From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Moore Subject: Re: [PATCH V6 2/2] audit: eliminate unnecessary extra layer of watch parent references Date: Fri, 17 Jul 2015 13:58:26 -0400 Message-ID: <12612791.hlKxMY8d10@sifl> References: <1782280.KrZWA343Ju@sifl> <20150717014510.GE32473@madcap2.tricolour.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7Bit Return-path: In-Reply-To: <20150717014510.GE32473@madcap2.tricolour.ca> Sender: linux-kernel-owner@vger.kernel.org To: Richard Guy Briggs Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com List-Id: linux-audit@redhat.com On Thursday, July 16, 2015 09:45:10 PM Richard Guy Briggs wrote: > On 15/07/16, Paul Moore wrote: > > On Tuesday, July 14, 2015 11:40:42 AM Richard Guy Briggs wrote: > > > The audit watch parent count was imbalanced, adding an unnecessary layer > > > of > > > watch parent references. Decrement the additional parent reference when > > > a > > > watch is reused, already having a reference to the parent. > > > > > > Signed-off-by: Richard Guy Briggs > > > --- > > > > > > kernel/audit_watch.c | 6 ++---- > > > 1 files changed, 2 insertions(+), 4 deletions(-) > > > > > > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c > > > index f33f54c..8f123d7 100644 > > > --- a/kernel/audit_watch.c > > > +++ b/kernel/audit_watch.c > > > @@ -391,11 +391,12 @@ static void audit_add_to_parent(struct audit_krule > > > *krule, > > > > > > audit_get_watch(w); > > > krule->watch = watch = w; > > > > > > + > > > + audit_put_parent(parent); > > > > > > break; > > > > > > } > > > > > > if (!watch_found) { > > > > > > - audit_get_parent(parent); > > > > > > watch->parent = parent; > > > > I understand removing the get() here and the put() in audit_add_watch, but > > I don't understand adding the put() above, can you help me understand? > > audit_find_parent() gets a reference to the parent, if the parent is > already known. This additional parental reference is not needed if the > watch is subsequently found by audit_add_to_parent(), and consumed if > the watch does not already exist, so we need to put the parent if the > watch is found, and do nothing if this new watch is added to the parent. > > If the parent wasn't already known, it is created with a refcount of 1 > and added to the audit_watch_group, then incremented by one to be > subsequently consumed by the newly created watch in > audit_add_to_parent(). > > The graph below may help to visualize it. > > The rule points to the watch, not to the parent, so the rule's refcount > gets bumped, not the parent's. Great, thanks for the explanation. Fix up the goto/return in patch 1/2, resubmit and I'll merge this patchset into audit#next. -- paul moore security @ redhat