From 94e5d714f604d4cb4cb13163f01ede278e69258b Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Fri, 26 Jun 2009 14:05:27 -0400
Subject: integrity: add ima_counts_put (updated)

This patch fixes an imbalance message as reported by J.R. Okajima.
The IMA file counters are incremented in ima_path_check. If the
actual open fails, such as ETXTBSY, decrement the counters to
prevent unnecessary imbalance messages.

Reported-by: J.R. Okajima <hooanon05@yahoo.co.jp>
Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
 security/integrity/ima/ima_main.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

(limited to 'security/integrity/ima/ima_main.c')

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 6f611874d10e..101c512564ec 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -238,7 +238,34 @@ out:
 }
 
 /*
- * ima_opens_get - increment file counts
+ * ima_counts_put - decrement file counts
+ *
+ * File counts are incremented in ima_path_check. On file open
+ * error, such as ETXTBSY, decrement the counts to prevent
+ * unnecessary imbalance messages.
+ */
+void ima_counts_put(struct path *path, int mask)
+{
+	struct inode *inode = path->dentry->d_inode;
+	struct ima_iint_cache *iint;
+
+	if (!ima_initialized || !S_ISREG(inode->i_mode))
+		return;
+	iint = ima_iint_find_insert_get(inode);
+	if (!iint)
+		return;
+
+	mutex_lock(&iint->mutex);
+	iint->opencount--;
+	if ((mask & MAY_WRITE) || (mask == 0))
+		iint->writecount--;
+	else if (mask & (MAY_READ | MAY_EXEC))
+		iint->readcount--;
+	mutex_unlock(&iint->mutex);
+}
+
+/*
+ * ima_counts_get - increment file counts
  *
  * - for IPC shm and shmat file.
  * - for nfsd exported files.
-- 
cgit v1.2.3


From 53a7197aff20e341487fca8575275056fe1c63e5 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@redhat.com>
Date: Wed, 26 Aug 2009 14:56:48 -0400
Subject: IMA: iint put in ima_counts_get and put

ima_counts_get() calls ima_iint_find_insert_get() which takes a reference
to the iint in question, but does not put that reference at the end of the
function.  This can lead to a nasty memory leak.  Easy enough to reproduce:

#include <sys/mman.h>
#include <stdio.h>

int main (void)
{
	int i;
	void *ptr;

	for (i=0; i < 100000; i++) {
		ptr = mmap(NULL, 4096, PROT_READ|PROT_WRITE,
			   MAP_SHARED|MAP_ANONYMOUS, -1, 0);
		if (ptr == MAP_FAILED)
			return 2;
		munmap(ptr, 4096);
	}

	return 0;
}

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
---
 security/integrity/ima/ima_main.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'security/integrity/ima/ima_main.c')

diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index 101c512564ec..4732f5e5d127 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -262,6 +262,8 @@ void ima_counts_put(struct path *path, int mask)
 	else if (mask & (MAY_READ | MAY_EXEC))
 		iint->readcount--;
 	mutex_unlock(&iint->mutex);
+
+	kref_put(&iint->refcount, iint_free);
 }
 
 /*
@@ -291,6 +293,8 @@ void ima_counts_get(struct file *file)
 	if (file->f_mode & FMODE_WRITE)
 		iint->writecount++;
 	mutex_unlock(&iint->mutex);
+
+	kref_put(&iint->refcount, iint_free);
 }
 EXPORT_SYMBOL_GPL(ima_counts_get);
 
-- 
cgit v1.2.3