security/integrity/ima/ima_crypto.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
ima_calc_file_hash_atfm() and ima_calc_file_hash_tfm() compute a hash
over the entire file contents without checking for pending fatal
signals. When a very large file is being hashed during mmap (via
ima_file_mmap), the computation can take an extended period. If a
coredump is initiated by another thread in the same thread group during
this time, the dumper thread waits in coredump_wait() for all other
threads to exit. However, the hashing thread cannot exit until the hash
loop completes, resulting in a hung task.
Add fatal_signal_pending() checks to both the ahash and shash file
hashing loops so that the computation is aborted promptly when SIGKILL
is received.
Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider")
Reported-by: syzbot+6ed94e81a1492fe1d512@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6ed94e81a1492fe1d512
Tested-by: syzbot+6ed94e81a1492fe1d512@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
security/integrity/ima/ima_crypto.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index aff61643415d..7b721b9c944f 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -17,6 +17,7 @@
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <linux/err.h>
+#include <linux/sched/signal.h>
#include <linux/slab.h>
#include <crypto/hash.h>
@@ -416,6 +417,12 @@ static int ima_calc_file_hash_atfm(struct file *file,
if (rbuf[1])
active = !active; /* swap buffers, if we use two */
+
+ if (fatal_signal_pending(current)) {
+ ahash_wait(ahash_rc, &wait);
+ rc = -EINTR;
+ goto out3;
+ }
}
/* wait for the last update request to complete */
rc = ahash_wait(ahash_rc, &wait);
@@ -491,6 +498,10 @@ static int ima_calc_file_hash_tfm(struct file *file,
rc = crypto_shash_update(shash, rbuf, rbuf_len);
if (rc)
break;
+ if (fatal_signal_pending(current)) {
+ rc = -EINTR;
+ break;
+ }
}
kfree(rbuf);
out:
--
2.52.0On Sun, Mar 22, 2026 at 08:10:19PM +0900, Shigeru Yoshida wrote:
> ima_calc_file_hash_atfm() and ima_calc_file_hash_tfm() compute a hash
> over the entire file contents without checking for pending fatal
> signals. When a very large file is being hashed during mmap (via
> ima_file_mmap), the computation can take an extended period. If a
> coredump is initiated by another thread in the same thread group during
> this time, the dumper thread waits in coredump_wait() for all other
> threads to exit. However, the hashing thread cannot exit until the hash
> loop completes, resulting in a hung task.
>
> Add fatal_signal_pending() checks to both the ahash and shash file
> hashing loops so that the computation is aborted promptly when SIGKILL
> is received.
>
> Fixes: 3323eec921ef ("integrity: IMA as an integrity service provider")
> Reported-by: syzbot+6ed94e81a1492fe1d512@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=6ed94e81a1492fe1d512
> Tested-by: syzbot+6ed94e81a1492fe1d512@syzkaller.appspotmail.com
> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
> ---
> security/integrity/ima/ima_crypto.c | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
> index aff61643415d..7b721b9c944f 100644
> --- a/security/integrity/ima/ima_crypto.c
> +++ b/security/integrity/ima/ima_crypto.c
> @@ -17,6 +17,7 @@
> #include <linux/crypto.h>
> #include <linux/scatterlist.h>
> #include <linux/err.h>
> +#include <linux/sched/signal.h>
> #include <linux/slab.h>
> #include <crypto/hash.h>
>
> @@ -416,6 +417,12 @@ static int ima_calc_file_hash_atfm(struct file *file,
>
> if (rbuf[1])
> active = !active; /* swap buffers, if we use two */
> +
> + if (fatal_signal_pending(current)) {
> + ahash_wait(ahash_rc, &wait);
> + rc = -EINTR;
> + goto out3;
> + }
I think you'll need to rebase onto
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/log/?h=next-integrity
since there is a patch queued up that removes ima_calc_file_hash_atfm().
So only ima_calc_file_hash_tfm() will need to be updated.
- Eric
© 2016 - 2026 Red Hat, Inc.