IMA: iint put in ima_counts_get and put
ima_counts_get() calls ima_iint_find_insert_get() which takes a reference to the iint in question, but does not put that reference at the end of the function. This can lead to a nasty memory leak. Easy enough to reproduce: #include <sys/mman.h> #include <stdio.h> int main (void) { int i; void *ptr; for (i=0; i < 100000; i++) { ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0); if (ptr == MAP_FAILED) return 2; munmap(ptr, 4096); } return 0; } Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
3edf2fb9d8
commit
53a7197aff
|
@ -262,6 +262,8 @@ void ima_counts_put(struct path *path, int mask)
|
|||
else if (mask & (MAY_READ | MAY_EXEC))
|
||||
iint->readcount--;
|
||||
mutex_unlock(&iint->mutex);
|
||||
|
||||
kref_put(&iint->refcount, iint_free);
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -291,6 +293,8 @@ void ima_counts_get(struct file *file)
|
|||
if (file->f_mode & FMODE_WRITE)
|
||||
iint->writecount++;
|
||||
mutex_unlock(&iint->mutex);
|
||||
|
||||
kref_put(&iint->refcount, iint_free);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(ima_counts_get);
|
||||
|
||||
|
|
Loading…
Reference in New Issue