On Fri, Aug 02, 2013 at 02:08:07PM -0400, Paul Moore wrote: > The SELinux/NetLabel glue code has a locking bug that affects systems > with NetLabel enabled, see the kernel error message below. This patch > corrects this problem by converting the bottom half socket lock to a > more conventional, and correct for this call-path, lock_sock() call. > > =============================== > [ INFO: suspicious RCU usage. ] > 3.11.0-rc3+ #19 Not tainted > ------------------------------- > net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage! > > other info that might help us debug this: > > rcu_scheduler_active = 1, debug_locks = 0 > 2 locks held by ping/731: > #0: (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect > #1: (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr > > stack backtrace: > CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19 > Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 > 0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500 > ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000 > 000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7 > Call Trace: > [<ffffffff81726b6a>] dump_stack+0x54/0x74 > [<ffffffff810e4457>] lockdep_rcu_suspicious+0xe7/0x120 > [<ffffffff8169bec7>] cipso_v4_sock_setattr+0x187/0x1a0 > [<ffffffff8170f317>] netlbl_conn_setattr+0x187/0x190 > [<ffffffff8170f195>] ? netlbl_conn_setattr+0x5/0x190 > [<ffffffff8131ac9e>] selinux_netlbl_socket_connect+0xae/0xc0 > [<ffffffff81303025>] selinux_socket_connect+0x135/0x170 > [<ffffffff8119d127>] ? might_fault+0x57/0xb0 > [<ffffffff812fb146>] security_socket_connect+0x16/0x20 > [<ffffffff815d3ad3>] SYSC_connect+0x73/0x130 > [<ffffffff81739a85>] ? sysret_check+0x22/0x5d > [<ffffffff810e5e2d>] ? trace_hardirqs_on_caller+0xfd/0x1c0 > [<ffffffff81373d4e>] ? trace_hardirqs_on_thunk+0x3a/0x3f > [<ffffffff815d52be>] SyS_connect+0xe/0x10 > [<ffffffff81739a59>] system_call_fastpath+0x16/0x1b > > Signed-off-by: Paul Moore <pmoore@xxxxxxxxxx> > --- > security/selinux/netlabel.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) <formletter> This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read Documentation/stable_kernel_rules.txt for how to do this properly. </formletter> -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html