Kernel oops+crash on repeated auditd restarts

Peter Moody pmoody at google.com
Tue Apr 24 01:27:21 UTC 2012


On Mon, Apr 23, 2012 at 9:26 AM, Eric Paris <eparis at redhat.com> wrote:
> On Fri, 2012-04-20 at 23:14 -0300, Marcelo Cerri wrote:
>
>> The patch below increments the reference count of a mark when it is
>> added to the destroy list. It seems to solve the issue and it doesn't
>> seem to cause any memory leak. Please, can you make some tests in your
>> environments and let me know if there is any problem with this patch.
>
> That is almost certainly the wrong thing to do.  This test program
> should show a memory leak with your patch.  If it doesn't show a memory
> leak then something is screwed up in inotify as well.
>
> #include <errno.h>
> #include <unistd.h>
> #include <sys/inotify.h>
>
> int main(void)
> {
>        int fd;
>        int rc;
>        struct inotify_event event[10];
>
>        fd = inotify_init();
>        if (fd < 0)
>                return errno;
>
>        while(1) {
>                rc = inotify_add_watch(fd, "/tmp", IN_CLOSE_WRITE);
>                if (rc < 0)
>                        return errno;
>
>                rc = inotify_rm_watch(fd, rc);
>                if (rc)
>                        return errno;
>
>                rc = read(fd, event, sizeof(event));
>                if (rc < 0)
>                        return errno;
>        }
>
>        return 0;
> }
>
> The lifetime of an object is supposed to be from fsnotify_init_mark()
> until its matching reference is dropped in fsnotify_mark_destroy().  It
> sounds to me like we are calling put somewhere in the audit code when we
> didn't previously call a get....
>

FWIW, bisecting points me to 75c1be487a690db43da2c1234fcacd84c982803c

75c1be487a690db43da2c1234fcacd84c982803c is the first bad commit
commit 75c1be487a690db43da2c1234fcacd84c982803c
Author: Eric Paris <eparis at redhat.com>
Date:   Wed Jul 28 10:18:38 2010 -0400

    fsnotify: srcu to protect read side of inode and vfsmount locks

    Currently reading the inode->i_fsnotify_marks or
    vfsmount->mnt_fsnotify_marks lists are protected by a spinlock on both the
    read and the write side.  This patch protects the read side of those lists
    with a new single srcu.

    Signed-off-by: Eric Paris <eparis at redhat.com>

:040000 040000 4b5d9b446eefaca96f8a89b8e9c2ef18da88534e 1abcff76e285ae57f5855b60857ef1708e937a0c M	fs
:040000 040000 a02d4ab5b164aa9282a342d73ebe3658f88b4539 3ca9f66ba26cc265d118e6c8558ff2214b9ed192 M	include

Cheers,
peter

-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038
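The reference-counting rule Eric states above (one reference held from fsnotify_init_mark() until fsnotify_mark_destroy() drops it, every other holder doing its own get/put) can be modelled in userspace. The program below is an added illustration, not the kernel's fsnotify or audit code: the mark structure, the single-inode "list", the destroy-list flag and the function names are simplified assumptions. It runs one add/remove/destroy cycle under four accountings and reports whether the mark was freed exactly once, leaked, or put after it was already freed. The last case is what a put without a preceding get looks like in this model; the extra get on queueing is what Marcelo's patch adds, and in the model it leaks on the normal path while hiding the unbalanced put on the buggy path.

```c
/* Toy model of fsnotify-style mark refcounting (added example, not kernel code).
 * Assumed names: mark_init/get/put, inode_add_mark, inode_remove_mark,
 * destroy_list_flush, run_cycle. A freed object is tracked with a flag so
 * a put-after-free is observable instead of corrupting memory. */
#include <stdio.h>

enum outcome {
    MARK_FREED_ONCE = 0,    /* balanced: last put came from the destroy path */
    MARK_LEAKED = 1,        /* refcnt never reached zero */
    MARK_PUT_AFTER_FREE = 2 /* a put arrived after the final free */
};

struct mark {
    int refcnt;
    int freed;              /* set when the last reference is dropped */
    int on_destroy_list;    /* queued for the destroy path */
    int bad_puts;           /* puts seen after the object was freed */
};

static void mark_init(struct mark *m)
{
    m->refcnt = 1;          /* the "init" reference, owned by the destroy path */
    m->freed = 0;
    m->on_destroy_list = 0;
    m->bad_puts = 0;
}

static void mark_get(struct mark *m)
{
    m->refcnt++;
}

static void mark_put(struct mark *m)
{
    if (m->freed) {         /* a real kernel would be writing freed memory here */
        m->bad_puts++;
        return;
    }
    if (--m->refcnt == 0)
        m->freed = 1;       /* stands in for the real free */
}

/* The inode's mark list takes its own reference while the mark is linked. */
static void inode_add_mark(struct mark *m)
{
    mark_get(m);
}

/* Unlinking drops the list's reference and queues the mark for destruction.
 * extra_get_on_queue models bumping the count when adding to the destroy list. */
static void inode_remove_mark(struct mark *m, int extra_get_on_queue)
{
    if (extra_get_on_queue)
        mark_get(m);
    m->on_destroy_list = 1;
    mark_put(m);
}

/* The destroy path drops the init reference; with balanced accounting it is
 * the last one and the mark is freed here. */
static void destroy_list_flush(struct mark *m)
{
    if (m->on_destroy_list) {
        m->on_destroy_list = 0;
        mark_put(m);
    }
}

/* One add/remove/destroy cycle. unbalanced_put models a put with no matching
 * get somewhere between add and remove. */
static enum outcome run_cycle(int extra_get_on_queue, int unbalanced_put)
{
    struct mark m;

    mark_init(&m);                 /* refcnt 1 */
    inode_add_mark(&m);            /* refcnt 2 */
    if (unbalanced_put)
        mark_put(&m);              /* refcnt 1: the suspected bug */
    inode_remove_mark(&m, extra_get_on_queue);
    destroy_list_flush(&m);

    if (m.bad_puts)
        return MARK_PUT_AFTER_FREE;
    if (!m.freed)
        return MARK_LEAKED;
    return MARK_FREED_ONCE;
}

int main(void)
{
    printf("balanced:                 %d\n", run_cycle(0, 0));
    printf("extra get on queue:       %d\n", run_cycle(1, 0));
    printf("unbalanced put:           %d\n", run_cycle(0, 1));
    printf("extra get + unbalanced:   %d\n", run_cycle(1, 1));
    return 0;
}
```

In this model the extra get on queueing turns the unbalanced-put cycle into a clean free, which is why such a patch can appear to fix a crash, while the balanced cycle now ends with refcnt 1 and the mark is never freed. That is the leak Eric's inotify loop is meant to make visible: each add/remove round leaves one more mark behind.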




More information about the Linux-audit mailing list