Message ID | 316a5cf9-ca71-6506-bf8b-e79ded9055b2@codeaurora.org (mailing list archive) |
---|---|
State | Not Applicable, archived |
Headers |
Received: from vger.kernel.org ([23.128.96.18]) by www.linuxtv.org with esmtp (Exim 4.92) (envelope-from <linux-media-owner@vger.kernel.org>) id 1jjNNa-008avf-9j; Thu, 11 Jun 2020 13:36:27 +0000 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728022AbgFKNkV (ORCPT <rfc822;mkrufky@linuxtv.org> + 1 other); Thu, 11 Jun 2020 09:40:21 -0400 Received: from mail27.static.mailgun.info ([104.130.122.27]:35757 "EHLO mail27.static.mailgun.info" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727088AbgFKNkR (ORCPT <rfc822;linux-media@vger.kernel.org>); Thu, 11 Jun 2020 09:40:17 -0400 DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt; s=smtp; t=1591882816; h=Content-Transfer-Encoding: Content-Type: MIME-Version: Date: Message-ID: Subject: From: Cc: To: Sender; bh=ihrRcjhW9ULLbY+ZlVGkZ/PVZKfJ2usDc73eH+pAOvY=; b=Uil+NTUpKOOa8nHeFTQGndl9UYMGYq0aO//iuzg9Dqp1aJFFwVacouPcjpXu+X63caDWdBGH oG4WRQzH98UXzWFdyBoM5eU85OcG81b7uu4u1qUi73owWB6tnRktjIna8icxQ2Ed/mjwJ0KU DFEWv0waW36LpkwKEVi3kw7h0tE= X-Mailgun-Sending-Ip: 104.130.122.27 X-Mailgun-Sid: WyI3ZjU0NiIsICJsaW51eC1tZWRpYUB2Z2VyLmtlcm5lbC5vcmciLCAiYmU5ZTRhIl0= Received: from smtp.codeaurora.org (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by smtp-out-n01.prod.us-east-1.postgun.com with SMTP id 5ee23432c76a4e7a2a8f8d32 (version=TLS1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Thu, 11 Jun 2020 13:40:02 GMT Received: by smtp.codeaurora.org (Postfix, from userid 1001) id 702DCC43387; Thu, 11 Jun 2020 13:40:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-caf-mail-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=2.0 tests=ALL_TRUSTED,SPF_NONE autolearn=unavailable autolearn_force=no version=3.4.0 Received: from [192.168.1.102] (unknown [183.83.143.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: charante) by smtp.codeaurora.org (Postfix) with ESMTPSA id 823FBC433CA; Thu, 11 Jun 2020 13:39:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 823FBC433CA Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=none smtp.mailfrom=charante@codeaurora.org To: Sumit Semwal <sumit.semwal@linaro.org>, "open list:DMA BUFFER SHARING FRAMEWORK" <linux-media@vger.kernel.org>, DRI mailing list <dri-devel@lists.freedesktop.org> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>, LKML <linux-kernel@vger.kernel.org>, vinmenon@codeaurora.org, stable@vger.kernel.org From: Charan Teja Kalla <charante@codeaurora.org> Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name Message-ID: <316a5cf9-ca71-6506-bf8b-e79ded9055b2@codeaurora.org> Date: Thu, 11 Jun 2020 19:09:55 +0530 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: <linux-media.vger.kernel.org> X-Mailing-List: linux-media@vger.kernel.org X-LSpam-Score: -2.3 (--) X-LSpam-Report: No, score=-2.3 required=5.0 tests=BAYES_00=-1.9,DKIM_SIGNED=0.1,HEADER_FROM_DIFFERENT_DOMAINS=0.5,MAILING_LIST_MULTI=-1,T_DKIM_INVALID=0.01 autolearn=ham autolearn_force=no |
Series |
dmabuf: use spinlock to access dmabuf->name
|
|
Commit Message
Charan Teja Reddy
June 11, 2020, 1:39 p.m. UTC
There exists a sleep-while-atomic bug while accessing the dmabuf->name
under mutex in the dmabuffs_dname(). This is caused from the SELinux
permissions checks on a process where it tries to validate the inherited
files from fork() by traversing them through iterate_fd() (which
traverse files under spin_lock) and call
match_file(security/selinux/hooks.c) where the permission checks happen.
This audit information is logged using dump_common_audit_data() where it
calls d_path() to get the file path name. If the file check happen on
the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to
access dmabuf->name. The flow will be like below:
flush_unauthorized_files()
iterate_fd()
spin_lock() --> Start of the atomic section.
match_file()
file_has_perm()
avc_has_perm()
avc_audit()
slow_avc_audit()
common_lsm_audit()
dump_common_audit_data()
audit_log_d_path()
d_path()
dmabuffs_dname()
mutex_lock()--> Sleep while atomic.
Call trace captured (on 4.19 kernels) is below:
___might_sleep+0x204/0x208
__might_sleep+0x50/0x88
__mutex_lock_common+0x5c/0x1068
__mutex_lock_common+0x5c/0x1068
mutex_lock_nested+0x40/0x50
dmabuffs_dname+0xa0/0x170
d_path+0x84/0x290
audit_log_d_path+0x74/0x130
common_lsm_audit+0x334/0x6e8
slow_avc_audit+0xb8/0xf8
avc_has_perm+0x154/0x218
file_has_perm+0x70/0x180
match_file+0x60/0x78
iterate_fd+0x128/0x168
selinux_bprm_committing_creds+0x178/0x248
security_bprm_committing_creds+0x30/0x48
install_exec_creds+0x1c/0x68
load_elf_binary+0x3a4/0x14e0
search_binary_handler+0xb0/0x1e0
So, use spinlock to access dmabuf->name to avoid sleep-while-atomic.
Cc: <stable@vger.kernel.org> [5.3+]
Signed-off-by: Charan Teja Reddy <charante@codeaurora.org>
---
drivers/dma-buf/dma-buf.c | 13 +++++++------
include/linux/dma-buf.h | 1 +
2 files changed, 8 insertions(+), 6 deletions(-)
Comments
Hi Daniel, Chris, On Thu, 11 Jun 2020 at 19:10, Charan Teja Kalla <charante@codeaurora.org> wrote: > > There exists a sleep-while-atomic bug while accessing the dmabuf->name > under mutex in the dmabuffs_dname(). This is caused from the SELinux > permissions checks on a process where it tries to validate the inherited > files from fork() by traversing them through iterate_fd() (which > traverse files under spin_lock) and call > match_file(security/selinux/hooks.c) where the permission checks happen. > This audit information is logged using dump_common_audit_data() where it > calls d_path() to get the file path name. If the file check happen on > the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to > access dmabuf->name. The flow will be like below: > flush_unauthorized_files() > iterate_fd() > spin_lock() --> Start of the atomic section. > match_file() > file_has_perm() > avc_has_perm() > avc_audit() > slow_avc_audit() > common_lsm_audit() > dump_common_audit_data() > audit_log_d_path() > d_path() > dmabuffs_dname() > mutex_lock()--> Sleep while atomic. > > Call trace captured (on 4.19 kernels) is below: > ___might_sleep+0x204/0x208 > __might_sleep+0x50/0x88 > __mutex_lock_common+0x5c/0x1068 > __mutex_lock_common+0x5c/0x1068 > mutex_lock_nested+0x40/0x50 > dmabuffs_dname+0xa0/0x170 > d_path+0x84/0x290 > audit_log_d_path+0x74/0x130 > common_lsm_audit+0x334/0x6e8 > slow_avc_audit+0xb8/0xf8 > avc_has_perm+0x154/0x218 > file_has_perm+0x70/0x180 > match_file+0x60/0x78 > iterate_fd+0x128/0x168 > selinux_bprm_committing_creds+0x178/0x248 > security_bprm_committing_creds+0x30/0x48 > install_exec_creds+0x1c/0x68 > load_elf_binary+0x3a4/0x14e0 > search_binary_handler+0xb0/0x1e0 > > So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. Any objections to this change? This changes protection only for dmabuf->name field, but I'd request either of you to review it, please? > > Cc: <stable@vger.kernel.org> [5.3+] > Signed-off-by: Charan Teja Reddy <charante@codeaurora.org> > --- > drivers/dma-buf/dma-buf.c | 13 +++++++------ > include/linux/dma-buf.h | 1 + > 2 files changed, 8 insertions(+), 6 deletions(-) > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c > index 01ce125..2e0456c 100644 > --- a/drivers/dma-buf/dma-buf.c > +++ b/drivers/dma-buf/dma-buf.c > @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen) > size_t ret = 0; > > dmabuf = dentry->d_fsdata; > - dma_resv_lock(dmabuf->resv, NULL); > + spin_lock(&dmabuf->name_lock); > if (dmabuf->name) > ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); > - dma_resv_unlock(dmabuf->resv); > + spin_unlock(&dmabuf->name_lock); > > return dynamic_dname(dentry, buffer, buflen, "/%s:%s", > dentry->d_name.name, ret > 0 ? name : ""); > @@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) > if (IS_ERR(name)) > return PTR_ERR(name); > > - dma_resv_lock(dmabuf->resv, NULL); > + spin_lock(&dmabuf->name_lock); > if (!list_empty(&dmabuf->attachments)) { > ret = -EBUSY; > kfree(name); > @@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) > dmabuf->name = name; > > out_unlock: > - dma_resv_unlock(dmabuf->resv); > + spin_unlock(&dmabuf->name_lock); > return ret; > } > > @@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file) > /* Don't count the temporary reference taken inside procfs seq_show */ > seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); > seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); > - dma_resv_lock(dmabuf->resv, NULL); > + spin_lock(&dmabuf->name_lock); > if (dmabuf->name) > seq_printf(m, "name:\t%s\n", dmabuf->name); > - dma_resv_unlock(dmabuf->resv); > + spin_unlock(&dmabuf->name_lock); > } > > static const struct file_operations dma_buf_fops = { > @@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) > dmabuf->size = exp_info->size; > dmabuf->exp_name = exp_info->exp_name; > dmabuf->owner = exp_info->owner; > + spin_lock_init(&dmabuf->name_lock); > init_waitqueue_head(&dmabuf->poll); > dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; > dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; > diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h > index ab0c156..93108fd 100644 > --- a/include/linux/dma-buf.h > +++ b/include/linux/dma-buf.h > @@ -311,6 +311,7 @@ struct dma_buf { > void *vmap_ptr; > const char *exp_name; > const char *name; > + spinlock_t name_lock; > struct module *owner; > struct list_head list_node; > void *priv; > -- > The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum, a Linux Foundation Collaborative Project Best, Sumit.
>-----Original Message----- >From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >Charan Teja Kalla >Sent: Thursday, June 11, 2020 9:40 AM >To: Sumit Semwal <sumit.semwal@linaro.org>; open list:DMA BUFFER >SHARING FRAMEWORK <linux-media@vger.kernel.org>; DRI mailing list <dri- >devel@lists.freedesktop.org> >Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >stable@vger.kernel.org >Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name > >There exists a sleep-while-atomic bug while accessing the dmabuf->name >under mutex in the dmabuffs_dname(). This is caused from the SELinux >permissions checks on a process where it tries to validate the inherited >files from fork() by traversing them through iterate_fd() (which >traverse files under spin_lock) and call >match_file(security/selinux/hooks.c) where the permission checks happen. >This audit information is logged using dump_common_audit_data() where it >calls d_path() to get the file path name. If the file check happen on >the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to >access dmabuf->name. The flow will be like below: >flush_unauthorized_files() > iterate_fd() > spin_lock() --> Start of the atomic section. > match_file() > file_has_perm() > avc_has_perm() > avc_audit() > slow_avc_audit() > common_lsm_audit() > dump_common_audit_data() > audit_log_d_path() > d_path() > dmabuffs_dname() > mutex_lock()--> Sleep while atomic. > >Call trace captured (on 4.19 kernels) is below: >___might_sleep+0x204/0x208 >__might_sleep+0x50/0x88 >__mutex_lock_common+0x5c/0x1068 >__mutex_lock_common+0x5c/0x1068 >mutex_lock_nested+0x40/0x50 >dmabuffs_dname+0xa0/0x170 >d_path+0x84/0x290 >audit_log_d_path+0x74/0x130 >common_lsm_audit+0x334/0x6e8 >slow_avc_audit+0xb8/0xf8 >avc_has_perm+0x154/0x218 >file_has_perm+0x70/0x180 >match_file+0x60/0x78 >iterate_fd+0x128/0x168 >selinux_bprm_committing_creds+0x178/0x248 >security_bprm_committing_creds+0x30/0x48 >install_exec_creds+0x1c/0x68 >load_elf_binary+0x3a4/0x14e0 >search_binary_handler+0xb0/0x1e0 > >So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. > >Cc: <stable@vger.kernel.org> [5.3+] >Signed-off-by: Charan Teja Reddy <charante@codeaurora.org> >--- > drivers/dma-buf/dma-buf.c | 13 +++++++------ > include/linux/dma-buf.h | 1 + > 2 files changed, 8 insertions(+), 6 deletions(-) > >diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >index 01ce125..2e0456c 100644 >--- a/drivers/dma-buf/dma-buf.c >+++ b/drivers/dma-buf/dma-buf.c >@@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, >char *buffer, int buflen) > size_t ret = 0; > > dmabuf = dentry->d_fsdata; >- dma_resv_lock(dmabuf->resv, NULL); >+ spin_lock(&dmabuf->name_lock); > if (dmabuf->name) > ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); >- dma_resv_unlock(dmabuf->resv); >+ spin_unlock(&dmabuf->name_lock); I am not really clear on why you need this lock. If name == NULL you have no issues. If name is real, you have no issues. If name is freed you will copy garbage, but the only way for that to happen is that _set_name or _release have to be called at just the right time. And the above would probably only be an issue if the set_name was called, so you will get NULL or a real name. Is there a reason for the lock here? Mike > return dynamic_dname(dentry, buffer, buflen, "/%s:%s", > dentry->d_name.name, ret > 0 ? name : ""); >@@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf >*dmabuf, const char __user *buf) > if (IS_ERR(name)) > return PTR_ERR(name); > >- dma_resv_lock(dmabuf->resv, NULL); >+ spin_lock(&dmabuf->name_lock); > if (!list_empty(&dmabuf->attachments)) { > ret = -EBUSY; > kfree(name); >@@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf >*dmabuf, const char __user *buf) > dmabuf->name = name; > > out_unlock: >- dma_resv_unlock(dmabuf->resv); >+ spin_unlock(&dmabuf->name_lock); > return ret; > } > >@@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct seq_file >*m, struct file *file) > /* Don't count the temporary reference taken inside procfs seq_show >*/ > seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); > seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); >- dma_resv_lock(dmabuf->resv, NULL); >+ spin_lock(&dmabuf->name_lock); > if (dmabuf->name) > seq_printf(m, "name:\t%s\n", dmabuf->name); >- dma_resv_unlock(dmabuf->resv); >+ spin_unlock(&dmabuf->name_lock); > } > > static const struct file_operations dma_buf_fops = { >@@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct >dma_buf_export_info *exp_info) > dmabuf->size = exp_info->size; > dmabuf->exp_name = exp_info->exp_name; > dmabuf->owner = exp_info->owner; >+ spin_lock_init(&dmabuf->name_lock); > init_waitqueue_head(&dmabuf->poll); > dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; > dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; >diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h >index ab0c156..93108fd 100644 >--- a/include/linux/dma-buf.h >+++ b/include/linux/dma-buf.h >@@ -311,6 +311,7 @@ struct dma_buf { > void *vmap_ptr; > const char *exp_name; > const char *name; >+ spinlock_t name_lock; > struct module *owner; > struct list_head list_node; > void *priv; >-- >The Qualcomm Innovation Center, Inc. is a member of the Code Aurora >Forum, a Linux Foundation Collaborative Project >_______________________________________________ >dri-devel mailing list >dri-devel@lists.freedesktop.org >https://lists.freedesktop.org/mailman/listinfo/dri-devel
>-----Original Message----- >From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >Ruhl, Michael J >Sent: Tuesday, June 16, 2020 9:51 AM >To: Charan Teja Kalla <charante@codeaurora.org>; Sumit Semwal ><sumit.semwal@linaro.org>; open list:DMA BUFFER SHARING FRAMEWORK ><linux-media@vger.kernel.org>; DRI mailing list <dri- >devel@lists.freedesktop.org> >Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >stable@vger.kernel.org >Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name > >>-----Original Message----- >>From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >>Charan Teja Kalla >>Sent: Thursday, June 11, 2020 9:40 AM >>To: Sumit Semwal <sumit.semwal@linaro.org>; open list:DMA BUFFER >>SHARING FRAMEWORK <linux-media@vger.kernel.org>; DRI mailing list <dri- >>devel@lists.freedesktop.org> >>Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >>vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >>stable@vger.kernel.org >>Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >> >>There exists a sleep-while-atomic bug while accessing the dmabuf->name >>under mutex in the dmabuffs_dname(). This is caused from the SELinux >>permissions checks on a process where it tries to validate the inherited >>files from fork() by traversing them through iterate_fd() (which >>traverse files under spin_lock) and call >>match_file(security/selinux/hooks.c) where the permission checks happen. >>This audit information is logged using dump_common_audit_data() where it >>calls d_path() to get the file path name. If the file check happen on >>the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to >>access dmabuf->name. The flow will be like below: >>flush_unauthorized_files() >> iterate_fd() >> spin_lock() --> Start of the atomic section. >> match_file() >> file_has_perm() >> avc_has_perm() >> avc_audit() >> slow_avc_audit() >> common_lsm_audit() >> dump_common_audit_data() >> audit_log_d_path() >> d_path() >> dmabuffs_dname() >> mutex_lock()--> Sleep while atomic. >> >>Call trace captured (on 4.19 kernels) is below: >>___might_sleep+0x204/0x208 >>__might_sleep+0x50/0x88 >>__mutex_lock_common+0x5c/0x1068 >>__mutex_lock_common+0x5c/0x1068 >>mutex_lock_nested+0x40/0x50 >>dmabuffs_dname+0xa0/0x170 >>d_path+0x84/0x290 >>audit_log_d_path+0x74/0x130 >>common_lsm_audit+0x334/0x6e8 >>slow_avc_audit+0xb8/0xf8 >>avc_has_perm+0x154/0x218 >>file_has_perm+0x70/0x180 >>match_file+0x60/0x78 >>iterate_fd+0x128/0x168 >>selinux_bprm_committing_creds+0x178/0x248 >>security_bprm_committing_creds+0x30/0x48 >>install_exec_creds+0x1c/0x68 >>load_elf_binary+0x3a4/0x14e0 >>search_binary_handler+0xb0/0x1e0 >> >>So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >> >>Cc: <stable@vger.kernel.org> [5.3+] >>Signed-off-by: Charan Teja Reddy <charante@codeaurora.org> >>--- >> drivers/dma-buf/dma-buf.c | 13 +++++++------ >> include/linux/dma-buf.h | 1 + >> 2 files changed, 8 insertions(+), 6 deletions(-) >> >>diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>index 01ce125..2e0456c 100644 >>--- a/drivers/dma-buf/dma-buf.c >>+++ b/drivers/dma-buf/dma-buf.c >>@@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, >>char *buffer, int buflen) >> size_t ret = 0; >> >> dmabuf = dentry->d_fsdata; >>- dma_resv_lock(dmabuf->resv, NULL); >>+ spin_lock(&dmabuf->name_lock); >> if (dmabuf->name) >> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); >>- dma_resv_unlock(dmabuf->resv); >>+ spin_unlock(&dmabuf->name_lock); > >I am not really clear on why you need this lock. > >If name == NULL you have no issues. >If name is real, you have no issues. > >If name is freed you will copy garbage, but the only way >for that to happen is that _set_name or _release have to be called >at just the right time. > >And the above would probably only be an issue if the set_name >was called, so you will get NULL or a real name. > >Is there a reason for the lock here? > >Mike Maybe dmabuf->name = NULL after the kfree(dmabuf->name) in: dma_buf_release() Would be sufficient? M >> return dynamic_dname(dentry, buffer, buflen, "/%s:%s", >> dentry->d_name.name, ret > 0 ? name : ""); >>@@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf >>*dmabuf, const char __user *buf) >> if (IS_ERR(name)) >> return PTR_ERR(name); >> >>- dma_resv_lock(dmabuf->resv, NULL); >>+ spin_lock(&dmabuf->name_lock); >> if (!list_empty(&dmabuf->attachments)) { >> ret = -EBUSY; >> kfree(name); >>@@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf >>*dmabuf, const char __user *buf) >> dmabuf->name = name; >> >> out_unlock: >>- dma_resv_unlock(dmabuf->resv); >>+ spin_unlock(&dmabuf->name_lock); >> return ret; >> } >> >>@@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct seq_file >>*m, struct file *file) >> /* Don't count the temporary reference taken inside procfs seq_show >>*/ >> seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); >> seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); >>- dma_resv_lock(dmabuf->resv, NULL); >>+ spin_lock(&dmabuf->name_lock); >> if (dmabuf->name) >> seq_printf(m, "name:\t%s\n", dmabuf->name); >>- dma_resv_unlock(dmabuf->resv); >>+ spin_unlock(&dmabuf->name_lock); >> } >> >> static const struct file_operations dma_buf_fops = { >>@@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct >>dma_buf_export_info *exp_info) >> dmabuf->size = exp_info->size; >> dmabuf->exp_name = exp_info->exp_name; >> dmabuf->owner = exp_info->owner; >>+ spin_lock_init(&dmabuf->name_lock); >> init_waitqueue_head(&dmabuf->poll); >> dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; >> dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; >>diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h >>index ab0c156..93108fd 100644 >>--- a/include/linux/dma-buf.h >>+++ b/include/linux/dma-buf.h >>@@ -311,6 +311,7 @@ struct dma_buf { >> void *vmap_ptr; >> const char *exp_name; >> const char *name; >>+ spinlock_t name_lock; >> struct module *owner; >> struct list_head list_node; >> void *priv; >>-- >>The Qualcomm Innovation Center, Inc. is a member of the Code Aurora >>Forum, a Linux Foundation Collaborative Project >>_______________________________________________ >>dri-devel mailing list >>dri-devel@lists.freedesktop.org >>https://lists.freedesktop.org/mailman/listinfo/dri-devel >_______________________________________________ >dri-devel mailing list >dri-devel@lists.freedesktop.org >https://lists.freedesktop.org/mailman/listinfo/dri-devel
Thanks Michael for the comments.. On 6/16/2020 7:29 PM, Ruhl, Michael J wrote: >> -----Original Message----- >> From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >> Ruhl, Michael J >> Sent: Tuesday, June 16, 2020 9:51 AM >> To: Charan Teja Kalla <charante@codeaurora.org>; Sumit Semwal >> <sumit.semwal@linaro.org>; open list:DMA BUFFER SHARING FRAMEWORK >> <linux-media@vger.kernel.org>; DRI mailing list <dri- >> devel@lists.freedesktop.org> >> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >> vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >> stable@vger.kernel.org >> Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name >> >>> -----Original Message----- >>> From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >>> Charan Teja Kalla >>> Sent: Thursday, June 11, 2020 9:40 AM >>> To: Sumit Semwal <sumit.semwal@linaro.org>; open list:DMA BUFFER >>> SHARING FRAMEWORK <linux-media@vger.kernel.org>; DRI mailing list <dri- >>> devel@lists.freedesktop.org> >>> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >>> vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >>> stable@vger.kernel.org >>> Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >>> >>> There exists a sleep-while-atomic bug while accessing the dmabuf->name >>> under mutex in the dmabuffs_dname(). This is caused from the SELinux >>> permissions checks on a process where it tries to validate the inherited >>> files from fork() by traversing them through iterate_fd() (which >>> traverse files under spin_lock) and call >>> match_file(security/selinux/hooks.c) where the permission checks happen. >>> This audit information is logged using dump_common_audit_data() where it >>> calls d_path() to get the file path name. If the file check happen on >>> the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex to >>> access dmabuf->name. The flow will be like below: >>> flush_unauthorized_files() >>> iterate_fd() >>> spin_lock() --> Start of the atomic section. >>> match_file() >>> file_has_perm() >>> avc_has_perm() >>> avc_audit() >>> slow_avc_audit() >>> common_lsm_audit() >>> dump_common_audit_data() >>> audit_log_d_path() >>> d_path() >>> dmabuffs_dname() >>> mutex_lock()--> Sleep while atomic. >>> >>> Call trace captured (on 4.19 kernels) is below: >>> ___might_sleep+0x204/0x208 >>> __might_sleep+0x50/0x88 >>> __mutex_lock_common+0x5c/0x1068 >>> __mutex_lock_common+0x5c/0x1068 >>> mutex_lock_nested+0x40/0x50 >>> dmabuffs_dname+0xa0/0x170 >>> d_path+0x84/0x290 >>> audit_log_d_path+0x74/0x130 >>> common_lsm_audit+0x334/0x6e8 >>> slow_avc_audit+0xb8/0xf8 >>> avc_has_perm+0x154/0x218 >>> file_has_perm+0x70/0x180 >>> match_file+0x60/0x78 >>> iterate_fd+0x128/0x168 >>> selinux_bprm_committing_creds+0x178/0x248 >>> security_bprm_committing_creds+0x30/0x48 >>> install_exec_creds+0x1c/0x68 >>> load_elf_binary+0x3a4/0x14e0 >>> search_binary_handler+0xb0/0x1e0 >>> >>> So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >>> >>> Cc: <stable@vger.kernel.org> [5.3+] >>> Signed-off-by: Charan Teja Reddy <charante@codeaurora.org> >>> --- >>> drivers/dma-buf/dma-buf.c | 13 +++++++------ >>> include/linux/dma-buf.h | 1 + >>> 2 files changed, 8 insertions(+), 6 deletions(-) >>> >>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>> index 01ce125..2e0456c 100644 >>> --- a/drivers/dma-buf/dma-buf.c >>> +++ b/drivers/dma-buf/dma-buf.c >>> @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, >>> char *buffer, int buflen) >>> size_t ret = 0; >>> >>> dmabuf = dentry->d_fsdata; >>> - dma_resv_lock(dmabuf->resv, NULL); >>> + spin_lock(&dmabuf->name_lock); >>> if (dmabuf->name) >>> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); >>> - dma_resv_unlock(dmabuf->resv); >>> + spin_unlock(&dmabuf->name_lock); >> >> I am not really clear on why you need this lock. >> >> If name == NULL you have no issues. >> If name is real, you have no issues. Yeah, ideal cases... >> >> If name is freed you will copy garbage, but the only way >> for that to happen is that _set_name or _release have to be called >> at just the right time. >> >> And the above would probably only be an issue if the set_name >> was called, so you will get NULL or a real name. And there exists a use-after-free to avoid which requires the lock. Say that memcpy() in dmabuffs_dname is in progress and in parallel _set_name will free the same buffer that memcpy is operating on. >> >> Is there a reason for the lock here? >> >> Mike > > Maybe dmabuf->name = NULL after the kfree(dmabuf->name) in: > > dma_buf_release() > > Would be sufficient? I don't think that we will access the 'dmabuf'(thus dmabuf->name) once it is in the dma_buf_release(). So, setting the NULL in the _release() is not required at all. > > M >>> return dynamic_dname(dentry, buffer, buflen, "/%s:%s", >>> dentry->d_name.name, ret > 0 ? name : ""); >>> @@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf >>> *dmabuf, const char __user *buf) >>> if (IS_ERR(name)) >>> return PTR_ERR(name); >>> >>> - dma_resv_lock(dmabuf->resv, NULL); >>> + spin_lock(&dmabuf->name_lock); >>> if (!list_empty(&dmabuf->attachments)) { >>> ret = -EBUSY; >>> kfree(name); >>> @@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf >>> *dmabuf, const char __user *buf) >>> dmabuf->name = name; >>> >>> out_unlock: >>> - dma_resv_unlock(dmabuf->resv); >>> + spin_unlock(&dmabuf->name_lock); >>> return ret; >>> } >>> >>> @@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct seq_file >>> *m, struct file *file) >>> /* Don't count the temporary reference taken inside procfs seq_show >>> */ >>> seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); >>> seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); >>> - dma_resv_lock(dmabuf->resv, NULL); >>> + spin_lock(&dmabuf->name_lock); >>> if (dmabuf->name) >>> seq_printf(m, "name:\t%s\n", dmabuf->name); >>> - dma_resv_unlock(dmabuf->resv); >>> + spin_unlock(&dmabuf->name_lock); >>> } >>> >>> static const struct file_operations dma_buf_fops = { >>> @@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct >>> dma_buf_export_info *exp_info) >>> dmabuf->size = exp_info->size; >>> dmabuf->exp_name = exp_info->exp_name; >>> dmabuf->owner = exp_info->owner; >>> + spin_lock_init(&dmabuf->name_lock); >>> init_waitqueue_head(&dmabuf->poll); >>> dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; >>> dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; >>> diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h >>> index ab0c156..93108fd 100644 >>> --- a/include/linux/dma-buf.h >>> +++ b/include/linux/dma-buf.h >>> @@ -311,6 +311,7 @@ struct dma_buf { >>> void *vmap_ptr; >>> const char *exp_name; >>> const char *name; >>> + spinlock_t name_lock; >>> struct module *owner; >>> struct list_head list_node; >>> void *priv; >>> -- >>> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora >>> Forum, a Linux Foundation Collaborative Project >>> _______________________________________________ >>> dri-devel mailing list >>> dri-devel@lists.freedesktop.org >>> https://lists.freedesktop.org/mailman/listinfo/dri-devel >> _______________________________________________ >> dri-devel mailing list >> dri-devel@lists.freedesktop.org >> https://lists.freedesktop.org/mailman/listinfo/dri-devel
From: Charan Teja Kalla > Sent: 17 June 2020 07:29 ... > >> If name is freed you will copy garbage, but the only way > >> for that to happen is that _set_name or _release have to be called > >> at just the right time. > >> > >> And the above would probably only be an issue if the set_name > >> was called, so you will get NULL or a real name. > > And there exists a use-after-free to avoid which requires the lock. Say > that memcpy() in dmabuffs_dname is in progress and in parallel _set_name > will free the same buffer that memcpy is operating on. If the name is being looked at while the item is being freed you almost certainly have much bigger problems that just the name being a 'junk' pointer. David. - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
On 6/17/2020 1:51 PM, David Laight wrote: > From: Charan Teja Kalla >> Sent: 17 June 2020 07:29 > ... >>>> If name is freed you will copy garbage, but the only way >>>> for that to happen is that _set_name or _release have to be called >>>> at just the right time. >>>> >>>> And the above would probably only be an issue if the set_name >>>> was called, so you will get NULL or a real name. >> >> And there exists a use-after-free to avoid which requires the lock. Say >> that memcpy() in dmabuffs_dname is in progress and in parallel _set_name >> will free the same buffer that memcpy is operating on. > > If the name is being looked at while the item is being freed > you almost certainly have much bigger problems that just > the name being a 'junk' pointer. True, thus needs the lock. > > David. > > - > Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK > Registration No: 1397386 (Wales) >
>-----Original Message----- >From: charante=codeaurora.org@mg.codeaurora.org ><charante=codeaurora.org@mg.codeaurora.org> On Behalf Of Charan Teja >Kalla >Sent: Wednesday, June 17, 2020 2:29 AM >To: Ruhl, Michael J <michael.j.ruhl@intel.com>; Sumit Semwal ><sumit.semwal@linaro.org>; open list:DMA BUFFER SHARING FRAMEWORK ><linux-media@vger.kernel.org>; DRI mailing list <dri- >devel@lists.freedesktop.org> >Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >stable@vger.kernel.org >Subject: Re: [PATCH] dmabuf: use spinlock to access dmabuf->name > >Thanks Michael for the comments.. > >On 6/16/2020 7:29 PM, Ruhl, Michael J wrote: >>> -----Original Message----- >>> From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >>> Ruhl, Michael J >>> Sent: Tuesday, June 16, 2020 9:51 AM >>> To: Charan Teja Kalla <charante@codeaurora.org>; Sumit Semwal >>> <sumit.semwal@linaro.org>; open list:DMA BUFFER SHARING >FRAMEWORK >>> <linux-media@vger.kernel.org>; DRI mailing list <dri- >>> devel@lists.freedesktop.org> >>> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >>> vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >>> stable@vger.kernel.org >>> Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name >>> >>>> -----Original Message----- >>>> From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >>>> Charan Teja Kalla >>>> Sent: Thursday, June 11, 2020 9:40 AM >>>> To: Sumit Semwal <sumit.semwal@linaro.org>; open list:DMA BUFFER >>>> SHARING FRAMEWORK <linux-media@vger.kernel.org>; DRI mailing list ><dri- >>>> devel@lists.freedesktop.org> >>>> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >>>> vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >>>> stable@vger.kernel.org >>>> Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >>>> >>>> There exists a sleep-while-atomic bug while accessing the dmabuf->name >>>> under mutex in the dmabuffs_dname(). This is caused from the SELinux >>>> permissions checks on a process where it tries to validate the inherited >>>> files from fork() by traversing them through iterate_fd() (which >>>> traverse files under spin_lock) and call >>>> match_file(security/selinux/hooks.c) where the permission checks >happen. >>>> This audit information is logged using dump_common_audit_data() >where it >>>> calls d_path() to get the file path name. If the file check happen on >>>> the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex >to >>>> access dmabuf->name. The flow will be like below: >>>> flush_unauthorized_files() >>>> iterate_fd() >>>> spin_lock() --> Start of the atomic section. >>>> match_file() >>>> file_has_perm() >>>> avc_has_perm() >>>> avc_audit() >>>> slow_avc_audit() >>>> common_lsm_audit() >>>> dump_common_audit_data() >>>> audit_log_d_path() >>>> d_path() >>>> dmabuffs_dname() >>>> mutex_lock()--> Sleep while atomic. >>>> >>>> Call trace captured (on 4.19 kernels) is below: >>>> ___might_sleep+0x204/0x208 >>>> __might_sleep+0x50/0x88 >>>> __mutex_lock_common+0x5c/0x1068 >>>> __mutex_lock_common+0x5c/0x1068 >>>> mutex_lock_nested+0x40/0x50 >>>> dmabuffs_dname+0xa0/0x170 >>>> d_path+0x84/0x290 >>>> audit_log_d_path+0x74/0x130 >>>> common_lsm_audit+0x334/0x6e8 >>>> slow_avc_audit+0xb8/0xf8 >>>> avc_has_perm+0x154/0x218 >>>> file_has_perm+0x70/0x180 >>>> match_file+0x60/0x78 >>>> iterate_fd+0x128/0x168 >>>> selinux_bprm_committing_creds+0x178/0x248 >>>> security_bprm_committing_creds+0x30/0x48 >>>> install_exec_creds+0x1c/0x68 >>>> load_elf_binary+0x3a4/0x14e0 >>>> search_binary_handler+0xb0/0x1e0 >>>> >>>> So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >>>> >>>> Cc: <stable@vger.kernel.org> [5.3+] >>>> Signed-off-by: Charan Teja Reddy <charante@codeaurora.org> >>>> --- >>>> drivers/dma-buf/dma-buf.c | 13 +++++++------ >>>> include/linux/dma-buf.h | 1 + >>>> 2 files changed, 8 insertions(+), 6 deletions(-) >>>> >>>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>>> index 01ce125..2e0456c 100644 >>>> --- a/drivers/dma-buf/dma-buf.c >>>> +++ b/drivers/dma-buf/dma-buf.c >>>> @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry >*dentry, >>>> char *buffer, int buflen) >>>> size_t ret = 0; >>>> >>>> dmabuf = dentry->d_fsdata; >>>> - dma_resv_lock(dmabuf->resv, NULL); >>>> + spin_lock(&dmabuf->name_lock); >>>> if (dmabuf->name) >>>> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); >>>> - dma_resv_unlock(dmabuf->resv); >>>> + spin_unlock(&dmabuf->name_lock); >>> >>> I am not really clear on why you need this lock. >>> >>> If name == NULL you have no issues. >>> If name is real, you have no issues. > >Yeah, ideal cases... > >>> >>> If name is freed you will copy garbage, but the only way >>> for that to happen is that _set_name or _release have to be called >>> at just the right time. >>> >>> And the above would probably only be an issue if the set_name >>> was called, so you will get NULL or a real name. > >And there exists a use-after-free to avoid which requires the lock. Say >that memcpy() in dmabuffs_dname is in progress and in parallel _set_name >will free the same buffer that memcpy is operating on. Hmm... I can see that. However, note that in dma_buf_set_name, you cannot use the spinlock to protect the dma_buf->attachements list. I think you need to do this: dma_resv_lock(dmabuf->resv, NULL); if (!list_empty(&dmabuf->attachments)) { ret = -EBUSY; kfree(name); } dma_resv_unlock(dmabuf->resv, NULL); if (ret) return ret; spinlock(nam_lock) namestuff; spinunlock return 0; Mike >>> Is there a reason for the lock here? >>> >>> Mike >> >> Maybe dmabuf->name = NULL after the kfree(dmabuf->name) in: >> >> dma_buf_release() >> >> Would be sufficient? > >I don't think that we will access the 'dmabuf'(thus dmabuf->name) once >it is in the dma_buf_release(). So, setting the NULL in the _release() >is not required at all. > >> >> M >>>> return dynamic_dname(dentry, buffer, buflen, "/%s:%s", >>>> dentry->d_name.name, ret > 0 ? name : ""); >>>> @@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf >>>> *dmabuf, const char __user *buf) >>>> if (IS_ERR(name)) >>>> return PTR_ERR(name); >>>> >>>> - dma_resv_lock(dmabuf->resv, NULL); >>>> + spin_lock(&dmabuf->name_lock); >>>> if (!list_empty(&dmabuf->attachments)) { >>>> ret = -EBUSY; >>>> kfree(name); >>>> @@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf >>>> *dmabuf, const char __user *buf) >>>> dmabuf->name = name; >>>> >>>> out_unlock: >>>> - dma_resv_unlock(dmabuf->resv); >>>> + spin_unlock(&dmabuf->name_lock); >>>> return ret; >>>> } >>>> >>>> @@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct >seq_file >>>> *m, struct file *file) >>>> /* Don't count the temporary reference taken inside procfs seq_show >>>> */ >>>> seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); >>>> seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); >>>> - dma_resv_lock(dmabuf->resv, NULL); >>>> + spin_lock(&dmabuf->name_lock); >>>> if (dmabuf->name) >>>> seq_printf(m, "name:\t%s\n", dmabuf->name); >>>> - dma_resv_unlock(dmabuf->resv); >>>> + spin_unlock(&dmabuf->name_lock); >>>> } >>>> >>>> static const struct file_operations dma_buf_fops = { >>>> @@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct >>>> dma_buf_export_info *exp_info) >>>> dmabuf->size = exp_info->size; >>>> dmabuf->exp_name = exp_info->exp_name; >>>> dmabuf->owner = exp_info->owner; >>>> + spin_lock_init(&dmabuf->name_lock); >>>> init_waitqueue_head(&dmabuf->poll); >>>> dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; >>>> dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; >>>> diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h >>>> index ab0c156..93108fd 100644 >>>> --- a/include/linux/dma-buf.h >>>> +++ b/include/linux/dma-buf.h >>>> @@ -311,6 +311,7 @@ struct dma_buf { >>>> void *vmap_ptr; >>>> const char *exp_name; >>>> const char *name; >>>> + spinlock_t name_lock; >>>> struct module *owner; >>>> struct list_head list_node; >>>> void *priv; >>>> -- >>>> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora >>>> Forum, a Linux Foundation Collaborative Project >>>> _______________________________________________ >>>> dri-devel mailing list >>>> dri-devel@lists.freedesktop.org >>>> https://lists.freedesktop.org/mailman/listinfo/dri-devel >>> _______________________________________________ >>> dri-devel mailing list >>> dri-devel@lists.freedesktop.org >>> https://lists.freedesktop.org/mailman/listinfo/dri-devel > >-- >The Qualcomm Innovation Center, Inc. is a member of the Code Aurora >Forum, a Linux Foundation Collaborative Project
On 6/17/2020 11:13 PM, Ruhl, Michael J wrote: >> -----Original Message----- >> From: charante=codeaurora.org@mg.codeaurora.org >> <charante=codeaurora.org@mg.codeaurora.org> On Behalf Of Charan Teja >> Kalla >> Sent: Wednesday, June 17, 2020 2:29 AM >> To: Ruhl, Michael J <michael.j.ruhl@intel.com>; Sumit Semwal >> <sumit.semwal@linaro.org>; open list:DMA BUFFER SHARING FRAMEWORK >> <linux-media@vger.kernel.org>; DRI mailing list <dri- >> devel@lists.freedesktop.org> >> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >> vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >> stable@vger.kernel.org >> Subject: Re: [PATCH] dmabuf: use spinlock to access dmabuf->name >> >> Thanks Michael for the comments.. >> >> On 6/16/2020 7:29 PM, Ruhl, Michael J wrote: >>>> -----Original Message----- >>>> From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >>>> Ruhl, Michael J >>>> Sent: Tuesday, June 16, 2020 9:51 AM >>>> To: Charan Teja Kalla <charante@codeaurora.org>; Sumit Semwal >>>> <sumit.semwal@linaro.org>; open list:DMA BUFFER SHARING >> FRAMEWORK >>>> <linux-media@vger.kernel.org>; DRI mailing list <dri- >>>> devel@lists.freedesktop.org> >>>> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >>>> vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >>>> stable@vger.kernel.org >>>> Subject: RE: [PATCH] dmabuf: use spinlock to access dmabuf->name >>>> >>>>> -----Original Message----- >>>>> From: dri-devel <dri-devel-bounces@lists.freedesktop.org> On Behalf Of >>>>> Charan Teja Kalla >>>>> Sent: Thursday, June 11, 2020 9:40 AM >>>>> To: Sumit Semwal <sumit.semwal@linaro.org>; open list:DMA BUFFER >>>>> SHARING FRAMEWORK <linux-media@vger.kernel.org>; DRI mailing list >> <dri- >>>>> devel@lists.freedesktop.org> >>>>> Cc: Linaro MM SIG <linaro-mm-sig@lists.linaro.org>; >>>>> vinmenon@codeaurora.org; LKML <linux-kernel@vger.kernel.org>; >>>>> stable@vger.kernel.org >>>>> Subject: [PATCH] dmabuf: use spinlock to access dmabuf->name >>>>> >>>>> There exists a sleep-while-atomic bug while accessing the dmabuf->name >>>>> under mutex in the dmabuffs_dname(). This is caused from the SELinux >>>>> permissions checks on a process where it tries to validate the inherited >>>>> files from fork() by traversing them through iterate_fd() (which >>>>> traverse files under spin_lock) and call >>>>> match_file(security/selinux/hooks.c) where the permission checks >> happen. >>>>> This audit information is logged using dump_common_audit_data() >> where it >>>>> calls d_path() to get the file path name. If the file check happen on >>>>> the dmabuf's fd, then it ends up in ->dmabuffs_dname() and use mutex >> to >>>>> access dmabuf->name. The flow will be like below: >>>>> flush_unauthorized_files() >>>>> iterate_fd() >>>>> spin_lock() --> Start of the atomic section. >>>>> match_file() >>>>> file_has_perm() >>>>> avc_has_perm() >>>>> avc_audit() >>>>> slow_avc_audit() >>>>> common_lsm_audit() >>>>> dump_common_audit_data() >>>>> audit_log_d_path() >>>>> d_path() >>>>> dmabuffs_dname() >>>>> mutex_lock()--> Sleep while atomic. >>>>> >>>>> Call trace captured (on 4.19 kernels) is below: >>>>> ___might_sleep+0x204/0x208 >>>>> __might_sleep+0x50/0x88 >>>>> __mutex_lock_common+0x5c/0x1068 >>>>> __mutex_lock_common+0x5c/0x1068 >>>>> mutex_lock_nested+0x40/0x50 >>>>> dmabuffs_dname+0xa0/0x170 >>>>> d_path+0x84/0x290 >>>>> audit_log_d_path+0x74/0x130 >>>>> common_lsm_audit+0x334/0x6e8 >>>>> slow_avc_audit+0xb8/0xf8 >>>>> avc_has_perm+0x154/0x218 >>>>> file_has_perm+0x70/0x180 >>>>> match_file+0x60/0x78 >>>>> iterate_fd+0x128/0x168 >>>>> selinux_bprm_committing_creds+0x178/0x248 >>>>> security_bprm_committing_creds+0x30/0x48 >>>>> install_exec_creds+0x1c/0x68 >>>>> load_elf_binary+0x3a4/0x14e0 >>>>> search_binary_handler+0xb0/0x1e0 >>>>> >>>>> So, use spinlock to access dmabuf->name to avoid sleep-while-atomic. >>>>> >>>>> Cc: <stable@vger.kernel.org> [5.3+] >>>>> Signed-off-by: Charan Teja Reddy <charante@codeaurora.org> >>>>> --- >>>>> drivers/dma-buf/dma-buf.c | 13 +++++++------ >>>>> include/linux/dma-buf.h | 1 + >>>>> 2 files changed, 8 insertions(+), 6 deletions(-) >>>>> >>>>> diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c >>>>> index 01ce125..2e0456c 100644 >>>>> --- a/drivers/dma-buf/dma-buf.c >>>>> +++ b/drivers/dma-buf/dma-buf.c >>>>> @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry >> *dentry, >>>>> char *buffer, int buflen) >>>>> size_t ret = 0; >>>>> >>>>> dmabuf = dentry->d_fsdata; >>>>> - dma_resv_lock(dmabuf->resv, NULL); >>>>> + spin_lock(&dmabuf->name_lock); >>>>> if (dmabuf->name) >>>>> ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); >>>>> - dma_resv_unlock(dmabuf->resv); >>>>> + spin_unlock(&dmabuf->name_lock); >>>> >>>> I am not really clear on why you need this lock. >>>> >>>> If name == NULL you have no issues. >>>> If name is real, you have no issues. >> >> Yeah, ideal cases... >> >>>> >>>> If name is freed you will copy garbage, but the only way >>>> for that to happen is that _set_name or _release have to be called >>>> at just the right time. >>>> >>>> And the above would probably only be an issue if the set_name >>>> was called, so you will get NULL or a real name. >> >> And there exists a use-after-free to avoid which requires the lock. Say >> that memcpy() in dmabuffs_dname is in progress and in parallel _set_name >> will free the same buffer that memcpy is operating on. > > Hmm... I can see that. > > However, note that in dma_buf_set_name, you cannot use the spinlock > to protect the dma_buf->attachements list. > > I think you need to do this: > > dma_resv_lock(dmabuf->resv, NULL); > if (!list_empty(&dmabuf->attachments)) { > ret = -EBUSY; > kfree(name); > } > dma_resv_unlock(dmabuf->resv, NULL); > if (ret) > return ret; > > spinlock(nam_lock) > namestuff; > spinunlock Hmm..Yes, I should use the dma_resv_lock() to access the ->attachments list. Will correct this in V2. > > return 0; > > Mike > >>>> Is there a reason for the lock here? >>>> >>>> Mike >>> >>> Maybe dmabuf->name = NULL after the kfree(dmabuf->name) in: >>> >>> dma_buf_release() >>> >>> Would be sufficient? >> >> I don't think that we will access the 'dmabuf'(thus dmabuf->name) once >> it is in the dma_buf_release(). So, setting the NULL in the _release() >> is not required at all. >> >>> >>> M >>>>> return dynamic_dname(dentry, buffer, buflen, "/%s:%s", >>>>> dentry->d_name.name, ret > 0 ? name : ""); >>>>> @@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf >>>>> *dmabuf, const char __user *buf) >>>>> if (IS_ERR(name)) >>>>> return PTR_ERR(name); >>>>> >>>>> - dma_resv_lock(dmabuf->resv, NULL); >>>>> + spin_lock(&dmabuf->name_lock); >>>>> if (!list_empty(&dmabuf->attachments)) { >>>>> ret = -EBUSY; >>>>> kfree(name); >>>>> @@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf >>>>> *dmabuf, const char __user *buf) >>>>> dmabuf->name = name; >>>>> >>>>> out_unlock: >>>>> - dma_resv_unlock(dmabuf->resv); >>>>> + spin_unlock(&dmabuf->name_lock); >>>>> return ret; >>>>> } >>>>> >>>>> @@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct >> seq_file >>>>> *m, struct file *file) >>>>> /* Don't count the temporary reference taken inside procfs seq_show >>>>> */ >>>>> seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); >>>>> seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); >>>>> - dma_resv_lock(dmabuf->resv, NULL); >>>>> + spin_lock(&dmabuf->name_lock); >>>>> if (dmabuf->name) >>>>> seq_printf(m, "name:\t%s\n", dmabuf->name); >>>>> - dma_resv_unlock(dmabuf->resv); >>>>> + spin_unlock(&dmabuf->name_lock); >>>>> } >>>>> >>>>> static const struct file_operations dma_buf_fops = { >>>>> @@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct >>>>> dma_buf_export_info *exp_info) >>>>> dmabuf->size = exp_info->size; >>>>> dmabuf->exp_name = exp_info->exp_name; >>>>> dmabuf->owner = exp_info->owner; >>>>> + spin_lock_init(&dmabuf->name_lock); >>>>> init_waitqueue_head(&dmabuf->poll); >>>>> dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; >>>>> dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; >>>>> diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h >>>>> index ab0c156..93108fd 100644 >>>>> --- a/include/linux/dma-buf.h >>>>> +++ b/include/linux/dma-buf.h >>>>> @@ -311,6 +311,7 @@ struct dma_buf { >>>>> void *vmap_ptr; >>>>> const char *exp_name; >>>>> const char *name; >>>>> + spinlock_t name_lock; >>>>> struct module *owner; >>>>> struct list_head list_node; >>>>> void *priv; >>>>> -- >>>>> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora >>>>> Forum, a Linux Foundation Collaborative Project >>>>> _______________________________________________ >>>>> dri-devel mailing list >>>>> dri-devel@lists.freedesktop.org >>>>> https://lists.freedesktop.org/mailman/listinfo/dri-devel >>>> _______________________________________________ >>>> dri-devel mailing list >>>> dri-devel@lists.freedesktop.org >>>> https://lists.freedesktop.org/mailman/listinfo/dri-devel >> >> -- >> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora >> Forum, a Linux Foundation Collaborative Project
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 01ce125..2e0456c 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -45,10 +45,10 @@ static char *dmabuffs_dname(struct dentry *dentry, char *buffer, int buflen) size_t ret = 0; dmabuf = dentry->d_fsdata; - dma_resv_lock(dmabuf->resv, NULL); + spin_lock(&dmabuf->name_lock); if (dmabuf->name) ret = strlcpy(name, dmabuf->name, DMA_BUF_NAME_LEN); - dma_resv_unlock(dmabuf->resv); + spin_unlock(&dmabuf->name_lock); return dynamic_dname(dentry, buffer, buflen, "/%s:%s", dentry->d_name.name, ret > 0 ? name : ""); @@ -335,7 +335,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) if (IS_ERR(name)) return PTR_ERR(name); - dma_resv_lock(dmabuf->resv, NULL); + spin_lock(&dmabuf->name_lock); if (!list_empty(&dmabuf->attachments)) { ret = -EBUSY; kfree(name); @@ -345,7 +345,7 @@ static long dma_buf_set_name(struct dma_buf *dmabuf, const char __user *buf) dmabuf->name = name; out_unlock: - dma_resv_unlock(dmabuf->resv); + spin_unlock(&dmabuf->name_lock); return ret; } @@ -405,10 +405,10 @@ static void dma_buf_show_fdinfo(struct seq_file *m, struct file *file) /* Don't count the temporary reference taken inside procfs seq_show */ seq_printf(m, "count:\t%ld\n", file_count(dmabuf->file) - 1); seq_printf(m, "exp_name:\t%s\n", dmabuf->exp_name); - dma_resv_lock(dmabuf->resv, NULL); + spin_lock(&dmabuf->name_lock); if (dmabuf->name) seq_printf(m, "name:\t%s\n", dmabuf->name); - dma_resv_unlock(dmabuf->resv); + spin_unlock(&dmabuf->name_lock); } static const struct file_operations dma_buf_fops = { @@ -546,6 +546,7 @@ struct dma_buf *dma_buf_export(const struct dma_buf_export_info *exp_info) dmabuf->size = exp_info->size; dmabuf->exp_name = exp_info->exp_name; dmabuf->owner = exp_info->owner; + spin_lock_init(&dmabuf->name_lock); init_waitqueue_head(&dmabuf->poll); dmabuf->cb_excl.poll = dmabuf->cb_shared.poll = &dmabuf->poll; dmabuf->cb_excl.active = dmabuf->cb_shared.active = 0; diff --git a/include/linux/dma-buf.h b/include/linux/dma-buf.h index ab0c156..93108fd 100644 --- a/include/linux/dma-buf.h +++ b/include/linux/dma-buf.h @@ -311,6 +311,7 @@ struct dma_buf { void *vmap_ptr; const char *exp_name; const char *name; + spinlock_t name_lock; struct module *owner; struct list_head list_node; void *priv;