[PATCH] fix deadlocks in AUDIT_LIST/AUDIT_LIST_RULES

We should not send a pile of replies while holding audit_netlink_mutex
since we hold the same mutex when we receive commands.  As the result,
we can get blocked while sending and sit there holding the mutex while
auditctl is unable to send the next command and get around to receiving
what we'd sent.

Solution: create skb and put them into a queue instead of sending;
once we are done, send what we've got on the list.  The former can
be done synchronously while we are handling AUDIT_LIST or AUDIT_LIST_RULES;
we are holding audit_netlink_mutex at that point.  The latter is done
asynchronously and without messing with audit_netlink_mutex.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 45 insertions, 17 deletions

diff --git a/kernel/audit.c b/kernel/audit.c
index df57b493e1cb..bf74bf02aa4b 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -366,6 +366,50 @@ static int kauditd_thread(void *dummy)
         return 0;
 }
 
+int audit_send_list(void *_dest)
+{
+        struct audit_netlink_list *dest = _dest;
+        int pid = dest->pid;
+        struct sk_buff *skb;
+
+        /* wait for parent to finish and send an ACK */
+        mutex_lock(&audit_netlink_mutex);
+        mutex_unlock(&audit_netlink_mutex);
+
+        while ((skb = __skb_dequeue(&dest->q)) != NULL)
+                netlink_unicast(audit_sock, skb, pid, 0);
+
+        kfree(dest);
+
+        return 0;
+}
+
+struct sk_buff *audit_make_reply(int pid, int seq, int type, int done,
+                                 int multi, void *payload, int size)
+{
+        struct sk_buff  *skb;
+        struct nlmsghdr *nlh;
+        int             len = NLMSG_SPACE(size);
+        void            *data;
+        int             flags = multi ? NLM_F_MULTI : 0;
+        int             t     = done  ? NLMSG_DONE  : type;
+
+        skb = alloc_skb(len, GFP_KERNEL);
+        if (!skb)
+                return NULL;
+
+        nlh              = NLMSG_PUT(skb, pid, seq, t, size);
+        nlh->nlmsg_flags = flags;
+        data             = NLMSG_DATA(nlh);
+        memcpy(data, payload, size);
+        return skb;
+
+nlmsg_failure:                  /* Used by NLMSG_PUT */
+        if (skb)
+                kfree_skb(skb);
+        return NULL;
+}
+
 /**
  * audit_send_reply - send an audit reply message via netlink
  * @pid: process id to send reply to
@@ -383,29 +427,13 @@ void audit_send_reply(int pid, int seq, int type, int done, int multi,
                       void *payload, int size)
 {
         struct sk_buff  *skb;
-        struct nlmsghdr *nlh;
-        int             len = NLMSG_SPACE(size);
-        void            *data;
-        int             flags = multi ? NLM_F_MULTI : 0;
-        int             t     = done  ? NLMSG_DONE  : type;
-
-        skb = alloc_skb(len, GFP_KERNEL);
+        skb = audit_make_reply(pid, seq, type, done, multi, payload, size);
         if (!skb)
                 return;
-
-        nlh              = NLMSG_PUT(skb, pid, seq, t, size);
-        nlh->nlmsg_flags = flags;
-        data             = NLMSG_DATA(nlh);
-        memcpy(data, payload, size);
-
         /* Ignore failure. It'll only happen if the sender goes away,
            because our timeout is set to infinite. */
         netlink_unicast(audit_sock, skb, pid, 0);
         return;
-
-nlmsg_failure:                  /* Used by NLMSG_PUT */
-        if (skb)
-                kfree_skb(skb);
 }
 
 /*