From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tetsuo Handa, syzbot, Sasha Levin, linux-security-module@vger.kernel.org
Subject: [PATCH AUTOSEL 5.4 25/40] tomoyo: ignore data race while checking quota
Date: Wed, 24 Feb 2021 07:53:25 -0500
Message-Id: <20210224125340.483162-25-sashal@kernel.org>

From: Tetsuo Handa

[ Upstream commit 5797e861e402fff2bedce4ec8b7c89f4248b6073 ]

syzbot is reporting that tomoyo's quota check is racy [1]. But this check is tolerant of some degree of inaccuracy. Thus, teach KCSAN to ignore this data race.

[1] https://syzkaller.appspot.com/bug?id=999533deec7ba6337f8aa25d8bd1a4d5f7e50476

Reported-by: syzbot
Signed-off-by: Tetsuo Handa
Signed-off-by: Sasha Levin
--- security/tomoyo/file.c | 16 ++++++++-------- security/tomoyo/network.c | 8 ++++---- security/tomoyo/util.c | 24 ++++++++++++------------ 3 files changed, 24 insertions(+), 24 deletions(-) diff --git a/security/tomoyo/file.c b/security/tomoyo/file.c index 86f7d1b90212a..966f80e4d77e6 100644 --- a/security/tomoyo/file.c +++ b/security/tomoyo/file.c @@ -362,14 +362,14 @@ static bool tomoyo_merge_path_acl(struct tomoyo_acl_info *a, { u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head) ->perm; - u16 perm = *a_perm; + u16 perm = READ_ONCE(*a_perm); const u16 b_perm = container_of(b, struct tomoyo_path_acl, head)->perm; if (is_delete) perm &= ~b_perm; else perm |= b_perm; - *a_perm = perm; + WRITE_ONCE(*a_perm, perm); return !perm; }
@@ -437,7 +437,7 @@ static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a, { u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, head)->perm; - u8 perm = *a_perm; + u8 perm = READ_ONCE(*a_perm); const u8 b_perm = container_of(b, struct tomoyo_mkdev_acl, head) ->perm; @@ -445,7 +445,7 @@ static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a, perm &= ~b_perm; else perm |= b_perm; - *a_perm = perm; + WRITE_ONCE(*a_perm, perm); return !perm; } @@ -517,14 +517,14 @@ static bool tomoyo_merge_path2_acl(struct tomoyo_acl_info *a, { u8 * const a_perm = &container_of(a, struct tomoyo_path2_acl, head) ->perm; - u8 perm = *a_perm; + u8 perm = READ_ONCE(*a_perm); const u8 b_perm = container_of(b, struct tomoyo_path2_acl, head)->perm; if (is_delete) perm &= ~b_perm; else perm |= b_perm; - *a_perm = perm; + WRITE_ONCE(*a_perm, perm); return !perm; } @@ -655,7 +655,7 @@ static bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a, { u8 * const a_perm = &container_of(a, struct tomoyo_path_number_acl, head)->perm; - u8 perm = *a_perm; + u8 perm = READ_ONCE(*a_perm); const u8 b_perm = container_of(b, struct tomoyo_path_number_acl, head) ->perm; @@ -663,7 +663,7 @@ static bool tomoyo_merge_path_number_acl(struct tomoyo_acl_info *a, perm &= ~b_perm; else perm |= b_perm; - *a_perm = perm; + WRITE_ONCE(*a_perm, perm); return !perm; } diff --git a/security/tomoyo/network.c b/security/tomoyo/network.c index f9ff121d7e1eb..a89ed55d85d41 100644 --- a/security/tomoyo/network.c +++ b/security/tomoyo/network.c @@ -233,14 +233,14 @@ static bool tomoyo_merge_inet_acl(struct tomoyo_acl_info *a, { u8 * const a_perm = &container_of(a, struct tomoyo_inet_acl, head)->perm; - u8 perm = *a_perm; + u8 perm = READ_ONCE(*a_perm); const u8 b_perm = container_of(b, struct tomoyo_inet_acl, head)->perm; if (is_delete) perm &= ~b_perm; else perm |= b_perm; - *a_perm = perm; + WRITE_ONCE(*a_perm, perm); return !perm; } 
@@ -259,14 +259,14 @@ static bool tomoyo_merge_unix_acl(struct tomoyo_acl_info *a, { u8 * const a_perm = &container_of(a, struct tomoyo_unix_acl, head)->perm; - u8 perm = *a_perm; + u8 perm = READ_ONCE(*a_perm); const u8 b_perm = container_of(b, struct tomoyo_unix_acl, head)->perm; if (is_delete) perm &= ~b_perm; else perm |= b_perm; - *a_perm = perm; + WRITE_ONCE(*a_perm, perm); return !perm; } diff --git a/security/tomoyo/util.c b/security/tomoyo/util.c index eba0b3395851e..3e6be8ff9a396 100644 --- a/security/tomoyo/util.c +++ b/security/tomoyo/util.c 
@@ -1036,30 +1036,30 @@ bool tomoyo_domain_quota_is_ok(struct tomoyo_request_info *r) if (ptr->is_deleted) continue; + /* + * Reading perm bitmap might race with tomoyo_merge_*() because + * caller does not hold tomoyo_policy_lock mutex. But exceeding + * max_learning_entry parameter by a few entries does not harm. + */ switch (ptr->type) { case TOMOYO_TYPE_PATH_ACL: - perm = container_of(ptr, struct tomoyo_path_acl, head) - ->perm; + data_race(perm = container_of(ptr, struct tomoyo_path_acl, head)->perm); break; case TOMOYO_TYPE_PATH2_ACL: - perm = container_of(ptr, struct tomoyo_path2_acl, head) - ->perm; + data_race(perm = container_of(ptr, struct tomoyo_path2_acl, head)->perm); break; case TOMOYO_TYPE_PATH_NUMBER_ACL: - perm = container_of(ptr, struct tomoyo_path_number_acl, - head)->perm; + data_race(perm = container_of(ptr, struct tomoyo_path_number_acl, head) + ->perm); break; case TOMOYO_TYPE_MKDEV_ACL: - perm = container_of(ptr, struct tomoyo_mkdev_acl, - head)->perm; + data_race(perm = container_of(ptr, struct tomoyo_mkdev_acl, head)->perm); break; case TOMOYO_TYPE_INET_ACL: - perm = container_of(ptr, struct tomoyo_inet_acl, - head)->perm; + data_race(perm = container_of(ptr, struct tomoyo_inet_acl, head)->perm); break; case TOMOYO_TYPE_UNIX_ACL: - perm = container_of(ptr, struct tomoyo_unix_acl, - head)->perm; + data_race(perm = container_of(ptr, struct tomoyo_unix_acl, head)->perm); break; case TOMOYO_TYPE_MANUAL_TASK_ACL: perm = 0; -- 2.27.0
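Review bot: in the tomoyo_merge_*() hunks of security/tomoyo/file.c and security/tomoyo/network.c, the sequence READ_ONCE(*a_perm), modify, WRITE_ONCE(*a_perm, perm) is still a non-atomic read-modify-write, and nothing in these functions says what serializes it. The comment added in util.c implies that writers hold tomoyo_policy_lock and only the quota reader is lockless; if so, please say that at the merge sites (one comment above tomoyo_merge_path_acl() would do), and note that WRITE_ONCE() is there only to pair with the lockless read in tomoyo_domain_quota_is_ok(). Under that assumption the READ_ONCE() on the load is not needed for correctness, since no other writer can run concurrently, so either drop it or explain it in the commit message, which currently mentions only the quota check and not the changes to the merge helpers.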
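Review bot: in the tomoyo_domain_quota_is_ok() hunk of security/tomoyo/util.c, data_race() wraps the whole assignment, as in data_race(perm = container_of(ptr, struct tomoyo_path_acl, head)->perm), although only the load of ->perm is the racy access. Writing perm = data_race(container_of(ptr, struct tomoyo_path_acl, head)->perm); marks exactly the access KCSAN should ignore and keeps the store to the local variable outside the annotation. The TOMOYO_TYPE_PATH_NUMBER_ACL case is also still split, with ->perm); on a continuation line, while the other five cases were joined onto one line; please make the six cases consistent. The new comment justifying the race (exceeding max_learning_entry by a few entries is harmless) is the right thing to have next to data_race() and should stay.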