[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <7a203ea257e9e3b701344a4bc42fceddff32f915.1485514374.git.jslaby@suse.cz>
Date: Fri, 27 Jan 2017 11:55:47 +0100
From: Jiri Slaby <jslaby@...e.cz>
To: stable@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
John Johansen <john.johansen@...onical.com>,
Jiri Slaby <jslaby@...e.cz>
Subject: [PATCH 3.12 214/235] apparmor: fix refcount race when finding a child profile
From: John Johansen <john.johansen@...onical.com>
3.12-stable review patch. If anyone has any objections, please let me know.
===============
commit de7c4cc947f9f56f61520ee7edaf380434a98c8d upstream.
When finding a child profile via an rcu critical section, the profile
may be put and scheduled for deletion after the child is found but
before its refcount is incremented.
Protect against this by repeating the lookup if the profiles refcount
is 0 and is one its way to deletion.
Signed-off-by: John Johansen <john.johansen@...onical.com>
Acked-by: Seth Arnold <seth.arnold@...onical.com>
Signed-off-by: Jiri Slaby <jslaby@...e.cz>
---
security/apparmor/policy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index ca402d028db8..780712553651 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -766,7 +766,9 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
struct aa_profile *profile;
rcu_read_lock();
- profile = aa_get_profile(__find_child(&parent->base.profiles, name));
+ do {
+ profile = __find_child(&parent->base.profiles, name);
+ } while (profile && !aa_get_profile_not0(profile));
rcu_read_unlock();
/* refcount released by caller */
--
2.11.0
Powered by blists - more mailing lists