Audit: fix audit watch use after free

eparis · Al Viro · commit 35aa901c0b66 · 2009-06-23T23:50:33.000-04:00
When an audit watch is added to a parent the temporary watch inside the
original krule from userspace is freed.  Yet the original watch is used after
the real watch was created in audit_add_rules()

Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
@@ -1320,6 +1320,8 @@ static inline int audit_add_rule(struct audit_entry *entry)
 			mutex_unlock(&audit_filter_mutex);
 			goto error;
 		}
+		/* entry->rule.watch may have changed during audit_add_watch() */
+		watch = entry->rule.watch;
 		h = audit_hash_ino((u32)watch->ino);
 		list = &audit_inode_hash[h];
 	}

Original file line number	Diff line number	Diff line change
`@@ -1320,6 +1320,8 @@ static inline int audit_add_rule(struct audit_entry *entry)`
`1320`	`1320`	`mutex_unlock(&audit_filter_mutex);`
`1321`	`1321`	`goto error;`
`1322`	`1322`	`}`
	`1323`	`+ /* entry->rule.watch may have changed during audit_add_watch() */`
	`1324`	`+ watch = entry->rule.watch;`
`1323`	`1325`	`h = audit_hash_ino((u32)watch->ino);`
`1324`	`1326`	`list = &audit_inode_hash[h];`
`1325`	`1327`	`}`