From mboxrd@z Thu Jan 1 00:00:00 1970
From: Paul Moore
Subject: Re: v3.19-rc2: crashes during boot (syslog-ng, rpcbind ...)
Date: Tue, 30 Dec 2014 13:46:24 -0500
Message-ID: <4559278.bMkG2euyQm@sifl>
References: <54A17C49.5080102@gmx.de> <54A1B724.8070106@gmx.de> <5490032.bFDrnJqxyv@sifl>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Return-path:
In-Reply-To: <5490032.bFDrnJqxyv@sifl>
Sender: linux-kernel-owner@vger.kernel.org
To: Toralf Förster
Cc: linux Kernel , linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, December 30, 2014 09:11:32 AM Paul Moore wrote:
> On Monday, December 29, 2014 09:18:44 PM Toralf Förster wrote:
> > On 12/29/2014 08:41 PM, Paul Moore wrote:
> > > To help verify that I'm heading down the right path, could you share
> > > your audit configuration as well? If that's not possible, can you at
> > > least confirm that you are using a few audit directory watches?
> > 
> > Well, it is just a victim system for trinity - but I did not configure
> > auditd in a special manner - so it is just the plain default configuration
> > of Gentoo:
> 
> Okay, thanks for the information; the file related syscall watches are
> likely what triggered the problem code. Until I've got the fix sorted out,
> removing the syscall watches or just disabling auditd from starting at boot
> should work around the problem.

I still want to go over the below patch a bit more to check a few things, but 
it solves the problem for me and I believe it should solve the problem you are 
seeing as well. Can you give it a try and let me know what happens?

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 287b3d3..d834770 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -72,6 +72,8 @@
 #include
 #include
 #include
+#include
+#include
 
 #include "audit.h"
 
@@ -1862,7 +1864,7 @@ void __audit_inode(struct filename *name, const struct 
dentry *dentry,
 
 	list_for_each_entry_reverse(n, &context->names_list, list) {
 		/* does the name pointer match? */
-		if (!n->name || n->name->name != name->name)
+		if (!n->name || strcmp(n->name->name, name->name))
 			continue;
 
 		/* match the correct record type */
@@ -1881,14 +1883,39 @@ out_alloc:
 	n = audit_alloc_name(context, AUDIT_TYPE_UNKNOWN);
 	if (!n)
 		return;
-	if (name)
-		/* since name is not NULL we know there is already a matching
-		 * name record, see audit_getname(), so there must be a type
-		 * mismatch; reuse the string path since the original name
-		 * record will keep the string valid until we free it in
-		 * audit_free_names() */
-		n->name = name;
+	/* unfortunately, while we may have a path name to record with the
+	 * inode, we can't always rely on the string lasting until the end of
+	 * the syscall so we need to create our own copy, it may fail due to
+	 * memory allocation issues, but we do our best */
+	if (name) {
+		/* we can't use getname_kernel() due to size limits */
+		struct filename *new = __getname();
 
+		if (unlikely(!new))
+			goto out;
+
+		memset(new, 0, sizeof(*new));
+		if ((strlen(name->name) + 1) <= (PATH_MAX - sizeof(*new))) {
+			char *new_name = (char *)(new) + sizeof(*new);
+			new->name = new_name;
+			new->separate = false;
+		} else {
+			/* this looks odd, but is due to final_putname() */
+			struct filename *new2;
+			new2 = kzalloc(sizeof(*new2), GFP_KERNEL);
+			if (unlikely(!new2)) {
+				__putname(new);
+				goto out;
+			}
+			new2->name = (char *)new;
+			new = new2;
+			new->separate = true;
+		}
+		strcpy((char *)new->name, name->name);
+		new->aname = n;
+		n->name = new;
+		n->name_put = true;
+	}
 out:
 	if (parent) {
 		n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL;
-- 
paul moore
www.paul-moore.com
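Review bot: the matching rule in the first __audit_inode hunk changes meaning and the change deserves a sentence in the changelog: "n->name->name != name->name" matched only the record that shares the same struct filename, while "strcmp(n->name->name, name->name)" matches any record carrying an equal path string, whichever getname() produced it. That is the right thing once name records own private copies (second hunk), but it means the "match the correct record type" check that follows is now the only thing separating two records for the same path, so say so where the loop is documented. Cost-wise this turns a pointer compare into a full string compare on every entry of names_list for every __audit_inode() call; names_list is short, so this is acceptable, but note it so nobody later "optimises" it back to the pointer compare.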
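Review bot: the "separate" branch of the out_alloc hunk copies without a bound. The inline branch is guarded by "(strlen(name->name) + 1) <= (PATH_MAX - sizeof(*new))", but the else branch points new2->name at the whole __getname() buffer and then runs "strcpy((char *)new->name, name->name);" with no check that the string plus terminator fits in PATH_MAX, so a source longer than the buffer overruns it. Either add the symmetric guard before the kzalloc(), along the lines of "if (strlen(name->name) + 1 > PATH_MAX) { __putname(new); goto out; }", or compute the length once, use it for the branch decision, and copy with a bounded memcpy() of that length; either way the copy can then never run past the PATH_MAX buffer even if a caller hands in an oversized string. Two smaller points on the same hunk: the four-line comment above "if (name) {" should also say why getname_kernel() cannot be used (the one-line "due to size limits" is the only hint), and since n->name_put is now set for a copy whose separate flag may be either value, a short comment stating that final_putname() frees both layouts (which is what "this looks odd" is alluding to) would spare the next reader a detour through audit_free_names().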