From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Paul Moore <paul@paul-moore.com>,
teroincn@gmail.com, Richard Guy Briggs <rgb@redhat.com>,
Sasha Levin <sashal@kernel.org>,
linux-audit@redhat.com
Subject: [PATCH AUTOSEL 4.14 33/72] audit: fix a net reference leak in audit_list_rules_send()
Date: Mon, 8 Jun 2020 19:24:21 -0400 [thread overview]
Message-ID: <20200608232500.3369581-33-sashal@kernel.org> (raw)
In-Reply-To: <20200608232500.3369581-1-sashal@kernel.org>
From: Paul Moore <paul@paul-moore.com>
[ Upstream commit 3054d06719079388a543de6adb812638675ad8f5 ]
If audit_list_rules_send() fails when trying to create a new thread
to send the rules it also fails to cleanup properly, leaking a
reference to a net structure. This patch fixes the error patch and
renames audit_send_list() to audit_send_list_thread() to better
match its cousin, audit_send_reply_thread().
Reported-by: teroincn@gmail.com
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/audit.c | 2 +-
kernel/audit.h | 2 +-
kernel/auditfilter.c | 16 +++++++---------
3 files changed, 9 insertions(+), 11 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 53224f399038..6faaa908544a 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -853,7 +853,7 @@ static int kauditd_thread(void *dummy)
return 0;
}
-int audit_send_list(void *_dest)
+int audit_send_list_thread(void *_dest)
{
struct audit_netlink_list *dest = _dest;
struct sk_buff *skb;
diff --git a/kernel/audit.h b/kernel/audit.h
index 9b110ae17ee3..1007773b0b81 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -248,7 +248,7 @@ struct audit_netlink_list {
struct sk_buff_head q;
};
-int audit_send_list(void *_dest);
+int audit_send_list_thread(void *_dest);
extern int selinux_audit_rule_update(void);
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 16cf396ea738..f26f4cb5d08d 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1137,11 +1137,8 @@ int audit_rule_change(int type, int seq, void *data, size_t datasz)
*/
int audit_list_rules_send(struct sk_buff *request_skb, int seq)
{
- u32 portid = NETLINK_CB(request_skb).portid;
- struct net *net = sock_net(NETLINK_CB(request_skb).sk);
struct task_struct *tsk;
struct audit_netlink_list *dest;
- int err = 0;
/* We can't just spew out the rules here because we might fill
* the available socket buffer space and deadlock waiting for
@@ -1149,25 +1146,26 @@ int audit_list_rules_send(struct sk_buff *request_skb, int seq)
* happen if we're actually running in the context of auditctl
* trying to _send_ the stuff */
- dest = kmalloc(sizeof(struct audit_netlink_list), GFP_KERNEL);
+ dest = kmalloc(sizeof(*dest), GFP_KERNEL);
if (!dest)
return -ENOMEM;
- dest->net = get_net(net);
- dest->portid = portid;
+ dest->net = get_net(sock_net(NETLINK_CB(request_skb).sk));
+ dest->portid = NETLINK_CB(request_skb).portid;
skb_queue_head_init(&dest->q);
mutex_lock(&audit_filter_mutex);
audit_list_rules(seq, &dest->q);
mutex_unlock(&audit_filter_mutex);
- tsk = kthread_run(audit_send_list, dest, "audit_send_list");
+ tsk = kthread_run(audit_send_list_thread, dest, "audit_send_list");
if (IS_ERR(tsk)) {
skb_queue_purge(&dest->q);
+ put_net(dest->net);
kfree(dest);
- err = PTR_ERR(tsk);
+ return PTR_ERR(tsk);
}
- return err;
+ return 0;
}
int audit_comparator(u32 left, u32 op, u32 right)
--
2.25.1
next prev parent reply other threads:[~2020-06-08 23:48 UTC|newest]
Thread overview: 76+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-08 23:23 [PATCH AUTOSEL 4.14 01/72] ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 02/72] ath9k: Fix use-after-free Write in ath9k_htc_rx_msg Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 03/72] drm: bridge: adv7511: Extend list of audio sample rates Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 04/72] crypto: ccp -- don't "select" CONFIG_DMADEVICES Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 05/72] media: si2157: Better check for running tuner in init Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 06/72] objtool: Ignore empty alternatives Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 07/72] spi: pxa2xx: Apply CS clk quirk to BXT Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 08/72] net: ena: fix error returning in ena_com_get_hash_function() Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 09/72] spi: dw: Zero DMA Tx and Rx configurations on stack Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 10/72] ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K Sasha Levin
2020-06-08 23:23 ` [PATCH AUTOSEL 4.14 11/72] MIPS: Loongson: Build ATI Radeon GPU driver as module Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 12/72] Bluetooth: Add SCO fallback for invalid LMP parameters error Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 13/72] kgdb: Prevent infinite recursive entries to the debugger Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 14/72] spi: dw: Enable interrupts in accordance with DMA xfer mode Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 15/72] clocksource: dw_apb_timer: Make CPU-affiliation being optional Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 16/72] clocksource: dw_apb_timer_of: Fix missing clockevent timers Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 17/72] btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 18/72] ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 19/72] spi: dw: Fix Rx-only DMA transfers Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 20/72] x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 21/72] net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 22/72] staging: android: ion: use vmap instead of vm_map_ram Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 23/72] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 24/72] ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 25/72] brcmfmac: fix wrong location to get firmware feature Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 26/72] tools api fs: Make xxx__mountpoint() more scalable Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 27/72] e1000: Distribute switch variables for initialization Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 28/72] dt-bindings: display: mediatek: control dpi pins mode to avoid leakage Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 29/72] audit: fix a net reference leak in audit_send_reply() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 30/72] media: dvb: return -EREMOTEIO on i2c transfer failure Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 31/72] media: platform: fcp: Set appropriate DMA parameters Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 32/72] MIPS: Make sparse_init() using top-down allocation Sasha Levin
2020-06-08 23:24 ` Sasha Levin [this message]
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 34/72] netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 35/72] net: bcmgenet: set Rx mode before starting netif Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 36/72] lib/mpi: Fix 64-bit MIPS build with Clang Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 37/72] perf: Add cond_resched() to task_function_call() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 38/72] exit: Move preemption fixup up, move blocking operations down Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 39/72] net: lpc-enet: fix error return code in lpc_mii_init() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 40/72] media: cec: silence shift wrapping warning in __cec_s_log_addrs() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 41/72] net: allwinner: Fix use correct return type for ndo_start_xmit() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 42/72] powerpc/spufs: fix copy_to_user while atomic Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 43/72] ath9k_htc: Silence undersized packet warnings Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 44/72] Crypto/chcr: fix for ccm(aes) failed test Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 45/72] MIPS: Truncate link address into 32bit for 32bit kernel Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 46/72] mips: cm: Fix an invalid error code of INTVN_*_ERR Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 47/72] kgdb: Fix spurious true from in_dbg_master() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 48/72] nvme: refine the Qemu Identify CNS quirk Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 49/72] wcn36xx: Fix error handling path in 'wcn36xx_probe()' Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 50/72] net: qed*: Reduce RX and TX default ring count when running inside kdump kernel Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 51/72] md: don't flush workqueue unconditionally in md_open Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 52/72] rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 53/72] mwifiex: Fix memory corruption in dump_station Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 54/72] x86/boot: Correct relocation destination on old linkers Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 55/72] mips: MAAR: Use more precise address mask Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 56/72] mips: Add udelay lpj numbers adjustment Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 57/72] x86/mm: Stop printing BRK addresses Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 58/72] m68k: mac: Don't call via_flush_cache() on Mac IIfx Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 59/72] macvlan: Skip loopback packets in RX handler Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 60/72] PCI: Don't disable decoding when mmio_always_on is set Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 61/72] MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 62/72] xfs: gut error handling in xfs_trans_unreserve_and_mod_sb() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 63/72] mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 64/72] staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 65/72] mmc: via-sdmmc: " Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 66/72] ixgbe: fix signed-integer-overflow warning Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 67/72] mmc: sdhci-esdhc-imx: fix the mask for tuning start point Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 68/72] spi: dw: Return any value retrieved from the dma_transfer callback Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 69/72] cpuidle: Fix three reference count leaks Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 70/72] platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32() Sasha Levin
2020-06-08 23:24 ` [PATCH AUTOSEL 4.14 71/72] vxlan: Avoid infinite loop when suppressing NS messages with invalid options Sasha Levin
2020-06-08 23:25 ` [PATCH AUTOSEL 4.14 72/72] string.h: fix incompatibility between FORTIFY_SOURCE and KASAN Sasha Levin
2020-06-08 23:46 ` Daniel Axtens
2020-06-09 11:20 ` Pavel Machek
2020-06-09 11:54 ` Greg KH
2020-06-09 13:55 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200608232500.3369581-33-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=stable@vger.kernel.org \
--cc=teroincn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).