being a 'junk' pointer. True, thus needs the lock. > > David. > > - > Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 > 1PT, UK > Registration No: 1397386 (Wales) > -- The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project ___ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
RE: [PATCH] dmabuf: use spinlock to access dmabuf->name
From: Charan Teja Kalla > Sent: 17 June 2020 07:29 ... > >> If name is freed you will copy garbage, but the only way > >> for that to happen is that _set_name or _release have to be called > >> at just the right time. > >> > >> And the above would probably only be an issue if the set_name > >> was called, so you will get NULL or a real name. > > And there exists a use-after-free to avoid which requires the lock. Say > that memcpy() in dmabuffs_dname is in progress and in parallel _set_name > will free the same buffer that memcpy is operating on. If the name is being looked at while the item is being freed you almost certainly have much bigger problems that just the name being a 'junk' pointer. David. - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales) ___ dri-devel mailing list dri-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/dri-devel
RE: [PATCH] dmabuf: use spinlock to access dmabuf->name
>-Original Message- >From: charante=codeaurora@mg.codeaurora.org > On Behalf Of Charan Teja >Kalla >Sent: Wednesday, June 17, 2020 2:29 AM >To: Ruhl, Michael J ; Sumit Semwal >; open list:DMA BUFFER SHARING FRAMEWORK >; DRI mailing list de...@lists.freedesktop.org> >Cc: Linaro MM SIG ; >vinme...@codeaurora.org; LKML ; >sta...@vger.kernel.org >Subject: Re: [PATCH] dmabuf: use spinlock to access dmabuf->name > >Thanks Michael for the comments.. > >On 6/16/2020 7:29 PM, Ruhl, Michael J wrote: >>> -Original Message- >>> From: dri-devel On Behalf Of >>> Ruhl, Michael J >>> Sent: Tuesday, June 16, 2020 9:51 AM >>> To: Charan Teja Kalla ; Sumit Semwal >>> ; open list:DMA BUFFER SHARING >FRAMEWORK >>> ; DRI mailing list >> de...@lists.freedesktop.org> >>> Cc: Linaro MM SIG ; >>> vinme...@codeaurora.org; LKML ; >>> sta...@vger.kernel.org >>> Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name >>> >>>> -Original Message- >>>> From: dri-devel On Behalf Of >>>> Charan Teja Kalla >>>> Sent: Thursday, June 11, 2020 9:40 AM >>>> To: Sumit Semwal ; open list:DMA BUFFER >>>> SHARING FRAMEWORK ; DRI mailing list >>>> de...@lists.freedesktop.org> >>>> Cc: Linaro MM SIG ; >>>> vinme...@codeaurora.org; LKML ; >>>> sta...@vger.kernel.org >>>> Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >>>> >>>> There exists a sleep-while-atomic bug while accessing the dmabuf->name >>>> under mutex in the dmabuffs_dname(). This is caused from the SELinux >>>> permissions checks on a process where it tries to validate the inherited >>>> files from fork() by traversing them through iterate_fd() (which >>>> traverse files under spin_lock) and call >>>> match_file(security/selinux/hooks.c) where the permission checks >happen. >>>> This audit information is logged using dump_common_audit_data() >where it >>>> calls d_path() to get the file path name. If the file check happen on >>>> the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex >to >>>> access dmabuf->name. The flow will be like below: >>>> flush_unauthorized_files() >>>> iterate_fd() >>>>spin_lock() --> Start of the atomic section. >>>> match_file() >>>>file_has_perm() >>>> avc_has_perm() >>>>avc_audit() >>>> slow_avc_audit() >>>>common_lsm_audit() >>>> dump_common_audit_data() >>>>audit_log_d_path() >>>> d_path() >>>>dmabuffs_dname() >>>> mutex_lock()--> Sleep while atomic. >>>> >>>> Call trace captured (on 4.19 kernels) is below: >>>> ___might_sleep+0x204/0x208 >>>> __might_sleep+0x50/0x88 >>>> __mutex_lock_common+0x5c/0x1068 >>>> __mutex_lock_common+0x5c/0x1068 >>>> mutex_lock_nested+0x40/0x50 >>>> dmabuffs_dname+0xa0/0x170 >>>> d_path+0x84/0x290 >>>> audit_log_d_path+0x74/0x130 >>>> common_lsm_audit+0x334/0x6e8 >>>> slow_avc_audit+0xb8/0xf8 >>>> avc_has_perm+0x154/0x218 >>>> file_has_perm+0x70/0x180 >>>> match_file+0x60/0x78 >>>> iterate_fd+0x128/0x168 >>>> selinux_bprm_committing_creds+0x178/0x248 >>>> security_bprm_committing_creds+0x30/0x48 >>>> install_exec_creds+0x1c/0x68 >>>> load_elf_binary+0x3a4/0x14e0 >>>> search_binary_handler+0xb0/0x1e0 >>>> >>>> So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >>>> >>>> Cc: [5.3+] >>>> Signed-off-by: Charan Teja Reddy >>>> --- >>>> drivers/dma-buf/dma-buf.c | 13 +++-- >>>> include/linux/dma-buf.h | 1 + >>>> 2 files changed, 8 insertions(+), 6 deletions(-) >>>> >>>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>>> index 01ce125..2e0456c 100644 >>>> --- a/drivers/dma-buf/dma-buf.c >>>> +++ b/drivers/dma-buf/dma-buf.c >>>> @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry >*dentry, >>>> char *buffer, int buflen) >>>>size_t ret = 0; >>>>
Re: [PATCH] dmabuf: use spinlock to access dmabuf->name
Thanks Michael for the comments.. On 6/16/2020 7:29 PM, Ruhl, Michael J wrote: >> -Original Message- >> From: dri-devel On Behalf Of >> Ruhl, Michael J >> Sent: Tuesday, June 16, 2020 9:51 AM >> To: Charan Teja Kalla ; Sumit Semwal >> ; open list:DMA BUFFER SHARING FRAMEWORK >> ; DRI mailing list > de...@lists.freedesktop.org> >> Cc: Linaro MM SIG ; >> vinme...@codeaurora.org; LKML ; >> sta...@vger.kernel.org >> Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name >> >>> -Original Message- >>> From: dri-devel On Behalf Of >>> Charan Teja Kalla >>> Sent: Thursday, June 11, 2020 9:40 AM >>> To: Sumit Semwal ; open list:DMA BUFFER >>> SHARING FRAMEWORK ; DRI mailing list >> de...@lists.freedesktop.org> >>> Cc: Linaro MM SIG ; >>> vinme...@codeaurora.org; LKML ; >>> sta...@vger.kernel.org >>> Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >>> >>> There exists a sleep-while-atomic bug while accessing the dmabuf->name >>> under mutex in the dmabuffs_dname(). This is caused from the SELinux >>> permissions checks on a process where it tries to validate the inherited >>> files from fork() by traversing them through iterate_fd() (which >>> traverse files under spin_lock) and call >>> match_file(security/selinux/hooks.c) where the permission checks happen. >>> This audit information is logged using dump_common_audit_data() where it >>> calls d_path() to get the file path name. If the file check happen on >>> the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to >>> access dmabuf->name. The flow will be like below: >>> flush_unauthorized_files() >>> iterate_fd() >>>spin_lock() --> Start of the atomic section. >>> match_file() >>>file_has_perm() >>> avc_has_perm() >>>avc_audit() >>> slow_avc_audit() >>> common_lsm_audit() >>> dump_common_audit_data() >>> audit_log_d_path() >>> d_path() >>>dmabuffs_dname() >>> mutex_lock()--> Sleep while atomic. >>> >>> Call trace captured (on 4.19 kernels) is below: >>> ___might_sleep+0x204/0x208 >>> __might_sleep+0x50/0x88 >>> __mutex_lock_common+0x5c/0x1068 >>> __mutex_lock_common+0x5c/0x1068 >>> mutex_lock_nested+0x40/0x50 >>> dmabuffs_dname+0xa0/0x170 >>> d_path+0x84/0x290 >>> audit_log_d_path+0x74/0x130 >>> common_lsm_audit+0x334/0x6e8 >>> slow_avc_audit+0xb8/0xf8 >>> avc_has_perm+0x154/0x218 >>> file_has_perm+0x70/0x180 >>> match_file+0x60/0x78 >>> iterate_fd+0x128/0x168 >>> selinux_bprm_committing_creds+0x178/0x248 >>> security_bprm_committing_creds+0x30/0x48 >>> install_exec_creds+0x1c/0x68 >>> load_elf_binary+0x3a4/0x14e0 >>> search_binary_handler+0xb0/0x1e0 >>> >>> So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >>> >>> Cc: [5.3+] >>> Signed-off-by: Charan Teja Reddy >>> --- >>> drivers/dma-buf/dma-buf.c | 13 +++-- >>> include/linux/dma-buf.h | 1 + >>> 2 files changed, 8 insertions(+), 6 deletions(-) >>> >>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>> index 01ce125..2e0456c 100644 >>> --- a/drivers/dma-buf/dma-buf.c >>> +++ b/drivers/dma-buf/dma-buf.c >>> @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, >>> char *buffer, int buflen) >>> size_t ret = 0; >>> >>> dmabuf = dentry->d_fsdata; >>> - dma_resv_lock(dmabuf->resv, NULL); >>> + spin_lock(&dmabuf->name_lock); >>> if (dmabuf->name) >>> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); >>> - dma_resv_unlock(dmabuf->resv); >>> + spin_unlock(&dmabuf->name_lock); >> >> I am not really clear on why you need this lock. >> >> If name == NULL you have no issues. >> If name is real, you have no issues. Yeah, ideal cases... >> >> If name is freed you will copy garbage, but the only way >> for that to happen is that _set_name or _release have to be called >> at just the right time. >> >> And the above would probably only be an issue if the set_name >&
RE: [PATCH] dmabuf: use spinlock to access dmabuf->name
>-Original Message- >From: dri-devel On Behalf Of >Ruhl, Michael J >Sent: Tuesday, June 16, 2020 9:51 AM >To: Charan Teja Kalla ; Sumit Semwal >; open list:DMA BUFFER SHARING FRAMEWORK >; DRI mailing list de...@lists.freedesktop.org> >Cc: Linaro MM SIG ; >vinme...@codeaurora.org; LKML ; >sta...@vger.kernel.org >Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name > >>-Original Message- >>From: dri-devel On Behalf Of >>Charan Teja Kalla >>Sent: Thursday, June 11, 2020 9:40 AM >>To: Sumit Semwal ; open list:DMA BUFFER >>SHARING FRAMEWORK ; DRI mailing list >de...@lists.freedesktop.org> >>Cc: Linaro MM SIG ; >>vinme...@codeaurora.org; LKML ; >>sta...@vger.kernel.org >>Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >> >>There exists a sleep-while-atomic bug while accessing the dmabuf->name >>under mutex in the dmabuffs_dname(). This is caused from the SELinux >>permissions checks on a process where it tries to validate the inherited >>files from fork() by traversing them through iterate_fd() (which >>traverse files under spin_lock) and call >>match_file(security/selinux/hooks.c) where the permission checks happen. >>This audit information is logged using dump_common_audit_data() where it >>calls d_path() to get the file path name. If the file check happen on >>the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to >>access dmabuf->name. The flow will be like below: >>flush_unauthorized_files() >> iterate_fd() >>spin_lock() --> Start of the atomic section. >> match_file() >>file_has_perm() >> avc_has_perm() >>avc_audit() >> slow_avc_audit() >> common_lsm_audit() >>dump_common_audit_data() >> audit_log_d_path() >>d_path() >>dmabuffs_dname() >> mutex_lock()--> Sleep while atomic. >> >>Call trace captured (on 4.19 kernels) is below: >>___might_sleep+0x204/0x208 >>__might_sleep+0x50/0x88 >>__mutex_lock_common+0x5c/0x1068 >>__mutex_lock_common+0x5c/0x1068 >>mutex_lock_nested+0x40/0x50 >>dmabuffs_dname+0xa0/0x170 >>d_path+0x84/0x290 >>audit_log_d_path+0x74/0x130 >>common_lsm_audit+0x334/0x6e8 >>slow_avc_audit+0xb8/0xf8 >>avc_has_perm+0x154/0x218 >>file_has_perm+0x70/0x180 >>match_file+0x60/0x78 >>iterate_fd+0x128/0x168 >>selinux_bprm_committing_creds+0x178/0x248 >>security_bprm_committing_creds+0x30/0x48 >>install_exec_creds+0x1c/0x68 >>load_elf_binary+0x3a4/0x14e0 >>search_binary_handler+0xb0/0x1e0 >> >>So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >> >>Cc: [5.3+] >>Signed-off-by: Charan Teja Reddy >>--- >> drivers/dma-buf/dma-buf.c | 13 +++-- >> include/linux/dma-buf.h | 1 + >> 2 files changed, 8 insertions(+), 6 deletions(-) >> >>diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>index 01ce125..2e0456c 100644 >>--- a/drivers/dma-buf/dma-buf.c >>+++ b/drivers/dma-buf/dma-buf.c >>@@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, >>char *buffer, int buflen) >> size_t ret = 0; >> >> dmabuf = dentry->d_fsdata; >>- dma_resv_lock(dmabuf->resv, NULL); >>+ spin_lock(&dmabuf->name_lock); >> if (dmabuf->name) >> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); >>- dma_resv_unlock(dmabuf->resv); >>+ spin_unlock(&dmabuf->name_lock); > >I am not really clear on why you need this lock. > >If name == NULL you have no issues. >If name is real, you have no issues. > >If name is freed you will copy garbage, but the only way >for that to happen is that _set_name or _release have to be called >at just the right time. > >And the above would probably only be an issue if the set_name >was called, so you will get NULL or a real name. > >Is there a reason for the lock here? > >Mike Maybe dmabuf->name = NULL after the kfree(dmabuf->name) in: dma_buf_release() Would be sufficient? M >> return dynamic_dname(dentry, buffer, buflen, "/%s:%s", >> dentry->d_name.name, ret > 0 ? name : ""); >>@@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf >>*dmabuf, const char __user *buf) >> if (IS_ERR(name)) >> return PTR_ERR(name); >> >>-
RE: [PATCH] dmabuf: use spinlock to access dmabuf->name
>-Original Message-
>From: dri-devel On Behalf Of
>Charan Teja Kalla
>Sent: Thursday, June 11, 2020 9:40 AM
>To: Sumit Semwal ; open list:DMA BUFFER
>SHARING FRAMEWORK ; DRI mailing list de...@lists.freedesktop.org>
>Cc: Linaro MM SIG ;
>vinme...@codeaurora.org; LKML ;
>sta...@vger.kernel.org
>Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name
>
>There exists a sleep-while-atomic bug while accessing the dmabuf->name
>under mutex in the dmabuffs_dname(). This is caused from the SELinux
>permissions checks on a process where it tries to validate the inherited
>files from fork() by traversing them through iterate_fd() (which
>traverse files under spin_lock) and call
>match_file(security/selinux/hooks.c) where the permission checks happen.
>This audit information is logged using dump_common_audit_data() where it
>calls d_path() to get the file path name. If the file check happen on
>the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to
>access dmabuf->name. The flow will be like below:
>flush_unauthorized_files()
> iterate_fd()
>spin_lock() --> Start of the atomic section.
> match_file()
>file_has_perm()
> avc_has_perm()
>avc_audit()
> slow_avc_audit()
> common_lsm_audit()
> dump_common_audit_data()
> audit_log_d_path()
> d_path()
>dmabuffs_dname()
> mutex_lock()--> Sleep while atomic.
>
>Call trace captured (on 4.19 kernels) is below:
>___might_sleep+0x204/0x208
>__might_sleep+0x50/0x88
>__mutex_lock_common+0x5c/0x1068
>__mutex_lock_common+0x5c/0x1068
>mutex_lock_nested+0x40/0x50
>dmabuffs_dname+0xa0/0x170
>d_path+0x84/0x290
>audit_log_d_path+0x74/0x130
>common_lsm_audit+0x334/0x6e8
>slow_avc_audit+0xb8/0xf8
>avc_has_perm+0x154/0x218
>file_has_perm+0x70/0x180
>match_file+0x60/0x78
>iterate_fd+0x128/0x168
>selinux_bprm_committing_creds+0x178/0x248
>security_bprm_committing_creds+0x30/0x48
>install_exec_creds+0x1c/0x68
>load_elf_binary+0x3a4/0x14e0
>search_binary_handler+0xb0/0x1e0
>
>So, use spinlock to access dmabuf->name to avoid sleep-while-atomic.
>
>Cc: [5.3+]
>Signed-off-by: Charan Teja Reddy
>---
> drivers/dma-buf/dma-buf.c | 13 +++--
> include/linux/dma-buf.h | 1 +
> 2 files changed, 8 insertions(+), 6 deletions(-)
>
>diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
>index 01ce125..2e0456c 100644
>--- a/drivers/dma-buf/dma-buf.c
>+++ b/drivers/dma-buf/dma-buf.c
>@@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry,
>char *buffer, int buflen)
> size_t ret = 0;
>
> dmabuf = dentry->d_fsdata;
>- dma_resv_lock(dmabuf->resv, NULL);
>+ spin_lock(&dmabuf->name_lock);
> if (dmabuf->name)
> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN);
>- dma_resv_unlock(dmabuf->resv);
>+ spin_unlock(&dmabuf->name_lock);
I am not really clear on why you need this lock.
If name == NULL you have no issues.
If name is real, you have no issues.
If name is freed you will copy garbage, but the only way
for that to happen is that _set_name or _release have to be called
at just the right time.
And the above would probably only be an issue if the set_name
was called, so you will get NULL or a real name.
Is there a reason for the lock here?
Mike
> return dynamic_dname(dentry, buffer, buflen, "/%s:%s",
>dentry->d_name.name, ret > 0 ? name : "");
>@@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf
>*dmabuf, const char __user *buf)
> if (IS_ERR(name))
> return PTR_ERR(name);
>
>- dma_resv_lock(dmabuf->resv, NULL);
>+ spin_lock(&dmabuf->name_lock);
> if (!list_empty(&dmabuf->attachments)) {
> ret = -EBUSY;
> kfree(name);
>@@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf
>*dmabuf, const char __user *buf)
> dmabuf->name = name;
>
> out_unlock:
>- dma_resv_unlock(dmabuf->resv);
>+ spin_unlock(&dmabuf->name_lock);
> return ret;
> }
>
>@@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct seq_file
>*m, struct file *file)
> /* Don't count the temporary reference taken inside procfs seq_show
>*/
> seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1);
> seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name);
>- dma_resv_lock(dmabuf->resv, NULL);
>+ spin_lock(&dmabuf->name_lock);
> if (dmabuf->name)
> seq_printf(m, "name:\t%s\n", dmabuf->name);
>- dma_resv_unlock(dmabuf->resv);
>+ spin_unlock(&dmabuf->name_lock);
> }
>
> static const struct file_operations dma_buf_fops = {
>@@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct
>dma_buf_export_info *exp_info)
> dmabuf->size = exp_info->size;
> dmabuf->exp_name = exp_info->exp_name;
> dmabuf->owner = exp_info->owner;
>+ spin_lock_init(&dmabuf-
Re: [PATCH] dmabuf: use spinlock to access dmabuf->name
Hi Daniel, Chris,
On Thu, 11 Jun 2020 at 19:10, Charan Teja Kalla wrote:
>
> There exists a sleep-while-atomic bug while accessing the dmabuf->name
> under mutex in the dmabuffs_dname(). This is caused from the SELinux
> permissions checks on a process where it tries to validate the inherited
> files from fork() by traversing them through iterate_fd() (which
> traverse files under spin_lock) and call
> match_file(security/selinux/hooks.c) where the permission checks happen.
> This audit information is logged using dump_common_audit_data() where it
> calls d_path() to get the file path name. If the file check happen on
> the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to
> access dmabuf->name. The flow will be like below:
> flush_unauthorized_files()
> iterate_fd()
> spin_lock() --> Start of the atomic section.
> match_file()
> file_has_perm()
> avc_has_perm()
> avc_audit()
> slow_avc_audit()
> common_lsm_audit()
> dump_common_audit_data()
> audit_log_d_path()
> d_path()
> dmabuffs_dname()
> mutex_lock()--> Sleep while atomic.
>
> Call trace captured (on 4.19 kernels) is below:
> ___might_sleep+0x204/0x208
> __might_sleep+0x50/0x88
> __mutex_lock_common+0x5c/0x1068
> __mutex_lock_common+0x5c/0x1068
> mutex_lock_nested+0x40/0x50
> dmabuffs_dname+0xa0/0x170
> d_path+0x84/0x290
> audit_log_d_path+0x74/0x130
> common_lsm_audit+0x334/0x6e8
> slow_avc_audit+0xb8/0xf8
> avc_has_perm+0x154/0x218
> file_has_perm+0x70/0x180
> match_file+0x60/0x78
> iterate_fd+0x128/0x168
> selinux_bprm_committing_creds+0x178/0x248
> security_bprm_committing_creds+0x30/0x48
> install_exec_creds+0x1c/0x68
> load_elf_binary+0x3a4/0x14e0
> search_binary_handler+0xb0/0x1e0
>
> So, use spinlock to access dmabuf->name to avoid sleep-while-atomic.
Any objections to this change? This changes protection only for
dmabuf->name field, but I'd request either of you to review it,
please?
>
> Cc: [5.3+]
> Signed-off-by: Charan Teja Reddy
> ---
> drivers/dma-buf/dma-buf.c | 13 +++--
> include/linux/dma-buf.h | 1 +
> 2 files changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
> index 01ce125..2e0456c 100644
> --- a/drivers/dma-buf/dma-buf.c
> +++ b/drivers/dma-buf/dma-buf.c
> @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, char
> *buffer, int buflen)
> size_t ret = 0;
>
> dmabuf = dentry->d_fsdata;
> - dma_resv_lock(dmabuf->resv, NULL);
> + spin_lock(&dmabuf->name_lock);
> if (dmabuf->name)
> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN);
> - dma_resv_unlock(dmabuf->resv);
> + spin_unlock(&dmabuf->name_lock);
>
> return dynamic_dname(dentry, buffer, buflen, "/%s:%s",
> dentry->d_name.name, ret > 0 ? name : "");
> @@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf,
> const char __user *buf)
> if (IS_ERR(name))
> return PTR_ERR(name);
>
> - dma_resv_lock(dmabuf->resv, NULL);
> + spin_lock(&dmabuf->name_lock);
> if (!list_empty(&dmabuf->attachments)) {
> ret = -EBUSY;
> kfree(name);
> @@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf,
> const char __user *buf)
> dmabuf->name = name;
>
> out_unlock:
> - dma_resv_unlock(dmabuf->resv);
> + spin_unlock(&dmabuf->name_lock);
> return ret;
> }
>
> @@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct seq_file *m,
> struct file *file)
> /* Don't count the temporary reference taken inside procfs seq_show */
> seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1);
> seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name);
> - dma_resv_lock(dmabuf->resv, NULL);
> + spin_lock(&dmabuf->name_lock);
> if (dmabuf->name)
> seq_printf(m, "name:\t%s\n", dmabuf->name);
> - dma_resv_unlock(dmabuf->resv);
> + spin_unlock(&dmabuf->name_lock);
> }
>
> static const struct file_operations dma_buf_fops = {
> @@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct
> dma_buf_export_info *exp_info)
> dmabuf->size = exp_info->size;
> dmabuf->exp_name = exp_info->exp_name;
> dmabuf->owner = exp_info->owner;
> + spin_lock_init(&dmabuf->name_lock);
> init_waitqueue_head(&dmabuf->poll);
> dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll;
> dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0;
> diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h
> index ab0c156..93108fd 100644
> --- a/include/linux/dma-buf.h
> +++ b/include/linux/dma-buf.h
> @@ -311,6 +311,7 @@ struct dma_buf {
> void *vmap_ptr;
> cons
