apparmor bad lock balance during policy introspection

Bug #1235977 reported by John Johansen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Fix Released | High | John Johansen |
linux (Ubuntu Saucy) | Fix Released | High | John Johansen |
linux-goldfish (Ubuntu) | Fix Released | High | John Johansen |
linux-goldfish (Ubuntu Saucy) | Fix Released | High | John Johansen |
linux-grouper (Ubuntu) | Fix Released | High | John Johansen |
linux-grouper (Ubuntu Saucy) | Fix Released | High | John Johansen |
linux-maguro (Ubuntu) | Fix Released | High | John Johansen |
linux-maguro (Ubuntu Saucy) | Fix Released | High | John Johansen |
linux-mako (Ubuntu) | Fix Released | High | John Johansen |
linux-mako (Ubuntu Saucy) | Fix Released | High | John Johansen |
linux-manta (Ubuntu) | Fix Released | High | John Johansen |
linux-manta (Ubuntu Saucy) | Fix Released | High | John Johansen |

Bug Description

There is a bug in the profile introspection file that results in a virtual root ns lock being released twice. Introspection from the root policy namespace is handled correctly; it is only when introspection is done from a task in a sub policy namespace that becomes its virtual ns root.

This results in the following lockdep trace:
[ 78.479744] [ BUG: bad unlock balance detected! ]
[ 78.479792] 3.11.0-11-generic #17 Not tainted
[ 78.479838] -------------------------------------
[ 78.479885] grep/2223 is trying to release lock (&ns->lock) at:
[ 78.479952] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[ 78.480002] but there are no more locks to release!
[ 78.480037]
[ 78.480037] other info that might help us debug this:
[ 78.480037] 1 lock held by grep/2223:
[ 78.480037] #0: (&p->lock){+.+.+.}, at: [<ffffffff812111bd>] seq_read+0x3d/0x3d0
[ 78.480037]
[ 78.480037] stack backtrace:
[ 78.480037] CPU: 0 PID: 2223 Comm: grep Not tainted 3.11.0-11-generic #17
[ 78.480037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 78.480037] ffffffff817bf3be ffff880007763d60 ffffffff817b97ef ffff8800189d2190
[ 78.480037] ffff880007763d88 ffffffff810e1c6e ffff88001f044730 ffff8800189d2190
[ 78.480037] ffffffff817bf3be ffff880007763e00 ffffffff810e5bd6 0000000724fe56b7
[ 78.480037] Call Trace:
[ 78.480037] [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff817b97ef>] dump_stack+0x54/0x74
[ 78.480037] [<ffffffff810e1c6e>] print_unlock_imbalance_bug+0xee/0x100
[ 78.480037] [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff810e5bd6>] lock_release_non_nested+0x226/0x300
[ 78.480037] [<ffffffff817bf2fe>] ? __mutex_unlock_slowpath+0xce/0x180
[ 78.480037] [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff810e5d5c>] lock_release+0xac/0x310
[ 78.480037] [<ffffffff817bf2b3>] __mutex_unlock_slowpath+0x83/0x180
[ 78.480037] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff81376c91>] p_stop+0x51/0x90
[ 78.480037] [<ffffffff81211408>] seq_read+0x288/0x3d0
[ 78.480037] [<ffffffff811e9d9e>] vfs_read+0x9e/0x170
[ 78.480037] [<ffffffff811ea8cc>] SyS_read+0x4c/0xa0
[ 78.480037] [<ffffffff817ccc9d>] system_call_fastpath+0x1a/0x1f

Requires:
  user of policy namespaces
  root process within an alternate policy namespace reading the /sys/kernel/security/apparmor/profiles file
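
For triage across a fleet, the lockdep report above can be parsed to recover the task, the lock class, and the first real caller behind the unbalanced unlock. The following is an added example, not part of the original report or of the kernel; the function name `parse_unlock_imbalance`, the `INFRA` frame list and the abridged sample are assumptions of this example.

```python
import re

# Constructed sample: lines copied (abridged) from the lockdep trace in this report.
SAMPLE = """\
[ 78.479744] [ BUG: bad unlock balance detected! ]
[ 78.479792] 3.11.0-11-generic #17 Not tainted
[ 78.479885] grep/2223 is trying to release lock (&ns->lock) at:
[ 78.479952] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[ 78.480037] 1 lock held by grep/2223:
[ 78.480037] #0: (&p->lock){+.+.+.}, at: [<ffffffff812111bd>] seq_read+0x3d/0x3d0
[ 78.480037] Call Trace:
[ 78.480037] [<ffffffff817bf3be>] ? mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff817b97ef>] dump_stack+0x54/0x74
[ 78.480037] [<ffffffff810e1c6e>] print_unlock_imbalance_bug+0xee/0x100
[ 78.480037] [<ffffffff817bf2b3>] __mutex_unlock_slowpath+0x83/0x180
[ 78.480037] [<ffffffff817bf3be>] mutex_unlock+0xe/0x10
[ 78.480037] [<ffffffff81376c91>] p_stop+0x51/0x90
[ 78.480037] [<ffffffff81211408>] seq_read+0x288/0x3d0
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
REL = re.compile(r"(\S+)/(\d+) is trying to release lock \((.+?)\) at:")
HELD = re.compile(r"#\d+:\s+\((.+?)\)")
FRAME = re.compile(r"\[<[0-9a-f]+>\]\s+(\?\s+)?([\w.]+)\+0x")
# Stack dumper, lockdep and mutex internals: never the real caller.
INFRA = re.compile(r"(dump_stack|print_unlock_imbalance_bug|lock_release\w*|_*mutex_unlock\w*)$")

def parse_unlock_imbalance(log):
    """Return one dict per 'bad unlock balance' report found in the log text."""
    lines = [TS.sub("", l) for l in log.splitlines()]
    reports, cur, in_trace = [], None, False
    for i, line in enumerate(lines):
        if "BUG: bad unlock balance detected!" in line:
            cur = {"kernel": "".join(lines[i + 1:i + 2]).strip(), "held": [], "releaser": None}
            reports.append(cur)
            in_trace = False
        elif cur is None:
            continue
        elif (m := REL.search(line)):
            cur.update(comm=m.group(1), pid=int(m.group(2)), lock=m.group(3))
        elif (m := HELD.match(line.strip())):
            cur["held"].append(m.group(1))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and cur["releaser"] is None and (m := FRAME.search(line)):
            # '?' marks an unverified stack entry; skip those and the internals.
            if not m.group(1) and not INFRA.match(m.group(2)):
                cur["releaser"] = m.group(2)
    return reports
```

On the sample, the released lock class `&ns->lock` is absent from the held list and the releaser resolves to `p_stop`, matching the report.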

Changed in linux (Ubuntu):
status: New → In Progress
summary: - apparmor bad lock balance in during policy introspection
+ apparmor bad lock balance during policy introspection
Andy Whitcroft (apw)
Changed in linux (Ubuntu Saucy):
importance: Undecided → High
status: In Progress → Fix Committed
Changed in linux-grouper (Ubuntu Saucy):
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → John Johansen (jjohansen)
Changed in linux-maguro (Ubuntu Saucy):
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → John Johansen (jjohansen)
Changed in linux-mako (Ubuntu Saucy):
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → John Johansen (jjohansen)
Changed in linux-manta (Ubuntu Saucy):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → High
status: New → Fix Committed
Andy Whitcroft (apw)
Changed in linux-goldfish (Ubuntu Saucy):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → High
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-goldfish - 3.4.0-1.7

---------------
linux-goldfish (3.4.0-1.7) saucy; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: apparmor: fix memleak of the profile hash
    - LP: #1235523
  * SAUCE: apparmor: fix memleak of replacedby struct
    - LP: #1235973
  * SAUCE: apparmor: fix bad lock balance when introspecting policy
    - LP: #1235977

  [ Tim Gardner ]

  * [Config] Use gcc-4.6 for armhf
    - LP: #1236444
 -- Andy Whitcroft <email address hidden> Tue, 08 Oct 2013 11:06:06 +0100

Changed in linux-goldfish (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-12.18

---------------
linux (3.11.0-12.18) saucy; urgency=low

  [ Andy Whitcroft ]

  * [Packing] tools -- when tools are off they are off
  * [config] tools -- linux-tools-common really is common
  * [Packaging] tools -- make cpupower optional
  * [Packaging] tools -- fix crosscompilation
  * [config] tools -- enable cpupower
  * SAUCE: storvsc -- host takes MAINTENANCE_IN commands badly elide them
    - LP: #1234417

  [ John Johansen ]

  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: apparmor: fix memleak of the profile hash
    - LP: #1235523
  * SAUCE: apparmor: fix memleak of replacedby struct
    - LP: #1235973
  * SAUCE: apparmor: fix bad lock balance when introspecting policy
    - LP: #1235977

  [ Paolo Pisati ]

  * [Config] arm: VIRTIO_[BLK|NET|MMIO]=y

  [ Rob Herring ]

  * SAUCE: (no-up) net: calxedaxgmac: fix clearing of old filter addresses
    - LP: #1235272
  * SAUCE: (no-up) net: calxedaxgmac: add uc and mc filter addresses in
    promiscuous mode
    - LP: #1235272
  * SAUCE: (no-up) net: calxedaxgmac: determine number of address filters
    at runtime
    - LP: #1235272

  [ Tim Gardner ]

  * [Config] CONFIG_ANDROID=n
    - LP: #1235161
  * [Config] CONFIG_L2TP_V3=y
    - LP: #1235914
  * Release tracker
    - LP: #1236999

  [ Upstream Kernel Changes ]

  * Revert "HID: core: fix reporting of raw events"
    - LP: #1218004
 -- Andy Whitcroft <email address hidden> Fri, 04 Oct 2013 13:08:59 +0100

Changed in linux (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-grouper - 3.1.10-6.25

---------------
linux-grouper (3.1.10-6.25) saucy; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: apparmor: fix memleak of the profile hash
    - LP: #1235523
  * SAUCE: apparmor: fix memleak of replacedby struct
    - LP: #1235973
  * SAUCE: apparmor: fix bad lock balance when introspecting policy
    - LP: #1235977
 -- Andy Whitcroft <email address hidden> Mon, 07 Oct 2013 16:50:39 +0100

Changed in linux-grouper (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-maguro - 3.0.0-3.18

---------------
linux-maguro (3.0.0-3.18) saucy; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: apparmor: fix memleak of the profile hash
    - LP: #1235523
  * SAUCE: apparmor: fix memleak of replacedby struct
    - LP: #1235973
  * SAUCE: apparmor: fix bad lock balance when introspecting policy
    - LP: #1235977
 -- Andy Whitcroft <email address hidden> Mon, 07 Oct 2013 17:16:14 +0100

Changed in linux-maguro (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-mako - 3.4.0-3.21

---------------
linux-mako (3.4.0-3.21) saucy; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: apparmor: fix memleak of the profile hash
    - LP: #1235523
  * SAUCE: apparmor: fix memleak of replacedby struct
    - LP: #1235973
  * SAUCE: apparmor: fix bad lock balance when introspecting policy
    - LP: #1235977

  [ Scott James Remnant ]

  * SAUCE: (no-up) trace: add trace events for open(), exec() and uselib()
    - LP: #1194127
 -- Andy Whitcroft <email address hidden> Mon, 07 Oct 2013 18:17:50 +0100

Changed in linux-mako (Ubuntu Saucy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-manta - 3.4.0-4.19

---------------
linux-manta (3.4.0-4.19) saucy; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix unix domain sockets to be mediated on connection
    - LP: #1208988
  * SAUCE: apparmor: allocate path lookup buffers during init
    - LP: #1208988
  * SAUCE: apparmor: fix memleak of the profile hash
    - LP: #1235523
  * SAUCE: apparmor: fix memleak of replacedby struct
    - LP: #1235973
  * SAUCE: apparmor: fix bad lock balance when introspecting policy
    - LP: #1235977

  [ Scott James Remnant ]

  * SAUCE: (no-up) trace: add trace events for open(), exec() and uselib()
    - LP: #1194127
 -- Andy Whitcroft <email address hidden> Mon, 07 Oct 2013 18:23:03 +0100

Changed in linux-manta (Ubuntu Saucy):
status: Fix Committed → Fix Released