On Mon, 01 Aug 2016, Fabian Frederick wrote:
Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref() to receive rcu freeing function but used generic ipc_rcu_free() instead of msg_rcu_free() which does security cleaning. Running LTP msgsnd06 with kmemleak gives the following: cat /sys/kernel/debug/kmemleak unreferenced object 0xffff88003c0a11f8 (size 8): comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s) hex dump (first 8 bytes): 1b 00 00 00 01 00 00 00 ........ backtrace: [<ffffffff818e2c43>] kmemleak_alloc+0x23/0x40 [<ffffffff81177f31>] kmem_cache_alloc_trace+0xe1/0x180 [<ffffffff812d42af>] selinux_msg_queue_alloc_security+0x3f/0xd0 [<ffffffff812cc6be>] security_msg_queue_alloc+0x2e/0x40 [<ffffffff812b94ee>] newque+0x4e/0x150 [<ffffffff812b8cb9>] ipcget+0x159/0x1b0 [<ffffffff812b98d9>] SyS_msgget+0x39/0x40 [<ffffffff818e7bdb>] entry_SYSCALL_64_fastpath+0x13/0x8f [<ffffffffffffffff>] 0xffffffffffffffff Signed-off-by: Fabian Frederick <fabf@xxxxxxxxx> --- V2: Update description with original commit and cc stable (Suggested by Manfred Spraul)
Ideally we would have the fix for sem.c in the same patch, under, ie: "sysv, ipc: fix security-layer leaking" Just like with shm and msg, the only caller of ipc_rcu_free() should be a failed security allocation in newary(). Thanks, Davidlohr -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html