From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: linux-unionfs@vger.kernel.org
Cc: Krisztian Litkey <hackgyver@gmail.com>
Subject: Re: [PATCH 1/1] ovl: setxattr: avoid deadlock when writing IMA xattrs
Date: Sun, 15 May 2016 14:52:47 -0400 [thread overview]
Message-ID: <1463338367.14611.40.camel@linux.vnet.ibm.com> (raw)
Hi Krisztian,
> If we're writing an extended attribute used by IMA, don't
> try to lock sb_writers (mnt_want_write) or i_mutex. We're
> being called from ima_file_free and the necessary locks
> are already being held. Trying to lock them again will
> deadlock.
But it probably isn't the only function calling ovl_setxattr(). So in
addition to testing S_IMA, only if the security.ima xattr is being set,
would this be safe.
Mimi
> In practice we test if the real inode has the S_IMA flag
> set and if it does we call __vfs_setxattr_noperm instead
> of the usual vfs_setxattr we call for all other cases.
>
> Signed-off-by: Krisztian Litkey <kli@iki.fi>
> ---
> fs/overlayfs/inode.c | 24 ++++++++++++++++++------
> 1 file changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
> index b29036a..9257e8d 100644
> --- a/fs/overlayfs/inode.c
> +++ b/fs/overlayfs/inode.c
> @@ -222,12 +222,18 @@ static bool ovl_is_private_xattr(const char *name)
> int ovl_setxattr(struct dentry *dentry, const char *name,
> const void *value, size_t size, int flags)
> {
> - int err;
> + int err, ima;
> struct dentry *upperdentry;
> + struct inode *inode;
>
> - err = ovl_want_write(dentry);
> - if (err)
> - goto out;
> + inode = ovl_dentry_real(dentry)->d_inode;
> + ima = IS_IMA(inode);
> +
> + if (!ima) {
> + err = ovl_want_write(dentry);
> + if (err)
> + goto out;
> + }
>
> err = -EPERM;
> if (ovl_is_private_xattr(name))
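Review bot: the lock bypass introduced by `ima = IS_IMA(inode);` / `if (!ima) {` keys on an inode flag rather than on the attribute being written, so once S_IMA is set on the real inode every ovl_setxattr() call on that file, from any caller and for any xattr name, skips ovl_want_write(). Narrowing the condition so that the write lock is skipped only when IS_IMA() holds and `name` is the security.ima attribute, as Mimi suggests, keeps the mnt_want_write protection for ordinary setxattr callers. Minor: `ima` only ever holds a true/false result and would read better declared as `bool`.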
> @@ -238,10 +244,16 @@ int ovl_setxattr(struct dentry *dentry, const
> char *name,
> goto out_drop_write;
>
> upperdentry = ovl_dentry_upper(dentry);
> - err = vfs_setxattr(upperdentry, name, value, size, flags);
> +
> + if (!ima)
> + err = vfs_setxattr(upperdentry, name, value, size, flags);
> + else
> + err = __vfs_setxattr_noperm(upperdentry, name, value, size,
> + flags);
>
> out_drop_write:
> - ovl_drop_write(dentry);
> + if (!ima)
> + ovl_drop_write(dentry);
> out:
> return err;
> }
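Review bot: `__vfs_setxattr_noperm()`, as its name indicates, skips the permission checks that vfs_setxattr() performs before writing and not only the i_mutex locking, so selecting it on `ima` alone lets any setxattr request on an S_IMA inode reach the upper dentry without those checks. The `else` branch should be taken only for the IMA write the commit message describes (the call from ima_file_free setting security.ima), so the same name test belongs here, and the paired `if (!ima) ovl_drop_write(dentry);` at out_drop_write must use the identical narrowed condition so that want_write and drop_write stay balanced on every path.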
> --
> 2.5.5
>