| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7358f12d852964d9209492e337d33b8880234b74.camel@huaweicloud.com> Date: Wed, 09 Oct 2024 18:25:45 +0200 From: Roberto Sassu <roberto.sassu@...weicloud.com> To: Paul Moore <paul@...l-moore.com> Cc: zohar@...ux.ibm.com, dmitry.kasatkin@...il.com, eric.snowberg@...cle.com, jmorris@...ei.org, serge@...lyn.com, linux-integrity@...r.kernel.org, linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org, bpf@...r.kernel.org, ebpqwerty472123@...il.com, Roberto Sassu <roberto.sassu@...wei.com> Subject: Re: [PATCH 1/3] ima: Remove inode lock On Wed, 2024-10-09 at 11:37 -0400, Paul Moore wrote: > On Wed, Oct 9, 2024 at 11:36 AM Paul Moore <paul@...l-moore.com> wrote: > > On Tue, Oct 8, 2024 at 12:57 PM Roberto Sassu > > <roberto.sassu@...weicloud.com> wrote: > > > > > > From: Roberto Sassu <roberto.sassu@...wei.com> > > > > > > Move out the mutex in the ima_iint_cache structure to a new structure > > > called ima_iint_cache_lock, so that a lock can be taken regardless of > > > whether or not inode integrity metadata are stored in the inode. > > > > > > Introduce ima_inode_security() to simplify accessing the new structure in > > > the inode security blob. > > > > > > Move the mutex initialization and annotation in the new function > > > ima_inode_alloc_security() and introduce ima_iint_lock() and > > > ima_iint_unlock() to respectively lock and unlock the mutex. > > > > > > Finally, expand the critical region in process_measurement() guarded by > > > iint->mutex up to where the inode was locked, use only one iint lock in > > > __ima_inode_hash(), since the mutex is now in the inode security blob, and > > > replace the inode_lock()/inode_unlock() calls in ima_check_last_writer(). > > > > > > Signed-off-by: Roberto Sassu <roberto.sassu@...wei.com> > > > --- > > > security/integrity/ima/ima.h | 26 ++++++++--- > > > security/integrity/ima/ima_api.c | 4 +- > > > security/integrity/ima/ima_iint.c | 77 ++++++++++++++++++++++++++----- > > > security/integrity/ima/ima_main.c | 39 +++++++--------- > > > 4 files changed, 104 insertions(+), 42 deletions(-) > > > > I'm not an IMA expert, but it looks reasonable to me, although > > shouldn't this carry a stable CC in the patch metadata? > > > > Reviewed-by: Paul Moore <paul@...l-moore.com> > > Sorry, one more thing ... did you verify this patchset resolves the > syzbot problem? I saw at least one reproducer. Uhm, could not reproduce the deadlock with the reproducer. However, without the patch I have a lockdep warning, and with I don't. I asked syzbot to try the patches. Let's see. Thanks Roberto
Powered by blists - more mailing lists