From: Miklos Szeredi <[email protected]> Removing the parent of a watched file results in "kernel BUG at fs/notify/mark.c:139".
To reproduce add "-w /tmp/audit/dir/watched_file" to audit.rules rm -rf /tmp/audit/dir This is caused by fsnotify_destroy_mark() being called without an extra reference taken by the caller. Reported by Francesco Cosoleto here: https://bugzilla.novell.com/show_bug.cgi?id=689860 Signed-off-by: Miklos Szeredi <[email protected]> CC: Al Viro <[email protected]> CC: Eric Paris <[email protected]> CC: [email protected] Signed-off-by: Eric Paris <[email protected]> --- kernel/audit_watch.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c index e683869..4270d84 100644 --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -349,7 +349,9 @@ static void audit_remove_parent_watches(struct audit_parent *parent) } mutex_unlock(&audit_filter_mutex); + audit_get_parent(parent); fsnotify_destroy_mark(&parent->mark); + audit_put_parent(parent); } /* Get path information necessary for adding watches. */ -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
