From: Eric Paris
Subject: Re: Kernel oops+crash on repeated auditd restarts
Date: Tue, 24 Apr 2012 14:31:39 -0400
Message-ID: <1335292299.10352.3.camel@localhost>
References: <1332983643.384.8.camel@localhost> <1333660021.2273.0.camel@localhost> <20120420231424.1836e56b@oc8526070481.ibm.com> <1335198376.8224.4.camel@localhost> <20120424021210.283cd4cd@oc8526070481.ibm.com>
In-Reply-To: <20120424021210.283cd4cd@oc8526070481.ibm.com>
To: Marcelo Cerri
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2012-04-24 at 02:12 -0300, Marcelo Cerri wrote:
> On Mon, 23 Apr 2012 12:26:16 -0400, Eric Paris wrote:
> Considering that the issue is specific to audit and it seems to occur
> only with watches on directories, I investigated the audit_tree.c file
> and found a probable cause. The untag_chunk() holds a reference to a
> mark at the beginning of the function and releases it at the end of it (on
> the label out). However, when it jumps to the "out" label, it calls
> fsnotify_put_mark once more.
>
> Peter and Valentin, can you test this new patch to check if it
> solves the oops problem?
>
> Eric, do you agree with this solution?
>
> Regards,
> Marcelo
>
> ---
> kernel/audit_tree.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/kernel/audit_tree.c b/kernel/audit_tree.c
> index 5bf0790..b5bd9f9 100644
> --- a/kernel/audit_tree.c
> +++ b/kernel/audit_tree.c
> @@ -250,7 +250,6 @@ static void untag_chunk(struct node *p)
> spin_unlock(&hash_lock);
> spin_unlock(&entry->lock);
> fsnotify_destroy_mark(entry);
> - fsnotify_put_mark(entry);
> goto out;
> }
>
> @@ -293,7 +292,6 @@ static void untag_chunk(struct node *p)
> spin_unlock(&hash_lock);
> spin_unlock(&entry->lock);
> fsnotify_destroy_mark(entry);
> - fsnotify_put_mark(entry);
> goto out;
>
> Fallback:

This looks right to me. The old audit logic before the switch to fsnotify was:

- inotify_evict_watch(&chunk->watch);
- mutex_unlock(&chunk->watch.inode->inotify_mutex);
- put_inotify_watch(&chunk->watch);

Which I changed to:

+ spin_unlock(&entry->lock);
+ fsnotify_destroy_mark_by_entry(entry);
+ fsnotify_put_mark(entry);

The difference being that inotify_evict_watch() took a reference on chunk->watch, however fsnotify_destroy_mark_by_entry() does not. So the fsnotify_put_mark() was incorrect.

I'd love to hear testing results, and I'm going to try to figure out if I screwed that up other places....

-Eric
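Review bot: the first hunk (@@ -250) drops `fsnotify_put_mark(entry)` right after `fsnotify_destroy_mark(entry)` before `goto out`, and the only justification is in the mail body: untag_chunk() takes its own reference on the mark at function entry and releases it at the `out` label, so a second put on this exit path releases one reference too many. As posted the diff carries just a diffstat, no commit message and no Signed-off-by; please move that refcount explanation into the changelog and add a one-line comment at the `out` label stating that its put balances the get taken at entry, so the extra put is not reintroduced later.

Review bot: the second hunk (@@ -293) makes the identical removal and its trailing context stops at the `Fallback:` label, but neither the diff nor the description says whether the Fallback path, or any other exit from untag_chunk(), also pairs its own put against the entry-time get; Eric's reply already suspects the inotify_evict_watch()/put_inotify_watch() conversion may have been mis-applied elsewhere. Before merging, the remaining fsnotify_destroy_mark() call sites in the audit code should be checked for the same trailing fsnotify_put_mark(), and the result of the repeated-auditd-restart test Peter and Valentin are asked to run should be recorded in the commit message.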