Commit 0fe33aae0e94b4097dd433c9399e16e17d638cd8
1 parent
ddf343f635
Exists in
smarc-l5.0.0_1.0.0-ga
and in
5 other branches
audit: don't free_chunk() after fsnotify_add_mark()
Don't do free_chunk() after fsnotify_add_mark(). That one does a delayed unref via the destroy list and this results in use-after-free. Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: Eric Paris <eparis@redhat.com> CC: stable@vger.kernel.org
Showing 1 changed file with 3 additions and 3 deletions Side-by-side Diff
kernel/audit_tree.c
| ... | ... | @@ -259,7 +259,7 @@ |
| 259 | 259 | |
| 260 | 260 | fsnotify_duplicate_mark(&new->mark, entry); |
| 261 | 261 | if (fsnotify_add_mark(&new->mark, new->mark.group, new->mark.i.inode, NULL, 1)) { |
| 262 | - free_chunk(new); | |
| 262 | + fsnotify_put_mark(&new->mark); | |
| 263 | 263 | goto Fallback; |
| 264 | 264 | } |
| 265 | 265 | |
| ... | ... | @@ -322,7 +322,7 @@ |
| 322 | 322 | |
| 323 | 323 | entry = &chunk->mark; |
| 324 | 324 | if (fsnotify_add_mark(entry, audit_tree_group, inode, NULL, 0)) { |
| 325 | - free_chunk(chunk); | |
| 325 | + fsnotify_put_mark(entry); | |
| 326 | 326 | return -ENOSPC; |
| 327 | 327 | } |
| 328 | 328 | |
| ... | ... | @@ -396,7 +396,7 @@ |
| 396 | 396 | fsnotify_duplicate_mark(chunk_entry, old_entry); |
| 397 | 397 | if (fsnotify_add_mark(chunk_entry, chunk_entry->group, chunk_entry->i.inode, NULL, 1)) { |
| 398 | 398 | spin_unlock(&old_entry->lock); |
| 399 | - free_chunk(chunk); | |
| 399 | + fsnotify_put_mark(chunk_entry); | |
| 400 | 400 | fsnotify_put_mark(old_entry); |
| 401 | 401 | return -ENOSPC; |
| 402 | 402 | } |