From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 PATCH] BZ 245164 kernel oops when audit disables and files watched
Date: Fri, 22 Jun 2007 15:55:08 -0400
Bugzilla: 245164
Message-Id: <1182542108.3444.17.camel@dhcp231-215.rdu.redhat.com>
Changelog: [audit] kernel oops when audit disabled with files watched

BZ 245164

The kernel can oops if a file is watched, auditing is then disabled, and you try to do something with the watched file.

To reproduce:
- auditctl -e 1
- touch /tmp/foo
- auditctl -w /tmp/foo
- auditctl -e 0
- rm /tmp/foo (or mv)

Simple enough, check if there is an audit_context on the file before you try to use it.

It's been posted upstream and I'm sure viro will pull it into the audit tree soon.

-Eric

--- linux-2.6.18.i686/kernel/auditfilter.c.pre.audit.disabled +++ linux-2.6.18.i686/kernel/auditfilter.c @@ -976,7 +976,7 @@ static void audit_update_watch(struct au /* If the update involves invalidating rules, do the inode-based * filtering now, so we don't omit records. */ - if (invalidating && + if (invalidating && current->audit_context && audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT) audit_set_auditable(current->audit_context);
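
Review bot: the comment above the changed condition in audit_update_watch() still says the inode-based filtering is done "so we don't omit records", but with the added current->audit_context test that filtering is skipped without a trace whenever the current task has no audit context. Please extend the comment to say that current->audit_context can be NULL here (the message gives auditing disabled with auditctl -e 0 as the case) and that skipping the filter is intended then, so a later reader does not take the extra test for redundant and remove it. As a smaller style point, the statement now reads current->audit_context three times; loading it once into a local variable would make it obvious that the NULL test and the two uses refer to the same pointer.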