tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

crash_dump: fix dm_crypt keys locking and ref leak

crash_load_dm_crypt_keys() reads dm-crypt volume keys from the user
keyring. It uses user_key_payload_locked() without holding key->sem,
which makes lockdep complain when kexec_file_load() assembles the crash
image:

=============================
WARNING: suspicious RCU usage
-----------------------------
./include/keys/user-type.h:53 suspicious rcu_dereference_protected() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
no locks held by kexec/4875.

stack backtrace:
Call Trace:
<TASK>
dump_stack_lvl+0x5d/0x80
lockdep_rcu_suspicious.cold+0x4e/0x96
crash_load_dm_crypt_keys+0x314/0x390
bzImage64_load+0x116/0x9a0
? __lock_acquire+0x464/0x1ba0
__do_sys_kexec_file_load+0x26a/0x4f0
do_syscall_64+0xbd/0x430
entry_SYSCALL_64_after_hwframe+0x77/0x7f

In addition, the key returned by request_key() is never key_put()'d,
leaking a key reference on each load attempt.

Take key->sem while copying the payload and drop the key reference
afterwards.

Link: https://lkml.kernel.org/r/patch.git-2d4d76083a5c.your-ad-here.call-01769426386-ext-2560@work.hours
Fixes: 479e58549b0f ("crash_dump: store dm crypt keys in kdump reserved memory")
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: Coiby Xu <coxu@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

authored by

Vasily Gorbik and committed by
Andrew Morton 96a54b8f b50634c5

+13 -4
+13 -4
kernel/crash_dump_dm_crypt.c
··· 143 143 { 144 144 const struct user_key_payload *ukp; 145 145 struct key *key; 146 + int ret = 0; 146 147 147 148 kexec_dprintk("Requesting logon key %s", dm_key->key_desc); 148 149 key = request_key(&key_type_logon, dm_key->key_desc, NULL); ··· 153 152 return PTR_ERR(key); 154 153 } 155 154 155 + down_read(&key->sem); 156 156 ukp = user_key_payload_locked(key); 157 - if (!ukp) 158 - return -EKEYREVOKED; 157 + if (!ukp) { 158 + ret = -EKEYREVOKED; 159 + goto out; 160 + } 159 161 160 162 if (ukp->datalen > KEY_SIZE_MAX) { 161 163 pr_err("Key size %u exceeds maximum (%u)\n", ukp->datalen, KEY_SIZE_MAX); 162 - return -EINVAL; 164 + ret = -EINVAL; 165 + goto out; 163 166 } 164 167 165 168 memcpy(dm_key->data, ukp->data, ukp->datalen); 166 169 dm_key->key_size = ukp->datalen; 167 170 kexec_dprintk("Get dm crypt key (size=%u) %s: %8ph\n", dm_key->key_size, 168 171 dm_key->key_desc, dm_key->data); 169 - return 0; 172 + 173 + out: 174 + up_read(&key->sem); 175 + key_put(key); 176 + return ret; 170 177 } 171 178 172 179 struct config_key {