Description of problem:

    ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
    if (!ab)
            break;
    audit_log_format(ab, "auid=%u", loginuid);
    if (sid) {
            u32 len;
            ctx = NULL;
            if (selinux_ctxid_to_string(sid, &ctx, &len))
                    audit_log_format(ab, " ssid=%u", sid);
            else
                    audit_log_format(ab, " subj=%s", ctx);
            kfree(ctx);
    }
    audit_log_format(ab, " op=make_equiv old=");
    audit_log_untrustedstring(ab, old);
    audit_log_format(ab, " new=");
    audit_log_untrustedstring(ab, new);
    audit_log_format(ab, " res=%d", !err);
    audit_log_end(ab);
    kfree(old);
    kfree(new);

If ab is null for any reason we are going to leak old and new.
Easy enough to fix. Either drop the if (!ab) check altogether, since everything can handle null just fine, or wrap all of the audit_log_ stuff in an if (ab) so we always call the kfrees.
Submitted a fix for this as part of the patch for 335731.

*** This bug has been marked as a duplicate of 335731 ***