From: Casey Schaufler <casey@schaufler-ca.com>
To: Vishal Goel <goel.cool@gmail.com>,
linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: Casey Schaufler <casey@schaufler-ca.com>
Subject: Re: Fix for synchronization issue in IPV6 implementation in smack module(v3.18)
Date: Thu, 08 Jan 2015 16:09:30 -0800 [thread overview]
Message-ID: <54AF1C3A.3060104@schaufler-ca.com> (raw)
In-Reply-To: <CABP0=5eXSCW=yp8iqyXNzXMsYNM7L0T0TFefrOZsj2wpbakfXQ@mail.gmail.com>
On 1/8/2015 8:41 AM, Vishal Goel wrote:
> [PATCH] This patch fixes the synchronization issue in IPv6
> implementation. Previously there was no synchronization mechanism used while
> accessing(adding/reading/deletion) smk_ipv6_port_list. It could be possible
> that when one thread is reading the list, at the same time another thread is
> adding/deleting in the list.So it is possible that reader thread will read
> the inaccurate or incomplete list. So to make sure that reader thread will
> read the accurate list, rcu mechanism has been used while accessing the
> list.RCU allows readers to access a data structure even when it is in the
> process of being updated
>
> Signed-off-by: Vishal Goel <vishal.goel@samsung.com>
> Himanshu Shukla <himanshu.sh@samsung.com>
Your three patches are whitespace mangled.
They also need to be rebased on my current tree:
git://git.gitorious.org/smack-next/kernel.git
using the branch smack-for-3.20. They look OK, but I can't apply them as they are.
Thank you.
> ---
> security/smack/smack_lsm.c | 21 +++++++++++++++------
> 1 file changed, 15 insertions(+), 6 deletions(-)
>
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
> index d515ec2..b3427ee 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -52,6 +52,7 @@
> #define SMK_RECEIVING 1
> #define SMK_SENDING 2
>
> +DEFINE_MUTEX(smack_ipv6_lock);
> LIST_HEAD(smk_ipv6_port_list);
>
> #ifdef CONFIG_SECURITY_SMACK_BRINGUP
> @@ -2232,17 +2233,20 @@ static void smk_ipv6_port_label(struct socket
> *sock, struct sockaddr *address)
> * on the bound socket. Take the changes to the port
> * as well.
> */
> - list_for_each_entry(spp, &smk_ipv6_port_list, list) {
> + rcu_read_lock();
> + list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
> if (sk != spp->smk_sock)
> continue;
> spp->smk_in = ssp->smk_in;
> spp->smk_out = ssp->smk_out;
> + rcu_read_unlock();
> return;
> }
> /*
> * A NULL address is only used for updating existing
> * bound entries. If there isn't one, it's OK.
> */
> + rcu_read_unlock();
> return;
> }
>
> @@ -2258,16 +2262,18 @@ static void smk_ipv6_port_label(struct socket
> *sock, struct sockaddr *address)
> * Look for an existing port list entry.
> * This is an indication that a port is getting reused.
> */
> - list_for_each_entry(spp, &smk_ipv6_port_list, list) {
> + rcu_read_lock();
> + list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
> if (spp->smk_port != port)
> continue;
> spp->smk_port = port;
> spp->smk_sock = sk;
> spp->smk_in = ssp->smk_in;
> spp->smk_out = ssp->smk_out;
> + rcu_read_unlock();
> return;
> }
> -
> + rcu_read_unlock();
> /*
> * A new port entry is required.
> */
> @@ -2280,7 +2286,9 @@ static void smk_ipv6_port_label(struct socket
> *sock, struct sockaddr *address)
> spp->smk_in = ssp->smk_in;
> spp->smk_out = ssp->smk_out;
>
> - list_add(&spp->list, &smk_ipv6_port_list);
> + mutex_lock(&smack_ipv6_lock);
> + list_add_rcu(&spp->list, &smk_ipv6_port_list);
> + mutex_unlock(&smack_ipv6_lock);
> return;
> }
>
> @@ -2335,8 +2343,8 @@ static int smk_ipv6_port_check(struct sock *sk,
> struct sockaddr_in6 *address,
> skp = &smack_known_web;
> goto auditout;
> }
> -
> - list_for_each_entry(spp, &smk_ipv6_port_list, list) {
> + rcu_read_lock();
> + list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
> if (spp->smk_port != port)
> continue;
> object = spp->smk_in;
> @@ -2344,6 +2352,7 @@ static int smk_ipv6_port_check(struct sock *sk,
> struct sockaddr_in6 *address,
> ssp->smk_packet = spp->smk_out;
> break;
> }
> + rcu_read_unlock();
>
> auditout:
>
> --
> 1.8.3.2
>
next prev parent reply other threads:[~2015-01-09 0:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-08 16:41 Fix for synchronization issue in IPV6 implementation in smack module(v3.18) Vishal Goel
2015-01-09 0:09 ` Casey Schaufler [this message]
2015-01-09 13:42 ` Ahmed S. Darwish
2015-01-09 17:44 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54AF1C3A.3060104@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=goel.cool@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.