audit: fix a net reference leak in audit_list_rules_send()
[ Upstream commit 3054d06719079388a543de6adb812638675ad8f5 ] If audit_list_rules_send() fails when trying to create a new thread to send the rules it also fails to cleanup properly, leaking a reference to a net structure. This patch fixes the error patch and renames audit_send_list() to audit_send_list_thread() to better match its cousin, audit_send_reply_thread(). Reported-by: teroincn@gmail.com Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Paul Moore
Greg Kroah-Hartman
parent
e366d4001a
commit
4fe5dcafc7
3 changed files with 9 additions and 11 deletions
|
|
@ -893,7 +893,7 @@ static int kauditd_thread(void *dummy)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int audit_send_list(void *_dest)
|
int audit_send_list_thread(void *_dest)
|
||||||
{
|
{
|
||||||
struct audit_netlink_list *dest = _dest;
|
struct audit_netlink_list *dest = _dest;
|
||||||
struct sk_buff *skb;
|
struct sk_buff *skb;
|
||||||
|
|
|
||||||
|
|
@ -248,7 +248,7 @@ struct audit_netlink_list {
|
||||||
struct sk_buff_head q;
|
struct sk_buff_head q;
|
||||||
};
|
};
|
||||||
|
|
||||||
int audit_send_list(void *_dest);
|
int audit_send_list_thread(void *_dest);
|
||||||
|
|
||||||
extern int selinux_audit_rule_update(void);
|
extern int selinux_audit_rule_update(void);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1157,11 +1157,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
|
||||||
*/
|
*/
|
||||||
int audit_list_rules_send(struct sk_buff *request_skb, int seq)
|
int audit_list_rules_send(struct sk_buff *request_skb, int seq)
|
||||||
{
|
{
|
||||||
u32 portid = NETLINK_CB(request_skb).portid;
|
|
||||||
struct net *net = sock_net(NETLINK_CB(request_skb).sk);
|
|
||||||
struct task_struct *tsk;
|
struct task_struct *tsk;
|
||||||
struct audit_netlink_list *dest;
|
struct audit_netlink_list *dest;
|
||||||
int err = 0;
|
|
||||||
|
|
||||||
/* We can't just spew out the rules here because we might fill
|
/* We can't just spew out the rules here because we might fill
|
||||||
* the available socket buffer space and deadlock waiting for
|
* the available socket buffer space and deadlock waiting for
|
||||||
|
|
@ -1169,25 +1166,26 @@ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
|
||||||
* happen if we're actually running in the context of auditctl
|
* happen if we're actually running in the context of auditctl
|
||||||
* trying to _send_ the stuff */
|
* trying to _send_ the stuff */
|
||||||
|
|
||||||
dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
|
dest = kmalloc(sizeof(*dest), GFP_KERNEL);
|
||||||
if (!dest)
|
if (!dest)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
dest->net = get_net(net);
|
dest->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
|
||||||
dest->portid = portid;
|
dest->portid = NETLINK_CB(request_skb).portid;
|
||||||
skb_queue_head_init(&dest->q);
|
skb_queue_head_init(&dest->q);
|
||||||
|
|
||||||
mutex_lock(&audit_filter_mutex);
|
mutex_lock(&audit_filter_mutex);
|
||||||
audit_list_rules(seq, &dest->q);
|
audit_list_rules(seq, &dest->q);
|
||||||
mutex_unlock(&audit_filter_mutex);
|
mutex_unlock(&audit_filter_mutex);
|
||||||
|
|
||||||
tsk = kthread_run(audit_send_list, dest, "audit_send_list");
|
tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");
|
||||||
if (IS_ERR(tsk)) {
|
if (IS_ERR(tsk)) {
|
||||||
skb_queue_purge(&dest->q);
|
skb_queue_purge(&dest->q);
|
||||||
|
put_net(dest->net);
|
||||||
kfree(dest);
|
kfree(dest);
|
||||||
err = PTR_ERR(tsk);
|
return PTR_ERR(tsk);
|
||||||
}
|
}
|
||||||
|
|
||||||
return err;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int audit_comparator(u32 left, u32 op, u32 right)
|
int audit_comparator(u32 left, u32 op, u32 right)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue