[xenial, yakkety] [patch] UBUNTU: SAUCE: apparmor: fix sleep in critical section

John Johansen john.johansen at canonical.com
Wed Oct 19 06:17:20 UTC 2016


UBUNTU: SAUCE: apparmor: fix sleep in critical section

path_put() calls dput() which might sleep on some paths. When it does
sleep from these code paths, the per cpu work buffer may get reused
overwriting the data that was just placed in the buffer.

This causes the following mediation to fail as the work buffer no
longer has valid data for the current operation.

BugLink: http://bugs.launchpad.net/bugs/1634753
Signed-off-by: John Johansen <john.johansen at canonical.com>

diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index b380e32..ee07f76 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -405,7 +405,6 @@ int aa_bind_mount(struct aa_label *label, struct path *path,
 						   &old_path),
 			     old_buffer, &old_name, &info,
 			     labels_profile(label)->disconnected);
-	path_put(&old_path);
 	if (error)
 		goto error;
 
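Review bot: with path_put(&old_path) removed ahead of `if (error) goto error;` in aa_bind_mount(), the failure branch no longer drops the reference at this point, so it is only released if the error: label always continues on to out:. That label is outside the visible context; please confirm that every exit taken after the lookup passes through out:, otherwise the old_path reference leaks when the name lookup fails.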
@@ -415,6 +414,7 @@ int aa_bind_mount(struct aa_label *label, struct path *path,
 
 out:
 	put_buffers(buffer, old_buffer);
+	path_put(&old_path);
 
 	return error;
 
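Review bot: the path_put(&old_path) added at out: in aa_bind_mount() is unconditional, whereas the matching put of dev_path in aa_new_mount() is guarded with `if (requires_dev)`. If any earlier `goto` can reach out: before old_path has been filled in by a successful lookup, this releases a struct path that was never acquired. Suggest either guarding the put on the lookup having succeeded, or making sure old_path is in a known state at declaration so the put is harmless on those exits.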
@@ -494,7 +494,6 @@ int aa_move_mount(struct aa_label *label, struct path *path,
 						   &old_path),
 			     old_buffer, &old_name, &info,
 			     labels_profile(label)->disconnected);
-	path_put(&old_path);
 	if (error)
 		goto error;
 
@@ -504,6 +503,7 @@ int aa_move_mount(struct aa_label *label, struct path *path,
 
 out:
 	put_buffers(buffer, old_buffer);
+	path_put(&old_path);
 
 	return error;
 
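Review bot: in aa_move_mount() the new path_put(&old_path) has to stay below put_buffers(buffer, old_buffer), but nothing at the out: label says so. The commit message gives the reason (path_put() may sleep and the per-cpu work buffer can be reused while it does); a short comment at the label recording that ordering constraint would stop a later cleanup from moving the put back above the buffer release. The same applies to the out: label in aa_bind_mount() and cleanup: in aa_new_mount().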
@@ -557,7 +557,6 @@ int aa_new_mount(struct aa_label *label, const char *orig_dev_name,
 						&dev_path),
 				     dev_buffer, &dev_name, &info,
 				     labels_profile(label)->disconnected);
-		path_put(&dev_path);
 		if (error)
 			goto error;
 	}
@@ -574,6 +573,8 @@ int aa_new_mount(struct aa_label *label, const char *orig_dev_name,
 
 cleanup:
 	put_buffers(buffer, dev_buffer);
+	if (requires_dev)
+		path_put(&dev_path);
 
 	return error;
 
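Review bot: at cleanup: in aa_new_mount(), `if (requires_dev) path_put(&dev_path);` keys the release on whether a device path is needed, not on whether dev_path was actually obtained. If a `goto` can reach cleanup: with requires_dev set but before the lookup of dev_path has succeeded, this puts an unset path. Please confirm no such exit exists, or guard on the lookup result instead (for example a local flag set right after the lookup succeeds).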



