--- /dev/null
+From d7dc0fe419e6502d788240150474399cf7cca50a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 29 Sep 2018 03:49:26 +0200
+Subject: apparmor: don't try to replace stale label in ptraceme check
+
+From: Jann Horn <jannh@google.com>
+
+[ Upstream commit ca3fde5214e1d24f78269b337d3f22afd6bf445e ]
+
+begin_current_label_crit_section() must run in sleepable context because
+when label_is_stale() is true, aa_replace_current_label() runs, which uses
+prepare_creds(), which can sleep.
+
+Until now, the ptraceme access check (which runs with tasklist_lock held)
+violated this rule.
+
+Fixes: b2d09ae449ced ("apparmor: move ptrace checks to using labels")
+Reported-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Reported-by: kernel test robot <rong.a.chen@intel.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: John Johansen <john.johansen@canonical.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/apparmor/lsm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 4f08023101f3c..1c6b389ad8f94 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -123,11 +123,11 @@ static int apparmor_ptrace_traceme(struct task_struct *parent)
+ struct aa_label *tracer, *tracee;
+ int error;
+
+- tracee = begin_current_label_crit_section();
++ tracee = __begin_current_label_crit_section();
+ tracer = aa_get_task_label(parent);
+ error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
+ aa_put_label(tracer);
+- end_current_label_crit_section(tracee);
++ __end_current_label_crit_section(tracee);
+
+ return error;
+ }
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
