audit: incorrect ref counting in audit tree tag_chunk
author Eric Paris <eparis@redhat.com>
Tue, 13 Jan 2009 22:32:40 +0000 (17:32 -0500)
committer Al Viro <viro@zeniv.linux.org.uk>
Sun, 5 Apr 2009 17:48:26 +0000 (13:48 -0400)

tag_chunk has bad exit paths in which the inotify ref counting is wrong.
At the top of the function we found &old_watch using inotify_find_watch().
inotify_find_watch takes a reference to the watch.  This is never dropped
on an error path.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
kernel/audit_tree.c

index 8ad9545b8db9e67203c49f37ece0a3da30f42b28..917ab9525568534f7baa4017842678a5129ee928 100644 (file)
@@ -385,6 +385,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
        mutex_lock(&inode->inotify_mutex);
        if (inotify_clone_watch(&old->watch, &chunk->watch) < 0) {
                mutex_unlock(&inode->inotify_mutex);
+               put_inotify_watch(&old->watch);
                free_chunk(chunk);
                return -ENOSPC;
        }
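
Review bot: The new put_inotify_watch(&old->watch) in this -ENOSPC exit is hand-placed cleanup that the next exit path has to repeat, which is how the reference was missed in the first place. Consider routing the exits that follow the inotify_find_watch() lookup through a single unwind label that unlocks inode->inotify_mutex and drops old->watch, so a later exit cannot skip the put. This hunk starts at line 385 while the commit message places the lookup at the top of the function, so it is also worth confirming that no earlier return between the lookup and this point leaves with the reference still held. Minor: the commit message refers to &old_watch, but the code here uses &old->watch.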
@@ -394,6 +395,7 @@ static int tag_chunk(struct inode *inode, struct audit_tree *tree)
                chunk->dead = 1;
                inotify_evict_watch(&chunk->watch);
                mutex_unlock(&inode->inotify_mutex);
+               put_inotify_watch(&old->watch);
                put_inotify_watch(&chunk->watch);
                return 0;
        }
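
Review bot: The return 0 exit now has two consecutive put_inotify_watch() calls, on old->watch and on chunk->watch, with nothing in the code saying which reference each one releases. A one-line comment on the added call, stating that it balances the reference taken by inotify_find_watch() as described in the commit message, would keep a later cleanup from treating it as a duplicate of the existing put on chunk->watch and removing it.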