Kernel oops+crash on repeated auditd restarts
Peter Moody
pmoody at google.com
Tue Apr 24 01:27:21 UTC 2012
On Mon, Apr 23, 2012 at 9:26 AM, Eric Paris <eparis at redhat.com> wrote:
> On Fri, 2012-04-20 at 23:14 -0300, Marcelo Cerri wrote:
>
>> The patch below increments the reference count of a mark when it is
>> added to the destroy list. It seems to solve the issue and it doesn't
>> seem to cause any memory leak. Please, can you make some tests in your
>> environments and let me know if there is any problem with this patch.
>
> That is almost certainly the wrong thing to do. This test program
> should show a memory leak with your patch. If it doesn't show a memory
> leak then something is screwed up in inotify as well.
>
> #include <errno.h>
> #include <unistd.h>
> #include <sys/inotify.h>
>
> int main(void)
> {
> int fd;
> int rc;
> struct inotify_event event[10];
>
> fd = inotify_init();
> if (fd < 0)
> return errno;
>
> while(1) {
> rc = inotify_add_watch(fd, "/tmp", IN_CLOSE_WRITE);
> if (rc < 0)
> return errno;
>
> rc = inotify_rm_watch(fd, rc);
> if (rc)
> return errno;
>
> rc = read(fd, event, sizeof(event));
> if (rc < 0)
> return errno;
> }
>
> return 0;
> }
>
> The lifetime of an object is supposed to be from fsnotify_init_mark()
> until it's matching reference is dropped in fsnotify_mark_destroy(). It
> sounds to me like we are calling put somewhere in the audit code when we
> didn't previously call a get....
>
FWIW, bisecting points me to 75c1be487a690db43da2c1234fcacd84c982803c
75c1be487a690db43da2c1234fcacd84c982803c is the first bad commit
commit 75c1be487a690db43da2c1234fcacd84c982803c
Author: Eric Paris <eparis at redhat.com>
Date: Wed Jul 28 10:18:38 2010 -0400
fsnotify: srcu to protect read side of inode and vfsmount locks
Currently reading the inode->i_fsnotify_marks or
vfsmount->mnt_fsnotify_marks lists are protected by a spinlock on both the
read and the write side. This patch protects the read side of those lists
with a new single srcu.
Signed-off-by: Eric Paris <eparis at redhat.com>
:040000 040000 4b5d9b446eefaca96f8a89b8e9c2ef18da88534e
1abcff76e285ae57f5855b60857ef1708e937a0c M fs
:040000 040000 a02d4ab5b164aa9282a342d73ebe3658f88b4539
3ca9f66ba26cc265d118e6c8558ff2214b9ed192 M include
Cheers,
peter
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
More information about the Linux-audit
mailing list