Kernel oops+crash on repeated auditd restarts
Eric Paris
eparis at redhat.com
Mon Apr 23 16:26:16 UTC 2012
On Fri, 2012-04-20 at 23:14 -0300, Marcelo Cerri wrote:
> The patch below increments the reference count of a mark when it is
> added to the destroy list. It seems to solve the issue and it doesn't
> seem to cause any memory leak. Please, can you make some tests in your
> environments and let me know if there is any problem with this patch.
That is almost certainly the wrong thing to do. This test program
should show a memory leak with your patch. If it doesn't show a memory
leak then something is screwed up in inotify as well.
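
#include <errno.h>
#include <unistd.h>
#include <sys/inotify.h>

int main(void)
{
    int fd;
    int rc;
    struct inotify_event event[10];

    fd = inotify_init();
    if (fd < 0)
        return errno;

    /* Add and remove the same watch forever; each pass creates and
     * destroys one mark, so a leaked reference shows up as steadily
     * growing kernel memory. */
    while (1) {
        rc = inotify_add_watch(fd, "/tmp", IN_CLOSE_WRITE);
        if (rc < 0)
            return errno;

        rc = inotify_rm_watch(fd, rc);
        if (rc)
            return errno;

        /* Consume the IN_IGNORED event queued by the removal. */
        rc = read(fd, event, sizeof(event));
        if (rc < 0)
            return errno;
    }

    return 0;
}
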
The lifetime of an object is supposed to be from fsnotify_init_mark()
until its matching reference is dropped in fsnotify_mark_destroy(). It
sounds to me like we are calling put somewhere in the audit code when we
didn't previously call a get....
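
Added example, not part of the original message and not kernel code: a userspace model of the reference counting discussed above. The names init_mark, get_mark, put_mark and the three scenarios are assumptions for illustration; it shows that an unpaired get leaks every mark, while a put without an earlier get makes the final put land on an already-freed mark.

```c
#include <stdio.h>

/* Userspace model only; names echo the message, this is not kernel code. */
struct mark { int refcnt; int freed; };
struct result { int leaked; int bad_puts; };
enum scenario { BALANCED, GET_ON_DESTROY_LIST, PUT_WITHOUT_GET };

static void init_mark(struct mark *m) { m->refcnt = 1; m->freed = 0; }
static void get_mark(struct mark *m) { m->refcnt++; }

/* Drop one reference. Returns 1 if the mark was already freed, i.e. this
 * put would touch freed memory, and 0 otherwise. */
static int put_mark(struct mark *m)
{
    if (m->freed)
        return 1;
    if (--m->refcnt == 0)
        m->freed = 1;
    return 0;
}

/* Model `cycles` rounds of the add_watch/rm_watch loop in the test program. */
static struct result simulate(enum scenario s, int cycles)
{
    struct result r = { 0, 0 };
    for (int i = 0; i < cycles; i++) {
        struct mark m;
        init_mark(&m);                      /* initial reference */
        if (s == PUT_WITHOUT_GET)
            r.bad_puts += put_mark(&m);     /* stray put: frees early */
        if (s == GET_ON_DESTROY_LIST)
            get_mark(&m);                   /* extra get, never paired */
        r.bad_puts += put_mark(&m);         /* destroy drops initial ref */
        if (!m.freed)
            r.leaked++;                     /* count never reached zero */
    }
    return r;
}

int main(void)
{
    const char *name[] = { "balanced", "get on destroy list", "put without get" };
    for (int s = BALANCED; s <= PUT_WITHOUT_GET; s++) {
        struct result r = simulate((enum scenario)s, 1000);
        printf("%-20s leaked=%d bad_puts=%d\n", name[s], r.leaked, r.bad_puts);
    }
    return 0;
}
```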