2.6.12-rc4-mm2 - sleeping function called from invalid context at mm/slab.c:2502
by Valdis.Kletnieks@vt.edu
It threw 5 of them in short succession. Different entry points into
avc_has_perm(). Here are the tracebacks:
[4295584.974000] Debug: sleeping function called from invalid context at mm/slab.c:2502
[4295584.974000] in_atomic():1, irqs_disabled():0
[4295584.974000] [<c01035a8>] dump_stack+0x15/0x17
[4295584.974000] [<c013ba6d>] kmem_cache_alloc+0x1e/0x6a
[4295584.974000] [<c02de4fa>] skb_clone+0x14/0x183
[4295584.974000] [<c02ef64a>] netlink_unicast+0x7d/0x171
[4295584.974000] [<c0130947>] audit_log_end_fast+0xf5/0x188
[4295584.974000] [<c01c3c56>] avc_audit+0x94d/0x958
[4295584.974000] [<c01c3ffb>] avc_has_perm+0x3b/0x48
[4295584.974000] [<c01c8022>] selinux_socket_unix_stream_connect+0x6f/0xa8
[4295584.974000] [<c032b740>] unix_stream_connect+0x228/0x482
[4295584.974000] [<c02dbab6>] sys_connect+0x6a/0x81
[4295584.974000] [<c02dc23b>] sys_socketcall+0x6f/0x166
[4295584.974000] [<c01026cf>] sysenter_past_esp+0x54/0x75
[4295592.398000] Debug: sleeping function called from invalid context at mm/slab.c:2502
[4295592.398000] in_atomic():1, irqs_disabled():0
[4295592.398000] [<c01035a8>] dump_stack+0x15/0x17
[4295592.398000] [<c013ba6d>] kmem_cache_alloc+0x1e/0x6a
[4295592.398000] [<c02de4fa>] skb_clone+0x14/0x183
[4295592.398000] [<c02ef64a>] netlink_unicast+0x7d/0x171
[4295592.398000] [<c0130947>] audit_log_end_fast+0xf5/0x188
[4295592.398000] [<c01c3c56>] avc_audit+0x94d/0x958
[4295592.398000] [<c01c3ffb>] avc_has_perm+0x3b/0x48
[4295592.398000] [<c01c8790>] ipc_has_perm+0x52/0x5a
[4295592.398000] [<c01b808c>] ipcperms+0x89/0x93
[4295592.398000] [<c01bba55>] do_shmat+0x28d/0x2a2
[4295592.398000] [<c0107bfd>] sys_ipc+0xe8/0x143
[4295592.398000] [<c01026cf>] sysenter_past_esp+0x54/0x75
[4295857.484000] Debug: sleeping function called from invalid context at mm/slab.c:2502
[4295857.484000] in_atomic():1, irqs_disabled():0
[4295857.484000] [<c01035a8>] dump_stack+0x15/0x17
[4295857.484000] [<c013ba6d>] kmem_cache_alloc+0x1e/0x6a
[4295857.484000] [<c02de4fa>] skb_clone+0x14/0x183
[4295857.484000] [<c02ef64a>] netlink_unicast+0x7d/0x171
[4295857.484000] [<c0130947>] audit_log_end_fast+0xf5/0x188
[4295857.484000] [<c01c3c56>] avc_audit+0x94d/0x958
[4295857.484000] [<c01c3ffb>] avc_has_perm+0x3b/0x48
[4295857.484000] [<c01c8790>] ipc_has_perm+0x52/0x5a
[4295857.484000] [<c01b808c>] ipcperms+0x89/0x93
[4295857.484000] [<c01bba55>] do_shmat+0x28d/0x2a2
[4295857.484000] [<c0107bfd>] sys_ipc+0xe8/0x143
[4295857.484000] [<c01026cf>] sysenter_past_esp+0x54/0x75
[4295859.266000] Debug: sleeping function called from invalid context at mm/slab.c:2502
[4295859.266000] in_atomic():1, irqs_disabled():0
[4295859.266000] [<c01035a8>] dump_stack+0x15/0x17
[4295859.266000] [<c013ba6d>] kmem_cache_alloc+0x1e/0x6a
[4295859.266000] [<c02de4fa>] skb_clone+0x14/0x183
[4295859.266000] [<c02ef64a>] netlink_unicast+0x7d/0x171
[4295859.266000] [<c0130947>] audit_log_end_fast+0xf5/0x188
[4295859.266000] [<c01c3c56>] avc_audit+0x94d/0x958
[4295859.266000] [<c01c3ffb>] avc_has_perm+0x3b/0x48
[4295859.266000] [<c01c8022>] selinux_socket_unix_stream_connect+0x6f/0xa8
[4295859.266000] [<c032b740>] unix_stream_connect+0x228/0x482
[4295859.266000] [<c02dbab6>] sys_connect+0x6a/0x81
[4295859.266000] [<c02dc23b>] sys_socketcall+0x6f/0x166
[4295859.266000] [<c0102729>] syscall_call+0x7/0xb
[4295873.575000] Debug: sleeping function called from invalid context at mm/slab.c:2502
[4295873.575000] in_atomic():1, irqs_disabled():0
[4295873.575000] [<c01035a8>] dump_stack+0x15/0x17
[4295873.576000] [<c013ba6d>] kmem_cache_alloc+0x1e/0x6a
[4295873.576000] [<c02de4fa>] skb_clone+0x14/0x183
[4295873.576000] [<c02ef64a>] netlink_unicast+0x7d/0x171
[4295873.576000] [<c0130947>] audit_log_end_fast+0xf5/0x188
[4295873.576000] [<c01c3c56>] avc_audit+0x94d/0x958
[4295873.576000] [<c01c3ffb>] avc_has_perm+0x3b/0x48
[4295873.576000] [<c01c8022>] selinux_socket_unix_stream_connect+0x6f/0xa8
[4295873.576000] [<c032b740>] unix_stream_connect+0x228/0x482
[4295873.576000] [<c02dbab6>] sys_connect+0x6a/0x81
[4295873.576000] [<c02dc23b>] sys_socketcall+0x6f/0x166
[4295873.576000] [<c0102729>] syscall_call+0x7/0xb
19 years, 7 months
Re: Current directory for audit names.
by Casey Schaufler
--- David Woodhouse <dwmw2(a)infradead.org> wrote:
> > What about the current root? You need all of
> > the root, the current working directory, and
> > the requested path to have the complete path.
>
> Maybe. Only root can change that though, so it's
> less important.
I'd say it's less likely to have been changed.
On a shared server with multiple chrooted
apache environments wouldn't you want to know
which cgi bin contains the hacked binary?
> We don't handle namespaces either.
That's kind of important, don't you think?
> I can add the root if there's consensus that it
> would be useful.
The Unix experience is that it's important.
Casey Schaufler
casey(a)schaufler-ca.com
19 years, 7 months
sleeping function called / with .50 kernel + patches
by Steve Grubb
Hi,
This took a lot longer....but here it is:
May 26 15:21:23 localhost auditd[1715]: Audit daemon rotating log files
May 26 15:21:24 localhost kernel: Debug: sleeping function called from invalid context at fs/dcache.c:154
May 26 15:21:24 localhost kernel: in_atomic():1[expected: 0], irqs_disabled():0
May 26 15:21:24 localhost kernel: [<c011ca38>] __might_sleep+0x7d/0x89
May 26 15:21:24 localhost kernel: [<c017cc16>] dput+0x22/0x423
May 26 15:21:24 localhost kernel: [<c0141d68>] audit_wentry_put+0x1e/0x61
May 26 15:21:24 localhost kernel: [<c01335f9>] rcu_do_batch+0x19/0x54
May 26 15:21:24 localhost kernel: [<c01338f5>] rcu_process_callbacks+0x14/0x28
May 26 15:21:24 localhost kernel: [<c0124f5e>] tasklet_action+0x3a/0x56
May 26 15:21:24 localhost kernel: [<c0124d85>] __do_softirq+0x35/0x79
May 26 15:21:24 localhost kernel: [<c010905b>] do_softirq+0x46/0x4d
May 26 15:21:24 localhost kernel: =======================
May 26 15:21:24 localhost kernel: [<c0108622>] do_IRQ+0x239/0x242
May 26 15:21:24 localhost kernel: [<c0303c64>] common_interrupt+0x18/0x20
May 26 15:21:25 localhost kernel: [<c01d9dba>] number+0xe/0x25d
May 26 15:21:25 localhost kernel: [<c0173e43>] link_path_walk+0xce0/0xd98
May 26 15:21:25 localhost kernel: [<c0151bbd>] zap_pte_range+0x1cf/0x21c
May 26 15:21:25 localhost kernel: [<c01da451>] vsnprintf+0x448/0x488
May 26 15:21:25 localhost kernel: [<c013ff19>] audit_log_vformat+0x9d/0x14c
May 26 15:21:25 localhost kernel: [<c013ffdd>] audit_log_format+0x15/0x16
May 26 15:21:25 localhost kernel: [<c013fe6f>] audit_log_start+0x1d9/0x1e6
May 26 15:21:25 localhost kernel: [<c0140cc4>] audit_log_exit+0x10/0x2cc
May 26 15:21:25 localhost kernel: [<c0141589>] audit_syscall_exit+0x1ef/0x3e2
May 26 15:21:25 localhost kernel: [<c010b49b>] do_syscall_trace+0x2f/0xc8
May 26 15:21:25 localhost kernel: [<c0303bb6>] syscall_exit_work+0x12/0x18
and
May 26 15:24:19 localhost kernel: Debug: sleeping function called from invalid context at fs/dcache.c:154
May 26 15:24:19 localhost kernel: in_atomic():1[expected: 0], irqs_disabled():0
May 26 15:24:19 localhost kernel: [<c011ca38>] __might_sleep+0x7d/0x89
May 26 15:24:19 localhost kernel: [<c017cc16>] dput+0x22/0x423
May 26 15:24:19 localhost kernel: [<c0141d68>] audit_wentry_put+0x1e/0x61
May 26 15:24:19 localhost kernel: [<c01335f9>] rcu_do_batch+0x19/0x54
May 26 15:24:19 localhost kernel: [<c01338f5>] rcu_process_callbacks+0x14/0x28
May 26 15:24:19 localhost kernel: [<c0124f5e>] tasklet_action+0x3a/0x56
May 26 15:24:19 localhost kernel: [<c0124d85>] __do_softirq+0x35/0x79
May 26 15:24:19 localhost kernel: [<c010905b>] do_softirq+0x46/0x4d
May 26 15:24:19 localhost kernel: =======================
May 26 15:24:19 localhost kernel: [<c0108622>] do_IRQ+0x239/0x242
May 26 15:24:19 localhost kernel: [<c0303c64>] common_interrupt+0x18/0x20
May 26 15:24:19 localhost kernel: [<c0189f3a>] __mark_inode_dirty+0x2e/0x23b
May 26 15:24:19 localhost kernel: [<c01682b5>] generic_commit_write+0x60/0x69
May 26 15:24:19 localhost kernel: [<f0882456>] ext3_ordered_commit_write+0xa6/0xc5 [ext3]
May 26 15:24:19 localhost kernel: [<c014544f>] generic_file_buffered_write+0x2cc/0x456
May 26 15:24:19 localhost kernel: [<c01c0855>] avc_has_perm_noaudit+0x8d/0xda
May 26 15:24:19 localhost kernel: [<c0145916>] generic_file_aio_write_nolock+0x33d/0x36b
May 26 15:24:19 localhost kernel: [<c0145a54>] generic_file_aio_write+0x77/0xcd
May 26 15:24:19 localhost kernel: [<f08800af>] ext3_file_write+0x19/0x8a [ext3]
May 26 15:24:19 localhost kernel: [<c0163ff1>] do_sync_write+0x97/0xc9
May 26 15:24:19 localhost kernel: [<c01c3f19>] selinux_file_permission+0x114/0x11d
May 26 15:24:19 localhost kernel: [<c011d04b>] autoremove_wake_function+0x0/0x2d
May 26 15:24:19 localhost kernel: [<c0141381>] audit_syscall_entry+0x125/0x13e
May 26 15:24:19 localhost kernel: [<c01640d9>] vfs_write+0xb6/0xe2
May 26 15:24:19 localhost kernel: [<c01641a3>] sys_write+0x3c/0x62
May 26 15:24:19 localhost kernel: [<c0303b1f>] syscall_call+0x7/0xb
May 26 15:24:24 localhost auditd[1715]: Audit daemon rotating log files
and
May 26 15:52:38 localhost kernel: Debug: sleeping function called from invalid context at fs/dcache.c:154
May 26 15:52:38 localhost kernel: in_atomic():1[expected: 0], irqs_disabled():0
May 26 15:52:38 localhost kernel: [<c011ca38>] __might_sleep+0x7d/0x89
May 26 15:52:38 localhost kernel: [<c017cc16>] dput+0x22/0x423
May 26 15:52:38 localhost kernel: [<c0141d68>] audit_wentry_put+0x1e/0x61
May 26 15:52:38 localhost kernel: [<c01335f9>] rcu_do_batch+0x19/0x54
May 26 15:52:38 localhost kernel: [<c01338f5>] rcu_process_callbacks+0x14/0x28
May 26 15:52:38 localhost kernel: [<c0124f5e>] tasklet_action+0x3a/0x56
May 26 15:52:38 localhost kernel: [<c0124d85>] __do_softirq+0x35/0x79
May 26 15:52:38 localhost kernel: [<c010905b>] do_softirq+0x46/0x4d
May 26 15:52:38 localhost kernel: =======================
May 26 15:52:38 localhost kernel: [<c0108622>] do_IRQ+0x239/0x242
May 26 15:52:38 localhost kernel: [<c0303c64>] common_interrupt+0x18/0x20
19 years, 7 months
audit.51 kernel
by David Woodhouse
Rounding up the patches I posted to the list today...
* Thu May 25 2005 David Woodhouse <dwmw2(a)redhat.com> audit.51
- Enable slab debugging.
- Fix buffer overrun in audit_to_watch()
- Extra debugging for hash table
- Log current directory whenever we log a filename which may be relative
I'll drop the debugging thing for the hash table unless we manage to
trigger it again; I suspect it was a side-effect of the memory
corruption in audit_to_watch().
--
dwmw2
19 years, 7 months
watch dir problem
by Steve Grubb
Hello,
I got a capture of audit doing a log rotate using:
auditctl -w /var/log -k dir -p rwea
type=SYSCALL msg=audit(05/26/05 15:24:55.023:13588534) : arch=i386
syscall=rename success=yes exit=0 a0=94bc008 a1=94bc028 a2=8051254 a3=8054e00
items=2 pid=1716 auid=unknown(4294967295) uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root comm=auditd
exe=/sbin/auditd
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=FS_WATCH msg=audit(05/26/05 15:24:55.023:13588534) : watch=log
filterkey=dir perm=read,write,exec,append perm_mask=exec inode=29249
inode_uid=root inode_gid=root inode_dev=03:07 inode_rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=0
name=/var/log/audit/audit.log inode=29307 dev=03:07 mode=dir,750 ouid=root
ogid=root rdev=00:00
type=PATH msg=audit(05/26/05 15:24:55.023:13588534) : item=1
name=/var/log/audit/audit.log.1 inode=29307 dev=03:07 mode=dir,750 ouid=root
ogid=root rdev=00:00
The thing I'm wondering about is the mode not matching the object in PATH. The
watch is on a dir, but the item listed is not a dir, it's a file with access
perms of 0640.
-Steve
19 years, 7 months
Re: Current directory for audit names.
by Casey Schaufler
--- David Woodhouse <dwmw2(a)infradead.org> wrote:
> ... but we don't actually record the current
> working directory, from which those
> pathnames are resolved.
What about the current root? You need all of
the root, the current working directory, and
the requested path to have the complete path.
Casey Schaufler
casey(a)schaufler-ca.com
19 years, 7 months
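The composition Casey Schaufler describes (root, current working directory, requested path), as an added example that is not part of the original thread or the audit project's code. The `type=CWD` rendering, the analyst-supplied `root` argument, the sample records and the `/srv/www/site-*` chroot paths are assumptions; resolution is lexical only and does not follow symlinks.

```python
import posixpath
import re

# Constructed sample in the layout of the PATH records quoted on this page.
# "type=CWD" with a cwd= field is an assumed rendering of the AUDIT_CWD record.
SAMPLE = """\
type=CWD msg=audit(05/26/05 15:24:55.023:1001) : cwd=/cgi-bin
type=PATH msg=audit(05/26/05 15:24:55.023:1001) : item=0 name=../bin/report inode=100
type=PATH msg=audit(05/26/05 15:24:55.023:1001) : item=1 name=/etc/passwd inode=101
type=PATH msg=audit(05/26/05 15:24:56.100:1002) : item=0 name=orphan.txt inode=102
"""

RECORD = re.compile(r"type=(\w+) msg=audit\([^)]*:(\d+)\) : (.*)")


def parse_events(text):
    """Group records by event serial: {serial: {"cwd": str or None, "names": [...]}}."""
    events = {}
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        ev = events.setdefault(serial, {"cwd": None, "names": []})
        if rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PATH" and "name" in fields:
            ev["names"].append(fields["name"])
    return events


def full_path(root, cwd, name):
    """Compose root + cwd + name lexically; None if a relative name has no cwd."""
    if not name.startswith("/"):
        if cwd is None:
            return None  # cannot be resolved from the records alone
        name = posixpath.join(cwd, name)
    # Inside a chroot ".." cannot climb above "/", which normpath also enforces.
    inside = posixpath.normpath("/" + name.lstrip("/"))
    return posixpath.normpath(root.rstrip("/") + inside)


def resolve(text, root):
    """Map each event serial to the full host paths of its PATH names."""
    return {serial: [full_path(root, ev["cwd"], n) for n in ev["names"]]
            for serial, ev in parse_events(text).items()}


if __name__ == "__main__":
    for site in ("/srv/www/site-a", "/srv/www/site-b"):  # hypothetical chroots
        print(site, resolve(SAMPLE, site))
```

The same cwd and name resolve to different host files under each root, and the event with a relative name but no cwd record cannot be resolved at all.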
Current directory for audit names.
by David Woodhouse
We log pathnames which are passed as arguments to syscalls, but we don't
actually record the current working directory, from which those
pathnames are resolved.
--- linux-2.6.9/include/linux/audit.h~ 2005-05-26 11:25:59.000000000 +0100
+++ linux-2.6.9/include/linux/audit.h 2005-05-26 17:59:36.000000000 +0100
@@ -69,11 +69,12 @@ struct atomic_t;
#define AUDIT_SYSCALL 1300 /* Syscall event */
#define AUDIT_FS_WATCH 1301 /* Filesystem watch event */
-#define AUDIT_PATH 1302 /* Filname path information */
+#define AUDIT_PATH 1302 /* Filename path information */
#define AUDIT_IPC 1303 /* IPC record */
#define AUDIT_SOCKETCALL 1304 /* sys_socketcall arguments */
#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
+#define AUDIT_CWD 1307 /* Current working directory */
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
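Review bot: the spelling fix to the AUDIT_PATH comment ("Filname" to "Filename") is unrelated to the new record type and would be easier to review as a separate change. For AUDIT_CWD, the comment is the only description of record 1307 in this header; it could say that this is the working directory of the task making the syscall and that it accompanies the AUDIT_PATH records of the same event.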
--- linux-2.6.9/kernel/auditsc.c~ 2005-05-26 14:17:45.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-05-26 18:02:52.000000000 +0100
@@ -565,6 +565,12 @@ static inline void audit_free_names(stru
if (context->names[i].name)
__putname(context->names[i].name);
context->name_count = 0;
+ if (context->pwd)
+ dput(context->pwd);
+ if (context->pwdmnt)
+ mntput(context->pwdmnt);
+ context->pwd = NULL;
+ context->pwdmnt = NULL;
}
static inline void audit_free_aux(struct audit_context *context)
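Review bot: the dput(context->pwd) added to audit_free_names() can sleep, so this function must only ever run in process context; the traces posted elsewhere in this thread show dput() tripping the might-sleep check at fs/dcache.c:154 when reached from audit_wentry_put() in an RCU callback. Please confirm no caller of audit_free_names() is atomic, and add a comment saying so next to the dput()/mntput() pair.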
@@ -778,10 +784,18 @@ static void audit_log_exit(struct audit_
audit_log_end(ab);
}
+ if (context->pwd && context->pwdmnt) {
+ ab = audit_log_start(context, AUDIT_CWD);
+ if (ab) {
+ audit_log_d_path(ab, "cwd=", context->pwd, context->pwdmnt);
+ audit_log_end(ab);
+ }
+ }
for (i = 0; i < context->name_count; i++) {
ab = audit_log_start(context, AUDIT_PATH);
if (!ab)
continue; /* audit_panic has been called */
+
audit_log_format(ab, "item=%d", i);
if (context->names[i].name) {
audit_log_format(ab, " name=");
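Review bot: in audit_log_exit() the AUDIT_CWD record is emitted whenever context->pwd and context->pwdmnt are set, with no check that any entry in context->names[] is actually relative, so events whose names are all absolute get a cwd record as well. If that is intended, say so in the description; otherwise test the names before calling audit_log_start(context, AUDIT_CWD). The blank line added after the "continue; /* audit_panic has been called */" line is an unrelated whitespace change and can be dropped.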
@@ -960,6 +974,13 @@ void audit_getname(const char *name)
context->names[context->name_count].name = name;
context->names[context->name_count].ino = (unsigned long)-1;
++context->name_count;
+ if (!context->pwd) {
+ read_lock(¤t->fs->lock);
+ context->pwd = dget(current->fs->pwd);
+ context->pwdmnt = mntget(current->fs->pwdmnt);
+ read_unlock(¤t->fs->lock);
+ }
+
}
/* Intercept a putname request. Called from
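Review bot: audit_getname() takes references on current->fs->pwd and current->fs->pwdmnt only, not on the task's root, so a name recorded inside a chroot still cannot be turned into a complete path from the event. If root is to be logged too, it should be grabbed here under the same fs->lock read section. The guard tests only context->pwd while audit_log_exit() tests both pointers; a one-line comment that the pair is always set together would make that safe to rely on. The blank line added before the closing brace should be removed.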
--
dwmw2
19 years, 7 months
audit.50 kernel
by David Woodhouse
* Thu May 25 2005 David Woodhouse <dwmw2(a)redhat.com> audit.50
- Defer freeing of aux items to audit_free_aux()
- Remove items from hlist in audit_list_watches()
- Abolish inode->i_audit in favour of hash table
--
dwmw2
19 years, 7 months
Re: audit.47
by David Woodhouse
On Sat, 2005-05-21 at 19:53 -0400, Rob Myers wrote:
> On Sun, 2005-05-22 at 00:20 +0100, David Woodhouse wrote:
> > On Sat, 2005-05-21 at 19:06 -0400, Rob Myers wrote:
> > > i attempted to send this to linux-audit but it appears to be caught by
> > > the moderator...
> >
> > Hm. I don't moderate that list so I can't see why. What did the message
> > say was the reason?
>
> because i'm not subscribed to the list. it's only been a couple of days,
> but the moderator hasn't let me subscribe yet.
Hmm. I'm not sure who does moderate it. I'll investigate; perhaps I
should take over that task.
> > > like audit.45, audit.47 also says "VFS: Busy inodes after unmount.
> > > Self-destruct in 5 seconds. Have a nice day..." during shutdown.
> >
> > Does this happen only after you've set filesystem watches?
>
> after some testing watches in general appear to be fine. i only get the
> message if i set a watch on /var/log/audit like so:
>
> auditctl -w /var/log/audit -k fk_var_log_audit -prwea
OK, thanks. This message is Cc'd to the list so that the IBM developer
who is working on that can see it.
--
dwmw2
19 years, 7 months
[PATCH] auditfs updates to .46
by Timothy R. Chavez
Hello,
For some reason I thought I had updated to .48, but no matter methinks, these
updates should apply to .48 as well.
-tim
19 years, 7 months