Hi Simon, Thanks for your help, your advice is clear, can i just use it, how about this: The current IMA ruleset is identified by the variable "ima_rules", and the pointer starts pointing at the list "ima_default_rules". When loading a custom policy for the first time, the variable is updated to point to the list "ima_policy_rules" instead. That update isn't RCU-safe, and deadlocks are possible. Introduce a temporary value for "ima_rules" when iterating over the ruleset to avoid the deadlocks. Signed-off-by: liqiong <liqiong@xxxxxxxxxxxx> --- security/integrity/ima/ima_policy.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/ima_policy.c b/security/integrity/ima/ima_policy.c index fd5d46e511f1..e92b197bfd3c 100644 --- a/security/integrity/ima/ima_policy.c +++ b/security/integrity/ima/ima_policy.c Thanks liqiong 在 2021年08月25日 20:03, THOBY Simon 写道: > Hi Liqiong, > > On 8/25/21 1:45 PM, liqiong wrote: >> Hi Mimi, >> >> This copy may be better. >> >> >> subject: ima: fix deadlock when iterating over the init "ima_rules" list. >> >> > As Mimi said, consider adding an introducing paragraph, like: > 'The current IMA ruleset is identified by the variable "ima_rules", > and the pointer starts pointing at the list "ima_default_rules". When > loading a custom policy for the first time, the variable is > updated to point to the list "ima_policy_rules" instead. That update > isn't RCU-safe, and deadlocks are possible.' > >> When traversing back to head, the init "ima_rules" list can't exit >> iterating if "ima_rules" has been updated to "ima_policy_rules". >> It causes soft lockup and RCU stalls. So we can introduce a duplicate >> of "ima_rules" for each "ima_rules" list loop. > Per the process (see 'Documentation/process/submitting-patches.rst'), > please prefer an imperative style (written in another paragraph): > 'Introduce a temporary value for "ima_rules" when iterating over the ruleset.' > > > Thanks, > Simon
