On 08/15/2017 04:00 AM, Jan Kara wrote:
audit_remove_watch_rule() drops watch's reference to parent but then
continues to work with it. That is not safe as parent can get freed once
we drop our reference. The following is a trivial reproducer:
mount -o loop image /mnt
touch /mnt/file
auditctl -w /mnt/file -p wax
umount /mnt
auditctl -D
<crash in fsnotify_destroy_mark()>
Grab our own reference in audit_remove_watch_rule() earlier to make sure
mark does not get freed under us.
CC: stable(a)vger.kernel.org
Reported-by: Tony Jones <tonyj(a)suse.de>
Signed-off-by: Jan Kara <jack(a)suse.cz>
---
Tested-by: Tony Jones <tonyj(a)suse.de>
Fix tested and verified against v3.0 and mainline
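The ordering bug the commit message describes, reduced to a toy refcount model in C. This is an added illustration, not the kernel's fsnotify or audit code: `struct parent`, `struct mark`, `parent_get`/`parent_put` and the two `remove_watch_rule_*` functions are hypothetical stand-ins. Instead of freeing memory on the last put it sets a `freed` flag, so the use-after-free shows up as a return value rather than a crash. The "unsafe" function drops the watch's only reference and then touches the parent (what the crash in fsnotify_destroy_mark() corresponds to); the "safe" one takes its own reference first, as the fix does.

```c
/* Added example: toy refcount model of the audit watch / parent ordering bug.
 * All names are hypothetical; none of this is the kernel's own API. */
#include <stdio.h>
#include <stdlib.h>

struct parent {
    int refcount;
    int freed;          /* set when the last reference drops (stands in for kfree) */
    int marks_active;
};

struct mark {
    struct parent *parent;   /* the watch's reference to its parent */
};

static struct parent *parent_alloc(void)
{
    struct parent *p = calloc(1, sizeof *p);
    p->refcount = 1;
    return p;
}

static void parent_get(struct parent *p) { p->refcount++; }

/* Drop a reference; at zero the object counts as freed. Memory is kept so the
 * caller can observe the use-after-free instead of crashing. */
static void parent_put(struct parent *p)
{
    if (--p->refcount == 0)
        p->freed = 1;
}

/* Work that needs a live parent. Returns -1 if called on a freed one. */
static int parent_destroy_mark(struct parent *p)
{
    if (p->freed)
        return -1;      /* use-after-free: in the kernel this is the crash */
    p->marks_active--;
    return 0;
}

/* Unsafe ordering: drop the watch's reference, then keep using parent. */
static int remove_watch_rule_unsafe(struct mark *m)
{
    struct parent *p = m->parent;
    parent_put(p);                 /* may be the last reference */
    m->parent = NULL;
    return parent_destroy_mark(p); /* parent may already be gone */
}

/* Safe ordering: hold our own reference across the work, as the fix does. */
static int remove_watch_rule_safe(struct mark *m)
{
    struct parent *p = m->parent;
    int ret;
    parent_get(p);                 /* our own reference */
    parent_put(p);                 /* drop the watch's reference */
    m->parent = NULL;
    ret = parent_destroy_mark(p);  /* parent is still alive */
    parent_put(p);                 /* release ours; frees if it was the last */
    return ret;
}

/* Reproducer shape: after the umount only the watch's reference is left.
 * Returns the removal result and reports whether the parent ended up freed. */
static int run_scenario(int (*remove)(struct mark *), int *parent_freed_after)
{
    struct parent *p = parent_alloc();   /* refcount 1 = the watch's ref */
    struct mark m = { .parent = p };
    int ret;
    p->marks_active = 1;
    ret = remove(&m);
    *parent_freed_after = p->freed;
    free(p);
    return ret;
}

int main(void)
{
    int freed, ret;
    ret = run_scenario(remove_watch_rule_unsafe, &freed);
    printf("unsafe ordering: result=%d parent_freed=%d\n", ret, freed);
    ret = run_scenario(remove_watch_rule_safe, &freed);
    printf("safe ordering:   result=%d parent_freed=%d\n", ret, freed);
    return 0;
}
```

Both orderings end with the parent freed, which is the point: the fix does not leak a reference, it only moves the final put past the last use.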