diff options
author | Eric Paris <eparis@redhat.com> | 2009-01-13 17:32:40 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2009-04-05 13:48:26 -0400 |
commit | 318b6d3d7ddbcad3d6867e630711b8a705d873d7 (patch) | |
tree | bdf1d75e26b1dc5ea4db67c6061f444c26eb9799 | |
parent | 6d208da89aabee8502debe842832ca0ab298d16d (diff) | |
download | lwn-318b6d3d7ddbcad3d6867e630711b8a705d873d7.tar.gz lwn-318b6d3d7ddbcad3d6867e630711b8a705d873d7.zip |
audit: incorrect ref counting in audit tree tag_chunk
tag_chunk has bad exit paths in which the inotify ref counting is wrong.
At the top of the function we found &old_watch using inotify_find_watch().
inotify_find_watch takes a reference to the watch. This is never dropped
on an error path.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | kernel/audit_tree.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 8ad9545b8db9..917ab9525568 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c @@ -385,6 +385,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) mutex_lock(&inode->inotify_mutex); if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) { mutex_unlock(&inode->inotify_mutex); + put_inotify_watch(&old->watch); free_chunk(chunk); return -ENOSPC; } @@ -394,6 +395,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) chunk->dead = 1; inotify_evict_watch(&chunk->watch); mutex_unlock(&inode->inotify_mutex); + put_inotify_watch(&old->watch); put_inotify_watch(&chunk->watch); return 0; } |