From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753248AbcLMEtr (ORCPT ); Mon, 12 Dec 2016 23:49:47 -0500 Received: from mx1.redhat.com ([209.132.183.28]:40192 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751569AbcLMEtq (ORCPT ); Mon, 12 Dec 2016 23:49:46 -0500 Date: Mon, 12 Dec 2016 23:49:42 -0500 From: Richard Guy Briggs To: Paul Moore Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com, edumazet@google.com, xiyou.wangcong@gmail.com, dvyukov@google.com Subject: Re: [PATCH v2] audit: use proper refcount locking on audit_sock Message-ID: <20161213044942.GD1305@madcap2.tricolour.ca> References: <20161212100215.GA1305@madcap2.tricolour.ca> <5714bd7468cfec225407a6c367e658478d590495.1481534171.git.rgb@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.39]); Tue, 13 Dec 2016 04:49:45 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2016-12-12 12:10, Paul Moore wrote: > On Mon, Dec 12, 2016 at 5:03 AM, Richard Guy Briggs wrote: > > Resetting audit_sock appears to be racy. > > > > audit_sock was being copied and dereferenced without using a refcount on > > the source sock. > > > > Bump the refcount on the underlying sock when we store a refrence in > > audit_sock and release it when we reset audit_sock. audit_sock > > modification needs the audit_cmd_mutex. > > > > See: https://lkml.org/lkml/2016/11/26/232 > > > > Thanks to Eric Dumazet and Cong Wang > > on ideas how to fix it. > > > > Signed-off-by: Richard Guy Briggs > > --- > > There has been a lot of change in the audit code that is about to go > > upstream to address audit queue issues. This patch is based on the > > source tree: git://git.infradead.org/users/pcmoore/audit#next > > --- > > kernel/audit.c | 34 ++++++++++++++++++++++++++++------ > > 1 files changed, 28 insertions(+), 6 deletions(-) > > This is coming in pretty late for the v4.10 merge window, much later > than I would usually take things, but this is arguably important, and > (at first glance) relatively low risk - what testing have you done on > this? At this point, compile and boot, and I'm able to compile and run the supplied test code without any issues. > > diff --git a/kernel/audit.c b/kernel/audit.c > > index f20eee0..439f7f3 100644 > > --- a/kernel/audit.c > > +++ b/kernel/audit.c > > @@ -452,7 +452,9 @@ static void auditd_reset(void) > > struct sk_buff *skb; > > > > /* break the connection */ > > + sock_put(audit_sock); > > audit_pid = 0; > > + audit_nlk_portid = 0; > > audit_sock = NULL; > > > > /* flush all of the retry queue to the hold queue */ > > @@ -478,6 +480,12 @@ static int kauditd_send_unicast_skb(struct sk_buff *skb) > > if (rc >= 0) { > > consume_skb(skb); > > rc = 0; > > + } else { > > + if (rc & (-ENOMEM|-EPERM|-ECONNREFUSED)) { > > + mutex_lock(&audit_cmd_mutex); > > + auditd_reset(); > > + mutex_unlock(&audit_cmd_mutex); > > + } > > } > > > > return rc; > > @@ -579,7 +587,9 @@ static int kauditd_thread(void *dummy) > > > > auditd = 0; > > if (AUDITD_BAD(rc, reschedule)) { > > + mutex_lock(&audit_cmd_mutex); > > auditd_reset(); > > + mutex_unlock(&audit_cmd_mutex); > > reschedule = 0; > > } > > } else > > @@ -594,7 +604,9 @@ static int kauditd_thread(void *dummy) > > auditd = 0; > > if (AUDITD_BAD(rc, reschedule)) { > > kauditd_hold_skb(skb); > > + mutex_lock(&audit_cmd_mutex); > > auditd_reset(); > > + mutex_unlock(&audit_cmd_mutex); > > reschedule = 0; > > } else > > /* temporary problem (we hope), queue > > @@ -623,7 +635,9 @@ quick_loop: > > if (rc) { > > auditd = 0; > > if (AUDITD_BAD(rc, reschedule)) { > > + mutex_lock(&audit_cmd_mutex); > > auditd_reset(); > > + mutex_unlock(&audit_cmd_mutex); > > reschedule = 0; > > } > > > > @@ -1004,17 +1018,22 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) > > return -EACCES; > > } > > if (audit_pid && new_pid && > > - audit_replace(requesting_pid) != -ECONNREFUSED) { > > + (audit_replace(requesting_pid) & (-ECONNREFUSED|-EPERM|-ENOMEM))) { > > audit_log_config_change("audit_pid", new_pid, audit_pid, 0); > > return -EEXIST; > > } > > if (audit_enabled != AUDIT_OFF) > > audit_log_config_change("audit_pid", new_pid, audit_pid, 1); > > - audit_pid = new_pid; > > - audit_nlk_portid = NETLINK_CB(skb).portid; > > - audit_sock = skb->sk; > > - if (!new_pid) > > + if (new_pid) { > > + if (audit_sock) > > + sock_put(audit_sock); > > + audit_pid = new_pid; > > + audit_nlk_portid = NETLINK_CB(skb).portid; > > + sock_hold(skb->sk); > > + audit_sock = skb->sk; > > + } else { > > auditd_reset(); > > + } > > wake_up_interruptible(&kauditd_wait); > > } > > if (s.mask & AUDIT_STATUS_RATE_LIMIT) { > > @@ -1283,8 +1302,11 @@ static void __net_exit audit_net_exit(struct net *net) > > { > > struct audit_net *aunet = net_generic(net, audit_net_id); > > struct sock *sock = aunet->nlsk; > > - if (sock == audit_sock) > > + if (sock == audit_sock) { > > + mutex_lock(&audit_cmd_mutex); > > auditd_reset(); > > + mutex_unlock(&audit_cmd_mutex); > > + } > > > > RCU_INIT_POINTER(aunet->nlsk, NULL); > > synchronize_net(); > > -- > > 1.7.1 > > > > -- > > Linux-audit mailing list > > Linux-audit@redhat.com > > https://www.redhat.com/mailman/listinfo/linux-audit > > > > -- > paul moore > www.paul-moore.com - RGB -- Richard Guy Briggs Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635