From mboxrd@z Thu Jan 1 00:00:00 1970 From: Paul Moore Subject: Re: [PATCH V4 (was V6) 2/2] audit: eliminate unnecessary extra layer of watch parent references Date: Tue, 04 Aug 2015 18:28:05 -0400 Message-ID: <3515336.1nYIlqF3Jz@sifl> References: <4d84814704ad61bc547ac74395882a6092f5be09.1438446498.git.rgb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7Bit Return-path: In-Reply-To: <4d84814704ad61bc547ac74395882a6092f5be09.1438446498.git.rgb@redhat.com> Sender: linux-kernel-owner@vger.kernel.org To: Richard Guy Briggs Cc: linux-audit@redhat.com, linux-kernel@vger.kernel.org, sgrubb@redhat.com, eparis@redhat.com List-Id: linux-audit@redhat.com On Saturday, August 01, 2015 03:41:13 PM Richard Guy Briggs wrote: > The audit watch parent count was imbalanced, adding an unnecessary layer of > watch parent references. Decrement the additional parent reference when a > watch is reused, already having a reference to the parent. > > audit_find_parent() gets a reference to the parent, if the parent is > already known. This additional parental reference is not needed if the > watch is subsequently found by audit_add_to_parent(), and consumed if > the watch does not already exist, so we need to put the parent if the > watch is found, and do nothing if this new watch is added to the parent. > > If the parent wasn't already known, it is created with a refcount of 1 > and added to the audit_watch_group, then incremented by one to be > subsequently consumed by the newly created watch in > audit_add_to_parent(). > > The rule points to the watch, not to the parent, so the rule's refcount > gets bumped, not the parent's. > > See LKML, 2015-07-16 > > Signed-off-by: Richard Guy Briggs > --- > kernel/audit_watch.c | 6 ++---- > 1 files changed, 2 insertions(+), 4 deletions(-) Merged. > diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c > index f33f54c..8f123d7 100644 > --- a/kernel/audit_watch.c > +++ b/kernel/audit_watch.c > @@ -391,11 +391,12 @@ static void audit_add_to_parent(struct audit_krule > *krule, > > audit_get_watch(w); > krule->watch = watch = w; > + > + audit_put_parent(parent); > break; > } > > if (!watch_found) { > - audit_get_parent(parent); > watch->parent = parent; > > audit_get_watch(watch); > @@ -436,9 +437,6 @@ int audit_add_watch(struct audit_krule *krule, struct > list_head **list) > > audit_add_to_parent(krule, parent); > > - /* match get in audit_find_parent or audit_init_parent */ > - audit_put_parent(parent); > - > h = audit_hash_ino((u32)watch->ino); > *list = &audit_inode_hash[h]; > error: -- paul moore security @ redhat