UBUNTU: SAUCE: apparmor4.0.0 [69/99]: apparmor: fix oops when racing to retrieve notification

jrjohansen · tjaalton · commit 27b6fb18ae41 · 2024-09-09T13:32:14.000+03:00
BugLink: https://bugs.launchpad.net/bugs/2028253 BugLink: http://bugs.launchpad.net/bugs/2028253 When there is a race to receive a notification, the failing tasks oopes when erroring [ 196.140993] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 196.140993] #PF: supervisor read access in kernel mode [ 196.140993] #PF: error_code(0x0000) - not-present page [ 196.140993] PGD 0 P4D 0 [ 196.140993] Oops: 0000 [93] PREEMPT SMP NOPTI [ 196.141093] CPU: 0 PID: 2316 Comm: aa-prompt Not tainted 6.5.0-9-generic #9-Ubuntu [ 196.141093] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 [ 196.141093] RIP: 0010:aa_listener_unotif_recv+0x11d/0x260 [ 196.141093] Code: ff ff ff 8b 55 d0 48 8b 75 c8 4c 89 ef e8 6b db ff ff 49 89 c2 48 85 c0 0f 88 c0 00 00 00 0f 84 25 ff ff ff 8b 05 3b 1c 1f 03 <49> 8b 55 00 83 e0 20 83 7a 08 07 74 66 85 c0 0f 85 01 01 00 00 48 [ 196.141093] RSP: 0018:ffffa2674075fdd8 EFLAGS: 00010246 [ 196.141093] RAX: 0000000000000000 RBX: ffff974507a08404 RCX: 0000000000000000 [ 196.141093] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 196.141093] RBP: ffffa2674075fe10 R08: 0000000000000000 R09: 0000000000000000 [ 196.141093] R10: fffffffffffffffe R11: 0000000000000000 R12: ffff974507a08400 [ 196.141093] R13: 0000000000000000 R14: ffff974507a08430 R15: ffff97451de00a00 [ 196.141093] FS: 00007f4ab6b30740(0000) GS:ffff97486fa00000(0000) knlGS:0000000000000000 [ 196.141093] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 196.141093] CR2: 0000000000000000 CR3: 0000000104cf2003 CR4: 0000000000770ef0 [ 196.141093] PKRU: 55555554 [ 196.141093] Call Trace: [ 196.141093] <TASK> [ 196.141093] ? show_regs+0x6d/0x80 [ 196.141093] ? __die+0x24/0x80 [ 196.141093] ? page_fault_oops+0x99/0x1b0 [ 196.141093] ? do_user_addr_fault+0x316/0x6b0 [ 196.141093] ? filemap_map_pages+0x2b3/0x460 [ 196.141093] ? exc_page_fault+0x83/0x1b0 [ 196.141093] ? asm_exc_page_fault+0x27/0x30 [ 196.141093] ? aa_listener_unotif_recv+0x11d/0x260 [ 196.141093] ? aa_listener_unotif_recv+0x184/0x260 [ 196.141093] listener_ioctl+0x1e1/0x260 [ 196.141093] __x64_sys_ioctl+0xa0/0xf0 [ 196.141093] do_syscall_64+0x59/0x90 [ 196.141093] ? do_user_addr_fault+0x238/0x6b0 [ 196.141093] ? exit_to_user_mode_prepare+0x30/0xb0 [ 196.141193] ? irqentry_exit_to_user_mode+0x17/0x20 [ 196.141193] ? irqentry_exit+0x43/0x50 [ 196.141193] ? exc_page_fault+0x94/0x1b0 [ 196.141193] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 196.141193] RIP: 0033:0x7f4ab69238ef [ 196.141193] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00 [ 196.141193] RSP: 002b:00007ffd607a9020 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 196.141193] RAX: ffffffffffffffda RBX: 00007ffd607a9100 RCX: 00007f4ab69238ef [ 196.141193] RDX: 00007ffd607a9100 RSI: 00000000c008f804 RDI: 0000000000000003 [ 196.141193] RBP: 0000000000000003 R08: 0000000000000001 R09: 00007f4ab6b30740 [ 196.141193] R10: 00007f4ab6b7f0a0 R11: 0000000000000246 R12: 00007ffd607a90a0 [ 196.141193] R13: 00007ffd607a90dc R14: 0000559564822c10 R15: 0000000000031000 [ 196.141193] </TASK> [ 196.141193] Modules linked in: snd_seq_dummy snd_hrtimer binfmt_misc nls_iso8859_1 intel_rapl_msr intel_rapl_common snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_hwdep snd_pcm kvm_intel snd_seq_midi snd_seq_midi_event kvm irqbypass crct10dif_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel aesni_intel crypto_simd cryptd rapl joydev snd_rawmidi snd_seq i2c_i801 i2c_smbus snd_seq_device snd_timer qxl snd drm_ttm_helper lpc_ich soundcore ttm 9pnet_virtio 9pnet drm_kms_helper input_leds mac_hid serio_raw nfsd msr parport_pc auth_rpcgss ppdev nfs_acl lockd grace lp parport drm efi_pstore sunrpc dmi_sysfs qemu_fw_cfg ip_tables x_tables autofs4 hid_generic usbhid hid ahci crc32_pclmul psmouse xhci_pci libahci virtio_rng xhci_pci_renesas [ 196.141193] CR2: 0000000000000000 [ 196.141193] ---[ end trace 00000000000000093]--- Fixes: e074176 ("UBUNTU: SAUCE: apparmor4.0.0 [69/99]: prompt - refactor to moving caching to uresponse") Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Tim Gardner <tim.gardner@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> Signed-off-by: Roxana Nicolescu <roxana.nicolescu@canonical.com> Signed-off-by: Timo Aaltonen <timo.aaltonen@canonical.com>
diff --git a/security/apparmor/notify.c b/security/apparmor/notify.c
@@ -1023,8 +1023,7 @@ long aa_listener_unotif_recv(struct aa_listener *listener, void __user *buf,
 	do {
 		knotif = listener_pop_and_hold_knotif(listener);
 		if (!knotif) {
-			ret = -ENOENT;
-			break;
+			return -ENOENT;
 		}
 		AA_DEBUG(DEBUG_UPCALL, "id %lld: removed notif from listener queue",
 			 knotif->id);
