On 08/15/2017 04:00 AM, Jan Kara wrote:
> audit_remove_watch_rule() drops watch's reference to parent but then
> continues to work with it. That is not safe as parent can get freed once
> we drop our reference. The following is a trivial reproducer:
>
> mount -o loop image /mnt
> touch /mnt/file
> auditctl -w /mnt/file -p wax
> umount /mnt
> auditctl -D
> <crash in fsnotify_destroy_mark()>
>
> Grab our own reference in audit_remove_watch_rule() earlier to make sure
> mark does not get freed under us.
>
> CC: stable@xxxxxxxxxxxxxxx
> Reported-by: Tony Jones <tonyj@xxxxxxx>
> Signed-off-by: Jan Kara <jack@xxxxxxx>
> ---

Tested-by: Tony Jones <tonyj@xxxxxxx>

Fix tested and verified against v3.0 and mainline