Oops while checking file system auditing

Timothy R. Chavez tinytim at us.ibm.com
Tue May 24 20:38:44 UTC 2005 

On Tuesday 24 May 2005 15:09, Steve Grubb wrote:
> On Tuesday 24 May 2005 15:56, Rob Myers wrote:
> > steve, can you reproduce it reliably?
> 
> Just like clockwork.
> 

I noticed that I wasn't putting my reference back to my wentry in the 
audit_free_aux() function, only in audit_log_exit() *cough*

Though, on a separate but some-what related tangent, why have this in
audit_log_exit():

case AUDIT_AVC_PATH: {
                        struct audit_aux_data_path *axi = (void *)aux;
                        audit_log_d_path(ab, "path=", axi->dentry, axi->mnt);
->                    dput(axi->dentry);
->                    mntput(axi->mnt);
                        break; }

In theory, you're going to have to call audit_free_aux() and it will be
dealt with there, right?

-tim


> Here's another one just doing the watches - no rules this time. It looks a 
> little different:
> 
> May 24 15:57:22 localhost kernel: Unable to handle kernel paging request at 
> virtual address f97cff90
> May 24 15:57:22 localhost kernel:  printing eip:
> May 24 15:57:22 localhost kernel: c014170c
> May 24 15:57:22 localhost kernel: *pde = 00000000
> May 24 15:57:22 localhost kernel: Oops: 0000 [#1]
> May 24 15:57:22 localhost kernel: Modules linked in: parport_pc lp parport 
> autofs4 i2c_dev i2c_core ipt_REJECT ipt_state ip_conntrack iptable_filter 
> ip_tables dm_mod button battery ac md5 ipv6 uhci_hcd snd_emu10k1 snd_rawmidi 
> snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_seq_device snd_ac97_codec 
> snd_page_alloc snd_util_mem snd_hwdep snd soundcore 3c59x floppy ext3 jbd
> May 24 15:57:22 localhost kernel: CPU:    0
> May 24 15:57:22 localhost kernel: EIP:    0060:[<c014170c>]    Not tainted 
VLI
> May 24 15:57:22 localhost kernel: EFLAGS: 00010282   
(2.6.9-5.0.3.EL.audit.48)
> May 24 15:57:22 localhost kernel: EIP is at audit_syscall_exit+0x340/0x3be
> May 24 15:57:22 localhost kernel: eax: effef060   ebx: f97cff8c   ecx: 
> 00000006   edx: 0000004c
> May 24 15:57:22 localhost kernel: esi: e832e780   edi: 00000000   ebp: 
> e82f4800   esp: e7b9ef94
> May 24 15:57:22 localhost kernel: ds: 007b   es: 007b   ss: 0068
> May 24 15:57:22 localhost kernel: Process socket (pid: 1831, 
> threadinfo=e7b9e000 task=e832e780)
> May 24 15:57:22 localhost kernel: Stack: bff1cea0 00000010 00000000 e832e780 
> e7b9efc4 00000001 e7b9e000 c010b49b
> May 24 15:57:22 localhost kernel:        00000003 00000004 00000005 c0303742 
> 00000003 bff1ad30 ffffffff 00000004
> May 24 15:57:22 localhost kernel:        00000005 bff1d8c8 ffffff92 0000007b 
> 0000007b 00000066 00a947a2 00000073
> May 24 15:57:22 localhost kernel: Call Trace:
> May 24 15:57:22 localhost kernel:  [<c010b49b>] do_syscall_trace+0x2f/0xc8
> May 24 15:57:22 localhost kernel:  [<c0303742>] syscall_exit_work+0x12/0x18
> May 24 15:57:22 localhost kernel: Code: 3c 8b 13 85 d2 74 0a a1 14 6f 40 c0 
e8 
> 93 a9 00 00 47 83 c3 1c 3b 7d 38 7c e7 c7 45 38 00 00 00 00 8b 9d 70 02 00 
00 
> 85 db 74 41 <81> 7b 04 7a 05 00 00 75 27 8b 43 08 e8 73 b0 03 00 8b 53 0c 85
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> http://www.redhat.com/mailman/listinfo/linux-audit
> 
> 

-- 
-tim

More information about the Linux-audit mailing list