3:10 p.m.
Hello,
This patch introduces some more bug fixes which hopefully address Rob's
Oopses.
I've made sure to call hlist_del_init instead of hlist_del where necessary
(ie: audit_update_watch).
I've also scrapped the audit_is_watched function in favor of !hlist_unhashed.
One other change was putting the lock around the entire list traversal in
audit_drain_watchlist, rather then in it. This was just to make the locking
more uniform (ie: if auditfs_lock is held, whatever is holding it has
complete control).
I also rearranged auditfs_wdata_attach a bit, such that if there is no
context, we return out of the function. I've also made it so the context is
only made auditable if it makes it past the memory allocation. No sense in
making it auditable if we were able to collect audit info.
I added audit_notify_watch hooks to fs/open.c and fs/attr.c
Some other little odds and ends are cleanup related. I removed the item=
field from the PATH record component, I turned audit_notify_watch and
auditfs_attach_wdata into void functions as we're unable to handle failed
memory allocations. Reduced my goto abuse.
-tim
3:14 p.m.
On Friday 17 June 2005 15:10, Timothy R. Chavez wrote:
I also rearranged auditfs_wdata_attach a bit, such that if there is no
context, we return out of the function. I've also made it so the context is
only made auditable if it makes it past the memory allocation. No sense in
making it auditable if we were able to collect audit info.
er... weren't able...
-tim
7:15 a.m.
New subject: audit.60 kernel (Re: [PATCH] bug fixes + cleanups against audit.58)
On Saturday 18 June 2005 03:11, David Woodhouse wrote:
> This patch introduces some more bug fixes which hopefully
address
> Rob's Oopses.
Released in 2.6.9-11.EL.audit.60
This kernel Oopsed within 5 minutes for me. The details are nearly the
same as posted in the bugzilla.
-Steve
Jun 18 08:06:51 localhost kernel: Unable to handle kernel paging request at virtual
address 6b6b6b6b
Jun 18 08:06:51 localhost kernel: printing eip:
Jun 18 08:06:51 localhost kernel: c0142b7a
Jun 18 08:06:51 localhost kernel: *pde = 00000000
Jun 18 08:06:51 localhost kernel: Oops: 0000 [#1]
Jun 18 08:06:51 localhost kernel: Modules linked in: tun parport_pc lp parport autofs4
i2c_dev i2c_core ipt_REJECT ipt_state ip_conntrack iptable_filter ip_tables dm_mod button
battery ac md5 ipv6 uhci_hcd snd_emu10k1 snd_rawmidi snd_pcm_oss snd_mixer_oss snd_pcm
snd_timer snd_seq_device snd_ac97_codec snd_page_alloc snd_util_mem snd_hwdep snd
soundcore 3c59x floppy ext3 jbd
Jun 18 08:06:51 localhost kernel: CPU: 0
Jun 18 08:06:51 localhost kernel: EIP: 0060:[<c0142b7a>] Not tainted VLI
Jun 18 08:06:51 localhost kernel: EFLAGS: 00210202 (2.6.9-11.EL.audit.60)
Jun 18 08:06:51 localhost kernel: EIP is at auditfs_attach_wdata+0x4e/0x169
Jun 18 08:06:51 localhost kernel: eax: 00000000 ebx: 6b6b6b6b ecx: ddf84ee4 edx:
e5606c6c
Jun 18 08:06:51 localhost kernel: esi: e5606c64 edi: ddf84ee4 ebp: df761894 esp:
df72fe8c
Jun 18 08:06:51 localhost kernel: ds: 007b es: 007b ss: 0068
Jun 18 08:06:51 localhost kernel: Process auditctl (pid: 17208, threadinfo=df72f000
task=e1a28d30)
Jun 18 08:06:51 localhost kernel: Stack: e23f51cc 00000001 ee8b5408 de5f4124 ee8b5408
00000001 df72ff58 c0144d4d
Jun 18 08:06:51 localhost kernel: fffffff5 ee8b5408 00000001 c01755b8 fffffff5
ee8b5408 0024a603 df72ff58
Jun 18 08:06:51 localhost kernel: c0175d7b e1852bfc e17d8b50 c01568ca 00000001
00000101 00000000 ef046005
Jun 18 08:06:51 localhost kernel: Call Trace:
Jun 18 08:06:51 localhost kernel: [<c0144d4d>] audit_notify_watch+0x47/0x56
Jun 18 08:06:51 localhost kernel: [<c01755b8>] permission+0xf/0x4f
Jun 18 08:06:51 localhost kernel: [<c0175d7b>] link_path_walk+0x12c/0xd98
Jun 18 08:06:51 localhost kernel: [<c01568ca>] handle_mm_fault+0xd5/0x1fd
Jun 18 08:06:51 localhost kernel: [<c0176c61>] path_lookup+0xfe/0x12c
Jun 18 08:06:51 localhost kernel: [<c0177352>] open_namei+0x99/0x57e
Jun 18 08:06:51 localhost kernel: [<c0165ae3>] filp_open+0x23/0x3c
Jun 18 08:06:51 localhost kernel: [<c0305ab0>] __cond_resched+0x14/0x3b
Jun 18 08:06:51 localhost kernel: [<c01ddf1a>] direct_strncpy_from_user+0x3e/0x5d
Jun 18 08:06:51 localhost kernel: [<c0165fba>] sys_open+0x31/0x7d
Jun 18 08:06:51 localhost kernel: [<c030730b>] syscall_call+0x7/0xb
Jun 18 08:06:51 localhost kernel: Code: 84 39 01 00 00 a1 90 60 35 c0 ba d0 00 00 00 e8 07
be 00 00 85 c0 89 c6 0f 84 20 01 00 00 c7 40 08 00 00 00 00 8b 1b 85 db 74 5e <8b>
03 0f 18 00 90 8d 43 ec ba d0 00 00 00 89 04 24 a1 84 60 35
Jun 18 08:06:51 localhost kernel: <0>Fatal exception: panic in 5 seconds
Jun 18 08:06:51 localhost kernel: Slab corruption: start=e23f51cc, len=48
Jun 18 08:06:51 localhost kernel: Redzone: 0x5a2cf071/0x5a2cf071.
Jun 18 08:06:51 localhost kernel: Last user:
[<c0144448>](audit_remove_watch+0x153/0x4a6)
Jun 18 08:06:51 localhost kernel: 000: 6c 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
Jun 18 08:06:51 localhost kernel: Prev obj: start=e23f5190, len=48
Jun 18 08:06:51 localhost kernel: Redzone: 0x170fc2a5/0x170fc2a5.
Jun 18 08:06:51 localhost kernel: Last user:
[<c01447b0>](audit_to_watch+0x15/0x10e)
Jun 18 08:06:51 localhost kernel: 000: 03 00 00 00 58 51 3f e2 a4 44 f8 dd 60 51 3f e2
Jun 18 08:06:51 localhost kernel: 010: 48 27 40 c0 00 00 00 00 b0 46 af e1 0d 00 00 00
Jun 18 08:06:51 localhost kernel: Next obj: start=e23f5208, len=48
Jun 18 08:06:51 localhost kernel: Redzone: 0x170fc2a5/0x170fc2a5.
Jun 18 08:06:51 localhost kernel: Last user:
[<c01447b0>](audit_to_watch+0x15/0x10e)
Jun 18 08:06:51 localhost kernel: 000: 03 00 00 00 00 00 00 00 34 41 5f de 00 00 00 00
Jun 18 08:06:51 localhost kernel: 010: 24 51 3f e2 00 00 00 00 0c b2 ee e1 02 00 30 00
1:29 p.m.
New subject: audit.60 kernel (Re: [PATCH] bug fixes + cleanups against audit.58)
On Sat, 2005-06-18 at 08:15 -0400, Steve Grubb wrote:
This kernel Oopsed within 5 minutes for me. The details are nearly
the
same as posted in the bugzilla.
It looks like the watch is being freed while we're using it.
Tim, what's the locking strategy here? Why is auditfs_attach_wdata()
allowed to walk the watch list as it does, allocating memory and
potentially sleeping between each item?
--
dwmw2
6:35 p.m.
New subject: audit.60 kernel (Re: [PATCH] bug fixes + cleanups against audit.58)
On Sun, 2005-06-19 at 19:29 +0100, David Woodhouse wrote:
Tim, what's the locking strategy here? Why is
auditfs_attach_wdata()
allowed to walk the watch list as it does, allocating memory and
potentially sleeping between each item?
To answer the rhetorical question...
--- linux-2.6.9/kernel/auditsc.c~ 2005-06-19 20:28:08.000000000 +0100
+++ linux-2.6.9/kernel/auditsc.c 2005-06-19 23:13:33.000000000 +0100
@@ -1232,6 +1232,8 @@ void audit_signal_info(int sig, struct t
}
#ifdef CONFIG_AUDITFILESYSTEM
+extern spinlock_t auditfs_lock;
+
/* This has to be here instead of in auditfs.c, because it needs to
see the audit context */
void auditfs_attach_wdata(struct inode *inode, struct hlist_head *watches,
@@ -1252,7 +1254,11 @@ void auditfs_attach_wdata(struct inode *
INIT_HLIST_HEAD(&ax->watches);
+ spin_lock(&auditfs_lock);
hlist_for_each_entry(watch, pos, watches, w_watched) {
+ restart:
+ audit_watch_get(watch);
+ spin_unlock(&auditfs_lock);
winfo = kmalloc(sizeof(struct audit_watch_info), GFP_KERNEL);
if (!winfo)
goto auditfs_attach_wdata_fail;
@@ -1260,7 +1266,25 @@ void auditfs_attach_wdata(struct inode *
continue;
winfo->watch = audit_watch_get(watch);
hlist_add_head(&winfo->node, &ax->watches);
+ spin_lock(&auditfs_lock);
+ if (hlist_unhashed(&watch->w_watched)) {
+ audit_watch_put(watch);
+ /* Someone took it off the list while we didn't have it locked.
+ Go through the list of watches again until we find one which
+ we haven't already dealt with... */
+ hlist_for_each_entry(watch, pos, watches, w_watched) {
+ hlist_for_each_entry(winfo, tmp, &ax->watches, node) {
+ if (winfo->watch == watch)
+ continue;
+ }
+ /* This watch wasn't found on ax's list, so
+ pick up where we left off. */
+ goto restart;
+ }
+ }
+ audit_watch_put(watch);
}
+ spin_unlock(&auditfs_lock);
if (context->in_syscall && !context->auditable &&
AUDIT_DISABLED != audit_filter_syscall(current, context,
--- linux-2.6.9/kernel/auditfs.c~ 2005-06-19 18:53:58.000000000 +0100
+++ linux-2.6.9/kernel/auditfs.c 2005-06-19 22:27:41.000000000 +0100
@@ -52,7 +52,7 @@ extern int audit_enabled;
static kmem_cache_t *audit_watch_cache;
static HLIST_HEAD(master_watchlist);
-static spinlock_t auditfs_lock = SPIN_LOCK_UNLOCKED;
+spinlock_t auditfs_lock = SPIN_LOCK_UNLOCKED;
struct audit_skb_list {
struct hlist_node list;
--
dwmw2
7125
days inactive
7127
days old
linux-audit@lists.linux-audit.osci.io
5 comments
3 participants
participants (3)
-
David Woodhouse -
Steve Grubb -
Timothy R. Chavez