diff options
author | Eric Paris <eparis@redhat.com> | 2009-01-13 17:32:40 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2009-04-05 13:48:26 -0400 |
commit | 318b6d3d7ddbcad3d6867e630711b8a705d873d7 (patch) | |
tree | bdf1d75e26b1dc5ea4db67c6061f444c26eb9799 | |
parent | 6d208da89aabee8502debe842832ca0ab298d16d (diff) |
audit: incorrect ref counting in audit tree tag_chunk
tag_chunk has bad exit paths in which the inotify ref counting is wrong.
At the top of the function we found &old_watch using inotify_find_watch().
inotify_find_watch takes a reference to the watch. This is never dropped
on an error path.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | kernel/audit_tree.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 8ad9545b8db9..917ab9525568 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c | |||
@@ -385,6 +385,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) | |||
385 | mutex_lock(&inode->inotify_mutex); | 385 | mutex_lock(&inode->inotify_mutex); |
386 | if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) { | 386 | if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) { |
387 | mutex_unlock(&inode->inotify_mutex); | 387 | mutex_unlock(&inode->inotify_mutex); |
388 | put_inotify_watch(&old->watch); | ||
388 | free_chunk(chunk); | 389 | free_chunk(chunk); |
389 | return -ENOSPC; | 390 | return -ENOSPC; |
390 | } | 391 | } |
@@ -394,6 +395,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree) | |||
394 | chunk->dead = 1; | 395 | chunk->dead = 1; |
395 | inotify_evict_watch(&chunk->watch); | 396 | inotify_evict_watch(&chunk->watch); |
396 | mutex_unlock(&inode->inotify_mutex); | 397 | mutex_unlock(&inode->inotify_mutex); |
398 | put_inotify_watch(&old->watch); | ||
397 | put_inotify_watch(&chunk->watch); | 399 | put_inotify_watch(&chunk->watch); |
398 | return 0; | 400 | return 0; |
399 | } | 401 | } |