unbekannt

Reputation: 1

Why does this kernel_write-call crash?

Whenever I try to write to a file inside the Linux Security Module I am working on, the kernel crashes with the error message below.

I tried using vfs_write instead of kernel_write, tried using a normal character array instead of the buffer I am using now, but it always crashes with a similar error message.

What is the cause of the error message and how can I fix it?

I know that writing to a file inside the kernel is bad, but I need to persistently store information.

Below is a simplified version of the code I am using, which is executed in an LSM_HOOK.

static int bnp_file_permission(struct file *file, int mask)
{
     loff_t offset = 0;
     struct file *filp = NULL;
     char *buffer = NULL;

     filp = filp_open("/var/bnp/access.log", O_WRONLY | O_APPEND, 0);
     if (IS_ERR(filp)) {
        printk(KERN_INFO "BNP: filp_open failed\n");
        return 0;
     }

     buffer = kmalloc(20, GFP_KERNEL);
     if (!buffer) {
        filp_close(filp, NULL);
        return 0;
     }
     memset(buffer, 0x65, 20);

     /* write all 20 bytes; sizeof(buffer) would be the size of the pointer */
     kernel_write(filp, buffer, 20, &offset); // <-- this line causes the crash

     filp_close(filp, NULL);
     kfree(buffer);
     return 0;
}

Detailed crash log:

BUG: stack guard page was hit at 0000000011758623 (stack is 00000000132ba182..0000000012b2f5a4)

Uname:

Linux bnp 4.19.0-9-amd64 #12 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux

Upvotes: 0

Views: 1066

Answers (1)

Tsyvarev

Reputation: 65976

It seems you register your function as a hook for the file_permissions check, which is performed inside the security_file_permission function.

But this function is also executed when you call kernel_write:

So you have a recursion which simply exhausts the stack.

To break the recursion, you need to somehow detect that your hook is called for the /var/bnp/access.log file opened by you, and not open (and write) that file again.

Upvotes: 2
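
The recursion described in the answer and the guard it suggests, as an added example that is not part of the original question or answer: a user-space C model in which `model_kernel_write`, `hook_file_permission`, `simulate`, `STACK_LIMIT` and the sample path are assumptions standing in for the kernel code path. In a real LSM the "is this my own log file" marker would need to be per-task state or an inode comparison; the global pointer is only adequate in this single-threaded model.

```c
/* User-space model, constructed for illustration; every function is a stand-in. */
#include <stddef.h>
#define STACK_LIMIT 64            /* stand-in for the finite kernel stack */

struct file { const char *path; };
struct result { int max_depth, overflowed, log_writes; };

static struct file *own_log;      /* the log file the hook itself has open */
static int use_guard, depth;
static struct result res;
static int hook_file_permission(struct file *file, int mask);

/* Models kernel_write(): the permission hook runs before the data is written. */
static int model_kernel_write(struct file *file)
{
    if (depth == STACK_LIMIT) {   /* the real kernel hits the stack guard page */
        res.overflowed = 1;
        return -1;
    }
    if (++depth > res.max_depth)
        res.max_depth = depth;
    hook_file_permission(file, 2 /* MAY_WRITE */);
    res.log_writes++;
    depth--;
    return 0;
}

/* Models the LSM hook from the question, plus the check the answer asks for. */
static int hook_file_permission(struct file *file, int mask)
{
    struct file log = { "/var/bnp/access.log" };   /* models filp_open() */
    (void)mask;
    if (use_guard && file == own_log)
        return 0;                 /* triggered by our own write: do not log again */
    own_log = &log;               /* a global is enough in this single-threaded model */
    model_kernel_write(&log);
    own_log = NULL;               /* models filp_close() */
    return 0;
}

/* One access to an unrelated file, with or without the guard. */
struct result simulate(int guard)
{
    struct file user = { "/home/user/notes.txt" };  /* constructed sample path */
    use_guard = guard;
    depth = 0; own_log = NULL;
    res = (struct result){ 0, 0, 0 };
    hook_file_permission(&user, 4 /* MAY_READ */);
    return res;
}
```

Without the guard every log write re-enters the hook until the depth limit is reached; with it, one file access produces exactly one log write.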
