aboutsummaryrefslogtreecommitdiffstats
path: root/security/tomoyo/common.c
diff options
context:
space:
mode:
authorTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>2011-04-02 11:09:26 -0400
committerJames Morris <jmorris@namei.org>2011-04-18 19:37:06 -0400
commit2a086e5d3a23570735f75b784d29b93068070833 (patch)
tree43949632ba2e1c8ed4a8169d64c406d66ce36f23 /security/tomoyo/common.c
parenta3232d2fa2e3cbab3e76d91cdae5890fee8a4034 (diff)
TOMOYO: Fix race on updating profile's comment line.
In tomoyo_write_profile() since 2.6.34, a lock was by error missing when replacing profile's comment line. If multiple threads attempted echo '0-COMMENT=comment' > /sys/kernel/security/tomoyo/profile in parallel, garbage collector will fail to kfree() the old value. Protect the replacement using a lock. Also, keep the old value rather than replace with empty string when out of memory error has occurred. Signed-off-by: Xiaochen Wang <wangxiaochen0@gmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/tomoyo/common.c')
-rw-r--r--security/tomoyo/common.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 7556315c1978..2b7b1a123600 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -459,8 +459,16 @@ static int tomoyo_write_profile(struct tomoyo_io_buffer *head)
459 if (profile == &tomoyo_default_profile) 459 if (profile == &tomoyo_default_profile)
460 return -EINVAL; 460 return -EINVAL;
461 if (!strcmp(data, "COMMENT")) { 461 if (!strcmp(data, "COMMENT")) {
462 const struct tomoyo_path_info *old_comment = profile->comment; 462 static DEFINE_SPINLOCK(lock);
463 profile->comment = tomoyo_get_name(cp); 463 const struct tomoyo_path_info *new_comment
464 = tomoyo_get_name(cp);
465 const struct tomoyo_path_info *old_comment;
466 if (!new_comment)
467 return -ENOMEM;
468 spin_lock(&lock);
469 old_comment = profile->comment;
470 profile->comment = new_comment;
471 spin_unlock(&lock);
464 tomoyo_put_name(old_comment); 472 tomoyo_put_name(old_comment);
465 return 0; 473 return 0;
466 } 474 }