git.ipfire.org Git - thirdparty/linux.git/commitdiff
apparmor: Fix inverted comparison in cache_hold_inc()
author Eduardo Vasconcelos <eduardo@eduardovasconcelos.com>
Thu, 21 May 2026 15:13:06 +0000 (12:13 -0300)
committer John Johansen <john.johansen@canonical.com>
Sun, 14 Jun 2026 03:20:13 +0000 (20:20 -0700)
cache_hold_inc() prevents the per-CPU cache hold counter from
rising above MAX_HOLD_COUNT, but the comparison is inverted
(> MAX_HOLD_COUNT instead of <), so the counter never rises
above 0.

This breaks the cache mechanism because since the hold counter
is always 0, the global pool is always attempted first before
falling back to the local cache. The decrement also never occurs,
thus the hold counter is effectively dead.

Fix by changing > to < in cache_hold_inc().

Fixes: 0b6a6b72b329 ("apparmor: document the buffer hold, add an overflow guard")
Signed-off-by: Eduardo Vasconcelos <eduardo@eduardovasconcelos.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/lsm.c

index 3491e9f601943fd6dc44b11cd70a74c7cf7286e5..b7c19805a216c45ffadd97117d4e74bf67a89eab 100644 (file)
@@ -2129,7 +2129,7 @@ static int param_set_mode(const char *val, const struct kernel_param *kp)
  */
 static void cache_hold_inc(unsigned int *hold)
 {
-       if (*hold > MAX_HOLD_COUNT)
+       if (*hold < MAX_HOLD_COUNT)
                (*hold)++;
 }
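
Review bot: In cache_hold_inc(), the corrected `*hold < MAX_HOLD_COUNT` test makes the counter saturate at exactly MAX_HOLD_COUNT, and the comment block that ends just above the function should state that the bound is inclusive so the direction of the comparison can be checked against the documented intent. With this fix the counter becomes nonzero for the first time since the commit named in Fixes:, so the decrement path mentioned in the commit message is now live. Because `hold` is an `unsigned int`, it is worth confirming in the same review that the decrement cannot take it below 0 and wrap.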