From: Eric Paris
Subject: Re: Kernel oops+crash on repeated auditd restarts
Date: Mon, 23 Apr 2012 12:26:16 -0400
Message-ID: <1335198376.8224.4.camel@localhost>
References: <1327519203.4131.25.camel@localhost> <1332983643.384.8.camel@localhost> <1333660021.2273.0.camel@localhost> <20120420231424.1836e56b@oc8526070481.ibm.com>
In-Reply-To: <20120420231424.1836e56b@oc8526070481.ibm.com>
To: Marcelo Cerri
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 2012-04-20 at 23:14 -0300, Marcelo Cerri wrote:

> The patch below increments the reference count of a mark when it is
> added to the destroy list. It seems to solve the issue and it doesn't
> seem to cause any memory leak. Please, can you make some tests in your
> environments and let me know if there is any problem with this patch.

That is almost certainly the wrong thing to do. This test program
should show a memory leak with your patch. If it doesn't show a memory
leak then something is screwed up in inotify as well.

#include <errno.h>
#include <sys/inotify.h>
#include <unistd.h>

int main(void)
{
	int fd;
	int rc;
	struct inotify_event event[10];

	fd = inotify_init();
	if (fd < 0)
		return errno;

	/* Create and destroy a mark on every iteration. */
	while (1) {
		rc = inotify_add_watch(fd, "/tmp", IN_CLOSE_WRITE);
		if (rc < 0)
			return errno;

		rc = inotify_rm_watch(fd, rc);
		if (rc)
			return errno;

		/* Drain the IN_IGNORED event queued by the removal. */
		rc = read(fd, event, sizeof(event));
		if (rc < 0)
			return errno;
	}

	return 0;
}

The lifetime of an object is supposed to be from fsnotify_init_mark()
until its matching reference is dropped in fsnotify_mark_destroy(). It
sounds to me like we are calling put somewhere in the audit code when we
didn't previously call a get....
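
Added example, not part of the original message or the kernel source: a userspace model of the reference counting argument in the reply above, showing that an extra get at destroy time hides an unmatched put but leaks on every correctly balanced path. The struct, the function names and the ordering (queue for destroy, caller's stray put, final put) are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified model of a refcounted mark; names are hypothetical. */
struct mark { int refcnt; int freed; int misuse; };

enum outcome { BALANCED, LEAKED, USE_AFTER_FREE };

static void mark_init(struct mark *m) { m->refcnt = 1; m->freed = 0; m->misuse = 0; }

static void mark_get(struct mark *m)
{
    if (m->freed) { m->misuse = 1; return; }   /* touching a freed object */
    m->refcnt++;
}

static void mark_put(struct mark *m)
{
    if (m->freed) { m->misuse = 1; return; }   /* put with no reference left */
    if (--m->refcnt == 0)
        m->freed = 1;                          /* last reference: object is released */
}

/*
 * One object lifetime.
 *   stray_puts: puts issued by a caller that never took a matching get
 *   extra_get:  nonzero models a patch that takes a reference when the
 *               mark is queued for destruction
 */
static enum outcome run_lifetime(int stray_puts, int extra_get)
{
    struct mark m;
    int i;

    mark_init(&m);                 /* lifetime starts with one reference */
    if (extra_get)
        mark_get(&m);              /* reference taken when queued for destroy */
    for (i = 0; i < stray_puts; i++)
        mark_put(&m);              /* the unbalanced caller */
    mark_put(&m);                  /* destroy drops the reference from init */

    if (m.misuse)
        return USE_AFTER_FREE;
    return m.freed ? BALANCED : LEAKED;
}

int main(void)
{
    static const char *name[] = { "balanced", "leaked", "use-after-free" };
    printf("correct caller, no patch: %s\n", name[run_lifetime(0, 0)]);
    printf("correct caller, patched:  %s\n", name[run_lifetime(0, 1)]);
    printf("stray put, no patch:      %s\n", name[run_lifetime(1, 0)]);
    printf("stray put, patched:       %s\n", name[run_lifetime(1, 1)]);
    return 0;
}
```

The second case corresponds to the inotify test program in the reply: a caller that pairs its references correctly never reaches zero once the extra get is added.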