kernel/audit.c: avoid negative sleep durations

audit_log_start() performs the same jiffies comparison in two places.
If sufficient time has elapsed between the two comparisons, the second
one produces a negative sleep duration:

  schedule_timeout: wrong timeout value fffffffffffffff0
  Pid: 6606, comm: trinity-child1 Not tainted 3.8.0-rc1+ #43
  Call Trace:
    schedule_timeout+0x305/0x340
    audit_log_start+0x311/0x470
    audit_log_exit+0x4b/0xfb0
    __audit_syscall_exit+0x25f/0x2c0
    sysret_audit+0x17/0x21

Fix it by performing the comparison a single time.

Reported-by: Dave Jones <davej@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Paris <eparis@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 23 insertions, 13 deletions

diff --git a/kernel/audit.c b/kernel/audit.c
index a219998aecc1..d596e5355f15 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1101,6 +1101,23 @@ static inline void audit_get_stamp(struct audit_context *ctx,
         }
 }
 
+/*
+ * Wait for auditd to drain the queue a little
+ */
+static void wait_for_auditd(unsigned long sleep_time)
+{
+        DECLARE_WAITQUEUE(wait, current);
+        set_current_state(TASK_INTERRUPTIBLE);
+        add_wait_queue(&audit_backlog_wait, &wait);
+
+        if (audit_backlog_limit &&
+            skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
+                schedule_timeout(sleep_time);
+
+        __set_current_state(TASK_RUNNING);
+        remove_wait_queue(&audit_backlog_wait, &wait);
+}
+
 /* Obtain an audit buffer.  This routine does locking to obtain the
  * audit buffer, but then no locking is required for calls to
  * audit_log_*format.  If the tsk is a task that is currently in a
@@ -1146,20 +1163,13 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
 
         while (audit_backlog_limit
                && skb_queue_len(&audit_skb_queue) > audit_backlog_limit + reserve) {
-                if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time
-                    && time_before(jiffies, timeout_start + audit_backlog_wait_time)) {
-
-                        /* Wait for auditd to drain the queue a little */
-                        DECLARE_WAITQUEUE(wait, current);
-                        set_current_state(TASK_INTERRUPTIBLE);
-                        add_wait_queue(&audit_backlog_wait, &wait);
-
-                        if (audit_backlog_limit &&
-                            skb_queue_len(&audit_skb_queue) > audit_backlog_limit)
-                                schedule_timeout(timeout_start + audit_backlog_wait_time - jiffies);
+                if (gfp_mask & __GFP_WAIT && audit_backlog_wait_time) {
+                        unsigned long sleep_time;
 
-                        __set_current_state(TASK_RUNNING);
-                        remove_wait_queue(&audit_backlog_wait, &wait);
+                        sleep_time = timeout_start + audit_backlog_wait_time -
+                                        jiffies;
+                        if ((long)sleep_time > 0)
+                                wait_for_auditd(sleep_time);
                         continue;
                 }
                 if (audit_rate_check() && printk_ratelimit())