Commit ba0c19ed authored by Stephen Smalley Committed by Linus Torvalds

[PATCH] selinux: fix sb_lock/sb_security_lock nesting

From: Stephen Smalley <sds@tycho.nsa.gov>

Fix unsafe nesting of sb_lock inside sb_security_lock in
selinux_complete_init.  Detected by the kernel locking validator.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
parent 93ff66bf
...@@ -4422,6 +4422,7 @@ void selinux_complete_init(void) ...@@ -4422,6 +4422,7 @@ void selinux_complete_init(void)
/* Set up any superblocks initialized prior to the policy load. */ /* Set up any superblocks initialized prior to the policy load. */
printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); printk(KERN_INFO "SELinux: Setting up existing superblocks.\n");
spin_lock(&sb_lock);
spin_lock(&sb_security_lock); spin_lock(&sb_security_lock);
next_sb: next_sb:
if (!list_empty(&superblock_security_head)) { if (!list_empty(&superblock_security_head)) {
...@@ -4430,19 +4431,20 @@ void selinux_complete_init(void) ...@@ -4430,19 +4431,20 @@ void selinux_complete_init(void)
struct superblock_security_struct, struct superblock_security_struct,
list); list);
struct super_block *sb = sbsec->sb; struct super_block *sb = sbsec->sb;
spin_lock(&sb_lock);
sb->s_count++; sb->s_count++;
spin_unlock(&sb_lock);
spin_unlock(&sb_security_lock); spin_unlock(&sb_security_lock);
spin_unlock(&sb_lock);
down_read(&sb->s_umount); down_read(&sb->s_umount);
if (sb->s_root) if (sb->s_root)
superblock_doinit(sb, NULL); superblock_doinit(sb, NULL);
drop_super(sb); drop_super(sb);
spin_lock(&sb_lock);
spin_lock(&sb_security_lock); spin_lock(&sb_security_lock);
list_del_init(&sbsec->list); list_del_init(&sbsec->list);
goto next_sb; goto next_sb;
} }
spin_unlock(&sb_security_lock); spin_unlock(&sb_security_lock);
spin_unlock(&sb_lock);
} }
/* SELinux requires early initialization in order to label /* SELinux requires early initialization in order to label
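Review bot: In the second hunk, `list_del_init(&sbsec->list)` still runs after `drop_super(sb)`, which presumably releases the reference taken by `sb->s_count++`, so `sbsec` is dereferenced at a point where nothing visible here keeps the superblock alive. If that drop can be the last reference and the security struct is freed together with the superblock (not shown on this page, so it needs confirming), the unlink writes to freed memory. Unlinking while both locks are first held, i.e. `list_del_init(&sbsec->list);` right after `sb->s_count++;`, would avoid touching `sbsec` after the drop, provided `superblock_doinit` does not rely on the entry still being on the list. Separately, the ordering this commit establishes deserves a comment at the first `spin_lock(&sb_lock);`, for example `/* Lock order: sb_lock, then sb_security_lock. */`, so later callers do not reintroduce the inversion. The body of selinux_complete_init starts above the first hunk, so other lock sites in it could not be checked.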