apparmor: reduce rcu_read_lock scope for aa_file_perm mediation

Now that the buffers allocation has changed and no longer needs
the full mediation under an rcu_read_lock, reduce the rcu_read_lock
scope to only where it is necessary.

Fixes: df323337e507 ("apparmor: Use a memory pool instead per-CPU caches")
Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/file.c b/security/apparmor/file.c
index ab56e19..37d62ec 100644 (file)
--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -621,7 +621,8 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
        fctx = file_ctx(file);
 
        rcu_read_lock();
-       flabel  = rcu_dereference(fctx->label);
+       flabel  = aa_get_newest_label(rcu_dereference(fctx->label));
+       rcu_read_unlock();
        AA_BUG(!flabel);
 
        /* revalidate access, if task is unconfined, or the cached cred
@@ -646,8 +647,7 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
                error = __file_sock_perm(op, label, flabel, file, request,
                                         denied);
 done:
-       rcu_read_unlock();
-
+       aa_put_label(flabel);
        return error;
 }