Affected kernels 2.6.36 - 3.0
AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk->group_leader);
held when called from security_task_setrlimit. This will only occur when the
task's current policy has been replaced, and the task's creds have not been
updated before entering the LSM security_task_setrlimit() hook.
BUG: sleeping function called from invalid context at mm/slub.c:847
in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd
2 locks held by cupsd/1583:
#0: (tasklist_lock){.+.+.+}, at: [<
ffffffff8104dafa>] do_prlimit+0x61/0x189
#1: (&(&p->alloc_lock)->rlock){+.+.+.}, at: [<
ffffffff8104db2d>]
do_prlimit+0x94/0x189
Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7
Call Trace:
[<
ffffffff8102ebf2>] __might_sleep+0x10d/0x112
[<
ffffffff810e6f46>] slab_pre_alloc_hook.isra.49+0x2d/0x33
[<
ffffffff810e7bc4>] kmem_cache_alloc+0x22/0x132
[<
ffffffff8105b6e6>] prepare_creds+0x35/0xe4
[<
ffffffff811c0675>] aa_replace_current_profile+0x35/0xb2
[<
ffffffff811c4d2d>] aa_current_profile+0x45/0x4c
[<
ffffffff811c4d4d>] apparmor_task_setrlimit+0x19/0x3a
[<
ffffffff811beaa5>] security_task_setrlimit+0x11/0x13
[<
ffffffff8104db6b>] do_prlimit+0xd2/0x189
[<
ffffffff8104dea9>] sys_setrlimit+0x3b/0x48
[<
ffffffff814062bb>] system_call_fastpath+0x16/0x1b
Signed-off-by: John Johansen <john.johansen@canonical.com>
Reported-by: Miles Lane <miles.lane@gmail.com>
Cc: stable@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>