From: Will Deacon <will@kernel.org>
To: selinux@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Will Deacon <will@kernel.org>,
	Paul Moore <paul@paul-moore.com>,
	Ondrej Mosnacek <omosnace@redhat.com>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	Jeffrey Vander Stoep <jeffv@google.com>
Subject: [RFC PATCH 0/2] Avoid blocking in selinux inode callbacks on RCU walk
Date: Tue, 19 Nov 2019 18:40:55 +0000
Message-ID: <20191119184057.14961-1-will@kernel.org>

Hi all,

While debugging a KASAN report in the selinux access vector cache hash
table, I noticed that it looks like we may block in the
inode_follow_link() and inode_permission() callbacks, even when called
from the VFS layer as part of an RCU-protected path walk.

These two patches attempt to fix that, but since I found this by
inspection and I'm not familiar with this code, I'm sending as an RFC in
case I missed something that means this cannot happen.

Comments very welcome,

Will

Cc: Paul Moore <paul@paul-moore.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Jeffrey Vander Stoep <jeffv@google.com>

--->8

Will Deacon (2):
  selinux: Don't call avc_compute_av() from RCU path walk
  selinux: Propagate RCU walk status from 'security_inode_follow_link()'

 security/selinux/avc.c         | 21 +++++++++++++--------
 security/selinux/hooks.c       |  5 +++--
 security/selinux/include/avc.h | 12 ++++++++----
 3 files changed, 24 insertions(+), 14 deletions(-)

-- 
2.24.0.432.g9d3f5f5b63-goog