[PATCH] audit: fix oops removing watch if audit disabled

Removing a watched file will oops if audit is disabled (auditctl -e 0).

To reproduce:
- auditctl -e 1
- touch /tmp/foo
- auditctl -w /tmp/foo
- auditctl -e 0
- rm /tmp/foo (or mv)

Signed-off-by: Tony Jones <tonyj@suse.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 9c8c23227c7f28970f64de6e21cab6e8bfa08415..5a756579f069ccf3458340c5c2331896054f4fc2 100644 (file)
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -905,7 +905,7 @@ static void audit_update_watch(struct audit_parent *parent,
 
                /* If the update involves invalidating rules, do the inode-based
                 * filtering now, so we don't omit records. */
-               if (invalidating &&
+               if (invalidating && current->audit_context &&
                    audit_filter_inodes(current, current->audit_context) == AUDIT_RECORD_CONTEXT)
                        audit_set_auditable(current->audit_context);