Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit

Pull audit fixes from Paul Moore:
 "Two small patches to fix some bugs with the audit-by-executable
  functionality we introduced back in v4.3 (both patches are marked
  for the stable folks)"

* 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit:
  audit: fix exe_file access in audit_exe_compare
  mm: introduce get_task_exe_file

4 files changed, 30 insertions, 9 deletions

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 54e270262979..ac0df4dde823 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1556,18 +1556,13 @@ static const struct file_operations proc_pid_set_comm_operations = {
 static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
 {
         struct task_struct *task;
-        struct mm_struct *mm;
         struct file *exe_file;
 
         task = get_proc_task(d_inode(dentry));
         if (!task)
                 return -ENOENT;
-        mm = get_task_mm(task);
+        exe_file = get_task_exe_file(task);
         put_task_struct(task);
-        if (!mm)
-                return -ENOENT;
-        exe_file = get_mm_exe_file(mm);
-        mmput(mm);
         if (exe_file) {
                 *exe_path = exe_file->f_path;
                 path_get(&exe_file->f_path);
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 08ed53eeedd5..ef815b9cd426 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2014,6 +2014,7 @@ extern void mm_drop_all_locks(struct mm_struct *mm);
 
 extern void set_mm_exe_file(struct mm_struct *mm, struct file *new_exe_file);
 extern struct file *get_mm_exe_file(struct mm_struct *mm);
+extern struct file *get_task_exe_file(struct task_struct *task);
 
 extern bool may_expand_vm(struct mm_struct *, vm_flags_t, unsigned long npages);
 extern void vm_stat_account(struct mm_struct *, vm_flags_t, long npages);
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index d6709eb70970..0d302a87f21b 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -19,6 +19,7 @@
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
+#include <linux/file.h>
 #include <linux/kernel.h>
 #include <linux/audit.h>
 #include <linux/kthread.h>
@@ -544,10 +545,11 @@ int audit_exe_compare(struct task_struct *tsk, struct audit_fsnotify_mark *mark)
         unsigned long ino;
         dev_t dev;
 
-        rcu_read_lock();
-        exe_file = rcu_dereference(tsk->mm->exe_file);
+        exe_file = get_task_exe_file(tsk);
+        if (!exe_file)
+                return 0;
         ino = exe_file->f_inode->i_ino;
         dev = exe_file->f_inode->i_sb->s_dev;
-        rcu_read_unlock();
+        fput(exe_file);
         return audit_mark_compare(mark, ino, dev);
 }
diff --git a/kernel/fork.c b/kernel/fork.c
index aaf782327bf3..36c0daa03c60 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -799,6 +799,29 @@ struct file *get_mm_exe_file(struct mm_struct *mm)
 EXPORT_SYMBOL(get_mm_exe_file);
 
 /**
+ * get_task_exe_file - acquire a reference to the task's executable file
+ *
+ * Returns %NULL if task's mm (if any) has no associated executable file or
+ * this is a kernel thread with borrowed mm (see the comment above get_task_mm).
+ * User must release file via fput().
+ */
+struct file *get_task_exe_file(struct task_struct *task)
+{
+        struct file *exe_file = NULL;
+        struct mm_struct *mm;
+
+        task_lock(task);
+        mm = task->mm;
+        if (mm) {
+                if (!(task->flags & PF_KTHREAD))
+                        exe_file = get_mm_exe_file(mm);
+        }
+        task_unlock(task);
+        return exe_file;
+}
+EXPORT_SYMBOL(get_task_exe_file);
+
+/**
  * get_task_mm - acquire a reference to the task's mm
  *
  * Returns %NULL if the task has no mm.  Checks PF_KTHREAD (meaning