Kernel oops+crash on repeated auditd restarts

Peter Moody pmoody at google.com
Tue Apr 24 18:38:11 UTC 2012 

On Tue, Apr 24, 2012 at 11:31 AM, Eric Paris <eparis at redhat.com> wrote:
> On Tue, 2012-04-24 at 02:12 -0300, Marcelo Cerri wrote:
>> On Mon, 23 Apr 2012 12:26:16 -0400, Eric Paris <eparis at redhat.com> wrote:
>
>> Considering that the issue is specific to audit and it seems to occur
>> only with watches on directories, I investigated the audit_tree.c file
>> and found a probable cause. The untag_chunk() holds a reference to a
>> mark at the begging of the function and releases it at the end of it (on
>> the label out). However when it jumps to the "out" label, it calls
>> fsnotify_put_mark once more.
>>
>> Peter and Valentin, can you test this new patch to check if it
>> solves the oops problem?
>>
>> Eric, do you agree with this solution?
>>
>> Regards,
>> Marcelo
>>
>> ---
>>  kernel/audit_tree.c |    2 --
>>  1 file changed, 2 deletions(-)
>>
>> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
>> index 5bf0790..b5bd9f9 100644
>> --- a/kernel/audit_tree.c
>> +++ b/kernel/audit_tree.c
>> @@ -250,7 +250,6 @@ static void untag_chunk(struct node *p)
>>         spin_unlock(&hash_lock);
>>         spin_unlock(&entry->lock);
>>         fsnotify_destroy_mark(entry);
>> -       fsnotify_put_mark(entry);
>>         goto out;
>>     }
>>
>> @@ -293,7 +292,6 @@ static void untag_chunk(struct node *p)
>>     spin_unlock(&hash_lock);
>>     spin_unlock(&entry->lock);
>>     fsnotify_destroy_mark(entry);
>> -   fsnotify_put_mark(entry);
>>     goto out;
>>
>>  Fallback:
>
> This looks right to me.  The old audit logic before the switch to
> fsnotify was:
> -       inotify_evict_watch(&chunk->watch);
> -       mutex_unlock(&chunk->watch.inode->inotify_mutex);
> -       put_inotify_watch(&chunk->watch);
>
> Which I changed to:
> +       spin_unlock(&entry->lock);
> +       fsnotify_destroy_mark_by_entry(entry);
> +       fsnotify_put_mark(entry);
>
> The difference being that inotify_evict_watch() took a reference on
> chunk->watch, however fsnotify_destroy_mark_by_entry() does not.  So the
> fsnotify_put_mark() was incorrect.
>
> I'd love to hear testing results, and I'm going to try to figure out if
> I screwed that up other places....

I'm testing this now. It looks good WRT the crash. I need to spend
some more time testing be sure memory isn't leaking anywhere.


> -Eric
>



-- 
Peter Moody      Google    1.650.253.7306
Security Engineer  pgp:0xC3410038

More information about the Linux-audit mailing list