Another slab size-32 leak 2.6.16-rc4-mm2

Sat Feb 25 21:54:14 UTC 2006

On Friday 24 February 2006 20:51, Valdis.Kletnieks at vt.edu wrote:
> However, the call from ipc/util.c in ipcperms() doesn't seem to get cleaned
> up after (and, in fact, it isn't clear why it's even called there, at least
> to me...)

I don't see any reason for it either. The attached patch removes the
offending line and since it is not called outside of auditsc.c, we should
make it private to that file.

Signed-off-by: Steve Grubb <sgrubb at redhat.com>


diff -urp linux-2.6.15.x86_64.orig/include/linux/audit.h linux-2.6.15.x86_64/include/linux/audit.h

--- linux-2.6.15.x86_64.orig/include/linux/audit.h	2006-02-25 16:39:08.000000000 -0500
+++ linux-2.6.15.x86_64/include/linux/audit.h	2006-02-25 16:36:38.000000000 -0500
@@ -320,7 +320,6 @@ extern int audit_socketcall(int nargs, u
 extern int audit_sockaddr(int len, void *addr);
 extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
 extern void audit_signal_info(int sig, struct task_struct *t);
-extern char *audit_ipc_context(struct kern_ipc_perm *ipcp);
 extern int audit_set_macxattr(const char *name);
 #else
 #define audit_alloc(t) ({ 0; })
@@ -340,7 +339,6 @@ extern int audit_set_macxattr(const char
 #define audit_sockaddr(len, addr) ({ 0; })
 #define audit_avc_path(dentry, mnt) ({ 0; })
 #define audit_signal_info(s,t) do { ; } while (0)
-#define audit_ipc_context(i) do { ; } while (0)
 #define audit_set_macxattr(n) do { ; } while (0)
 #endif
 
diff -urp linux-2.6.15.x86_64.orig/ipc/util.c linux-2.6.15.x86_64/ipc/util.c
--- linux-2.6.15.x86_64.orig/ipc/util.c	2006-02-25 16:39:18.000000000 -0500
+++ linux-2.6.15.x86_64/ipc/util.c	2006-02-25 16:36:13.000000000 -0500
@@ -27,7 +27,6 @@
 #include <linux/workqueue.h>
 #include <linux/seq_file.h>
 #include <linux/proc_fs.h>
-#include <linux/audit.h>
 
 #include <asm/unistd.h>
 
@@ -469,7 +468,6 @@ int ipcperms (struct kern_ipc_perm *ipcp
 {	/* flag will most probably be 0 or S_...UGO from <linux/stat.h> */
 	int requested_mode, granted_mode;
 
-	audit_ipc_context(ipcp);
 	requested_mode = (flag >> 6) | (flag >> 3) | flag;
 	granted_mode = ipcp->mode;
 	if (current->euid == ipcp->cuid || current->euid == ipcp->uid)
diff -urp linux-2.6.15.x86_64.orig/kernel/auditsc.c linux-2.6.15.x86_64/kernel/auditsc.c
--- linux-2.6.15.x86_64.orig/kernel/auditsc.c	2006-02-25 16:39:18.000000000 -0500
+++ linux-2.6.15.x86_64/kernel/auditsc.c	2006-02-25 16:38:12.000000000 -0500
@@ -1146,6 +1146,38 @@ uid_t audit_get_loginuid(struct audit_co
 	return ctx ? ctx->loginuid : -1;
 }
 
+static char *audit_ipc_context(struct kern_ipc_perm *ipcp)
+{
+	struct audit_context *context = current->audit_context;
+	char *ctx = NULL;
+	int len = 0;
+
+	if (likely(!context))
+		return NULL;
+
+	len = security_ipc_getsecurity(ipcp, NULL, 0);
+	if (len == -EOPNOTSUPP)
+		goto ret;
+	if (len < 0)
+		goto error_path;
+
+	ctx = kmalloc(len, GFP_ATOMIC);
+	if (!ctx)
+		goto error_path;
+
+	len = security_ipc_getsecurity(ipcp, ctx, len);
+	if (len < 0)
+		goto error_path;
+
+	return ctx;
+
+error_path:
+	kfree(ctx);
+	audit_panic("error in audit_ipc_context");
+ret:
+	return NULL;
+}
+
 /**
  * audit_ipc_perms - record audit data for ipc
  * @qbytes: msgq bytes
@@ -1179,38 +1211,6 @@ int audit_ipc_perms(unsigned long qbytes
 	return 0;
 }
 
-char *audit_ipc_context(struct kern_ipc_perm *ipcp)
-{
-	struct audit_context *context = current->audit_context;
-	char *ctx = NULL;
-	int len = 0;
-
-	if (likely(!context))
-		return NULL;
-
-	len = security_ipc_getsecurity(ipcp, NULL, 0);
-	if (len == -EOPNOTSUPP)
-		goto ret;
-	if (len < 0)
-		goto error_path;
-
-	ctx = kmalloc(len, GFP_ATOMIC);
-	if (!ctx)
-		goto error_path;
-
-	len = security_ipc_getsecurity(ipcp, ctx, len);
-	if (len < 0)
-		goto error_path;
-
-	return ctx;
-
-error_path:
-	kfree(ctx);
-	audit_panic("error in audit_ipc_context");
-ret:
-	return NULL;
-}
-
 /**
  * audit_socketcall - record audit data for sys_socketcall
  * @nargs: number of args


