Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit be29d20f authored by Jan Kara's avatar Jan Kara Committed by Paul Moore
Browse files

audit: Fix sleep in atomic 



Audit tree code was happily adding new notification marks while holding
spinlocks. Since fsnotify_add_mark() acquires group->mark_mutex this can
lead to sleeping while holding a spinlock, deadlocks due to lock
inversion, and probably other fun. Fix the problem by acquiring
group->mark_mutex earlier.

CC: Paul Moore <paul@paul-moore.com>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
parent e3ba7307

kernel/audit_tree.c

+14 −4
Original line number Diff line number Diff line
@@ -231,9 +231,11 @@ static void untag_chunk(struct node *p) 
	if (size)

		new = alloc_chunk(size);



	mutex_lock(&entry->group->mark_mutex);

	spin_lock(&entry->lock);

	if (chunk->dead || !entry->inode) {

		spin_unlock(&entry->lock);

		mutex_unlock(&entry->group->mark_mutex);

		if (new)

			free_chunk(new);

		goto out;
@@ -251,6 +253,7 @@ static void untag_chunk(struct node *p) 
		list_del_rcu(&chunk->hash);

		spin_unlock(&hash_lock);

		spin_unlock(&entry->lock);

		mutex_unlock(&entry->group->mark_mutex);

		fsnotify_destroy_mark(entry, audit_tree_group);

		goto out;

	}
@@ -258,8 +261,8 @@ static void untag_chunk(struct node *p) 
	if (!new)

		goto Fallback;



	if (fsnotify_add_mark(&new->mark,

			      entry->group, entry->inode, NULL, 1)) {

	if (fsnotify_add_mark_locked(&new->mark, entry->group, entry->inode,

				     NULL, 1)) {

		fsnotify_put_mark(&new->mark);

		goto Fallback;

	}
@@ -293,6 +296,7 @@ static void untag_chunk(struct node *p) 
		owner->root = new;

	spin_unlock(&hash_lock);

	spin_unlock(&entry->lock);

	mutex_unlock(&entry->group->mark_mutex);

	fsnotify_destroy_mark(entry, audit_tree_group);

	fsnotify_put_mark(&new->mark);	/* drop initial reference */

	goto out;
@@ -309,6 +313,7 @@ static void untag_chunk(struct node *p) 
	put_tree(owner);

	spin_unlock(&hash_lock);

	spin_unlock(&entry->lock);

	mutex_unlock(&entry->group->mark_mutex);

out:

	fsnotify_put_mark(entry);

	spin_lock(&hash_lock);
@@ -386,18 +391,21 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) 


	chunk_entry = &chunk->mark;



	mutex_lock(&old_entry->group->mark_mutex);

	spin_lock(&old_entry->lock);

	if (!old_entry->inode) {

		/* old_entry is being shot, lets just lie */

		spin_unlock(&old_entry->lock);

		mutex_unlock(&old_entry->group->mark_mutex);

		fsnotify_put_mark(old_entry);

		free_chunk(chunk);

		return -ENOENT;

	}



	if (fsnotify_add_mark(chunk_entry,

			      old_entry->group, old_entry->inode, NULL, 1)) {

	if (fsnotify_add_mark_locked(chunk_entry, old_entry->group,

				     old_entry->inode, NULL, 1)) {

		spin_unlock(&old_entry->lock);

		mutex_unlock(&old_entry->group->mark_mutex);

		fsnotify_put_mark(chunk_entry);

		fsnotify_put_mark(old_entry);

		return -ENOSPC;
@@ -413,6 +421,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) 
		chunk->dead = 1;

		spin_unlock(&chunk_entry->lock);

		spin_unlock(&old_entry->lock);

		mutex_unlock(&old_entry->group->mark_mutex);



		fsnotify_destroy_mark(chunk_entry, audit_tree_group);
@@ -445,6 +454,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) 
	spin_unlock(&hash_lock);

	spin_unlock(&chunk_entry->lock);

	spin_unlock(&old_entry->lock);

	mutex_unlock(&old_entry->group->mark_mutex);

	fsnotify_destroy_mark(old_entry, audit_tree_group);

	fsnotify_put_mark(chunk_entry);	/* drop initial reference */

	fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */