linux-stable.git/kernel/audit_watch.c, branch v3.2.102 Linux kernel stable tree audit: Fix use after free in audit_remove_watch_rule() 2017-11-11T13:34:29+00:00 Jan Kara jack@suse.cz 2017-08-15T11:00:36+00:00 c13e7423c71b5cb912aa7fb307b412f4d8d79cf6 commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream. audit_remove_watch_rule() drops watch's reference to parent but then continues to work with it. That is not safe as parent can get freed once we drop our reference. The following is a trivial reproducer: mount -o loop image /mnt touch /mnt/file auditctl -w /mnt/file -p wax umount /mnt auditctl -D <crash in fsnotify_destroy_mark()> Grab our own reference in audit_remove_watch_rule() earlier to make sure mark does not get freed under us. Reported-by: Tony Jones <tonyj@suse.de> Signed-off-by: Jan Kara <jack@suse.cz> Tested-by: Tony Jones <tonyj@suse.de> Signed-off-by: Paul Moore <paul@paul-moore.com> [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 
commit d76036ab47eafa6ce52b69482e91ca3ba337d6d6 upstream.

audit_remove_watch_rule() drops watch's reference to parent but then
continues to work with it. That is not safe as parent can get freed once
we drop our reference. The following is a trivial reproducer:

mount -o loop image /mnt
touch /mnt/file
auditctl -w /mnt/file -p wax
umount /mnt
auditctl -D
<crash in fsnotify_destroy_mark()>

Grab our own reference in audit_remove_watch_rule() earlier to make sure
mark does not get freed under us.

Reported-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Tested-by: Tony Jones <tonyj@suse.de>
Signed-off-by: Paul Moore <paul@paul-moore.com>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
kill path_lookup() 2011-03-14T13:15:23+00:00 Al Viro viro@zeniv.linux.org.uk 2011-02-16T20:15:47+00:00 c9c6cac0c2bdbda42e7b804838648d0bc60ddb13 all remaining callers pass LOOKUP_PARENT to it, so flags argument can die; renamed to kern_path_parent() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
all remaining callers pass LOOKUP_PARENT to it, so
flags argument can die; renamed to kern_path_parent()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fix race in audit_get_nd() 2011-03-14T13:15:23+00:00 Al Viro viro@zeniv.linux.org.uk 2011-02-16T20:08:54+00:00 15a9155fe3e8215c02b80df51ec2cac7c0d726ad don't rely on pathname resolution ending up twice at the same point... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
don't rely on pathname resolution ending up twice at the same point...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
audit: make functions static 2010-10-30T05:42:19+00:00 Stephen Hemminger shemminger@vyatta.com 2010-10-21T00:23:50+00:00 b8800aa5d9c7e4e2869321c77b80f322a0d9663a I was doing some namespace checks and found some simple stuff in audit that could be cleaned up. Make some functions static, and put const on make_reply payload arg. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
I was doing some namespace checks and found some simple stuff in
audit that could be cleaned up. Make some functions static, and
put const on make_reply payload arg.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Revert "fsnotify: store struct file not struct path" 2010-08-12T21:23:04+00:00 Linus Torvalds torvalds@linux-foundation.org 2010-08-12T21:23:04+00:00 2069601b3f0ea38170d4b509b89f3ca0a373bdc1 This reverts commit 3bcf3860a4ff9bbc522820b4b765e65e4deceb3e (and the accompanying commit c1e5c954020e "vfs/fsnotify: fsnotify_close can delay the final work in fput" that was a horribly ugly hack to make it work at all). The 'struct file' approach not only causes that disgusting hack, it somehow breaks pulseaudio, probably due to some other subtlety with f_count handling. Fix up various conflicts due to later fsnotify work. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
This reverts commit 3bcf3860a4ff9bbc522820b4b765e65e4deceb3e (and the
accompanying commit c1e5c954020e "vfs/fsnotify: fsnotify_close can delay
the final work in fput" that was a horribly ugly hack to make it work at
all).

The 'struct file' approach not only causes that disgusting hack, it
somehow breaks pulseaudio, probably due to some other subtlety with
f_count handling.

Fix up various conflicts due to later fsnotify work.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fanotify: use both marks when possible 2010-07-28T14:18:55+00:00 Eric Paris eparis@redhat.com 2010-07-28T14:18:39+00:00 1968f5eed54ce47bde488fd9a450912e4a2d7138 fanotify currently, when given a vfsmount_mark will look up (if it exists) the corresponding inode mark. This patch drops that lookup and uses the mark provided. Signed-off-by: Eric Paris <eparis@redhat.com> 
fanotify currently, when given a vfsmount_mark will look up (if it exists)
the corresponding inode mark.  This patch drops that lookup and uses the
mark provided.

Signed-off-by: Eric Paris <eparis@redhat.com>
fsnotify: pass both the vfsmount mark and inode mark 2010-07-28T14:18:54+00:00 Eric Paris eparis@redhat.com 2010-07-28T14:18:39+00:00 ce8f76fb7320297ccbe7c950fd9a2d727dd6a5a0 should_send_event() and handle_event() will both need to look up the inode event if they get a vfsmount event. Lets just pass both at the same time since we have them both after walking the lists in lockstep. Signed-off-by: Eric Paris <eparis@redhat.com> 
should_send_event() and handle_event() will both need to look up the inode
event if they get a vfsmount event.  Lets just pass both at the same time
since we have them both after walking the lists in lockstep.

Signed-off-by: Eric Paris <eparis@redhat.com>
fsnotify: remove group->mask 2010-07-28T14:18:54+00:00 Eric Paris eparis@redhat.com 2010-07-28T14:18:39+00:00 43709a288ed03aa0e2979ab63dd089b3889645c4 group->mask is now useless. It was originally a shortcut for fsnotify to save on performance. These checks are now redundant, so we remove them. Signed-off-by: Eric Paris <eparis@redhat.com> 
group->mask is now useless.  It was originally a shortcut for fsnotify to
save on performance.  These checks are now redundant, so we remove them.

Signed-off-by: Eric Paris <eparis@redhat.com>
fsnotify: cleanup should_send_event 2010-07-28T14:18:53+00:00 Eric Paris eparis@redhat.com 2010-07-28T14:18:39+00:00 2612abb51b11ffd2d75c472b11178115f5808909 The change to use srcu and walk the object list rather than the global fsnotify_group list means that should_send_event is no longer needed for a number of groups and can be simplified for others. Do that. Signed-off-by: Eric Paris <eparis@redhat.com> 
The change to use srcu and walk the object list rather than the global
fsnotify_group list means that should_send_event is no longer needed for a
number of groups and can be simplified for others.  Do that.

Signed-off-by: Eric Paris <eparis@redhat.com>
audit: use the mark in handler functions 2010-07-28T14:18:53+00:00 Eric Paris eparis@redhat.com 2010-07-28T14:18:38+00:00 4cd76a47924cd966799402d0f2bba356cde5c1b3 audit now gets a mark in the should_send_event and handle_event functions. Rather than look up the mark themselves audit should just use the mark it was handed. Signed-off-by: Eric Paris <eparis@redhat.com> 
audit now gets a mark in the should_send_event and handle_event
functions.  Rather than look up the mark themselves audit should just use
the mark it was handed.

Signed-off-by: Eric Paris <eparis@redhat.com>