Audit: fix audit watch use after free

When an audit watch is added to a parent the temporary watch inside the
original krule from userspace is freed.  Yet the original watch is used after
the real watch was created in audit_add_rules()

Signed-off-by: Eric Paris <eparis@redhat.com>

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 713098ee5a0243c61a30e946f6c34be44de653ca..19c0a0a2cede373d8c5cbf08278dce802c7844e7 100644 (file)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1320,6 +1320,8 @@ static inline int audit_add_rule(struct audit_entry *entry)
                        mutex_unlock(&audit_filter_mutex);
                        goto error;
                }
+               /* entry->rule.watch may have changed during audit_add_watch() */
+               watch = entry->rule.watch;
                h = audit_hash_ino((u32)watch->ino);
                list = &audit_inode_hash[h];
        }