
From: Eric Paris <eparis@redhat.com>
Date: Mon, 16 Jun 2008 14:47:45 -0400
Subject: [audit] deadlock under load and auditd takes a signal
Message-id: 1213642065.3029.68.camel@localhost.localdomain
O-Subject: [PATCH RHEL5.3 BZ429941] Audit: deadlock under load and auditd takes a signal
Bugzilla: 429941
RH-Acked-by: James Morris <jmorris@redhat.com>
RH-Acked-by: Alexander Viro <aviro@redhat.com>

BZ 429941

A deadlock is possible between kauditd and auditd under load if auditd
receives a signal.  When auditd receives a signal it sends a netlink
message to the kernel asking for information about the sender of the
signal.  In that same context the audit system will attempt to send a
netlink message back to the userspace auditd.  If kauditd has already
filled the socket buffer (see netlink_attachskb()) auditd will now put
itself to sleep waiting for room to send the message.  Since auditd is
responsible for draining that socket, we have a deadlock.  The fix, since
the response from the kernel does not need to be synchronous, is to send
the signal information back to auditd in a separate thread, so that
auditd can continue to drain the audit queue normally.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/kernel/audit.c b/kernel/audit.c
index bd4c730..666cc3f 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -153,6 +153,11 @@ struct audit_buffer {
 	gfp_t		     gfp_mask;
 };
 
+struct audit_reply {
+	pid_t pid;
+	struct sk_buff *skb;
+};
+
 static void audit_set_pid(struct audit_buffer *ab, pid_t pid)
 {
 	struct nlmsghdr *nlh = (struct nlmsghdr *)ab->skb->data;
@@ -508,6 +513,19 @@ nlmsg_failure:			/* Used by NLMSG_PUT */
 	return NULL;
 }
 
+static int audit_send_reply_thread(void *arg)
+{
+	struct audit_reply *reply = (struct audit_reply *)arg;
+
+	mutex_lock(&audit_cmd_mutex);
+	mutex_unlock(&audit_cmd_mutex);
+
+	/* Ignore failure. It'll only happen if the sender goes away,
+	   because our timeout is set to infinite. */
+	netlink_unicast(audit_sock, reply->skb, reply->pid, 0);
+	kfree(reply);
+	return 0;
+}
 /**
  * audit_send_reply - send an audit reply message via netlink
  * @pid: process id to send reply to
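Review bot: The back-to-back `mutex_lock(&audit_cmd_mutex); mutex_unlock(&audit_cmd_mutex);` at the top of `audit_send_reply_thread` carries no comment saying what it is for, and a reader will take it for a leftover. It presumably waits for the command handler that queued this reply (which I infer holds audit_cmd_mutex; nothing in the hunk shows it) to finish before the reply is pushed to auditd, so I'd add `/* Wait for the command that queued this reply to drop audit_cmd_mutex before delivering it. */` above the pair. The `netlink_unicast` below then blocks with no timeout, so if auditd never drains its socket each undelivered reply keeps a kernel thread parked until auditd drains it or goes away; that is the same stall the change is working around, moved off the auditd path, and deserves a sentence in the existing comment. A blank line is also missing between the closing brace and the `/**` doc block of audit_send_reply that follows.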
@@ -524,14 +542,26 @@ nlmsg_failure:			/* Used by NLMSG_PUT */
 void audit_send_reply(int pid, int seq, int type, int done, int multi,
 		      void *payload, int size)
 {
-	struct sk_buff	*skb;
+	struct sk_buff *skb;
+	struct task_struct *tsk;
+	struct audit_reply *reply = kmalloc(sizeof(struct audit_reply),
+					    GFP_KERNEL);
+
+	if (!reply)
+		return;
+
 	skb = audit_make_reply(pid, seq, type, done, multi, payload, size);
 	if (!skb)
 		return;
-	/* Ignore failure. It'll only happen if the sender goes away,
-	   because our timeout is set to infinite. */
-	netlink_unicast(audit_sock, skb, pid, 0);
-	return;
+
+	reply->pid = pid;
+	reply->skb = skb;
+
+	tsk = kthread_run(audit_send_reply_thread, reply, "audit_send_reply");
+	if (IS_ERR(tsk)) {
+		kfree(reply);
+		kfree_skb(skb);
+	}
 }
 
 /*
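Review bot: On the new side, the `if (!skb) return;` after `audit_make_reply()` leaks `reply`, which is kmalloc'd at the top of the function before the skb is built; change it to `if (!skb) { kfree(reply); return; }`, or move the allocation after `audit_make_reply()` succeeds so the failure path has nothing to free. Separately, audit_send_reply now returns before the message is delivered, so a caller that issues a sequence of `multi` replies gets one kthread per message, all parked on the same audit_cmd_mutex and released together; whether auditd can still rely on their arrival order is not visible here and should be checked against those callers. A one-line comment on the `kthread_run` line, such as `/* Deliver asynchronously so this context never blocks on a full auditd socket. */`, would record why the indirection exists.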