Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1296611imu;
        Wed, 16 Jan 2019 16:38:44 -0800 (PST)
X-Google-Smtp-Source: ALg8bN4b8ngb49cr4X+3AqxXkqpOXlYvYg8/hhOmeCcOY5fj9fkFcCT/dZzkR/N+Op3gmt7oIs31
X-Received: by 2002:a63:6442:: with SMTP id y63mr11415861pgb.450.1547685524451;
        Wed, 16 Jan 2019 16:38:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1547685524; cv=none;
        d=google.com; s=arc-20160816;
        b=j5HkMrghQOW+dnNSf5J2BMuCYD8C2cw2vobrVhd64JZE6lvkmW/zV3u81XlqvWGcF1
         sjE+8WpAVdm33Wp20o4FQDKbT21WcJRAbshDTo3qY4ty9Y43P5wtZgPhqMxwsCRBGNvM
         cp6b0ETgL69qq2bJRTlaImI1wDx5cJVGyfN6tmNP+IQeuQ3lkcLWZSZaLx+yzMBUh1Vx
         kppCpekINZMfgFvJKvSaUl2dL4/lgMm46M3D/tK9RNCG5CEzBBBPq4l7bG1/RUfaQZTc
         39rmob2aUTn2aOwQYl1U1vuNQ6R84+h4pSVRfEl6iOAg7cW7wBVPnmV5K0cqnIT9K2hm
         7NUA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :message-id:in-reply-to:subject:cc:to:from:date;
        bh=84dKGgvCj3ngckkwaQuNFnTjhXDVrySvvzmI2WuCR5w=;
        b=FRyIV7mc2oJ+Dbejkp2c/SgexURPjblSNW9bqx5Z38/XBao020bE5p+3jBBA5Y/lKs
         XqkdIRWyavNoAvHDSIt3DWBFCtWy2lbw1RB0pTpIG1xHnZoZ2IbjtaarmV5yGLmvsoK9
         qYlNr2WIeftHekSR9GAFa82Hs1ZxztVogb3wU4gZ4uMDchekdf9dyHr2VLai6nk4AgbB
         Ax26IOhw1TpOKTutpgz20UjpaXsH6twdtSuaBGycbNN6Ss5wl+quKx5vyzmOw0wcdckv
         80XfauF+lmpxAP++G6EsRM33UbgMhp0SFJnbmXo8SA+NT0pQ97W32icU2EYpbhwOZqTR
         AuFA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id u24si7910913pgj.489.2019.01.16.16.38.25;
        Wed, 16 Jan 2019 16:38:44 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728207AbfAPVOx (ORCPT <rfc822;lunatang2017@gmail.com>
        + 99 others); Wed, 16 Jan 2019 16:14:53 -0500
Received: from namei.org ([65.99.196.166]:56382 "EHLO namei.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726924AbfAPVOx (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 16 Jan 2019 16:14:53 -0500
Received: from localhost (localhost [127.0.0.1])
        by namei.org (8.14.4/8.14.4) with ESMTP id x0GLEjAL007529;
        Wed, 16 Jan 2019 21:14:45 GMT
Date:   Thu, 17 Jan 2019 08:14:45 +1100 (AEDT)
From:   James Morris <jmorris@namei.org>
To:     Casey Schaufler <casey@schaufler-ca.com>
cc:     John Johansen <john.johansen@canonical.com>,
        linux-kernel@vger.kernel.org,
        linux-security-module@vger.kernel.org, serge@hallyn.com
Subject: Re: WARNING in apparmor_cred_free
In-Reply-To: <99cd1f6b-682e-7d1f-35ad-b9092d46323f@schaufler-ca.com>
Message-ID: <alpine.LRH.2.21.1901170814170.7422@namei.org>
References: <0000000000007f604f057f2b8509@google.com> <6213e783-4377-489d-cdfb-1a83f4497076@schaufler-ca.com> <b0d2811e-87e4-21d4-c33a-2d2012a906cc@canonical.com> <2ccf6281-3f4b-a94a-ed71-31905e583fa6@schaufler-ca.com> <234c868b-4521-0707-a135-d8c24bc179bd@schaufler-ca.com>
 <99cd1f6b-682e-7d1f-35ad-b9092d46323f@schaufler-ca.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 11 Jan 2019, Casey Schaufler wrote:

> >From 47134986133c822e1d88860fa2b108f92c97a7ff Mon Sep 17 00:00:00 2001
> From: Casey Schaufler <casey@schaufler-ca.com>
> Date: Fri, 11 Jan 2019 17:31:50 -0800
> Subject: [PATCH 1/2] LSM: Check for NULL cred-security on free
> 
> Check that the cred security blob has been set before trying
> to clean it up. There is a case during credential initialization
> that could result in this.
> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

JJ: does this fix the problem?

> ---
>  security/security.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/security/security.c b/security/security.c
> index a618e22df5c6..7bffc86d4e87 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -1477,6 +1477,13 @@ int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
>  
>  void security_cred_free(struct cred *cred)
>  {
> +	/*
> +	 * There is a failure case in prepare_creds() that
> +	 * may result in a call here with ->security being NULL.
> +	 */
> +	if (unlikely(cred->security == NULL))
> +		return;
> +
>  	call_void_hook(cred_free, cred);
>  
>  	kfree(cred->security);
> 

-- 
James Morris
<jmorris@namei.org>