> diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
> index 7f358740e958..367eaf2c78b7 100644
> --- a/kernel/audit_watch.c
> +++ b/kernel/audit_watch.c
> @@ -350,11 +350,10 @@ static int audit_get_nd(struct audit_watch *watch, struct path *parent)
> struct dentry *d = kern_path_locked(watch->path, parent);
> if (IS_ERR(d))
> return PTR_ERR(d);
> - if (d_is_positive(d)) {
> - /* update watch filter fields */
> - watch->dev = d->d_sb->s_dev;
> - watch->ino = d_backing_inode(d)->i_ino;
> - }
> + /* update watch filter fields */
> + watch->dev = d->d_sb->s_dev;
> + watch->ino = d_backing_inode(d)->i_ino;
> +
> inode_unlock(d_backing_inode(parent->dentry));
> dput(d);
> return 0;
> @@ -419,10 +418,11 @@ int audit_add_watch(struct audit_krule *krule, struct list_head **list)
> /* caller expects mutex locked */
> mutex_lock(&audit_filter_mutex);
>
> - if (ret) {
> + if (ret && ret != -ENOENT) {
> audit_put_watch(watch);
> return ret;
> }
> + ret = 0;
So this is broken.
If kern_path_locked() fails due to a negative dentry and returns ENOENT
it will have already called path_put() and @parent_path is invalid.
But right after this audit does:
>
> /* either find an old parent or attach a new one */
> parent = audit_find_parent(d_backing_inode(parent_path.dentry));
and then later on calls path_put() again. So this is a UAF. We need to
fix this.
This used to work before because kern_path_locked() return a path with a
negative dentry.
