Commit 3c80fe4a authored by Thomas Gleixner's avatar Thomas Gleixner Committed by Al Viro
Browse files

audit: Call tty_audit_push_task() outside preempt disabled 



While auditing all tasklist_lock read_lock sites I stumbled over the
following call chain:

audit_prepare_user_tty()
  read_lock(&tasklist_lock);
  tty_audit_push_task();
     mutex_lock(&buf->mutex);

     --> buf->mutex is locked with preemption disabled.

Solve this by acquiring a reference to the task struct under
rcu_read_lock and call tty_audit_push_task outside of the preempt
disabled region.

Move all code which needs to be protected by sighand lock into
tty_audit_push_task() and use lock/unlock_sighand as we do not hold
tasklist_lock.

Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
parent f7a998a9

drivers/char/tty_audit.c

+28 −10
Original line number Diff line number Diff line
@@ -189,24 +189,42 @@ void tty_audit_tiocsti(struct tty_struct *tty, char ch) 


/**

 * tty_audit_push_task	-	Flush task's pending audit data

 * @tsk:		task pointer

 * @loginuid:		sender login uid

 * @sessionid:		sender session id

 *

 * Called with a ref on @tsk held. Try to lock sighand and get a

 * reference to the tty audit buffer if available.

 * Flush the buffer or return an appropriate error code.

 */

void tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)

int tty_audit_push_task(struct task_struct *tsk, uid_t loginuid, u32 sessionid)

{

	struct tty_audit_buf *buf;

	struct tty_audit_buf *buf = ERR_PTR(-EPERM);

	unsigned long flags;



	if (!lock_task_sighand(tsk, &flags))

		return -ESRCH;



	spin_lock_irq(&tsk->sighand->siglock);

	if (tsk->signal->audit_tty) {

		buf = tsk->signal->tty_audit_buf;

		if (buf)

			atomic_inc(&buf->count);

	spin_unlock_irq(&tsk->sighand->siglock);

	if (!buf)

		return;

	}

	unlock_task_sighand(tsk, &flags);



	/*

	 * Return 0 when signal->audit_tty set

	 * but tsk->signal->tty_audit_buf == NULL.

	 */

	if (!buf || IS_ERR(buf))

		return PTR_ERR(buf);



	mutex_lock(&buf->mutex);

	tty_audit_buf_push(tsk, loginuid, sessionid, buf);

	mutex_unlock(&buf->mutex);



	tty_audit_buf_put(buf);

	return 0;

}



/**

include/linux/tty.h

+5 −4
Original line number Diff line number Diff line
@@ -541,7 +541,7 @@ extern void tty_audit_exit(void); 
extern void tty_audit_fork(struct signal_struct *sig);

extern void tty_audit_tiocsti(struct tty_struct *tty, char ch);

extern void tty_audit_push(struct tty_struct *tty);

extern void tty_audit_push_task(struct task_struct *tsk,

extern int tty_audit_push_task(struct task_struct *tsk,

			       uid_t loginuid, u32 sessionid);

#else

static inline void tty_audit_add_data(struct tty_struct *tty,
@@ -560,9 +560,10 @@ static inline void tty_audit_fork(struct signal_struct *sig) 
static inline void tty_audit_push(struct tty_struct *tty)

{

}

static inline void tty_audit_push_task(struct task_struct *tsk,

static inline int tty_audit_push_task(struct task_struct *tsk,

				      uid_t loginuid, u32 sessionid)

{

	return 0;

}

#endif

kernel/audit.c

+9 −16
Original line number Diff line number Diff line
@@ -467,23 +467,16 @@ static int audit_prepare_user_tty(pid_t pid, uid_t loginuid, u32 sessionid) 
	struct task_struct *tsk;

	int err;



	read_lock(&tasklist_lock);

	rcu_read_lock();

	tsk = find_task_by_vpid(pid);

	err = -ESRCH;

	if (!tsk)

		goto out;

	err = 0;



	spin_lock_irq(&tsk->sighand->siglock);

	if (!tsk->signal->audit_tty)

		err = -EPERM;

	spin_unlock_irq(&tsk->sighand->siglock);

	if (err)

		goto out;



	tty_audit_push_task(tsk, loginuid, sessionid);

out:

	read_unlock(&tasklist_lock);

	if (!tsk) {

		rcu_read_unlock();

		return -ESRCH;

	}

	get_task_struct(tsk);

	rcu_read_unlock();

	err = tty_audit_push_task(tsk, loginuid, sessionid);

	put_task_struct(tsk);

	return err;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE