    dmabuf: use spinlock to access dmabuf->name · 6348dd29
    Charan Teja Kalla authored
    There exists a sleep-while-atomic bug while accessing the dmabuf->name
    under mutex in the dmabuffs_dname(). This is caused from the SELinux
    permissions checks on a process where it tries to validate the inherited
    files from fork() by traversing them through iterate_fd() (which
    traverses files under spin_lock) and calls
    match_file(security/selinux/hooks.c) where the permission checks happen.
    This audit information is logged using dump_common_audit_data() where it
    calls d_path() to get the file path name. If the file check happens on
    the dmabuf's fd, then it ends up in ->dmabuffs_dname() and uses a mutex to
    access dmabuf->name. The flow will be like below:
    flush_unauthorized_files()
      iterate_fd()
        spin_lock() --> Start of the atomic section.
          match_file()
            file_has_perm()
              avc_has_perm()
                avc_audit()
                  slow_avc_audit()
                    common_lsm_audit()
                      dump_common_audit_data()
                        audit_log_d_path()
                          d_path()
                            dmabuffs_dname()
                              mutex_lock() --> Sleep while atomic.
    
    Call trace captured (on 4.19 kernels) is below:
    ___might_sleep+0x204/0x208
    __might_sleep+0x50/0x88
    __mutex_lock_common+0x5c/0x1068
    __mutex_lock_common+0x5c/0x1068
    mutex_lock_nested+0x40/0x50
    dmabuffs_dname+0xa0/0x170
    d_path+0x84/0x290
    audit_log_d_path+0x74/0x130
    common_lsm_audit+0x334/0x6e8
    slow_avc_audit+0xb8/0xf8
    avc_has_perm+0x154/0x218
    file_has_perm+0x70/0x180
    match_file+0x60/0x78
    iterate_fd+0x128/0x168
    selinux_bprm_committing_creds+0x178/0x248
    security_bprm_committing_creds+0x30/0x48
    install_exec_creds+0x1c/0x68
    load_elf_binary+0x3a4/0x14e0
    search_binary_handler+0xb0/0x1e0
    
    So, use spinlock to access dmabuf->name to avoid sleep-while-atomic.
    
    Cc: <stable@vger.kernel.org> [5.3+]
    Signed-off-by: Charan Teja Kalla <charante@codeaurora.org>
    Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
    Acked-by: Christian König <christian.koenig@amd.com>
     [sumits: added comment to spinlock_t definition to avoid warning]
    Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
    Link: https://patchwork.freedesktop.org/patch/msgid/a83e7f0d-4e54-9848-4b58-e1acdbe06735@codeaurora.org
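The rule the call trace above violates is that a sleeping lock (mutex_lock) must never be taken while a spinlock is held, because spin_lock() disables preemption and the kernel's might_sleep() check fires. The following userspace model is an added example, not kernel code and not the diff of this commit: it mimics the preempt_count accounting with plain integers, reproduces the iterate_fd() -> d_path() -> dmabuffs_dname() nesting from the message, and contrasts a dname helper that takes a mutex with one that takes a spinlock. All model_ names, the name_lock field, the "/dmabuf:<name>" format and the sample name "camera_frame" are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed single-threaded model (added example, not the kernel's or the
 * dma-buf code): spin_lock() enters an atomic section (preempt_count++), and a
 * sleeping lock such as mutex_lock() calls might_sleep(), which reports a bug
 * whenever it runs with preempt_count != 0. Locks are plain "held" flags. */

static int preempt_count;        /* depth of nested atomic sections */
static int might_sleep_reports;  /* number of "sleeping while atomic" reports */

struct model_spinlock { int held; };
struct model_mutex    { int held; };

static void model_spin_lock(struct model_spinlock *l)
{
    l->held = 1;
    preempt_count++;             /* preemption disabled: no sleeping from here on */
}

static void model_spin_unlock(struct model_spinlock *l)
{
    preempt_count--;
    l->held = 0;
}

static void model_might_sleep(const char *caller)
{
    /* Mirrors what ___might_sleep() in the trace checks. */
    if (preempt_count != 0) {
        might_sleep_reports++;
        fprintf(stderr, "BUG: sleeping function called from invalid context: %s\n", caller);
    }
}

static void model_mutex_lock(struct model_mutex *m)
{
    model_might_sleep("mutex_lock");
    m->held = 1;
}

static void model_mutex_unlock(struct model_mutex *m)
{
    m->held = 0;
}

/* Minimal stand-in for struct dma_buf: the name plus the two candidate locks. */
struct model_dma_buf {
    const char *name;
    struct model_mutex lock;         /* mutex used by the pre-fix dmabuffs_dname() */
    struct model_spinlock name_lock; /* spinlock guarding name, as the fix describes (name assumed) */
};

/* Pre-fix shape of dmabuffs_dname(): reads dmabuf->name under the mutex. */
static int dname_under_mutex(struct model_dma_buf *d, char *buf, size_t len)
{
    model_mutex_lock(&d->lock);
    int n = snprintf(buf, len, "/dmabuf:%s", d->name ? d->name : "");
    model_mutex_unlock(&d->lock);
    return n;
}

/* Post-fix shape: the same read under a spinlock, which is legal in atomic context. */
static int dname_under_spinlock(struct model_dma_buf *d, char *buf, size_t len)
{
    model_spin_lock(&d->name_lock);
    int n = snprintf(buf, len, "/dmabuf:%s", d->name ? d->name : "");
    model_spin_unlock(&d->name_lock);
    return n;
}

/* Stand-in for the audit path in the commit message: iterate_fd() takes a
 * spinlock, then the SELinux audit code reaches d_path() -> dmabuffs_dname()
 * while that spinlock is still held. Returns how many sleep-while-atomic
 * reports the call produced (1 for the mutex variant, 0 for the spinlock one). */
static int audit_path_under_iterate_fd(struct model_dma_buf *d, int fixed, char *buf, size_t len)
{
    static struct model_spinlock file_lock;  /* files->file_lock in iterate_fd() */
    int before = might_sleep_reports;

    model_spin_lock(&file_lock);             /* start of the atomic section */
    if (fixed)
        dname_under_spinlock(d, buf, len);   /* match_file() -> ... -> d_path() -> dname */
    else
        dname_under_mutex(d, buf, len);
    model_spin_unlock(&file_lock);

    return might_sleep_reports - before;
}

int main(void)
{
    struct model_dma_buf d = { "camera_frame", { 0 }, { 0 } };  /* constructed sample */
    char path[64];

    printf("mutex variant:    %d report(s), path %s\n",
           audit_path_under_iterate_fd(&d, 0, path, sizeof path), path);
    printf("spinlock variant: %d report(s), path %s\n",
           audit_path_under_iterate_fd(&d, 1, path, sizeof path), path);
    return 0;
}
```

The model only tracks the atomic-context accounting, not real blocking, which is exactly the property the fix restores: the spinlock variant reads the name from the same nesting depth without tripping might_sleep(), while the mutex variant reports once per audit call.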