audit.56 oops

Rob Myers rob.myers at gtri.gatech.edu
Mon Jun 13 17:25:50 UTC 2005 

here are 2 oopses with audit.56 with a few file watches enabled.

the second one happened when i was updating to audit 0.9.4.  i don't
know what triggered the first.

rob.

[root at localhost ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=8:2, path=/etc/shadow, filterkey=fk_etc_shadow,
perms=rwea, valid=0
AUDIT_WATCH_LIST: dev=8:2, path=/etc/passwd, filterkey=fk_etc_passwd,
perms=rwea, valid=0
AUDIT_WATCH_LIST: dev=8:2, path=/etc/auditd.conf,
filterkey=fk_etc_auditd.conf, perms=rwea, valid=0
AUDIT_WATCH_LIST: dev=8:2, path=/etc/audit.rules,
filterkey=fk_etc_audit.rules, perms=rwea, valid=0
AUDIT_WATCH_LIST: dev=8:5, path=/var/log/audit,
filterkey=fk_var_log_audit, perms=rwe, valid=0
AUDIT_WATCH_LIST: dev=8:5, path=/var/log/messages,
filterkey=fk_var_log_messages, perms=rwe, valid=0
AUDIT_WATCH_LIST: dev=8:5, path=/var/log/messages-old,
filterkey=fk_var_log_messages-old, perms=rwea, valid=0


Jun 13 08:22:47 localhost kernel: Unable to handle kernel NULL pointer
dereference at virtual address 00000000
Jun 13 08:22:47 localhost kernel:  printing eip:
Jun 13 08:22:47 localhost kernel: c013cdd5
Jun 13 08:22:47 localhost kernel: *pde = 11651001
Jun 13 08:22:47 localhost kernel: Oops: 0002 [#1]
Jun 13 08:22:47 localhost kernel: SMP 
Jun 13 08:22:47 localhost kernel: Modules linked in: i2c_dev i2c_core
ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables dm_mod button
battery ac uhci_hcd ehci_hcd hw_random snd_intel8x0 snd_ac97_codec
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc
snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore sk98lin floppy
ext3 jbd i2o_block i2o_core ata_piix libata aic7xxx sd_mod scsi_mod
Jun 13 08:22:47 localhost kernel: CPU:    0
Jun 13 08:22:47 localhost kernel: EIP:    0060:[<c013cdd5>]    Not
tainted VLI
Jun 13 08:22:47 localhost kernel: EFLAGS: 00010246
(2.6.9-5.0.3.EL.audit.56smp) 
Jun 13 08:22:47 localhost kernel: EIP is at audit_inode_free+0xe6/0x113
Jun 13 08:22:47 localhost kernel: eax: d84b735c   ebx: 00000000   ecx:
00000000   edx: d84b7370
Jun 13 08:22:47 localhost kernel: esi: ce96d770   edi: dc1ca180   ebp:
dfb58d5c   esp: cb639ecc
Jun 13 08:22:47 localhost kernel: ds: 007b   es: 007b   ss: 0068
Jun 13 08:22:47 localhost kernel: Process usermod (pid: 3521,
threadinfo=cb639000 task=da0119b0)
Jun 13 08:22:47 localhost kernel: Stack: ce96d770 ce96d770 dc2fd93c
dfb58d5c c016c914 ce96d770 c016d952 dc2fd934 
Jun 13 08:22:47 localhost kernel:        c016b15b 00000000 dc2fd934
d822cdf4 c0165a6f 00000000 dfb58d5c c6ab2000 
Jun 13 08:22:47 localhost kernel:        c5d28000 dfb58d5c c15f2e00
ceb0fa2e 00000006 c6ab2005 00000010 00000000 
Jun 13 08:22:47 localhost kernel: Call Trace:
Jun 13 08:22:47 localhost kernel:  [<c016c914>] destroy_inode+0x1b/0x4c
Jun 13 08:22:47 localhost kernel:  [<c016d952>] iput+0x5f/0x61
Jun 13 08:22:47 localhost kernel:  [<c016b15b>] dput+0x17b/0x1a7
Jun 13 08:22:47 localhost kernel:  [<c0165a6f>] sys_rename+0x157/0x1e0
Jun 13 08:22:47 localhost kernel:  [<c0109ebb>] do_syscall_trace
+0xc0/0xc9
Jun 13 08:22:47 localhost kernel:  [<c02c82db>] syscall_call+0x7/0xb
Jun 13 08:22:47 localhost kernel: Code: 89 d8 e8 5d f4 ff ff 89 d8 e8 56
f4 ff ff e8 04 f1 ff ff 89 ea e9 5e ff ff ff 8b 57 0c 85 d2 74 27 8b 1a
8d 42 ec 8b 4a 04 85 db <89> 19 74 03 89 4b 04 c7 02 00 01 10 00 c7 42
04 00 02 20 00 e8 

Jun 13 12:56:36 localhost kernel: Unable to handle kernel NULL pointer
dereference at virtual address 00000000
Jun 13 12:56:36 localhost kernel:  printing eip:
Jun 13 12:56:36 localhost kernel: c013cdd5
Jun 13 12:56:36 localhost kernel: *pde = 0f408001
Jun 13 12:56:36 localhost kernel: Oops: 0002 [#1]
Jun 13 12:56:36 localhost kernel: SMP 
Jun 13 12:56:36 localhost kernel: Modules linked in: i2c_dev i2c_core
ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables dm_mod button
battery ac uhci_hcd ehci_hcd hw_random snd_intel8x0 snd_ac97_codec
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc
snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore sk98lin floppy
ext3 jbd i2o_block i2o_core ata_piix libata aic7xxx sd_mod scsi_mod
Jun 13 12:56:36 localhost kernel: CPU:    0
Jun 13 12:56:36 localhost kernel: EIP:    0060:[<c013cdd5>]    Not
tainted VLI
Jun 13 12:56:36 localhost kernel: EFLAGS: 00010246
(2.6.9-5.0.3.EL.audit.56smp) 
Jun 13 12:56:36 localhost kernel: EIP is at audit_inode_free+0xe6/0x113
Jun 13 12:56:36 localhost kernel: eax: d7f4e32c   ebx: 00000000   ecx:
00000000   edx: d7f4e340
Jun 13 12:56:36 localhost kernel: esi: da7b6548   edi: de03cd60   ebp:
df8f42ac   esp: c5dd6ecc
Jun 13 12:56:36 localhost kernel: ds: 007b   es: 007b   ss: 0068
Jun 13 12:56:36 localhost kernel: Process rpm (pid: 9601,
threadinfo=c5dd6000 task=ce6fa230)
Jun 13 12:56:36 localhost kernel: Stack: da7b6548 da7b6548 dd155b04
df8f42ac c016c914 da7b6548 c016d952 dd155afc 
Jun 13 12:56:36 localhost kernel:        c016b15b 00000000 dd155afc
c588b50c c0165a6f 00000000 df8f42ac c641f000 
Jun 13 12:56:36 localhost kernel:        c6c0b000 df8f42ac c15f2e00
2cefc80a 0000000b c641f005 00000010 00000000 
Jun 13 12:56:36 localhost kernel: Call Trace:
Jun 13 12:56:36 localhost kernel:  [<c016c914>] destroy_inode+0x1b/0x4c
Jun 13 12:56:36 localhost kernel:  [<c016d952>] iput+0x5f/0x61
Jun 13 12:56:36 localhost kernel:  [<c016b15b>] dput+0x17b/0x1a7
Jun 13 12:56:36 localhost kernel:  [<c0165a6f>] sys_rename+0x157/0x1e0
Jun 13 12:56:36 localhost kernel:  [<c01077ff>] do_IRQ+0xd5/0x130
Jun 13 12:56:36 localhost kernel:  [<c0107822>] do_IRQ+0xf8/0x130
Jun 13 12:56:36 localhost kernel:  [<c02c8c98>] common_interrupt
+0x18/0x20
Jun 13 12:56:36 localhost kernel:  [<c0109ebb>] do_syscall_trace
+0xc0/0xc9
Jun 13 12:56:36 localhost kernel:  [<c02c82db>] syscall_call+0x7/0xb
Jun 13 12:56:36 localhost kernel: Code: 89 d8 e8 5d f4 ff ff 89 d8 e8 56
f4 ff ff e8 04 f1 ff ff 89 ea e9 5e ff ff ff 8b 57 0c 85 d2 74 27 8b 1a
8d 42 ec 8b 4a 04 85 db <89> 19 74 03 89 4b 04 c7 02 00 01 10 00 c7 42
04 00 02 20 00 e8

More information about the Linux-audit mailing list