diff options
| author | Miklos Szeredi <mszeredi@suse.cz> | 2012-01-03 14:23:09 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-01-12 00:25:10 -0500 |
| commit | 16938bb22f1b01d8c3bb93d28aaeb6a67d433559 (patch) | |
| tree | bf49e1944f19e7852078109aacc56570810fd7bc | |
| parent | 2196821a0b3c0829e7b44638225a7072975428a6 (diff) | |
| download | audit-16938bb22f1b01d8c3bb93d28aaeb6a67d433559.tar.gz | |
audit: fix mark refcounting
Removing the parent of a watched file results in "kernel BUG at
fs/notify/mark.c:139".
To reproduce
add "-w /tmp/audit/dir/watched_file" to audit.rules
rm -rf /tmp/audit/dir
This is caused by fsnotify_destroy_mark() being called without an
extra reference taken by the caller.
Reported by Francesco Cosoleto here:
https://bugzilla.novell.com/show_bug.cgi?id=689860
This is not actually a real bug in the logic, but it does hit a BUG().
Even though the mark is not pinned by a reference after the destroy, it
will not get freed because it is held by the srcu mark lock. The real
'fix' would be to take a reference under the srcu lock every time a mark
is found, but this is an expensive operation. Instead just get the
mark in the odd places, like here, where a mark might get destroyed with
the only thing keeping it from being freed being the srcu lock.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
CC: Al Viro <viro@zeniv.linux.org.uk>
CC: Eric Paris <eparis@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Eric Paris <eparis@redhat.com>
| -rw-r--r-- | kernel/audit_watch.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index e683869365d9bd..4270d84cf4d704 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -349,7 +349,9 @@ static void audit_remove_parent_watches(struct audit_parent *parent) } mutex_unlock(&audit_filter_mutex); + audit_get_parent(parent); fsnotify_destroy_mark(&parent->mark); + audit_put_parent(parent); } /* Get path information necessary for adding watches. */ |