From: Eric Paris <eparis@redhat.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Paul McKenney <paulmck@linux.vnet.ibm.com>,
	Dave Chinner <david@fromorbit.com>,
	linux-fsdevel@vger.kernel.org,
	James Morris <james.l.morris@oracle.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	"Theodore Ts'o" <tytso@mit.edu>, stable <stable@vger.kernel.org>,
	Paul Moore <paul@paul-moore.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Matthew Wilcox <matthew@wil.cx>,
	Christoph Hellwig <hch@infradead.org>
Subject: Re: [PATCH] vfs: Fix possible NULL pointer dereference in inode_permission()
Date: Thu, 09 Jan 2014 18:37:06 -0500
Message-ID: <1389310626.15209.92.camel@localhost>
In-Reply-To: <20140109182756.17abaaa8@gandalf.local.home>

On Thu, 2014-01-09 at 18:27 -0500, Steven Rostedt wrote:
> On Thu, 9 Jan 2014 18:25:23 -0500
> Steven Rostedt <rostedt@goodmis.org> wrote:
> 
> > On Fri, 10 Jan 2014 06:41:03 +0800
> > Linus Torvalds <torvalds@linux-foundation.org> wrote:
> > 
> > > I think the sane short term fix is to make the kfree() of the i_security
> > > member be a rcu free, and not clear the member.
> > 
> > You mean my first patch?
> > 
> > https://lkml.org/lkml/2014/1/9/349
> > 
> 
> Oh wait, you said not to clear the member. Thus, the patch would look
> like this:
> 
> Signed-off-by: Steven Rostedt <rostedt@goodmis.org>

SMACK also needs this change somehow in smack_inode_free_security()

but at least from an SELinux PoV, I think it's quick and easy, but wrong
for maintainability...


> Index: linux-trace.git/security/selinux/hooks.c
> ===================================================================
> --- linux-trace.git.orig/security/selinux/hooks.c
> +++ linux-trace.git/security/selinux/hooks.c
> @@ -234,6 +234,14 @@ static int inode_alloc_security(struct i
>  	return 0;
>  }
>  
> +static void inode_free_rcu(struct rcu_head *head)
> +{
> +	struct inode_security_struct *isec;
> +
> +	isec = container_of(head, struct inode_security_struct, rcu);
> +	kmem_cache_free(sel_inode_cache, isec);
> +}
> +
>  static void inode_free_security(struct inode *inode)
>  {
>  	struct inode_security_struct *isec = inode->i_security;
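Review bot: inode_free_rcu() carries no comment saying which lockless readers the deferred free is waiting out. Going by the subject line that is the inode_permission() path still dereferencing inode->i_security; a short comment above the callback stating this would keep a later cleanup from turning it back into a direct kmem_cache_free().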
> @@ -244,8 +252,7 @@ static void inode_free_security(struct i
>  		list_del_init(&isec->list);
>  	spin_unlock(&sbsec->isec_lock);
>  
> -	inode->i_security = NULL;
> -	kmem_cache_free(sel_inode_cache, isec);
> +	call_rcu(&isec->rcu, inode_free_rcu);
>  }
>  
>  static int file_alloc_security(struct file *file)
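Review bot: with `inode->i_security = NULL;` dropped, the pointer stays set after inode_free_security() returns and goes stale once the grace period ends. That is safe only if nothing reaches this inode's i_security outside an RCU read-side section after this point, so please add a comment above `call_rcu(&isec->rcu, inode_free_rcu);` saying the pointer is left intact on purpose and what guarantees there is no later reader. The same comment should note that call_rcu() writes into storage shared with isec->list (the union in objsec.h), so it has to stay after the list_del_init() and spin_unlock() lines.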
> Index: linux-trace.git/security/selinux/include/objsec.h
> ===================================================================
> --- linux-trace.git.orig/security/selinux/include/objsec.h
> +++ linux-trace.git/security/selinux/include/objsec.h
> @@ -38,7 +38,10 @@ struct task_security_struct {
>  
>  struct inode_security_struct {
>  	struct inode *inode;	/* back pointer to inode object */
> -	struct list_head list;	/* list of inode_security_struct */
> +	union {
> +		struct list_head list;	/* list of inode_security_struct */
> +		struct rcu_head rcu;	/* for freeing the inode_security_struct */
> +	};
>  	u32 task_sid;		/* SID of creating task */
>  	u32 sid;		/* SID of this object */
>  	u16 sclass;		/* security class of this object */
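Review bot: the anonymous union makes `list` and `rcu` alias, so once call_rcu() has queued the structure, isec->list no longer holds valid list pointers for any code that still looks at it. The comment on `rcu` should state the invariant: the structure must be off the sbsec list before call_rcu() and nothing may touch `list` afterwards. If that cannot be guaranteed for every caller, give `rcu` its own field instead of sharing the space.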


