audit: incorrect ref counting in audit tree tag_chunk

tag_chunk has bad exit paths in which the inotify ref counting is wrong. At the top of the function we found &old_watch using inotify_find_watch(). inotify_find_watch takes a reference to the watch. This is never dropped on an error path. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Eric Paris <eparis@redhat.com> 2009-01-13 17:32:40 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2009-04-05 13:48:26 -0400
commit: 318b6d3d7ddbcad3d6867e630711b8a705d873d7 (patch)
tree: bdf1d75e26b1dc5ea4db67c6061f444c26eb9799 /kernel
parent: 6d208da89aabee8502debe842832ca0ab298d16d (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 8ad9545b8db9..917ab9525568 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -385,6 +385,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
        mutex_lock(&inode->inotify_mutex);
        if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
                mutex_unlock(&inode->inotify_mutex);
+                put_inotify_watch(&old->watch);
                free_chunk(chunk);
                return -ENOSPC;
        }
@@ -394,6 +395,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
                chunk->dead = 1;
                inotify_evict_watch(&chunk->watch);
                mutex_unlock(&inode->inotify_mutex);
+                put_inotify_watch(&old->watch);
                put_inotify_watch(&chunk->watch);
                return 0;
        }
author	Eric Paris <eparis@redhat.com>	2009-01-13 17:32:40 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2009-04-05 13:48:26 -0400
commit	318b6d3d7ddbcad3d6867e630711b8a705d873d7 (patch)
tree	bdf1d75e26b1dc5ea4db67c6061f444c26eb9799 /kernel
parent	6d208da89aabee8502debe842832ca0ab298d16d (diff)