apparmor: reduce rcu_read_lock scope for aa_file_perm mediation

Now that the buffers allocation has changed and no longer needs the full mediation under an rcu_read_lock, reduce the rcu_read_lock scope to only where it is necessary. Fixes: df323337 ("apparmor: Use a memory pool instead per-CPU caches") Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: reduce rcu_read_lock scope for aa_file_perm mediation
Now that the buffers allocation has changed and no longer needs the full mediation under an rcu_read_lock, reduce the rcu_read_lock scope to only where it is necessary. Fixes: df323337 ("apparmor: Use a memory pool instead per-CPU caches") Signed-off-by: John Johansen <john.johansen@canonical.com>
bce4e7e9 · John Johansen · 8f21a624 · bce4e7e9
Commit bce4e7e9 authored Sep 13, 2019 by John Johansen
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

security/apparmor/file.c security/apparmor/file.c +3 -3

No files found.
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -621,7 +621,8 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
 	fctx = file_ctx(file);
 	rcu_read_lock();
-	flabel  = rcu_dereference(fctx->label);
+	flabel  = aa_get_newest_label(rcu_dereference(fctx->label));
+	rcu_read_unlock();
 	AA_BUG(!flabel);
 	/* revalidate access, if task is unconfined, or the cached cred
@@ -646,8 +647,7 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
 		error = __file_sock_perm(op, label, flabel, file, request,
 					 denied);
 done:
-	rcu_read_unlock();
+	aa_put_label(flabel);
 	return error;
 }