[PATCH 3/6] audit: Fix possible tagging failures

Amir Goldstein amir73il at gmail.com
Fri Jun 29 12:05:07 UTC 2018


On Thu, Jun 28, 2018 at 7:40 PM, Jan Kara <jack at suse.cz> wrote:
> Audit tree code is replacing marks attached to inodes in a non-atomic way.
> Thus fsnotify_find_mark() in tag_chunk() may find a mark that belongs to
> a chunk that is no longer a valid one and will soon be destroyed. Tags
> added to such a chunk will simply be lost.
>
> Fix the problem by making sure the old mark is marked as going away (through
> fsnotify_detach_mark()) before dropping mark_mutex and thus in an atomic
> way wrt tag_chunk(). Note that this does not fix the problem completely
> as if tag_chunk() finds a mark that is going away, it fails with
> -ENOENT. But at least the failure is not silent and currently there's no
> way to search for another fsnotify mark attached to the inode. We'll fix
> this problem in a later patch.
>
> Signed-off-by: Jan Kara <jack at suse.cz>
> ---

This one too looks sane.
Without knowing anything about audit_watch, there seems to be
an fsnotify_destroy_mark() after unlock of audit_filter_mutex, so it
may require a similar fix.

Thanks,
Amir.
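
The race described in the quoted commit message, as an added user-space model (not code from the patch or the kernel): a lookup that runs between dropping the lock and destroying the old mark either silently tags a doomed chunk or, with the old mark flagged under the lock, fails with -ENOENT. The struct and function names ending in `_model` are hypothetical, and the interleaving is sequenced by hand rather than with real threads.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Simplified model: hypothetical types, not the kernel's structures. */
struct chunk_model { bool attached; int tags; };
struct inode_model { struct chunk_model *mark; };  /* what a lookup finds */

/* Stands in for tag_chunk(): find the inode's mark, add a tag to its chunk. */
static int tag_chunk_model(struct inode_model *ino)
{
    struct chunk_model *c = ino->mark;

    if (c == NULL || !c->attached)
        return -ENOENT;          /* mark is going away: visible failure */
    c->tags++;
    return 0;
}

/*
 * Stands in for replacing a chunk. detach_under_lock selects the patched
 * ordering. Returns the tag count of the replacement chunk; *tagger_rc is
 * what a concurrent tagger observed in the window after the lock is dropped.
 */
static int replace_chunk_model(bool detach_under_lock, int *tagger_rc)
{
    struct chunk_model old = { .attached = true, .tags = 2 };
    struct chunk_model repl = { .attached = false, .tags = 0 };
    struct inode_model ino = { .mark = &old };

    /* Critical section (mark_mutex held in the real code). */
    repl.tags = old.tags;        /* existing tags copied to the new chunk */
    if (detach_under_lock)
        old.attached = false;    /* patched: flagged before the unlock */

    /* Lock dropped: another task runs tag_chunk() here. */
    *tagger_rc = tag_chunk_model(&ino);

    /* Old mark destroyed, replacement becomes the inode's mark. */
    old.attached = false;
    repl.attached = true;
    ino.mark = &repl;
    return repl.tags;
}
```

With `detach_under_lock` false the tagger gets 0 but the replacement chunk still holds only the two copied tags, so the new tag is lost; with it true the tagger gets -ENOENT and can report the failure.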



