From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752194AbcK2R15 (ORCPT <rfc822;w@1wt.eu>);
        Tue, 29 Nov 2016 12:27:57 -0500
Received: from Chamillionaire.breakpoint.cc ([146.0.238.67]:43004 "EHLO
        Chamillionaire.breakpoint.cc" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1750795AbcK2R1t (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 29 Nov 2016 12:27:49 -0500
Date: Tue, 29 Nov 2016 18:24:50 +0100
From: Florian Westphal <fw@strlen.de>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: Florian Westphal <fw@strlen.de>, linux-kernel@vger.kernel.org,
        linux-audit@redhat.com
Subject: Re: [PATCH] audit: remove the audit freelist
Message-ID: <20161129172450.GD26930@breakpoint.cc>
References: <1479215774-29810-1-git-send-email-fw@strlen.de>
 <20161129161233.GG6897@madcap2.tricolour.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20161129161233.GG6897@madcap2.tricolour.ca>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Richard Guy Briggs <rgb@redhat.com> wrote:
> >  static void audit_buffer_free(struct audit_buffer *ab)
> >  {
> > -	unsigned long flags;
> > -
> >  	if (!ab)
> >  		return;
> >  
> >  	kfree_skb(ab->skb);
> > -	spin_lock_irqsave(&audit_freelist_lock, flags);
> > -	if (audit_freelist_count > AUDIT_MAXFREE)
> > -		kfree(ab);
> > -	else {
> > -		audit_freelist_count++;
> > -		list_add(&ab->list, &audit_freelist);
> > -	}
> > -	spin_unlock_irqrestore(&audit_freelist_lock, flags);
> > +	kfree(ab);
> >  }
[..]

> >  	nlh = nlmsg_put(ab->skb, 0, 0, type, 0, 0);
> >  	if (!nlh)
> > -		goto out_kfree_skb;
> > +		goto err;
> >  
> >  	return ab;
> >  
> > -out_kfree_skb:
> > -	kfree_skb(ab->skb);
> > -	ab->skb = NULL;
> 
> Why is the kfree_skb() skipped on error from nlmsg_put()?  I don't see
> much risk in nlmsg_put() failing considering the very simple arguments,
> however the code path is not trivial either.

if nlmsg_put fails we jump to err and ...

> >  err:
> >  	audit_buffer_free(ab);
> >  	return NULL;

... ab->skb gets free'd by audit_buffer_free() here.