On 2020-07-18 20:56, Dominick Grift wrote:
> On 7/18/20 8:40 PM, bauen1 wrote:
>> Hi,
>> After upgrading from linux 5.6 to 5.7 on my debian machines with selinux I've
started seeing this null pointer dereference in the audit system. I've included
shortened logs for 5.6 without the error and from 5.7 with the error from my laptop.
I've also seen it happen in a VM and a server, but don't have the logs anymore.
Grift was able to reproduce (presumably) the same issue on fedora with 5.8-rc4.
>>
>> Steps to reproduce:
>> Write an selinux policy with a domain for systemd-user-runtime-dir and audit all
permissions of the dir class. E.g. `(auditallow systemd_user_runtime_dir_t all_types (dir
(all)))`
>> Switch to permissive mode.
>> Create a new user and login, log out and wait a few seconds for systemd to stop
user-runtime-dir@<uid>.service
>
> This should be a reproducer:
>
> echo "(auditallow systemd_logind_t file_type (dir (all)))" > mytest.cil
> && sudo semodule -i mytest.cil
> reboot
Is this recipe complete? Is permissive mode needed? Is the user
create/login/logout needed?
Are you saying you can't reproduce it?
It *should* be complete, yes. With kernel 5.7/5.8 it should oops when you
reboot.
I will admit though that I adjusted the reproducer a little bit in an
attempt to make it fit fedora.
So if it doesn't oops for you and if you use 5.7/5.8 then maybe the
reproducer got mangled in the conversion.
>> I believe this issue was made visible by
1320a4052ea11eb2879eb7361da15a106a780972.
>> Now a AUDIT_PATH event is also generated by default and systemd-user-runtime-dir
is making syscalls that audit_log_name can't handle.
>>
>> I hope this is enough info to find the root cause.
>> - bauen1
>>
>> Log without crash (5.6):
>>
>> Jul 18 14:26:36 jh-mba kernel: Linux version 5.6.0-2-amd64
(debian-kernel(a)lists.debian.org) (gcc version 9.3.0 (Debian 9.3.0-13)) #1 SMP Debian
5.6.14-2 (2020-06-09)
>> Jul 18 14:27:53 jh-mba audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1001
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
>> Jul 18 14:27:53 jh-mba systemd[1]: Stopping User Runtime Directory
/run/user/1001...
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for pid=3178
comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/dconf"
dev="tmpfs" ino=41325 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/dconf"
dev="tmpfs" ino=41325 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for pid=3178
comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for pid=3178
comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
pid=3178 comm="systemd-user-ru" name="user" dev="tmpfs"
ino=41326 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for pid=3178
comm="systemd-user-ru" name="user" dev="tmpfs" ino=41326
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=file permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for pid=3178
comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=41325
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for pid=3178
comm="systemd-user-ru" name="gvfs" dev="tmpfs" ino=42315
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/gvfs"
dev="tmpfs" ino=42315 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/gvfs"
dev="tmpfs" ino=42315 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for pid=3178
comm="systemd-user-ru" name="gvfs" dev="tmpfs" ino=42315
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:user_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for pid=3178
comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=39557
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/dbus-1"
dev="tmpfs" ino=39557 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/dbus-1"
dev="tmpfs" ino=39557 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for pid=3178
comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=39557
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for pid=3178
comm="systemd-user-ru" name="dbus-1" dev="tmpfs" ino=39557
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
pid=3178 comm="systemd-user-ru" name="services" dev="tmpfs"
ino=39558 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for pid=3178
comm="systemd-user-ru" name="services" dev="tmpfs" ino=39558
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/pulse"
dev="tmpfs" ino=41258 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/pulse"
dev="tmpfs" ino=41258 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for pid=3178
comm="systemd-user-ru" name="pulse" dev="tmpfs" ino=41258
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for pid=3178
comm="systemd-user-ru" name="pulse" dev="tmpfs" ino=41258
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
pid=3178 comm="systemd-user-ru" name="native" dev="tmpfs"
ino=41259 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for pid=3178
comm="systemd-user-ru" name="native" dev="tmpfs" ino=41259
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=sock_file permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for pid=3178
comm="systemd-user-ru" name="pulse" dev="tmpfs" ino=41258
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:pulseaudio_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for pid=3178
comm="systemd-user-ru" name="bus" dev="tmpfs" ino=41239
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:session_dbusd_runtime_t:s0 tclass=sock_file permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { read } for pid=3178
comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/gnupg"
dev="tmpfs" ino=42225 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/gnupg"
dev="tmpfs" ino=42225 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for pid=3178
comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for pid=3178
comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
pid=3178 comm="systemd-user-ru" name="S.gpg-agent"
dev="tmpfs" ino=41252 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for pid=3178
comm="systemd-user-ru" name="S.gpg-agent" dev="tmpfs"
ino=41252 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=sock_file permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for pid=3178
comm="systemd-user-ru" name="gnupg" dev="tmpfs" ino=42225
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:dirmngr_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { open } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/systemd"
dev="tmpfs" ino=39472 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { getattr } for pid=3178
comm="systemd-user-ru" path="/run/user/1001/systemd"
dev="tmpfs" ino=39472 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { search } for pid=3178
comm="systemd-user-ru" name="systemd" dev="tmpfs" ino=39472
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { write } for pid=3178
comm="systemd-user-ru" name="systemd" dev="tmpfs" ino=39472
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { remove_name } for
pid=3178 comm="systemd-user-ru" name="private" dev="tmpfs"
ino=41230 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for pid=3178
comm="systemd-user-ru" name="private" dev="tmpfs" ino=41230
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=sock_file permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { unlink } for pid=3178
comm="systemd-user-ru" name="notify" dev="tmpfs" ino=41226
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file permissive=1
>> Jul 18 14:27:53 jh-mba audit[3178]: AVC avc: denied { rmdir } for pid=3178
comm="systemd-user-ru" name="units" dev="tmpfs" ino=39473
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
>> Jul 18 14:27:53 jh-mba systemd[2501]: run-user-1001.mount: Succeeded.
>> Jul 18 14:27:53 jh-mba systemd[1]: run-user-1001.mount: Succeeded.
>> Jul 18 14:27:53 jh-mba systemd[2839]: run-user-1001.mount: Succeeded.
>> Jul 18 14:27:53 jh-mba systemd[1]: user-runtime-dir@1001.service: Succeeded.
>> Jul 18 14:27:53 jh-mba systemd[1]: Stopped User Runtime Directory
/run/user/1001.
>>
>>
>> Log with crash (5.7):
>>
>> Jul 18 14:30:09 jh-mba kernel: Linux version 5.7.0-1-amd64
(debian-kernel(a)lists.debian.org) (gcc version 9.3.0 (Debian 9.3.0-14), GNU ld (GNU
Binutils for Debian) 2.34) #1 SMP Debian 5.7.6-1 (2020-06-24)
>> Jul 18 14:35:10 jh-mba audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=user@1001
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
>> Jul 18 14:35:10 jh-mba systemd[1]: Stopping User Runtime Directory
/run/user/1001...
>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { read } for pid=3163
comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=39541
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { open } for pid=3163
comm="systemd-user-ru" path="/run/user/1001/dconf"
dev="tmpfs" ino=39541 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=257 success=yes
exit=4 a0=3 a1=55edb4e41073 a2=f0800 a3=0 items=0 ppid=1 pid=3163 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="systemd-user-ru" exe="/usr/lib/systemd/systemd-user-runtime-dir"
subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>> Jul 18 14:35:10 jh-mba audit: PROCTITLE
proctitle=2F6C69622F73797374656D642F73797374656D642D757365722D72756E74696D652D6469720073746F700031303031
>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { getattr } for pid=3163
comm="systemd-user-ru" path="/run/user/1001/dconf"
dev="tmpfs" ino=39541 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=5 success=yes
exit=0 a0=4 a1=7fff95e523b0 a2=7fff95e523b0 a3=7fff95e52414 items=0 ppid=1 pid=3163
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="systemd-user-ru"
exe="/usr/lib/systemd/systemd-user-runtime-dir"
subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>> Jul 18 14:35:10 jh-mba audit: PROCTITLE
proctitle=2F6C69622F73797374656D642F73797374656D642D757365722D72756E74696D652D6469720073746F700031303031
>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { search } for pid=3163
comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=39541
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { write } for pid=3163
comm="systemd-user-ru" name="dconf" dev="tmpfs" ino=39541
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { remove_name } for
pid=3163 comm="systemd-user-ru" name="user" dev="tmpfs"
ino=39542 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=dir permissive=1
>> Jul 18 14:35:10 jh-mba audit[3163]: AVC avc: denied { unlink } for pid=3163
comm="systemd-user-ru" name="user" dev="tmpfs" ino=39542
scontext=system_u:system_r:systemd_user_runtime_dir_t:s0
tcontext=user_u:object_r:gconf_tmp_t:s0 tclass=file permissive=1
>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=263 success=yes
exit=0 a0=4 a1=55edb4e490b3 a2=0 a3=4 items=2 ppid=1 pid=3163 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="systemd-user-ru" exe="/usr/lib/systemd/systemd-user-runtime-dir"
subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>> Jul 18 14:35:10 jh-mba kernel: BUG: kernel NULL pointer dereference, address:
0000000000000060
>> Jul 18 14:35:10 jh-mba kernel: #PF: supervisor read access in kernel mode
>> Jul 18 14:35:10 jh-mba kernel: #PF: error_code(0x0000) - not-present page
>> Jul 18 14:35:11 jh-mba kernel: PGD 0 P4D 0
>> Jul 18 14:35:11 jh-mba kernel: Oops: 0000 [#1] SMP PTI
>> Jul 18 14:35:11 jh-mba kernel: CPU: 1 PID: 3163 Comm: systemd-user-ru Tainted: P
OE 5.7.0-1-amd64 #1 Debian 5.7.6-1
>> Jul 18 14:35:11 jh-mba kernel: Hardware name: Apple Inc.
MacBookAir6,2/Mac-7DF21CB3ED6977E5, BIOS 110.0.0.0.0 09/17/2018
>> Jul 18 14:35:11 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>> Jul 18 14:35:11 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54 24 04
65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48 89 44 24 08
<48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b 7f 18
>> Jul 18 14:35:11 jh-mba kernel: RSP: 0018:ffffb71e411cfe18 EFLAGS: 00010282
>> Jul 18 14:35:11 jh-mba kernel: RAX: ffff9a525f18700b RBX: ffff9a524fc52060 RCX:
00000000000004dd
>> Jul 18 14:35:11 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f186000 RDI:
0000000000000000
>> Jul 18 14:35:11 jh-mba kernel: RBP: ffffb71e411cfe48 R08: ffff9a52672b0060 R09:
0000000000000006
>> Jul 18 14:35:11 jh-mba kernel: R10: ffff9a522c99e6c0 R11: ffff9a532c99e030 R12:
ffff9a524fc522b0
>> Jul 18 14:35:11 jh-mba kernel: R13: ffff9a52658d3708 R14: ffff9a524fc52000 R15:
0000000000000000
>> Jul 18 14:35:11 jh-mba kernel: FS: 00007ff68934e980(0000)
GS:ffff9a5267280000(0000) knlGS:0000000000000000
>> Jul 18 14:35:11 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> Jul 18 14:35:11 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002 CR4:
00000000001606e0
>> Jul 18 14:35:11 jh-mba kernel: Call Trace:
>> Jul 18 14:35:11 jh-mba kernel: audit_log_d_path+0x75/0xd0
>> Jul 18 14:35:11 jh-mba kernel: audit_log_exit+0x63d/0xcf0
>> Jul 18 14:35:11 jh-mba kernel: ? audit_filter_inodes+0x2e/0x100
>> Jul 18 14:35:11 jh-mba kernel: __audit_syscall_exit+0x23b/0x2a0
>> Jul 18 14:35:11 jh-mba kernel: syscall_slow_exit_work+0x117/0x140
>> Jul 18 14:35:11 jh-mba kernel: do_syscall_64+0x10e/0x180
>> Jul 18 14:35:11 jh-mba kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9
>> Jul 18 14:35:11 jh-mba kernel: RIP: 0033:0x7ff689f8eb67
>> Jul 18 14:35:11 jh-mba kernel: Code: 73 01 c3 48 8b 0d 29 d3 0c 00 f7 d8 64 89 01
48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05
<48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 d2 0c 00 f7 d8 64 89 01 48
>> Jul 18 14:35:11 jh-mba kernel: RSP: 002b:00007fff95e52468 EFLAGS: 00000246
ORIG_RAX: 0000000000000107
>> Jul 18 14:35:11 jh-mba kernel: RAX: 0000000000000000 RBX: 00007ff68934e830 RCX:
00007ff689f8eb67
>> Jul 18 14:35:11 jh-mba kernel: RDX: 0000000000000000 RSI: 000055edb4e490b3 RDI:
0000000000000004
>> Jul 18 14:35:11 jh-mba kernel: RBP: 0000000000000004 R08: 000055edb4e490a0 R09:
00007ff68a05cbe0
>> Jul 18 14:35:11 jh-mba kernel: R10: 0000000000000004 R11: 0000000000000246 R12:
000055edb4e49040
>> Jul 18 14:35:11 jh-mba kernel: R13: 0000000000000000 R14: 000055edb4e490a0 R15:
000055edb4e490b3
>> Jul 18 14:35:11 jh-mba kernel: Modules linked in: rfcomm bnep xt_CHECKSUM
cpufreq_powersave xt_MASQUERADE cpufreq_conservative cpufreq_userspace xt_tcpudp
nft_compat bridge stp llc overlay fuse nft_chain_nat nf_nat nf_log_ipv6 nf_log_ipv4
nf_log_common nft_log veth intel_rapl_msr btusb btrtl btbcm joydev binfmt_misc btintel
nls_ascii nls_cp437 vfat fat bluetooth nft_counter drbg intel_rapl_common asix ansi_cprng
ecdh_generic usbnet ecc mii vrf libphy x86_pkg_temp_thermal intel_powerclamp applesmc
snd_hda_codec_hdmi snd_hda_codec_cirrus snd_hda_codec_generic coretemp ledtrig_audio evdev
wireguard kvm_intel curve25519_x86_64 libcurve25519_generic libchacha20poly1305
snd_hda_intel kvm bcm5974 wl(POE) snd_intel_dspcfg chacha_x86_64 poly1305_x86_64
ip6_udp_tunnel efi_pstore udp_tunnel irqbypass snd_hda_codec libblake2s cfg80211
intel_cstate snd_hda_core blake2s_x86_64 libblake2s_generic libchacha snd_hwdep
intel_uncore iTCO_wdt i915 iTCO_vendor_support intel_rapl_perf snd_pcm nft_ct sg
efivars pcspkr nf_conntrack
>> Jul 18 14:35:11 jh-mba kernel: watchdog rfkill snd_timer nf_defrag_ipv6
nf_defrag_ipv4 drm_kms_helper mei_me snd mei cec soundcore i2c_algo_bit sbs sbshc acpi_als
kfifo_buf industrialio apple_bl ac button bonding nf_tables parport_pc(E) nfnetlink
ppdev(E) lp(E) drm parport(E) sunrpc efivarfs ip_tables x_tables autofs4 ext4 crc16
mbcache jbd2 btrfs blake2b_generic zstd_decompress zstd_compress hid_apple hid_generic
usbhid hid dm_crypt dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq
async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear
md_mod uas usb_storage sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_pclmul
crct10dif_common crc32_pclmul crc32c_intel ghash_clmulni_intel ahci libahci xhci_pci
aesni_intel xhci_hcd libaes crypto_simd libata cryptd glue_helper usbcore scsi_mod
i2c_i801 thunderbolt lpc_ich mfd_core usb_common spi_pxa2xx_platform dw_dmac video
dw_dmac_core
>> Jul 18 14:35:11 jh-mba kernel: CR2: 0000000000000060
>> Jul 18 14:35:11 jh-mba kernel: ---[ end trace 01b46d19ab2d30bf ]---
>> Jul 18 14:35:11 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>> Jul 18 14:35:11 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54 24 04
65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48 89 44 24 08
<48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b 7f 18
>> Jul 18 14:35:11 jh-mba kernel: RSP: 0018:ffffb71e411cfe18 EFLAGS: 00010282
>> Jul 18 14:35:11 jh-mba kernel: RAX: ffff9a525f18700b RBX: ffff9a524fc52060 RCX:
00000000000004dd
>> Jul 18 14:35:11 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f186000 RDI:
0000000000000000
>> Jul 18 14:35:11 jh-mba kernel: RBP: ffffb71e411cfe48 R08: ffff9a52672b0060 R09:
0000000000000006
>> Jul 18 14:35:11 jh-mba kernel: R10: ffff9a522c99e6c0 R11: ffff9a532c99e030 R12:
ffff9a524fc522b0
>> Jul 18 14:35:11 jh-mba kernel: R13: ffff9a52658d3708 R14: ffff9a524fc52000 R15:
0000000000000000
>> Jul 18 14:35:11 jh-mba kernel: FS: 00007ff68934e980(0000)
GS:ffff9a5267280000(0000) knlGS:0000000000000000
>> Jul 18 14:35:11 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> Jul 18 14:35:11 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002 CR4:
00000000001606e0
>> Jul 18 14:35:11 jh-mba kernel: BUG: kernel NULL pointer dereference, address:
0000000000000060
>> Jul 18 14:35:11 jh-mba kernel: #PF: supervisor read access in kernel mode
>> Jul 18 14:35:12 jh-mba kernel: #PF: error_code(0x0000) - not-present page
>> Jul 18 14:35:13 jh-mba kernel: PGD 0 P4D 0
>> Jul 18 14:35:13 jh-mba kernel: Oops: 0000 [#2] SMP PTI
>> Jul 18 14:35:13 jh-mba kernel: CPU: 1 PID: 3163 Comm: systemd-user-ru Tainted: P
D OE 5.7.0-1-amd64 #1 Debian 5.7.6-1
>> Jul 18 14:35:13 jh-mba kernel: Hardware name: Apple Inc.
MacBookAir6,2/Mac-7DF21CB3ED6977E5, BIOS 110.0.0.0.0 09/17/2018
>> Jul 18 14:35:13 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>> Jul 18 14:35:13 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54 24 04
65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48 89 44 24 08
<48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b 7f 18
>> Jul 18 14:35:13 jh-mba kernel: RSP: 0018:ffffb71e411cfde0 EFLAGS: 00010282
>> Jul 18 14:35:13 jh-mba kernel: RAX: ffff9a525f18500b RBX: ffff9a524fc52060 RCX:
00000000000004e0
>> Jul 18 14:35:13 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f184000 RDI:
0000000000000000
>> Jul 18 14:35:13 jh-mba kernel: RBP: ffffb71e411cfe10 R08: ffff9a52672b0060 R09:
0000000000000006
>> Jul 18 14:35:13 jh-mba kernel: R10: ffff9a522c99cec0 R11: ffff9a532c99c830 R12:
ffff9a524fc522b0
>> Jul 18 14:35:13 jh-mba kernel: R13: ffff9a52658d35e8 R14: ffff9a524fc52000 R15:
0000000000000000
>> Jul 18 14:35:13 jh-mba kernel: FS: 00007ff68934e980(0000)
GS:ffff9a5267280000(0000) knlGS:0000000000000000
>> Jul 18 14:35:13 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> Jul 18 14:35:13 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002 CR4:
00000000001606e0
>> Jul 18 14:35:13 jh-mba kernel: Call Trace:
>> Jul 18 14:35:13 jh-mba kernel: audit_log_d_path+0x75/0xd0
>> Jul 18 14:35:13 jh-mba kernel: audit_log_exit+0x63d/0xcf0
>> Jul 18 14:35:13 jh-mba kernel: ? audit_log_d_path+0x75/0xd0
>> Jul 18 14:35:13 jh-mba kernel: ? audit_filter_inodes+0x2e/0x100
>> Jul 18 14:35:13 jh-mba kernel: __audit_free+0x233/0x260
>> Jul 18 14:35:13 jh-mba kernel: do_exit+0x8d3/0xb50
>> Jul 18 14:35:13 jh-mba kernel: ? syscall_slow_exit_work+0x117/0x140
>> Jul 18 14:35:13 jh-mba kernel: rewind_stack_do_exit+0x17/0x20
>> Jul 18 14:35:13 jh-mba kernel: RIP: 0033:0x7ff689f8eb67
>> Jul 18 14:35:13 jh-mba kernel: Code: 73 01 c3 48 8b 0d 29 d3 0c 00 f7 d8 64 89 01
48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 07 01 00 00 0f 05
<48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d f9 d2 0c 00 f7 d8 64 89 01 48
>> Jul 18 14:35:13 jh-mba kernel: RSP: 002b:00007fff95e52468 EFLAGS: 00000246
ORIG_RAX: 0000000000000107
>> Jul 18 14:35:13 jh-mba kernel: RAX: 0000000000000000 RBX: 00007ff68934e830 RCX:
00007ff689f8eb67
>> Jul 18 14:35:13 jh-mba kernel: RDX: 0000000000000000 RSI: 000055edb4e490b3 RDI:
0000000000000004
>> Jul 18 14:35:13 jh-mba kernel: RBP: 0000000000000004 R08: 000055edb4e490a0 R09:
00007ff68a05cbe0
>> Jul 18 14:35:13 jh-mba kernel: R10: 0000000000000004 R11: 0000000000000246 R12:
000055edb4e49040
>> Jul 18 14:35:13 jh-mba kernel: R13: 0000000000000000 R14: 000055edb4e490a0 R15:
000055edb4e490b3
>> Jul 18 14:35:13 jh-mba kernel: Modules linked in: rfcomm bnep xt_CHECKSUM
cpufreq_powersave xt_MASQUERADE cpufreq_conservative cpufreq_userspace xt_tcpudp
nft_compat bridge stp llc overlay fuse nft_chain_nat nf_nat nf_log_ipv6 nf_log_ipv4
nf_log_common nft_log veth intel_rapl_msr btusb btrtl btbcm joydev binfmt_misc btintel
nls_ascii nls_cp437 vfat fat bluetooth nft_counter drbg intel_rapl_common asix ansi_cprng
ecdh_generic usbnet ecc mii vrf libphy x86_pkg_temp_thermal intel_powerclamp applesmc
snd_hda_codec_hdmi snd_hda_codec_cirrus snd_hda_codec_generic coretemp ledtrig_audio evdev
wireguard kvm_intel curve25519_x86_64 libcurve25519_generic libchacha20poly1305
snd_hda_intel kvm bcm5974 wl(POE) snd_intel_dspcfg chacha_x86_64 poly1305_x86_64
ip6_udp_tunnel efi_pstore udp_tunnel irqbypass snd_hda_codec libblake2s cfg80211
intel_cstate snd_hda_core blake2s_x86_64 libblake2s_generic libchacha snd_hwdep
intel_uncore iTCO_wdt i915 iTCO_vendor_support intel_rapl_perf snd_pcm nft_ct sg
efivars pcspkr nf_conntrack
>> Jul 18 14:35:13 jh-mba kernel: watchdog rfkill snd_timer nf_defrag_ipv6
nf_defrag_ipv4 drm_kms_helper mei_me snd mei cec soundcore i2c_algo_bit sbs sbshc acpi_als
kfifo_buf industrialio apple_bl ac button bonding nf_tables parport_pc(E) nfnetlink
ppdev(E) lp(E) drm parport(E) sunrpc efivarfs ip_tables x_tables autofs4 ext4 crc16
mbcache jbd2 btrfs blake2b_generic zstd_decompress zstd_compress hid_apple hid_generic
usbhid hid dm_crypt dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq
async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear
md_mod uas usb_storage sd_mod t10_pi crc_t10dif crct10dif_generic crct10dif_pclmul
crct10dif_common crc32_pclmul crc32c_intel ghash_clmulni_intel ahci libahci xhci_pci
aesni_intel xhci_hcd libaes crypto_simd libata cryptd glue_helper usbcore scsi_mod
i2c_i801 thunderbolt lpc_ich mfd_core usb_common spi_pxa2xx_platform dw_dmac video
dw_dmac_core
>> Jul 18 14:35:13 jh-mba kernel: CR2: 0000000000000060
>> Jul 18 14:35:13 jh-mba kernel: ---[ end trace 01b46d19ab2d30c0 ]---
>> Jul 18 14:35:13 jh-mba kernel: RIP: 0010:d_path+0x35/0x140
>> Jul 18 14:35:13 jh-mba kernel: Code: 49 89 fc 48 83 ec 28 48 8b 7f 08 89 54 24 04
65 48 8b 04 25 28 00 00 00 48 89 44 24 20 31 c0 48 63 c2 48 01 f0 48 89 44 24 08
<48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b 7f 18
>> Jul 18 14:35:13 jh-mba kernel: RSP: 0018:ffffb71e411cfe18 EFLAGS: 00010282
>> Jul 18 14:35:13 jh-mba kernel: RAX: ffff9a525f18700b RBX: ffff9a524fc52060 RCX:
00000000000004dd
>> Jul 18 14:35:13 jh-mba kernel: RDX: 000000000000100b RSI: ffff9a525f186000 RDI:
0000000000000000
>> Jul 18 14:35:13 jh-mba kernel: RBP: ffffb71e411cfe48 R08: ffff9a52672b0060 R09:
0000000000000006
>> Jul 18 14:35:13 jh-mba kernel: R10: ffff9a522c99e6c0 R11: ffff9a532c99e030 R12:
ffff9a524fc522b0
>> Jul 18 14:35:13 jh-mba kernel: R13: ffff9a52658d3708 R14: ffff9a524fc52000 R15:
0000000000000000
>> Jul 18 14:35:13 jh-mba kernel: FS: 00007ff68934e980(0000)
GS:ffff9a5267280000(0000) knlGS:0000000000000000
>> Jul 18 14:35:13 jh-mba kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> Jul 18 14:35:13 jh-mba kernel: CR2: 0000000000000060 CR3: 0000000226ce6002 CR4:
00000000001606e0
>> Jul 18 14:35:13 jh-mba kernel: Fixing recursive fault but reboot is needed!
>> Jul 18 14:35:10 jh-mba audit[3163]: SYSCALL arch=c000003e syscall=263 a0=4
a1=55edb4e490b3 a2=0 a3=4 items=2 ppid=1 pid=3163 auid=4294967295 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="systemd-user-ru" exe="/usr/lib/systemd/systemd-user-runtime-dir"
subj=system_u:system_r:systemd_user_runtime_dir_t:s0 key=(null)
>> Jul 18 14:35:14 jh-mba systemd[1]: systemd-hostnamed.service: Succeeded.
>> Jul 18 14:35:14 jh-mba audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed
comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=?
terminal=? res=success'
>>
>> Line information from the debian linux-image-5.7.0-1-amd64 (version 5.7.6-1)
package, duplicates omitted:
>>
>> Reading symbols from /usr/lib/debug/boot/vmlinux-5.7.0-1-amd64...
>> (gdb) l *d_path+0x35
>> 0xffffffff812dcee5 is in d_path (fs/d_path.c:275).
>> 270 *
>> 271 * Some pseudo inodes are mountable. When they are mounted
>> 272 * path->dentry == path->mnt->mnt_root. In that case don't call d_dname
>> 273 * and instead have d_path return the mounted path.
>> 274 */
>> 275 if (path->dentry->d_op && path->dentry->d_op->d_dname &&
>> 276 (!IS_ROOT(path->dentry) || path->dentry != path->mnt->mnt_root))
>> 277 return path->dentry->d_op->d_dname(path->dentry, buf, buflen);
>> 278
>> 279 rcu_read_lock();
>> (gdb) l *audit_log_d_path+0x75
>> 0xffffffff8114f175 is in audit_log_d_path (kernel/audit.c:2046).
>> 2041 pathname = kmalloc(PATH_MAX+11, ab->gfp_mask);
>> 2042 if (!pathname) {
>> 2043 audit_log_string(ab, "<no_memory>");
>> 2044 return;
>> 2045 }
>> 2046 p = d_path(path, pathname, PATH_MAX+11);
>> 2047 if (IS_ERR(p)) { /* Should never happen since we send PATH_MAX */
>> 2048 /* FIXME: can we save some information here? */
>> 2049 audit_log_string(ab, "<too_long>");
>> 2050 } else
>> (gdb) l *audit_log_exit+0x63d
>> 0xffffffff8115445d is in audit_log_exit (kernel/auditsc.c:1342).
>> 1337 case 0:
>> 1338 /* name was specified as a relative path and the
>> 1339 * directory component is the cwd
>> 1340 */
>> 1341 audit_log_d_path(ab, " name=", &context->pwd);
>> 1342 break;
>> 1343 default:
>> 1344 /* log the name's directory component */
>> 1345 audit_log_format(ab, " name=");
>> 1346 audit_log_n_untrustedstring(ab, n->name->name,
>> (gdb) l *audit_filter_inodes+0x2e
>> 0xffffffff81155e2e is in audit_filter_inodes (kernel/auditsc.c:835).
>> 830 */
>> 831 void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx)
>> 832 {
>> 833 struct audit_names *n;
>> 834
>> 835 if (auditd_test_task(tsk))
>> 836 return;
>> 837
>> 838 rcu_read_lock();
>> 839
>> (gdb) l *__audit_syscall_exit+0x23b
>> 0xffffffff8115661b is in __audit_syscall_exit (kernel/auditsc.c:1710).
>> 1705
>> 1706 audit_filter_syscall(current, context,
>> 1707 &audit_filter_list[AUDIT_FILTER_EXIT]);
>> 1708 audit_filter_inodes(current, context);
>> 1709 if (context->current_state == AUDIT_RECORD_CONTEXT)
>> 1710 audit_log_exit();
>> 1711 }
>> 1712
>> 1713 context->in_syscall = 0;
>> 1714 context->prio = context->state == AUDIT_RECORD_CONTEXT ? ~0ULL : 0;
>> (gdb) l *syscall_slow_exit_work+0x117
>> 0xffffffff81005197 is in syscall_slow_exit_work (include/linux/audit.h:316).
>> 311 {
>> 312 if (unlikely(audit_context())) {
>> 313 int success = is_syscall_success(pt_regs);
>> 314 long return_code = regs_return_value(pt_regs);
>> 315
>> 316 __audit_syscall_exit(success, return_code);
>> 317 }
>> 318 }
>> 319 static inline struct filename *audit_reusename(const __user char *name)
>> 320 {
>> (gdb) l *do_syscall_64+0x10e
>> 0xffffffff8100543e is in do_syscall_64 (arch/x86/entry/common.c:276).
>> warning: Source file is more recent than executable.
>> 271 /*
>> 272 * First do one-time work. If these work items are enabled, we
>> 273 * want to run them exactly once per syscall exit with IRQs on.
>> 274 */
>> 275 if (unlikely(cached_flags & SYSCALL_EXIT_WORK_FLAGS))
>> 276 syscall_slow_exit_work(regs, cached_flags);
>> 277
>> 278 local_irq_disable();
>> 279 prepare_exit_to_usermode(regs);
>> 280 }
>> (gdb) l *entry_SYSCALL_64_after_hwframe+0x44
>> 0xffffffff8180008c is at /build/linux-iTqI2R/linux-5.7.6/arch/x86/entry/entry_64.S:184.
>> 179 /build/linux-iTqI2R/linux-5.7.6/arch/x86/entry/entry_64.S: No such file or directory.
>> (gdb) l *__audit_free+0x233
>> 0xffffffff81156283 is in __audit_free (kernel/auditsc.c:1602).
>> 1597
>> 1598 audit_filter_syscall(tsk, context,
>> 1599 &audit_filter_list[AUDIT_FILTER_EXIT]);
>> 1600 audit_filter_inodes(tsk, context);
>> 1601 if (context->current_state == AUDIT_RECORD_CONTEXT)
>> 1602 audit_log_exit();
>> 1603 }
>> 1604
>> 1605 audit_set_context(tsk, NULL);
>> 1606 audit_free_context(context);
>> (gdb) l *do_exit+0x8d3
>> 0xffffffff81088ce3 is in do_exit (include/linux/audit.h:301).
>> 296 return !p || *(int *)p;
>> 297 }
>> 298 static inline void audit_free(struct task_struct *task)
>> 299 {
>> 300 if (unlikely(task->audit_context))
>> 301 __audit_free(task);
>> 302 }
>> 303 static inline void audit_syscall_entry(int major, unsigned long a0,
>> 304 unsigned long a1, unsigned long a2,
>> 305 unsigned long a3)
>> (gdb) l *syscall_slow_exit_work+0x117
>> 0xffffffff81005197 is in syscall_slow_exit_work (include/linux/audit.h:316).
>> 311 {
>> 312 if (unlikely(audit_context())) {
>> 313 int success = is_syscall_success(pt_regs);
>> 314 long return_code = regs_return_value(pt_regs);
>> 315
>> 316 __audit_syscall_exit(success, return_code);
>> 317 }
>> 318 }
>> 319 static inline struct filename *audit_reusename(const __user char *name)
>> 320 {
>> (gdb) l *rewind_stack_do_exit+0x17
>> (gdb)
>>
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
>
https://www.redhat.com/mailman/listinfo/linux-audit
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
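
The register dump quoted above can be cross-checked against the gdb listing mechanically. The following triage sketch is an added example, not code from anyone in this thread: it decodes the faulting instruction marked `<48>` in the Code line and confirms that its effective address equals CR2. The `Code:` prefix and the function names are assumptions; the byte and register values are copied from the quoted oops.

```python
import re

# Values copied from the oops quoted in this thread; the "Code:" prefix is
# assumed and the bytes before the <48> fault marker are left out.
OOPS = """\
Code: <48> 8b 47 60 48 85 c0 74 22 48 8b 40 48 48 85 c0 74 19 48 3b 7f 18
RAX: ffff9a525f18700b RBX: ffff9a524fc52060 RCX: 00000000000004dd
RDX: 000000000000100b RSI: ffff9a525f186000 RDI: 0000000000000000
CR2: 0000000000000060 CR3: 0000000226ce6002 CR4: 00000000001606e0
"""

# x86-64 register numbering for ModRM fields when no REX.R/REX.B bit is set.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_oops(text):
    """Return (registers, code bytes starting at the faulting instruction)."""
    pairs = re.findall(r"\b([A-Z][A-Z0-9]{2}): ([0-9a-f]{16})\b", text)
    regs = {name.lower(): int(value, 16) for name, value in pairs}
    m = re.search(r"<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", text)
    code = bytes.fromhex(m.group(1) + m.group(2).replace(" ", "")) if m else b""
    return regs, code


def decode_mov_load(code):
    """Decode only `REX.W 8B /r` with an 8-bit displacement and no SIB byte."""
    if len(code) < 4 or code[0] != 0x48 or code[1] != 0x8B:
        return None
    mod, reg, rm = code[2] >> 6, (code[2] >> 3) & 7, code[2] & 7
    if mod != 0b01 or rm == 0b100:
        return None
    disp = code[3] - 256 if code[3] & 0x80 else code[3]
    return REG64[reg], REG64[rm], disp


def triage(text):
    """Check whether the fault is a field load through a NULL base pointer."""
    regs, code = parse_oops(text)
    decoded = decode_mov_load(code)
    if decoded is None or decoded[1] not in regs or "cr2" not in regs:
        return None
    dst, base, disp = decoded
    addr = (regs[base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {"insn": f"mov {disp:#x}(%{base}),%{dst}", "computed_addr": addr,
            "matches_cr2": addr == regs["cr2"], "null_base": regs[base] == 0}


if __name__ == "__main__":
    print(triage(OOPS))
```

For this dump the load goes through RDI, which is zero, with displacement 0x60, matching CR2. That is consistent with the gdb listing at fs/d_path.c:275, where `path->dentry->d_op` is read.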