From: Guenter Roeck <linux@roeck-us.net>
To: Sabrina Dubroca <sd@queasysnail.net>, Paul Moore <pmoore@redhat.com>
Cc: Thierry Reding <thierry.reding@gmail.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Stephen Rothwell <sfr@canb.auug.org.au>,
linux-next@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-fsdevel@vger.kernel.org, linux-audit@redhat.com,
Richard Guy Briggs <rgb@redhat.com>
Subject: Re: linux-next: Tree for Jan 20 -- Kernel panic - Unable to mount root fs
Date: Wed, 21 Jan 2015 08:21:29 -0800 [thread overview]
Message-ID: <54BFD209.1080507@roeck-us.net> (raw)
In-Reply-To: <20150121155407.GA18701@kria>
On 01/21/2015 07:54 AM, Sabrina Dubroca wrote:
> 2015-01-21, 16:39:12 +0100, Thierry Reding wrote:
>> On Wed, Jan 21, 2015 at 10:24:11AM -0500, Paul Moore wrote:
>>> On Wednesday, January 21, 2015 03:42:16 PM Thierry Reding wrote:
>>>> On Wed, Jan 21, 2015 at 12:05:39PM +0100, Sabrina Dubroca wrote:
>>>>> 2015-01-21, 04:36:38 +0000, Al Viro wrote:
>>>>>> On Tue, Jan 20, 2015 at 08:01:26PM -0800, Guenter Roeck wrote:
>>>>>>> With this patch:
>>>>>>>
>>>>>>> sys_mkdir .:40775 returned -17
>>>>>>> sys_mkdir usr:40775 returned 0
>>>>>>> sys_mkdir usr/lib:40775 returned 0
>>>>>>> sys_mkdir usr/share:40755 returned 0
>>>>>>> sys_mkdir usr/share/udhcpc:40755 returned 0
>>>>>>> sys_mkdir usr/bin:40775 returned 0
>>>>>>> sys_mkdir usr/sbin:40775 returned 0
>>>>>>> sys_mkdir mnt:40775 returned 0
>>>>>>> sys_mkdir proc:40775 returned 0
>>>>>>> sys_mkdir root:40775 returned 0
>>>>>>> sys_mkdir lib:40775 returned 0
>>>>>>> sys_mkdir lib/modules:40775 returned 0
>>>>>>> ...
>>>>>>>
>>>>>>> and the problem is fixed.
>>>>>
>>>>> This patch also works for me.
>>>>>
>>>>>> ... except that it simply confirms that something's fishy with
>>>>>> getname_kernel() of ->name of struct filename returned by getname().
>>>>>> IOW, I still do not understand the mechanism of breakage there.
>>>>>
>>>>> I'm not so sure about that. I tried to copy name to a new string in
>>>>> do_path_lookup and that didn't help.
>>>>>
>>>>> Now, I've removed the
>>>>>
>>>>> putname(filename);
>>>>>
>>>>> line from do_path_lookup and I don't get the panic.
>>>>
>>>> That would indicate that somehow the refcount got unbalanced. Looking
>>>> more closely it seems like the various audit_*() function do take a
>>>> reference, but maybe that's not enough.
>>>
>>> I'm thinking the same thing and I think the problem may be that
>>> __audit_reusename() is not bumping the filename->refcnt. Can someone who is
>>> seeing this problem bump the refcnt in __audit_reusename()?
>>>
>>> struct filename *
>>> __audit_reusename(const __user char *uptr)
>>> {
>>> struct audit_context *context = current->audit_context;
>>> struct audit_names *n;
>>>
>>> list_for_each_entry(n, &context->names_list, list) {
>>> if (!n->name)
>>> continue;
>>> if (n->name->uptr == uptr) {
>>> + n->name->refcnt++;
>>> return n->name;
>>> }
>>> }
>>> return NULL;
>>> }
>>
>> That doesn't seem to help, at least in my case.
>
> Same here.
>
> Well, it's probably not an audit issue. I tried audit=0 on the
> commandline, and I just rebuilt a kernel with CONFIG_AUDIT=n, and it's
> still panicing. This should have fixed any audit-related issue,
> right?
>
I don't have audit enabled, so I don't think that is the problem either
(the refcount increase didn't help, and a WARN(1) added to the code
at the same location did not trigger).
Wonder if we have a use-after-free case and just have been lucky all along.
Guenter
next prev parent reply other threads:[~2015-01-21 16:21 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-20 7:53 linux-next: Tree for Jan 20 Stephen Rothwell
2015-01-20 14:16 ` Guenter Roeck
2015-01-20 16:56 ` linux-next: Tree for Jan 20 -- Kernel panic - Unable to mount root fs Sabrina Dubroca
2015-01-20 17:39 ` Paul Moore
2015-01-20 17:51 ` Sabrina Dubroca
2015-01-20 19:54 ` Al Viro
2015-01-20 20:45 ` Sabrina Dubroca
2015-01-20 21:02 ` Al Viro
2015-01-20 21:38 ` Sabrina Dubroca
2015-01-20 21:58 ` Al Viro
2015-01-20 22:08 ` Sabrina Dubroca
2015-01-20 22:13 ` Guenter Roeck
2015-01-20 22:50 ` Al Viro
2015-01-20 23:17 ` Al Viro
2015-01-20 23:27 ` Sabrina Dubroca
2015-01-21 0:04 ` Paul Moore
2015-01-21 0:14 ` Paul Moore
2015-01-21 0:41 ` Al Viro
2015-01-21 2:44 ` Guenter Roeck
2015-01-21 3:36 ` Al Viro
2015-01-21 4:01 ` Guenter Roeck
2015-01-21 4:36 ` Al Viro
2015-01-21 11:05 ` Sabrina Dubroca
2015-01-21 13:32 ` Guenter Roeck
2015-01-21 18:29 ` Al Viro
2015-01-21 19:06 ` Guenter Roeck
2015-01-21 20:06 ` Al Viro
2015-01-21 21:03 ` Guenter Roeck
2015-01-21 21:28 ` Al Viro
2015-01-21 21:38 ` Guenter Roeck
2015-01-21 21:40 ` Sabrina Dubroca
2015-01-21 21:54 ` Paul Walmsley
2015-01-22 2:28 ` Paul Moore
2015-01-22 4:12 ` Al Viro
2015-01-22 4:49 ` Paul Moore
2015-01-21 21:30 ` Sabrina Dubroca
2015-01-21 14:42 ` Thierry Reding
2015-01-21 15:24 ` Paul Moore
2015-01-21 15:39 ` Thierry Reding
2015-01-21 15:54 ` Sabrina Dubroca
2015-01-21 16:16 ` Paul Moore
2015-01-21 17:38 ` Al Viro
2015-01-21 17:51 ` Guenter Roeck
2015-01-21 16:21 ` Guenter Roeck [this message]
2015-01-21 15:06 ` Paul Moore
2015-01-20 21:43 ` Guenter Roeck
2015-01-20 17:54 ` Fabio Estevam
2015-01-20 19:00 ` Ross Zwisler
2015-01-20 19:16 ` Fabio Estevam
2015-01-20 19:24 ` Paul Moore
2015-01-20 19:43 ` Fabio Estevam
2015-01-20 20:10 ` Paul Moore
2015-01-20 20:26 ` linux-next: Tree for Jan 20 Guenter Roeck
2015-01-20 22:54 ` Kirill A. Shutemov
2015-01-21 3:05 ` Guenter Roeck
2015-01-21 10:43 ` Kirill A. Shutemov
2015-01-21 23:34 ` Guenter Roeck
2015-01-22 3:14 ` Guenter Roeck
2015-01-22 17:13 ` linux-next: Tree for Jan 20 -- sparc32: fix broken set_pte() Kirill A. Shutemov
2015-01-22 17:27 ` Kirill A. Shutemov
2015-01-22 17:27 ` Kirill A. Shutemov
2015-01-22 19:34 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54BFD209.1080507@roeck-us.net \
--to=linux@roeck-us.net \
--cc=linux-audit@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
--cc=sd@queasysnail.net \
--cc=sfr@canb.auug.org.au \
--cc=thierry.reding@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.