Hi Ondrej,

I may be wrong as well w.r.t to centos83/rhel83. Can you please confirm us if the image  

4.18.0-240.22.1.el8_3.x86_64  (rhel83/centos83) 
4.18.0-305.el8.x86_64 (rhel84/centos84)  

contains the above mentioned patches?

Thanks a lot again.


On Fri, Jul 23, 2021 at 11:34 AM Sujithra P <sujithrap@gmail.com> wrote:
Thank you very much Ondrej!!!  

Just to summarize: 

This issued should not observed in kernel versions >= 5.6 ?
We are seeing this issue not just in oracle84 but on centos83/rhel83 as well. I have list bellow all the OS&kernel versions in which we are observing this issue.

# uname  -r
4.18.0-305.el8.x86_64
# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"

# uname -r
4.18.0-240.22.1.el8_3.x86_64
cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.3 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.3"

# uname -r
4.18.0-147.5.1.el8_1.x86_64
# cat /etc/os-release
NAME="Red Hat Enterprise Linux"
VERSION="8.1 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.1"

#uname -r
4.18.0-147.8.1.el8_1.x86_64
cat /etc/os-release
NAME="CentOS Linux"
VERSION="8 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"

#uname -r
4.18.0-240.22.1.el8_3.x86_64
# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"

#uname -r
4.18.0-305.3.1.el8.x86_64
# cat /etc/os-release
NAME="CentOS Linux"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"


Kindly let us know. Thanks.

On Fri, Jul 23, 2021 at 5:28 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
On Fri, Jul 23, 2021 at 10:52 AM Sujithra P <sujithrap@gmail.com> wrote:
> Thanks Ondrej.  Sorry about that, please find the details below.
>
> On Fri, Jul 23, 2021 at 1:31 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > On Thu, Jul 22, 2021 at 9:25 PM Sujithra P <sujithrap@gmail.com> wrote:
> > > Thanks Ondrej.
> > >
> > > Kernel version:  Linux #2 SMP Fri Apr 23 09:05:57 PDT 2021 x86_64
> > > x86_64 x86_64 GNU/Linux
> >
> > Somehow that string doesn't contain the actual version :) uname -r
> > should return the right version string (something like
> > "4.18.0-305.el8.x86_64").
>
> uname -r
> 5.4.17-2102.201.3.el8uek.x86_64

Ah, so this was actually a crucial bit of information. When I
installed this kernel from Oracle, I was able to reproduce the bug
using my artificial reproducer. I also reproduced it on plain 5.4.17
upstream kernel, so it's not related to Oracle's modifications.

The bug was indeed caused by the race condition I found, but in
kernels before 5.6 the code used to be a little different and lead to
the bug you are seeing. After commit 66f8e2f03c02 ("selinux: sidtab
reverse lookup hash table"), the race condition was still there, but
it wasn't able to cause the bug any more (or it became extremely
unlikely, at least).

So to avoid the bug you need to either switch to a kernel that
includes the aforementioned commit (hint: stock RHEL/CentOS kernels in
version 8.3 and above already have that commit backported) or get
Oracle to either backport the commit (+ any relevant follow ups) or
fix the race condition. I will submit a patch to fix the race
condition upstream so if you decide to report this problem to Oracle I
can provide you a link to the patch once I post it (it may take a
couple of days/weeks before I get it ready).

Hope this helps,

--
Ondrej Mosnacek
Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.