1 files changed, 17 insertions, 12 deletions
diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
index 5bf0790497e7..ed206fd88cca 100644
--- a/kernel/audit_tree.c
+++ b/kernel/audit_tree.c
@@ -250,7 +250,6 @@ static void untag_chunk(struct node *p)
                spin_unlock(&hash_lock);
                spin_unlock(&entry->lock);
                fsnotify_destroy_mark(entry);
-                fsnotify_put_mark(entry);
                goto out;
        }
@@ -259,7 +258,7 @@ static void untag_chunk(struct node *p)
        fsnotify_duplicate_mark(&new->mark, entry);
        if (fsnotify_add_mark(&new->mark, new->mark.group, new->mark.i.inode, NULL, 1)) {
-                free_chunk(new);
+                fsnotify_put_mark(&new->mark);
                goto Fallback;
        }
@@ -293,7 +292,7 @@ static void untag_chunk(struct node *p)
        spin_unlock(&hash_lock);
        spin_unlock(&entry->lock);
        fsnotify_destroy_mark(entry);
-        fsnotify_put_mark(entry);
+        fsnotify_put_mark(&new->mark);  /* drop initial reference */
        goto out;
 Fallback:
@@ -322,7 +321,7 @@ static int create_chunk(struct inode *inode, struct audit_tree *tree)
        entry = &chunk->mark;
        if (fsnotify_add_mark(entry, audit_tree_group, inode, NULL, 0)) {
-                free_chunk(chunk);
+                fsnotify_put_mark(entry);
                return -ENOSPC;
        }
@@ -347,6 +346,7 @@ static int create_chunk(struct inode *inode, struct audit_tree *tree)
        insert_hash(chunk);
        spin_unlock(&hash_lock);
        spin_unlock(&entry->lock);
+        fsnotify_put_mark(entry);       /* drop initial reference */
        return 0;
 }
@@ -396,7 +396,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
        fsnotify_duplicate_mark(chunk_entry, old_entry);
        if (fsnotify_add_mark(chunk_entry, chunk_entry->group, chunk_entry->i.inode, NULL, 1)) {
                spin_unlock(&old_entry->lock);
-                free_chunk(chunk);
+                fsnotify_put_mark(chunk_entry);
                fsnotify_put_mark(old_entry);
                return -ENOSPC;
        }
@@ -444,8 +444,8 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
        spin_unlock(&chunk_entry->lock);
        spin_unlock(&old_entry->lock);
        fsnotify_destroy_mark(old_entry);
+        fsnotify_put_mark(chunk_entry); /* drop initial reference */
        fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */
-        fsnotify_put_mark(old_entry); /* and kill it */
        return 0;
 }
@@ -595,7 +595,7 @@ void audit_trim_trees(void)
                root_mnt = collect_mounts(&path);
                path_put(&path);
-                if (!root_mnt)
+                if (IS_ERR(root_mnt))
                        goto skip_it;
                spin_lock(&hash_lock);
@@ -669,8 +669,8 @@ int audit_add_tree_rule(struct audit_krule *rule)
                goto Err;
        mnt = collect_mounts(&path);
        path_put(&path);
-        if (!mnt) {
+        if (IS_ERR(mnt)) {
-                err = -ENOMEM;
+                err = PTR_ERR(mnt);
                goto Err;
        }
@@ -719,8 +719,8 @@ int audit_tag_tree(char *old, char *new)
                return err;
        tagged = collect_mounts(&path2);
        path_put(&path2);
-        if (!tagged)
+        if (IS_ERR(tagged))
-                return -ENOMEM;
+                return PTR_ERR(tagged);
        err = kern_path(old, 0, &path1);
        if (err) {
@@ -916,7 +916,12 @@ static void audit_tree_freeing_mark(struct fsnotify_mark *entry, struct fsnotify
        struct audit_chunk *chunk = container_of(entry, struct audit_chunk, mark);
        evict_chunk(chunk);
-        fsnotify_put_mark(entry);
+        /*
+         * We are guaranteed to have at least one reference to the mark from
+         * either the inode or the caller of fsnotify_destroy_mark().
+         */
+        BUG_ON(atomic_read(&entry->refcnt) < 1);
 }
 static bool audit_tree_send_event(struct fsnotify_group *group, struct inode *inode,

diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c index 5bf0790497e7..ed206fd88cca 100644 --- a/kernel/audit_tree.c +++ b/kernel/audit_tree.c
@@ -250,7 +250,6 @@ static void untag_chunk(struct node *p)
250	spin_unlock(&hash_lock);	250	spin_unlock(&hash_lock);
251	spin_unlock(&entry->lock);	251	spin_unlock(&entry->lock);
252	fsnotify_destroy_mark(entry);	252	fsnotify_destroy_mark(entry);
253	fsnotify_put_mark(entry);
254	goto out;	253	goto out;
255	}	254	}
256		255
@@ -259,7 +258,7 @@ static void untag_chunk(struct node *p)
259		258
260	fsnotify_duplicate_mark(&new->mark, entry);	259	fsnotify_duplicate_mark(&new->mark, entry);
261	if (fsnotify_add_mark(&new->mark, new->mark.group, new->mark.i.inode, NULL, 1)) {	260	if (fsnotify_add_mark(&new->mark, new->mark.group, new->mark.i.inode, NULL, 1)) {
262	free_chunk(new);	261	fsnotify_put_mark(&new->mark);
263	goto Fallback;	262	goto Fallback;
264	}	263	}
265		264
@@ -293,7 +292,7 @@ static void untag_chunk(struct node *p)
293	spin_unlock(&hash_lock);	292	spin_unlock(&hash_lock);
294	spin_unlock(&entry->lock);	293	spin_unlock(&entry->lock);
295	fsnotify_destroy_mark(entry);	294	fsnotify_destroy_mark(entry);
296	fsnotify_put_mark(entry);	295	fsnotify_put_mark(&new->mark); /* drop initial reference */
297	goto out;	296	goto out;
298		297
299	Fallback:	298	Fallback:
@@ -322,7 +321,7 @@ static int create_chunk(struct inode inode, struct audit_tree tree)
322		321
323	entry = &chunk->mark;	322	entry = &chunk->mark;
324	if (fsnotify_add_mark(entry, audit_tree_group, inode, NULL, 0)) {	323	if (fsnotify_add_mark(entry, audit_tree_group, inode, NULL, 0)) {
325	free_chunk(chunk);	324	fsnotify_put_mark(entry);
326	return -ENOSPC;	325	return -ENOSPC;
327	}	326	}
328		327
@@ -347,6 +346,7 @@ static int create_chunk(struct inode inode, struct audit_tree tree)
347	insert_hash(chunk);	346	insert_hash(chunk);
348	spin_unlock(&hash_lock);	347	spin_unlock(&hash_lock);
349	spin_unlock(&entry->lock);	348	spin_unlock(&entry->lock);
		349	fsnotify_put_mark(entry); /* drop initial reference */
350	return 0;	350	return 0;
351	}	351	}
352		352
@@ -396,7 +396,7 @@ static int tag_chunk(struct inode inode, struct audit_tree tree)
396	fsnotify_duplicate_mark(chunk_entry, old_entry);	396	fsnotify_duplicate_mark(chunk_entry, old_entry);
397	if (fsnotify_add_mark(chunk_entry, chunk_entry->group, chunk_entry->i.inode, NULL, 1)) {	397	if (fsnotify_add_mark(chunk_entry, chunk_entry->group, chunk_entry->i.inode, NULL, 1)) {
398	spin_unlock(&old_entry->lock);	398	spin_unlock(&old_entry->lock);
399	free_chunk(chunk);	399	fsnotify_put_mark(chunk_entry);
400	fsnotify_put_mark(old_entry);	400	fsnotify_put_mark(old_entry);
401	return -ENOSPC;	401	return -ENOSPC;
402	}	402	}
@@ -444,8 +444,8 @@ static int tag_chunk(struct inode inode, struct audit_tree tree)
444	spin_unlock(&chunk_entry->lock);	444	spin_unlock(&chunk_entry->lock);
445	spin_unlock(&old_entry->lock);	445	spin_unlock(&old_entry->lock);
446	fsnotify_destroy_mark(old_entry);	446	fsnotify_destroy_mark(old_entry);
		447	fsnotify_put_mark(chunk_entry); /* drop initial reference */
447	fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */	448	fsnotify_put_mark(old_entry); /* pair to fsnotify_find mark_entry */
448	fsnotify_put_mark(old_entry); /* and kill it */
449	return 0;	449	return 0;
450	}	450	}
451		451
@@ -595,7 +595,7 @@ void audit_trim_trees(void)
595		595
596	root_mnt = collect_mounts(&path);	596	root_mnt = collect_mounts(&path);
597	path_put(&path);	597	path_put(&path);
598	if (!root_mnt)	598	if (IS_ERR(root_mnt))
599	goto skip_it;	599	goto skip_it;
600		600
601	spin_lock(&hash_lock);	601	spin_lock(&hash_lock);
@@ -669,8 +669,8 @@ int audit_add_tree_rule(struct audit_krule *rule)
669	goto Err;	669	goto Err;
670	mnt = collect_mounts(&path);	670	mnt = collect_mounts(&path);
671	path_put(&path);	671	path_put(&path);
672	if (!mnt) {	672	if (IS_ERR(mnt)) {
673	err = -ENOMEM;	673	err = PTR_ERR(mnt);
674	goto Err;	674	goto Err;
675	}	675	}
676		676
@@ -719,8 +719,8 @@ int audit_tag_tree(char old, char new)
719	return err;	719	return err;
720	tagged = collect_mounts(&path2);	720	tagged = collect_mounts(&path2);
721	path_put(&path2);	721	path_put(&path2);
722	if (!tagged)	722	if (IS_ERR(tagged))
723	return -ENOMEM;	723	return PTR_ERR(tagged);
724		724
725	err = kern_path(old, 0, &path1);	725	err = kern_path(old, 0, &path1);
726	if (err) {	726	if (err) {
@@ -916,7 +916,12 @@ static void audit_tree_freeing_mark(struct fsnotify_mark *entry, struct fsnotify
916	struct audit_chunk *chunk = container_of(entry, struct audit_chunk, mark);	916	struct audit_chunk *chunk = container_of(entry, struct audit_chunk, mark);
917		917
918	evict_chunk(chunk);	918	evict_chunk(chunk);
919	fsnotify_put_mark(entry);	919
		920	/*
		921	* We are guaranteed to have at least one reference to the mark from
		922	* either the inode or the caller of fsnotify_destroy_mark().
		923	*/
		924	BUG_ON(atomic_read(&entry->refcnt) < 1);
920	}	925	}
921		926
922	static bool audit_tree_send_event(struct fsnotify_group group, struct inode inode,	927	static bool audit_tree_send_event(struct fsnotify_group group, struct inode inode,