On Fri, Jan 28, 2022 at 3:29 PM <vbendel@xxxxxxxxxx> wrote: > From: Vratislav Bendel <vbendel@xxxxxxxxxx> > > Currently there are two users of policydb->cond_list: cond_read_list() > and duplicate_policydb_cond_list(). On their error path one clears > ->cond_list to NULL, but the other doesn't. > Make the behavior consistent by resetting ->cond_list to NULL in > cond_list_destroy(), which is called by both on the error path. It's also important to see if there are any callers of cond_list_destroy() which incorrectly might be making use of policydb::cond_list after it has been freed; thankfully that does not appear to be the case in any of the call paths I looked at just now. As this is more a a style/Right-Thing-To-Do patch and not an immediate bugfix I'm going to go and merge this into selinux/next. Thanks Vratislav. > Signed-off-by: Vratislav Bendel <vbendel@xxxxxxxxxx> > --- > security/selinux/ss/conditional.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/security/selinux/ss/conditional.c b/security/selinux/ss/conditional.c > index 2ec6e5cd25d9..1d0e5f326b62 100644 > --- a/security/selinux/ss/conditional.c > +++ b/security/selinux/ss/conditional.c > @@ -152,6 +152,7 @@ static void cond_list_destroy(struct policydb *p) > for (i = 0; i < p->cond_list_len; i++) > cond_node_destroy(&p->cond_list[i]); > kfree(p->cond_list); > + p->cond_list = NULL; > } > > void cond_policydb_destroy(struct policydb *p) > @@ -441,7 +442,6 @@ int cond_read_list(struct policydb *p, void *fp) > return 0; > err: > cond_list_destroy(p); > - p->cond_list = NULL; > return rc; > } > > -- > 2.26.3 -- paul-moore.com
