Bug 142353 - SELinux oops
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 2
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: James Morris
QA Contact: Brian Brock
Reported: 2004-12-09 02:23 EST by Alan Cox
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2005-02-22 13:02:43 EST

Attachments:
Proposed fix. (1.15 KB, patch) - 2004-12-09 16:54 EST, James Morris
Updated patch (1.54 KB, patch) - 2004-12-10 11:32 EST, James Morris

Description Alan Cox 2004-12-09 02:23:12 EST
Logging this mostly as the kernel is shared with FC3

Doing a "w" just after login spewed:

security/selinux/avc.c:268:
spin_trylock(security/selinux/avc.c:0241a1f8) already locked by
security/selinux/avc.c/727
Unable to handle kernel paging request at virtual address 00200200
 printing eip:
021c373e
*pde = 00000000
Oops: 0002 [#1]
Modules linked in: snd_es1968 snd_ac97_codec snd_pcm snd_timer
snd_page_alloc gameport snd_mpu401_uart snd_rawmidi snd_seq_device
snd_mixer_oss snd soundcore md5 ipv6 parport_pc lp parport autofs4
rfcomm l2cap bluetooth ds yenta_socket pcmcia_core sunrpc natsemi
ipt_REJECT iptable_filter ip_tables floppy sg microcode dm_mod
uhci_hcd ext3 jbd aic7xxx sd_mod scsi_mod
CPU:    0
EIP:    0060:[<021c373e>]    Not tainted VLI
EFLAGS: 00210002   (2.6.9-1.6_FC2)
EIP is at avc_node_replace+0x19/0x30
eax: 00200200   ebx: 1353720c   ecx: 00200200   edx: 135379d4
esi: 00000010   edi: 00000000   ebp: 00000121   esp: 0872ad6c
ds: 007b   es: 007b   ss: 0068
Process w (pid: 2409, threadinfo=0872a000 task=06392e30)
Stack: 135371e8 021c4992 135379d4 00200206 00000000 00000007 0000029d
00000010
       135379f4 0872ae14 0872ae00 021c4f88 00000273 00000007 00000000
00000007
       00000273 0000029d 00000007 00000037 0000029d 00000000 ffffffff
00000000
Call Trace:
 [<021c4992>] avc_update_node+0x1cf/0x25f
 [<021c4f88>] avc_has_perm_noaudit+0xcf/0xdc
 [<021c4fd0>] avc_has_perm+0x3b/0x45
 [<021c4fb5>] avc_has_perm+0x20/0x45
 [<021c65f9>] inode_has_perm+0x4c/0x54
 [<021c65f9>] inode_has_perm+0x4c/0x54
 [<021a4e73>] pid_revalidate+0x61/0x199
 [<021c828a>] selinux_inode_getattr+0x4a/0x52
 [<021714ab>] vfs_getattr+0x1b/0x88
 [<02171540>] vfs_stat+0x28/0x3a
 [<0215f652>] put_user_size+0x29/0x2d
 [<0218e53d>] simple_read_from_buffer+0x68/0x91
 [<02171aa7>] sys_stat64+0xf/0x23
 [<021a41e9>] proc_info_read+0x66/0x6e
 [<02180331>] dput+0x189/0x4f3
 [<02167196>] __fput+0xc9/0xee
 [<021659af>] filp_close+0x59/0x5f
Code: <3>Debug: sleeping function called from invalid context at
include/linux/rwsem.h:43
in_atomic():0[expected: 0], irqs_disabled():1
 [<0211cbe7>] __might_sleep+0x82/0x8c
 [<0215eec1>] rw_vm+0x205/0x45f
 [<021c3713>] avc_node_delete+0x19/0x2b
 [<021c3713>] avc_node_delete+0x19/0x2b
 [<0215f602>] get_user_size+0x2e/0x55
 [<021c3713>] avc_node_delete+0x19/0x2b
 [<021068ce>] show_registers+0x108/0x164
 [<02106ad9>] die+0x14a/0x241
 [<0211977c>] do_page_fault+0x3a9/0x4ff
 [<021c373e>] avc_node_replace+0x19/0x30
 [<0211b176>] activate_task+0x51/0x5d
 [<0211d2a8>] autoremove_wake_function+0xd/0x2d
 [<0211bbe3>] __wake_up_common+0x36/0x5b
 [<0211bc95>] __wake_up+0x8d/0xf2
 [<02120ac0>] release_console_sem+0x205/0x20b
 [<021193d3>] do_page_fault+0x0/0x4ff
 [<021c373e>] avc_node_replace+0x19/0x30
 [<021c4992>] avc_update_node+0x1cf/0x25f
 [<021c4f88>] avc_has_perm_noaudit+0xcf/0xdc
 [<021c4fd0>] avc_has_perm+0x3b/0x45
 [<021c4fb5>] avc_has_perm+0x20/0x45
 [<021c65f9>] inode_has_perm+0x4c/0x54
 [<021c65f9>] inode_has_perm+0x4c/0x54
 [<021a4e73>] pid_revalidate+0x61/0x199
 [<021c828a>] selinux_inode_getattr+0x4a/0x52
 [<021714ab>] vfs_getattr+0x1b/0x88
 [<02171540>] vfs_stat+0x28/0x3a
 [<0215f652>] put_user_size+0x29/0x2d
 [<0218e53d>] simple_read_from_buffer+0x68/0x91
 [<02171aa7>] sys_stat64+0xf/0x23
 [<021a41e9>] proc_info_read+0x66/0x6e
 [<02180331>] dput+0x189/0x4f3
 [<02167196>] __fput+0xc9/0xee
 [<021659af>] filp_close+0x59/0x5f
 Bad EIP value.


Enforcing is off.
Comment 1 James Morris 2004-12-09 15:44:21 EST
Is this easily reproducible?  I've not seen or heard of this before.
Comment 2 Stephen Smalley 2004-12-09 16:02:45 EST
It would only occur in permissive mode, as that is the only caller of
avc_update_node presently.
avc_has_perm_noaudit() calls it to add the permissions to the entry to avoid
subsequent denials on the same permission check so that we don't fill the logs
when in permissive mode [pre-RCU, it just directly added the permissions to the
entry since it already held the global spinlock; post-RCU, it has to use
avc_update_node].
avc_update_node() takes the spinlock on the hash chain, finds the original, and
calls avc_alloc_node() while still holding the spinlock.
avc_alloc_node() calls avc_reclaim_node() if we hit the threshold, which then
tries to take the spinlock on the hash chain again during the scan.
Yes?
Comment 3 James Morris 2004-12-09 16:07:17 EST
Sounds right, good catch.  I guess we need to add a flag to avc_alloc_node() to
say whether to reclaim or not (will send one soon).
Comment 4 Stephen Smalley 2004-12-09 16:10:56 EST
Alternative would be to move the avc_alloc_node() call to the beginning of
avc_update_node(), prior to taking the spinlock, as done in avc_insert.  Then we
just need to free it if the search for the original node fails in
avc_update_node due to an interleaving.
Comment 5 James Morris 2004-12-09 16:54:56 EST
Created attachment 108264: Proposed fix.

Here's a proposed patch using Stephen's idea. Please review, we don't have much
time to get this in.
Comment 6 James Morris 2004-12-09 17:04:19 EST
Also note that this could not have been picked up by the testsuite as that runs
in enforcing mode.  And this is a UP only bug as otherwise spin_trylock() will
just return and not cause a problem. (Which explains why we didn't hit it during
development).
Comment 10 Stephen Smalley 2004-12-10 08:10:04 EST
Should use kmem_cache_free(avc_node_cachep, node), right?
Also, need to decrement active nodes, right?
Comment 11 James Morris 2004-12-10 11:15:38 EST
avc_node_free() should be correct.
Comment 12 Stephen Smalley 2004-12-10 11:21:48 EST
Hmmm...well, it doesn't decrement active nodes.  You could use
avc_node_delete(), but that seems unnecessarily heavyweight, as there is no
reason to defer the free since the node hasn't been inserted yet.
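The lock recursion Stephen describes in comment 2, the reordered allocation from comment 4, and the active-node accounting point from comment 12 can be seen together in a small userspace model. The code below is an added illustration for this bug report, not kernel code and not either of the attached patches: the spinlock, the single hash chain, the reclaim threshold and every function name (model_alloc_node, update_buggy, update_fixed and so on) are simplified stand-ins for the SELinux AVC. The lock model reproduces the uniprocessor behaviour comment 6 points at: a trylock on a lock this CPU already holds cannot ever succeed.

```c
/* Added model of the AVC lock recursion (comments 2, 4 and 12); hypothetical
 * names, not the SELinux kernel code. */
#include <stdio.h>
#include <stdlib.h>

#define MODEL_THRESHOLD 4   /* stand-in for the AVC node-count threshold */

/* Uniprocessor spinlock model: with one CPU nobody else can release a held
 * lock, so a trylock on an already-held lock is lock recursion. */
struct up_spinlock { int held; };
static int up_spin_trylock(struct up_spinlock *l) { if (l->held) return 0; l->held = 1; return 1; }
static void up_spin_unlock(struct up_spinlock *l) { l->held = 0; }

struct avc_node { unsigned ssid, tsid, perms; struct avc_node *next; };
struct avc_cache { struct up_spinlock lock; struct avc_node *chain; int active_nodes; };

/* Free a node: plain free plus the active-node decrement comment 12 asks
 * for. A node that never reached the chain needs no deferred (RCU) free. */
static void model_node_free(struct avc_cache *c, struct avc_node *n) { free(n); c->active_nodes--; }

/* Reclaim needs the chain lock, like avc_reclaim_node() scanning the hash
 * chains. Returns 0 when the lock is already held: the path that oopsed. */
static int model_reclaim_node(struct avc_cache *c)
{
    struct avc_node **pp = &c->chain;
    if (!up_spin_trylock(&c->lock))
        return 0;
    while (*pp && (*pp)->next)
        pp = &(*pp)->next;               /* evict the oldest node (chain tail) */
    if (*pp) { struct avc_node *old = *pp; *pp = NULL; model_node_free(c, old); }
    up_spin_unlock(&c->lock);
    return 1;
}

/* Allocate a node, reclaiming first once the threshold is reached. */
static struct avc_node *model_alloc_node(struct avc_cache *c, int *recursed)
{
    struct avc_node *n;
    if (c->active_nodes >= MODEL_THRESHOLD && !model_reclaim_node(c)) {
        *recursed = 1;
        return NULL;
    }
    n = calloc(1, sizeof *n);
    if (n) c->active_nodes++;
    return n;
}

static struct avc_node *find_locked(struct avc_cache *c, unsigned ssid, unsigned tsid)
{
    struct avc_node *n;
    for (n = c->chain; n; n = n->next)
        if (n->ssid == ssid && n->tsid == tsid) return n;
    return NULL;
}

/* Caller holds the lock: unlink orig and link fresh in its place. The kernel
 * defers freeing the old node via RCU; this single-threaded model frees it now. */
static void replace_locked(struct avc_cache *c, struct avc_node *orig, struct avc_node *fresh)
{
    struct avc_node **pp = &c->chain;
    while (*pp != orig) pp = &(*pp)->next;
    fresh->next = orig->next;
    *pp = fresh;
    model_node_free(c, orig);
}

/* Insert allocates before taking the lock, the ordering avc_insert uses. */
static int model_insert(struct avc_cache *c, unsigned ssid, unsigned tsid, unsigned perms)
{
    int recursed = 0;
    struct avc_node *n = model_alloc_node(c, &recursed);
    if (!n) return 0;
    n->ssid = ssid; n->tsid = tsid; n->perms = perms;
    if (!up_spin_trylock(&c->lock)) { model_node_free(c, n); return 0; }
    n->next = c->chain; c->chain = n;
    up_spin_unlock(&c->lock);
    return 1;
}

/* Buggy ordering (comment 2): allocate while holding the chain lock.
 * Returns 1 = updated, 0 = original not found, -1 = lock recursion. */
static int update_buggy(struct avc_cache *c, unsigned ssid, unsigned tsid, unsigned perms)
{
    int recursed = 0;
    struct avc_node *orig, *fresh;
    if (!up_spin_trylock(&c->lock)) return -1;
    orig = find_locked(c, ssid, tsid);
    if (!orig) { up_spin_unlock(&c->lock); return 0; }
    fresh = model_alloc_node(c, &recursed);  /* may reclaim -> trylock again */
    if (!fresh) { up_spin_unlock(&c->lock); return recursed ? -1 : 0; }
    fresh->ssid = orig->ssid; fresh->tsid = orig->tsid; fresh->perms = orig->perms | perms;
    replace_locked(c, orig, fresh);
    up_spin_unlock(&c->lock);
    return 1;
}

/* Fixed ordering (comment 4): allocate first, then lock; free the new node
 * if the original is gone by the time the chain is searched. */
static int update_fixed(struct avc_cache *c, unsigned ssid, unsigned tsid, unsigned perms)
{
    int recursed = 0;
    struct avc_node *orig, *fresh = model_alloc_node(c, &recursed);
    if (!fresh) return -1;
    if (!up_spin_trylock(&c->lock)) { model_node_free(c, fresh); return -1; }
    orig = find_locked(c, ssid, tsid);
    if (!orig) { up_spin_unlock(&c->lock); model_node_free(c, fresh); return 0; }
    fresh->ssid = orig->ssid; fresh->tsid = orig->tsid; fresh->perms = orig->perms | perms;
    replace_locked(c, orig, fresh);
    up_spin_unlock(&c->lock);
    return 1;
}

/* Constructed scenario: a cache filled exactly to the threshold. */
static struct avc_cache *make_full_cache(void)
{
    struct avc_cache *c = calloc(1, sizeof *c);
    unsigned i;
    for (i = 1; i <= MODEL_THRESHOLD; i++)
        model_insert(c, i, 100, 0x1);    /* chain becomes 4,3,2,1 */
    return c;
}

static unsigned perms_of(struct avc_cache *c, unsigned ssid, unsigned tsid)
{
    struct avc_node *n = find_locked(c, ssid, tsid);
    return n ? n->perms : 0;
}

int main(void)
{
    struct avc_cache *c = make_full_cache();
    printf("buggy ordering: %d\n", update_buggy(c, 4, 100, 0x2));          /* -1 */
    printf("fixed ordering: %d\n", update_fixed(c, 4, 100, 0x2));          /* 1 */
    printf("fixed, original reclaimed: %d\n", update_fixed(c, 1, 100, 0x2)); /* 0 */
    return 0;
}
```

With the cache at the threshold, update_buggy takes the chain lock, finds the original, and then allocates; the allocation triggers reclaim, whose trylock on the held lock fails, which is the spin_trylock "already locked" message in the report. update_fixed allocates first, so reclaim runs with the lock free; the third call shows the case comment 4 anticipates, where the original node is gone when the chain is searched and the freshly allocated node is released with the active count kept consistent.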
Comment 13 James Morris 2004-12-10 11:32:56 EST
Created attachment 108326: Updated patch

Please review this patch.
Comment 14 Stephen Smalley 2004-12-10 11:52:31 EST
Looks sane to me.
Comment 16 Jay Turner 2005-02-22 09:58:48 EST
This appears that it got taken care of in RHEL4.  Can we close this out?
Comment 17 James Morris 2005-02-22 10:38:51 EST
(In reply to comment #16)
> This appears that it got taken care of in RHEL4.  Can we close this out?

Yes
Comment 18 Jay Turner 2005-02-22 13:02:43 EST
Closing out.