From mboxrd@z Thu Jan 1 00:00:00 1970 From: Valentin Avram Subject: Kernel oops+crash on repeated auditd restarts Date: Wed, 25 Jan 2012 18:45:03 +0200 Message-ID: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8680552689528749155==" Return-path: Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com [10.5.110.19]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q0PGj5E9027479 for ; Wed, 25 Jan 2012 11:45:05 -0500 Received: from mail-gy0-f174.google.com (mail-gy0-f174.google.com [209.85.160.174]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0PGj39V019382 for ; Wed, 25 Jan 2012 11:45:04 -0500 Received: by ghrr11 with SMTP id r11so1733563ghr.33 for ; Wed, 25 Jan 2012 08:45:03 -0800 (PST) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============8680552689528749155== Content-Type: multipart/alternative; boundary=001636c92b853c40fb04b75cfc6a --001636c92b853c40fb04b75cfc6a Content-Type: text/plain; charset=ISO-8859-1 Hello. Did anybody ever experience kernel oopses and even kernel crashes (after a while), by just restarting repeatedly the auditd daemon? I ask this because i had this problem on Dell R610 servers running Gentoo Linux kernels gentoo-sources-3.0.6 and gentoo-sources-2.6.37-r4 (see this bug: https://bugs.gentoo.org/show_bug.cgi?id=389405 ). The kernels are nothing special, just the vanilla 2.6.37 and 3.0.6 with a few gentoo patches (see https://lkml.org/lkml/2011/11/28/330 ). The auditd version is 2.1.3 (latest). The audit.rules file contains basically the following rules: -D -w /etc -p wa -k etc-directory [snip: same for /sbin, /bin, /usr/sbin, /usr/bin] -a exit,never -F dir=/lib/rc -k skip-lib-rc -w /lib -p wa -k lib-directory -w /usr/lib -p wa -k usr-lib-directory -a exit,never -F arch=b32 -S read [snip: -S for write,open,fstat,mmap etc.] -k excluded-syscalls -b 8192 The bug seems to be somewhere in the fsnotify kernel part, however Gentoo kernel devs and ppl on lkml did not seem too interested, so.. did anybody notice a similar behaviour? Or better yet, is anybody willing to run on one of your servers this simple test: start the minimum server services, use a similar audit.rules configuration, then start auditd and run in a shell the following one-liner: while :; do /etc/init.d/auditd stop ; sleep 5 ; /etc/init.d/auditd start ; sleep 5 ; done This was enough to oops and crash the kernel in less than one hour on the servers where i did the tests. If any similar behavior happens, i'd be very interested to know the the kernel version and distro. Thank you for your time. --001636c92b853c40fb04b75cfc6a Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hello.

Did anybody ever experience kernel oopses and eve= n kernel crashes (after a while), by just restarting repeatedly the auditd = daemon?

I ask this because i had this problem on D= ell R610 servers running Gentoo Linux kernels gentoo-sources-3.0.6 and gent= oo-sources-2.6.37-r4 (see this bug:=A0https://bugs.gentoo.org/show_bug.cgi?id=3D389405=A0).

The kernels are nothing special, just the vanilla 2.6.3= 7 and 3.0.6 with a few gentoo patches (see=A0 https://lkml.org/lkml/2011/11/28/330=A0).

The auditd version is 2.1.3 (latest). The audit.rules file conta= ins basically the following rules:

-D

-w= /etc -p wa -k etc-directory

[snip: same for /sbin, /bin, /usr/sb= in, /usr/bin]

-a exit,never -F dir=3D/lib/rc -k skip-lib-rc

-w /lib -p wa = -k lib-directory

-w /usr/lib -p wa -k usr-lib-directory

-a exit,never -F arch=3Db32 -S read [snip: -S for write,open,fstat,mmap et= c.] -k excluded-syscalls

-b 8192

The bug seems to be somewhere in the = fsnotify kernel part, however Gentoo kernel devs and ppl on lkml did not se= em too interested, so.. did anybody notice a similar behaviour? Or better y= et, is anybody willing to run on one of your servers this simple test: star= t the minimum server services, use a similar audit.rules configuration, the= n start auditd and run in a shell the following one-liner:

while :; do /etc/init.d/auditd stop ; sleep 5 ; /etc/in= it.d/auditd start ; sleep 5 ; done

This was enough= to oops and crash the kernel in less than one hour on the servers where i = did the tests. If any similar behavior happens, i'd be very interested = to know the the kernel version and distro.

Thank you for your time.

--001636c92b853c40fb04b75cfc6a-- --===============8680552689528749155== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============8680552689528749155==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Moody Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Wed, 25 Jan 2012 08:53:01 -0800 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mx1.redhat.com (ext-mx12.extmail.prod.ext.phx2.redhat.com [10.5.110.17]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q0PGrWVj002306 for ; Wed, 25 Jan 2012 11:53:32 -0500 Received: from mail-qy0-f174.google.com (mail-qy0-f174.google.com [209.85.216.174]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q0PGrVLw020818 for ; Wed, 25 Jan 2012 11:53:31 -0500 Received: by qcsg15 with SMTP id g15so940455qcs.33 for ; Wed, 25 Jan 2012 08:53:31 -0800 (PST) In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Valentin Avram Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Just flushing the rules (auditctl -D) would cause my ubuntu machine running a 2.6.38 kernel to oops fairly regularly, maybe one in five times. This was especially painful when testing new rules. On Wed, Jan 25, 2012 at 8:45 AM, Valentin Avram wrote: > Hello. > > Did anybody ever experience kernel oopses and even kernel crashes (after a > while), by just restarting repeatedly the auditd daemon? > > I ask this because i had this problem on Dell R610 servers running Gentoo > Linux kernels gentoo-sources-3.0.6 and gentoo-sources-2.6.37-r4 (see this > bug:=A0https://bugs.gentoo.org/show_bug.cgi?id=3D389405=A0). > > The kernels are nothing special, just the vanilla 2.6.37 and 3.0.6 with a > few gentoo patches (see=A0https://lkml.org/lkml/2011/11/28/330=A0). > > The auditd version is 2.1.3 (latest). The audit.rules file contains > basically the following rules: > > -D > -w /etc -p wa -k etc-directory > [snip: same for /sbin, /bin, /usr/sbin, /usr/bin] > -a exit,never -F dir=3D/lib/rc -k skip-lib-rc > -w /lib -p wa -k lib-directory > -w /usr/lib -p wa -k usr-lib-directory > -a exit,never -F arch=3Db32 -S read [snip: -S for write,open,fstat,mmap e= tc.] > -k excluded-syscalls > -b 8192 > > The bug seems to be somewhere in the fsnotify kernel part, however Gentoo > kernel devs and ppl on lkml did not seem too interested, so.. did anybody > notice a similar behaviour? Or better yet, is anybody willing to run on o= ne > of your servers this simple test: start the minimum server services, use a > similar audit.rules configuration, then start auditd and run in a shell t= he > following one-liner: > > while :; do /etc/init.d/auditd stop ; sleep 5 ; /etc/init.d/auditd start ; > sleep 5 ; done > > This was enough to oops and crash the kernel in less than one hour on the > servers where i did the tests. If any similar behavior happens, i'd be ve= ry > interested to know the the kernel version and distro. > > Thank you for your time. > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- = Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 Security Engineer=A0 pgp:0xC3410038 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Wed, 25 Jan 2012 14:20:03 -0500 Message-ID: <1327519203.4131.25.camel@localhost> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Valentin Avram Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Wed, 2012-01-25 at 18:45 +0200, Valentin Avram wrote: > Did anybody ever experience kernel oopses and even kernel crashes > (after a while), by just restarting repeatedly the auditd daemon? No, but I'll try to remember to take a look. We did have a BUG() that was recently fixed when using -w rules (as I recall). But I've never seen this particular NULL pointer bug. We did recently fix a race in fsnotify mark destruction that could be this, but those symptoms weren't exactly the same. I'm both the upstream Audit and fsnotify maintainer so I'm grumbley at Gentoo for never letting me know isn't working. Where else did you report this? I'm wondering where all the information failure is happening. Can you send me any and all info you have? I'll see if I can reproduce a problem here (but I'm a Fedora guy) From mboxrd@z Thu Jan 1 00:00:00 1970 From: Valentin Avram Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Thu, 26 Jan 2012 09:13:23 +0200 Message-ID: References: <1327519203.4131.25.camel@localhost> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4982181313618091715==" Return-path: In-Reply-To: <1327519203.4131.25.camel@localhost> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============4982181313618091715== Content-Type: multipart/alternative; boundary=20cf30363d03a2425304b7691d52 --20cf30363d03a2425304b7691d52 Content-Type: text/plain; charset=ISO-8859-1 Please read below. On Wed, Jan 25, 2012 at 9:20 PM, Eric Paris wrote: > On Wed, 2012-01-25 at 18:45 +0200, Valentin Avram wrote: > > > Did anybody ever experience kernel oopses and even kernel crashes > > (after a while), by just restarting repeatedly the auditd daemon? > > No, but I'll try to remember to take a look. We did have a BUG() that > was recently fixed when using -w rules (as I recall). But I've never > seen this particular NULL pointer bug. We did recently fix a race in > fsnotify mark destruction that could be this, but those symptoms weren't > exactly the same. > > I'm both the upstream Audit and fsnotify maintainer so I'm grumbley at > Gentoo for never letting me know isn't working. Where else did you > report this? I'm wondering where all the information failure is > happening. > I only reported the issue on Gentoo bugs and LKML (the two links i included in the original email). The Gentoo guys at first did seem interested in the bug and asked for a test with a kernel compiled with CONFIG_DEBUG_INFO and CONFIG_DEBUG_LIST. After that test it looked like some list is getting messed up somewhere (altough i'm part C programmer, my kernel insides knowledge is limited). The LKML guys didn't even bother to answer. > Can you send me any and all info you have? > > All the information i had is posted on the Gentoo bug report. The two machines i used to test the issue are now in production mode, so i can't do any testing on them. However I'll soon have access to a new machine that can stay in test mode for a while, where i plan to retest with Gentoo's latest "stable-marked" kernel gentoo-sources-3.1.6. > I'll see if I can reproduce a problem here (but I'm a Fedora guy) > At this moment i'm not extremely sure if it's a auditd issue or a kernel issue or both. However, if you're running a kernel lower than 3.0.7 and auditd 2.1.3, I'd be very interested if running the one-liner i posted (audit start and stop on a loop with 5 seconds delay) will eventually (in 1 hour or something close) crash the kernel completely (or at least oops a lot of times). Thank you. --20cf30363d03a2425304b7691d52 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Please read below.

On Wed, Jan 25, 2012 a= t 9:20 PM, Eric Paris <eparis@redhat.com> wrote:

On Wed, 2012-01-25 at 18:45 +0200, Valentin Avram wrote:<= br>
> Did anybody ever experience kernel oopses and even kernel crashes
> (after a while), by just restarting repeatedly the auditd daemon?

No, but I'll try to remember to take a look. =A0We did have a BUG= () that
was recently fixed when using -w rules (as I recall). =A0 But I've neve= r
seen this particular NULL pointer bug. =A0We did recently fix a race in
fsnotify mark destruction that could be this, but those symptoms weren'= t
exactly the same.

I'm both the upstream Audit and fsnotify maintainer so I'm grumbley= at
Gentoo for never letting me know isn't working. =A0Where else did you report this? =A0I'm wondering where all the information failure is
happening.

I only reported the issue on= Gentoo bugs and LKML (the two links i included in the original email). The= Gentoo guys at first did seem interested in the bug and asked for a test w= ith a kernel compiled with CONFIG_DEBUG_INFO and CONFIG_DEBUG_LIST. After t= hat test it looked like some list is getting messed up somewhere (altough i= 'm part C programmer, my kernel insides knowledge is limited). The LKML= guys didn't even bother to answer.

=A0

Can you send me any and all info you have?

All the information i had is posted on= the Gentoo bug report. The two machines i used to test the issue are now i= n production mode, so i can't do any testing on them. However I'll = soon have access to a new machine that can stay in test mode for a while, w= here i plan to retest with Gentoo's latest "stable-marked" ke= rnel gentoo-sources-3.1.6.

=A0

I'll see if I can reproduce a problem here (but I'm a Fedora guy)

At this moment i'm not extremely sur= e if it's a auditd issue or a kernel issue or both. However, if you'= ;re running a kernel lower than 3.0.7 and auditd 2.1.3, I'd be very int= erested if running the one-liner i posted (audit start and stop on a loop w= ith 5 seconds delay) will eventually (in 1 hour or something close) crash t= he kernel completely (or at least oops a lot of times).=A0

Thank you.

--20cf30363d03a2425304b7691d52-- --===============4982181313618091715== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============4982181313618091715==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Valentin Avram Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Wed, 8 Feb 2012 18:11:03 +0200 Message-ID: References: <1327519203.4131.25.camel@localhost> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7474275148628762262==" Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============7474275148628762262== Content-Type: multipart/alternative; boundary=001636c92c9a70425104b8762458 --001636c92c9a70425104b8762458 Content-Type: text/plain; charset=ISO-8859-1 Hello. Fresh news: Gentoo's gentoo-sources-3.1.10-r1 with audit-2.1.3 still gives oops using the simple "start ; sleep 5 ; stop ; sleep 5 ; repeat" one-liner. Kernel oops after less than 5 minutes: BUG: unable to handle kernel NULL pointer dereference at 00000004 IP: [] fsnotify_mark_destroy+0x87/0x130 *pdpt = 0000000000000000 *pde = f000def8f000def8 Oops: 0002 [#1] SMP Pid: 690, comm: fsnotify_mark Not tainted 3.1.10-gentoo-r1-drbd-version3 #1 Dell Inc. PowerEdge R610/0F0XJ6 EIP: 0060:[] EFLAGS: 00010216 CPU: 3 EIP is at fsnotify_mark_destroy+0x87/0x130 EAX: f2e51708 EBX: f2415fa8 ECX: 00000000 EDX: f2e51744 ESI: f2f46c00 EDI: ffffffc4 EBP: c10ea000 ESP: f2415f90 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 Process fsnotify_mark (pid: 690, ti=f2414000 task=f2f46c00 task.ti=f2414000) Stack: f2f46c00 00000000 f2f46c00 c1050150 f2415fa0 f2415fa0 f2e51744 f2e51744 f2c47f68 00000000 c10f22b0 00000000 c104f854 00000000 00000000 00000000 00000000 f2415fd4 f2415fd4 00000000 c104f7e0 f2c47f68 c15820b6 00000000 Call Trace: [] ? abort_exclusive_wait+0x90/0x90 [] ? fsnotify_put_mark+0x20/0x20 [] ? kthread+0x74/0x80 [] ? kthread_flush_work_fn+0x10/0x10 [] ? kernel_thread_helper+0x6/0xd Code: 34 1b 8b c1 e8 4b 2d f6 ff 8b 54 24 18 8d 42 c4 39 da 8b 48 3c 8d 79 c4 75 0e eb 2d 90 8d b4 26 00 00 00 00 89 f8 89 ef 8b 68 40 69 04 89 4d 00 89 50 3c 89 50 40 e8 48 ff ff ff 8b 4f 3c 8d EIP: [] fsnotify_mark_destroy+0x87/0x130 SS:ESP 0068:f2415f90 CR2: 0000000000000004 ---[ end trace d10081cf0e5b936c ]--- So far only one oops occured, however the test server is doing quite nothing right now. I'll install more services, retry and post back here the results. On Thu, Jan 26, 2012 at 9:13 AM, Valentin Avram wrote: > > All the information i had is posted on the Gentoo bug report. The two > machines i used to test the issue are now in production mode, so i can't do > any testing on them. However I'll soon have access to a new machine that > can stay in test mode for a while, where i plan to retest with Gentoo's > latest "stable-marked" kernel gentoo-sources-3.1.6. > > --001636c92c9a70425104b8762458 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hello.

Fresh news: Gentoo's gentoo-sources-3.1.10-r1 with audit-= 2.1.3 still gives oops using the simple "start ; sleep 5 ; stop ; slee= p 5 ; repeat" one-liner.

Kernel oops after less than 5 minutes:=

BUG: unable to handle kernel NULL pointer dereference at 00000004
IP= : [<c10f2337>] fsnotify_mark_destroy+0x87/0x130
*pdpt =3D 00000000= 00000000 *pde =3D f000def8f000def8
Oops: 0002 [#1] SMP

Pid: 690= , comm: fsnotify_mark Not tainted 3.1.10-gentoo-r1-drbd-version3 #1 Dell In= c. PowerEdge R610/0F0XJ6
EIP: 0060:[<c10f2337>] EFLAGS: 00010216 CPU: 3
EIP is at fsnotify_= mark_destroy+0x87/0x130
EAX: f2e51708 EBX: f2415fa8 ECX: 00000000 EDX: f= 2e51744
ESI: f2f46c00 EDI: ffffffc4 EBP: c10ea000 ESP: f2415f90
=A0DS= : 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process fsnotify_mark (pid: 690, ti=3Df2414000 task=3Df2f46c00 task.ti=3Df2= 414000)
Stack:
=A0f2f46c00 00000000 f2f46c00 c1050150 f2415fa0 f2415f= a0 f2e51744 f2e51744
=A0f2c47f68 00000000 c10f22b0 00000000 c104f854 000= 00000 00000000 00000000
=A000000000 f2415fd4 f2415fd4 00000000 c104f7e0 f2c47f68 c15820b6 00000000<= br>Call Trace:
=A0[<c1050150>] ? abort_exclusive_wait+0x90/0x90=A0[<c10f22b0>] ? fsnotify_put_mark+0x20/0x20
=A0[<c104f854>= ;] ? kthread+0x74/0x80
=A0[<c104f7e0>] ? kthread_flush_work_fn+0x10/0x10
=A0[<c15820b6= >] ? kernel_thread_helper+0x6/0xd
Code: 34 1b 8b c1 e8 4b 2d f6 ff 8b= 54 24 18 8d 42 c4 39 da 8b 48 3c 8d 79 c4 75 0e eb 2d 90 8d b4 26 00 00 00= 00 89 f8 89 ef 8b 68 40
=A069 04 89 4d 00 89 50 3c 89 50 40 e8 48 ff ff ff 8b 4f 3c 8d
EIP: [&l= t;c10f2337>] fsnotify_mark_destroy+0x87/0x130 SS:ESP 0068:f2415f90
CR= 2: 0000000000000004
---[ end trace d10081cf0e5b936c ]---

So far o= nly one oops occured, however the test server is doing quite nothing right = now. I'll install more services, retry and post back here the results.<= br>

On Thu, Jan 26, 2012 at 9:13 AM, Valentin Av= ram <aval13@gmail.= com> wrote:

All = the information i had is posted on the Gentoo bug report. The two machines = i used to test the issue are now in production mode, so i can't do any = testing on them. However I'll soon have access to a new machine that ca= n stay in test mode for a while, where i plan to retest with Gentoo's l= atest "stable-marked" kernel gentoo-sources-3.1.6.

--001636c92c9a70425104b8762458-- --===============7474275148628762262== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============7474275148628762262==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Valentin Avram Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Mon, 5 Mar 2012 10:35:20 +0200 Message-ID: References: <1327519203.4131.25.camel@localhost> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary=20cf30563a018a72fa04ba7aceec Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --20cf30563a018a72fa04ba7aceec Content-Type: multipart/alternative; boundary=20cf30563a018a72ee04ba7aceea --20cf30563a018a72ee04ba7aceea Content-Type: text/plain; charset=ISO-8859-1 Finally i found some time and spare server to retest the oops and list_add corruptions i was getting with the 3.x kernels and auditd 2.1.3. I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and kernel.org's 3.2.9. Both get the oops/BUG in the same way and after that, they keep pouring list_add corruptions with audit_prune_tre(truncated?) and auditctl as comms. Since this is not about Gentoo's kernel only, i'll post here the oops in 3.2.9 and also attach some list_add corruptions. 3.2.9 BUG: kernel: [ 301.240011] BUG: unable to handle kernel NULL pointer dereference at (null) kernel: [ 301.240305] IP: [] __list_del_entry+0x20/0xe0 kernel: [ 301.240481] *pdpt = 0000000000000000 *pde = f000ddc8f000ddc8 kernel: [ 301.240698] Oops: 0000 [#1] SMP kernel: [ 301.240910] kernel: [ 301.241030] Pid: 642, comm: fsnotify_mark Not tainted 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 kernel: [ 301.241370] EIP: 0060:[] EFLAGS: 00010287 CPU: 6 kernel: [ 301.241498] EIP is at __list_del_entry+0x20/0xe0 kernel: [ 301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff EDX: 00000000 kernel: [ 301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c ESP: f47cff64 kernel: [ 301.241879] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 kernel: [ 301.242005] Process fsnotify_mark (pid: 642, ti=f47ce000 task=f4f47c00 task.ti=f47ce000) kernel: [ 301.242207] Stack: kernel: [ 301.242327] c10813c0 f47cffa4 f4f47c00 f4e70888 f47cff7c f47cffa4 f47cffb8 c10f6976 kernel: [ 301.242882] ffffffc3 f4f47c00 f4f47c00 00000000 f4f47c00 c10530c0 f47cff9c f47cff9c kernel: [ 301.243438] f4fae544 f4fae544 f4c47f58 00000000 c10f68f0 f47cffe4 c1052834 00000000 kernel: [ 301.243995] Call Trace: kernel: [ 301.244119] [] ? rcu_check_callbacks+0x110/0x110 kernel: [ 301.244248] [] fsnotify_mark_destroy+0x86/0x120 kernel: [ 301.244377] [] ? abort_exclusive_wait+0x80/0x80 kernel: [ 301.244504] [] ? fsnotify_put_mark+0x30/0x30 kernel: [ 301.244631] [] kthread+0x74/0x80 kernel: [ 301.244756] [] ? kthread_flush_work_fn+0x10/0x10 kernel: [ 301.244885] [] kernel_thread_helper+0x6/0xd kernel: [ 301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 e5 53 83 ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 8e 00 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 14 kernel: [ 301.248195] EIP: [] __list_del_entry+0x20/0xe0 SS:ESP 0068:f47cff64 kernel: [ 301.248414] CR2: 0000000000000000 kernel: [ 301.248538] ---[ end trace 15082dbfb353f84c ]--- The kernel was compiled with the following DEBUG support (the bolded one were requested by Gentoo's Dev: CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y CONFIG_SLUB_DEBUG=y CONFIG_HAVE_DMA_API_DEBUG=y CONFIG_X86_DEBUGCTLMSR=y CONFIG_PNP_DEBUG_MESSAGES=y CONFIG_AIC94XX_DEBUG=y CONFIG_USB_DEBUG=y CONFIG_DEBUG_KERNEL=y CONFIG_SCHED_DEBUG=y CONFIG_DEBUG_RT_MUTEXES=y CONFIG_DEBUG_PI_LIST=y CONFIG_DEBUG_BUGVERBOSE=y *CONFIG_DEBUG_INFO=y* CONFIG_DEBUG_MEMORY_INIT=y *CONFIG_DEBUG_LIST=y* CONFIG_DEBUG_STACKOVERFLOW=y CONFIG_DEBUG_RODATA=y CONFIG_DEBUG_RODATA_TEST=y I attached the kernel config i used for 3.2.9 to generate this oops and warnings. >>From the list_add warnings that come after, out of 805 warnings i processed, after masking with XXXXX the PID and next= values that kept changing in every one, i got 26 types of MD5. I also attached the files relevant as an archive to this email. The Gentoo bug i opened is sleeping, it seems nobody has the time to at least test to confirm or not the problems i'm seeing (or everybody's thinking that nobody would restart auditd so often, so the bug it's not that serious). Thank you for your time. On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram wrote: --20cf30563a018a72ee04ba7aceea Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Finally i found some time and spare server to retest the oops and list_add = corruptions i was getting with the 3.x kernels and auditd 2.1.3.

I t= ested now with gentoo's latest stable 3.2.1-gentoo-r2 and kernel.org's 3.2.9.

Both get the oops/BUG in the same way and after that, they keep pouring= list_add corruptions with audit_prune_tre(truncated?) and auditctl as comm= s.

Since this is not about Gentoo's kernel only, i'll post h= ere the oops in 3.2.9 and also attach some list_add corruptions.

3.2.9 BUG:

ker=
nel: [  301.240011] BUG: unable to handle kernel NULL pointer dereference a=
t   (null)
kernel: [  301.240305] IP: [<c1238dd0>] __list_del_entry+0x20/0xe0
kernel: [  301.240481] *pdpt =3D 0000000000000000 *pde =3D f000ddc8f000ddc8=
=20
kernel: [  301.240698] Oops: 0000 [#1] SMP=20
kernel: [  301.240910]=20
kernel: [  301.241030] Pid: 642, comm: fsnotify_mark Not tainted 3.2.9-drbd=
-version3 #1 Dell Inc. PowerEdge 2950/0CX396
kernel: [  301.241370] EIP: 0060:[<c1238dd0>] EFLAGS: 00010287 CPU: 6
kernel: [  301.241498] EIP is at __list_del_entry+0x20/0xe0
kernel: [  301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff EDX: 00000=
000=20
kernel: [  301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c ESP: f47cf=
f64=20
kernel: [  301.241879]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
kernel: [  301.242005] Process fsnotify_mark (pid: 642, ti=3Df47ce000 task=
=3Df4f47c00 task.ti=3Df47ce000)
kernel: [  301.242207] Stack:
kernel: [  301.242327]  c10813c0 f47cffa4 f4f47c00 f4e70888 f47cff7c f47cff=
a4 f47cffb8 c10f6976
kernel: [  301.242882]  ffffffc3 f4f47c00 f4f47c00 00000000 f4f47c00 c10530=
c0 f47cff9c f47cff9c
kernel: [  301.243438]  f4fae544 f4fae544 f4c47f58 00000000 c10f68f0 f47cff=
e4 c1052834 00000000
kernel: [  301.243995] Call Trace:
kernel: [  301.244119]  [<c10813c0>] ? rcu_check_callbacks+0x110/0x11=
0
kernel: [  301.244248]  [<c10f6976>] fsnotify_mark_destroy+0x86/0x120
kernel: [  301.244377]  [<c10530c0>] ? abort_exclusive_wait+0x80/0x80
kernel: [  301.244504]  [<c10f68f0>] ? fsnotify_put_mark+0x30/0x30
kernel: [  301.244631]  [<c1052834>] kthread+0x74/0x80
kernel: [  301.244756]  [<c10527c0>] ? kthread_flush_work_fn+0x10/0x1=
0
kernel: [  301.244885]  [<c1582ab6>] kernel_thread_helper+0x6/0xd
kernel: [  301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 e5 53 8=
3 ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 8e 0=
0 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4=
 14
kernel: [  301.248195] EIP: [<c1238dd0>] __list_del_entry+0x20/0xe0 S=
S:ESP 0068:f47cff64
kernel: [  301.248414] CR2: 0000000000000000
kernel: [  301.248538] ---[ end trace 15082dbfb353f84c ]---

The kernel= was compiled with the following DEBUG support (the bolded one were request= ed by Gentoo's Dev:
CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=3Dy
CONF= IG_SLUB_DEBUG=3Dy
CONFIG_HAVE_DMA_API_DEBUG=3Dy
CONFIG_X86_DEBUGCTLMSR=3Dy
CONFIG_PNP_D= EBUG_MESSAGES=3Dy
CONFIG_AIC94XX_DEBUG=3Dy
CONFIG_USB_DEBUG=3Dy
CO= NFIG_DEBUG_KERNEL=3Dy
CONFIG_SCHED_DEBUG=3Dy
CONFIG_DEBUG_RT_MUTEXES= =3Dy
CONFIG_DEBUG_PI_LIST=3Dy
CONFIG_DEBUG_BUGVERBOSE=3Dy
CONFIG_DEBUG_INFO=3Dy
CONFIG_DEBUG= _MEMORY_INIT=3Dy
CONFIG_DEBUG_LIST=3Dy
CONFIG_DEBUG_STACKOVERF= LOW=3Dy
CONFIG_DEBUG_RODATA=3Dy
CONFIG_DEBUG_RODATA_TEST=3Dy

I= attached the kernel config i used for 3.2.9 to generate this oops and warn= ings.

From the list_add warnings that come after, out of 805 warnings i proce= ssed, after masking with XXXXX the PID and next=3D values that kept changin= g in every one, i got 26 types of MD5. I also attached the files relevant a= s an archive to this email.

The Gentoo bug i opened is sleeping, it seems nobody has the time to at= least test to confirm or not the problems i'm seeing (or everybody'= ;s thinking that nobody would restart auditd so often, so the bug it's = not that serious).

Thank you for your time.

On Wed, Feb = 8, 2012 at 6:11 PM, Valentin Avram <aval13@gmail.com> wrote:

--20cf30563a018a72ee04ba7aceea-- --20cf30563a018a72fa04ba7aceec Content-Type: application/x-gzip; name="parse_oops.tgz" Content-Disposition: attachment; filename="parse_oops.tgz" Content-Transfer-Encoding: base64 X-Attachment-Id: f_gzf8t7kq0 H4sIALFyVE8AA+1dW4+bRhjd5/0VSH3JqskGhvuqTVW1VduXKKoipVJVoWEYbGQMFpfs7r/vN2Cc XbxNdi2DZ5NzItnx+pi54XN8mAE2vKplFDDmXOblIjLPJoBJ8BxHPVu+a3avrf51/1/PPrMsn7mm b1FFzkzLpr+eGZNUZoy2bnhlGGerIlssm8/xZFXPUaF58eHnv97++fb3K4M3Rp7Fr/OsbqJExu3i Ulwxz4ii7i88Sb43b1z3tXnDzRcX53/wKrnmlTQKvpZXxrvyWla/JQtpsNA1z4ePGKKsqnbTZGVx aRTypnn1ZlPJj0a9LNs8MWJpdC9fCMsXNo35xUsjbhvjmteGYbwo2jy/uKRn+uCPfytcXJ6/y5Ir o3vxkra+XlPF2yRrok3VFjJqqEbveVY0kli/Gx1+7Z/sS3YZvkqqOHn1kUaSqmQb31nnv/A8N95X XMir839+EJZp8zQO3vxLlaiKqM7L6w1vlpEqqiyoC7yg64KOy+wg8Vzi/vRgNz2aY9qxacu9MtN1 Q0QmiWiPNvb/m0o9zmNipHVRNll6S2NZN1V5G615tSJyGBPZYlu2z13pEbstGr6IxLItFMcSnirT 7UluYAaCbVuwbht5E+WlWO3qSR+w2f2N+sLs+P2glIVUtTRfq4cdJVTtuEtg7n1CGu4INKz0sKwk V+21QyL6W6LLAtsh4mr3tu/Q28Hu7aEuW0KU5m29jK7LahWlakAtVS9raCrjseqPlawKmW+LjJYy 38hKDT5Rk/NTf2WPis19/bemKOMg/WfQ/znwLej/B+g/9B/6/yDG+m96xy/jAP23iAb9nwG66n/q cs5CZkL/of/Q/+kw1n97AtH9gv4z2zP39N/B7/9ZoK/+Oyxx+GP1XzQ5hP9Jwi+6xirZX5ck/0oJ U9VEW24pibRCJcFZIyveyJ5WD/r7Saj5VmB7H+6kOqWHrFgMRVtBp7GDJvuxY6my+w9QU/oPVW2u bIBEmMjMHMiuHaQ7ciWFzD5SAVne9IrspsQOk57tcOmFflebQjZ5VqwiLlQNEv9eBWzG2Hibqsd9 5WN86ADbCXxzO4DXfCWjdkMk556PsTS+2/qkpB2mSDPlpbxYqI12bQ+G+iWhpeo31K4tMsHrbrRt VUX2iZha1h1iLYtkXS9U/3BLEcWWGNA/5Vh1Z8k7Vufg1q4TA99Kti3pK5oVZdL1tpmorXkDMTSD 5E571FZpgFRPO4oYDqW6Qah6sL6tu0Kbkhix6j057LA2Z7Lbkig3t1FTRkpAh93a2ZYnAkeKnrWJ CnkdkRg3nqNGTBAtHYrzLN8biqMqyUbQt7frDNVOFu/s23VEz5MkBVU3HlumqhxjX5d5HwFj/3fc 45dxiP8j/80DXf3/icf/4P/wf/g//B/+/0SM/d+bYAbwS/7vUNjfy/8+/H8OwP/h//D/Q/0/ThPB t5TVmvaoUlBjqMzOdroaWiZXZTv4xYBfDBpi7P9+cPwyDpn/9bD+cxZ8Jf6P+d8p539Dy/vs/G/g Yf73mWKk/8zyj18Gjv/qC131X63/MS3M/yL/6Zz/kOaQ5p43xv7vhMcv46D8B/+fBRr7v+fTD0Pk Pw3yH9b/fjP5zz3B+l/HfmD+z4X+zwFd9R/zf8h/+ue/WDphP/+3Wss1ZQ2xlFE3DUhMrib+YiRF JEWNsef/86//efj8T8z/zQJd/b87/stN5D/kP+S/CTHW/0CX8z+Q/2aB1vpPv9iR/5D/9M1/SHVI dc8bY/8PneOXgfk/faGx/3uBeLT/I/8h/yH/HYA9/dcl/3nQ/zmgsf6HkiP/If8h/yH/If9NhZH/ 26Z9/DIOyX84/38eaOz/3PQl8h/yH/LfhBjr/xQ3gPjy+k9/7/4PHvR/Fuiq/1j/ifyH/Dd3/mOS e0Gfx5aSNkhfT7neNF3zu9Z3u4glEBe/Foz9f4L4d8jxX+LD/+eArv7f5b/k0ef/wf/h//B/HP+F oT8Re/5/guu/Pnj/F6z/nQUa+z8Z2qPP/4D/w//h//B/+P8TMfZ/Z/7rP+D+nyeEtv7vhyKUuP8n 5n8x/zslRvrveLpc/w3Hf2eBtvpP+Y8iCPQf+g/9nxAj/Xc9Xe7/AP2fBdrqvx/G3HGg/9B/6P+E GOm/Z57k+p/O/vwPzv+bBbrqP9Z/Yv7nxPM/bhDYve/VYimTSHS2Rw9cTSjIzvMwV4S5omeNsf/b 3vHLwPVf9IWu/q/yn2DIf8h/yH9TYqz//vzzPw+u/8Pxv3mgrf4/7frPyH/If1j/h0yHTPdEjPzf P8H1X3D/3xNCY/8PJVkL/B/+D/+H/8P/p8HY/7VZ/4nr/8wCjf2fmyHWf+L4L47/AgAAAAAAAAAA AAAAAMCh+A8fQCAcAMgAAA== --20cf30563a018a72fa04ba7aceec Content-Type: application/x-gzip; name="kernel_config.gz" Content-Disposition: attachment; filename="kernel_config.gz" Content-Transfer-Encoding: base64 X-Attachment-Id: f_gzf965ch1 H4sICJh5VE8AA2tlcm5lbF9jb25maWcAlDxdc9s6ru/7Kzw592H3oc1nsz33Th5oirJ5LIk6JGU7 fdGkidpmNo27sXO2/fcXJPVByqDj7UynNQB+gQAIgKB++9tvE/K623y/2z3e3z09/Zp8bZ6bl7td 8zD58vjU/N8kEZNC6AlLuH4PxNnj8+vP08fLj9eTy/cX73+fLJqX5+ZpQjfPXx6/vkLLx83z334D SiqKlM/q66sp15PH7eR5s5tsm93fWvj643V9eXHza6A0kOsrnBTo2h+8UFpWVHNR1AmjImFyQIpK l5WuUyFzom9OmqcvlxfvzGRPOgoi6Rzape7nzcndy/23058fr0/v7QK2dmn1Q/PF/e7bzVjBJKc1 zYWqqzIhmg3D0kzQhRKVpKxeEU3niZgN2L6poWJLVmh1EFlPpSAJJUoPZAabsLJWVVkK6SGUJnSh JYGR93BzsmR1BjMt6K0WSOM8r4Yfn0TB6iQn/pYUjCUGVuekNENphmyPJVIzS5exYqbn+8vjirR9 jxECut4HTyuEgfMV47O5N3+7mTm5dSstaZ0m1J++XCmW981VyQvDR2QJjnBN5zOSJDXJZkJyPc9H I82JqmlZ1TzJzD5zjWwjyfhUAp9AxjJy60+mI9E8Z/VS3SqgzZC5BENJ6GWNTAMkmFSZtlPBZkno HLaew44q/omNREIxXZV1yaQdgkjm7YvdzA7F8in8SrlUuqbzqlhE6EoyYziZmxGfMlkQq7KlUIpP 9yatKlWyIvHRPeM6wby8iHGrFGVl5FzVBdiD2klU355UYLssYax9qxiqFiXsDjAsATMD3OPFbG+e LWXCQETtwmEXBR3InF2rVV6GMF9uW5qMfLqtZ2rMLSflNU0zAsiTd1+MYX63vfureXjX3P+chICH n72NWljRMnJFPJvYGzuQBzApJ6dPj59Pv28eXp+a7en/VAWBNiBmjCh2+n5k9ay4cPlnvRLS21UP Yk39zJ4ZT4avrz8A0pKxNQgITKnQJPMNOOwGK5awWjOlHNTo8qK3pBIEoKYiLzkIwUk/EWAxyZZM KpAhYMnDy+eHd381L1s4bC5RIth1LUZyvwApZFk9+8RLHDMFzAWOyj751svHrD/FWnjjh0P3oumP 6wvnmMCMfgi//nS4tUAkvzMhc6G0EYKbk78/b56bf/TsVCvfMoPBWvKS7gHMv1R7+wsqzNd1/mfF KoZD95pMFWi+FJTB3hNKtc+iMa5eXqJrTeekAGOILFQTtTBnl6doBuQsdDeej1gjMC4MpagKHRoF Y1tGP1vTPoI6x2AM1JKNrXN/2hGZgKKpTsng/5Pt6+ftr+2u+T4oGUIe2PqSSGV1GDl7QY2BtVOG o9RcrPYxxkwDC8IeDTk4XRQMp57DeZIETArmYNciaTVR+2sx3KgB5+9/CbC81AaM7jvAa+v/YMc6 4FJSgFdoTEzQxIHBRBGqo/2m4IPBkVLPcfXqphsdny9aN/PXGGJF2nfvQNCrFFjOU31z/jHYwgo8 XgJnIlj2OTDYeoqe7zmToiqVzzIHckcUMqsWncLsP1nneb/hkqPrgbMefAdPxMwq6pInLWY8KwMO dUmy1k22qgSmGhk+B1cM6GowERLle0sHh0saX55l1jBwSrisQ8zQXwo+N1iPFU/0HBcG7bdFSabZ oh0ac5HBvoIWgBEbZlSBF1F4v40t9X8DQ2UAMHz2fxdMu9/9HJyAmJNvbyIDza1KjfsCekXBZcIX Y9zO2+gyQT7sKS7xxpT2fpQxCtYDRXgyPgRAIQvoFhy4YE3WicACyIon59fB6m2HddyzXgBY3eZB 9x2sxpvMhS4zPxYpJS+0p35BoMKyFARb+sceVeVC1iV4pyYoHRnnKHYKzlidVv4hklaaeZEAK4WP VXxWkCz1BN74gtIH2ODSB6g5aJrHfy4CvhvfPwnlI5g79F730ay16m0qoGxevmxevt893zcT9lfz vNtOyPPDhG5en3fgsg3mPuxisPgG3NkHVMJa59vQgZbUy9z64MhMl7nr3zc3/c7w+s+Ky4UHU1k1 dZ0H5gG8UaIhKl/gCpWRKSbe0Fd4jomUQ0yBWWTLUOEogtDnjyovIUyYMlQ2TSuWppxys0Tw5DOQ AmMAqPGWRrLGQS5NFA+jjFMEC+sEjBssJNMoApQbhdvoxR6FcyEWI6RJDhCtZWjghtgc1jlnWRls kW0o2QyUE0JDm+lo11aTkmMDlLzfPh83X8HuMbIoBSjvCJfzNbBsQCs74ojI2mLgRyUL8Ac0T7mf dRrrQ13k49lZ3gy7uReyAwk0qhVJ4WjMS5OJ6IMrKpbvPt9tm4fJv5yC/XjZfHl8enz+OqhS4Dka VlAxZ5L5qzVyyovUC0rgVMuNVfF30loeZRTq5myQw1wkVcYUJuYmsZQTOueFZ/amoY+STROS+lh3 hkxVoGceOOOYSg1nj2YzyfVt7xqLibr/1piQ1rcvXLgDsRDCC2Q6aAJuahbMusPQ1HNtuzDJI/fs kMNBg4idcngzgQMRWDvuzclDc/cA+9r0IVhJEqKDjJzNSzCbywJdux3nsw7R1VPcufFJj+rvv+nM eP1HEyqQYsyN9kirohUttCOHHc0tTucikkM9AQW4ohps56FFmIjnmN2wdEcTvcHige4NFgeEh1ls SaMs9rAHWezT4SweURzB4hXoOzuGx47weKo3uOwRvsHmkPIwnx1tlNE++iCnA0Kc1WMShNedkTdn gZN+8MTFqvDPuCFatBa3fNncN9vt5mWy+/WjmdyBf/eludu9vjSe/dUchhQFU3Pf5bDxtHc88tnc hnvWYX3rZqTiWXKYJIfpk+SPyr892UvG5qVNSYTAKZ85wuBGiq01KxKT7G699MhdVp8ZBqdayFsT cGaVZOPuLi9gEzh6ktqzR+RcA7NNUta6I2GADrMmS26i0Qq2EQs0RT0VQjvHfji+Wa5H9APOXOWh iKsY4sMBhFY0isvzNY67jnVYwpbyKuf8DfRhfH4Qe4VjF5EpLf4ZgX/E4VRWSuCmLbfOOxMFjl3x AtyqkkYm0qIv8SA8hwg+0u+MQYw9W58fwNZZZKforeTrKL+XnNDLGs9kW+Q/MbNjIubgIjgnWuB7 ZjSoVfqIGlqVsbdA7g7MZdSufZLBv+4CPAdw9wf74ERUwYWV6SM7j/e/JkkSUq9Ke12iaj8scrNd ZuVsZIbCvLsBlQIcQaSxZpkNTagob0Ocia1KiNJqmCNdqCoP0aClIaBd6/XVGCyWI8vJC55Xub32 S0nOs9ubDz7ehl9UZ7nyDg9DDPbRzXgfbIXKFQOMMCRPEHJzoVQh3UPsWaicaYL2VeU0gM9Lpt2h M4Kx3F4mQnjkMSmxId1wuIo8r9qIFTPD9l5U3Zxfh9Zd5f6pZEF5cGNtEun2Fm+4bEC673LihQjj kQ6+FBm0JRJP4bVUEQWySmAi6ZGEmAuQPaBkUoDXYNN8UykWrLDHTx1eRFi5oWwP0MtDoN8GAfse 1X9SuHxHjqaoux7MNQT4HVmCdc+LPxiNMUBD4Azxb70EEuHJxjL/GKQbtQDdn+LXcvwj7n06nhkW pXxdlZgbkHMqhSlrGUbuQfsMG1Ajlu3hgRXOOKZkbyt8XbVqX1Y8YFwhjJsGbgS6qhZ3haa2HO76 ys+hmnIBkabmxuDsJz1zf0YtRhaQjCsGyvmtAkcvkbV2NUYjvM0HhehhOVV4neq3S0H3zQ0EKwhS pmDdxjiaZSA0nQeYA9v9e+8sYzOQq9atq5ckq9hNv+yDbbtJ5aSoSCAAw4wcDllW2zjsra2UsO38 W96+O3Nj6qu7S5axfJTaMXtpCxV6R9nvLANnttQ29LD28Ko3yianaou4fDGfSRKCDmxyVxViVjO7 Oe9zRGA1ffm23rIGr7gK0/4K8+O7hExuEqUukEjkzdXZ79fhNkdd/cHfjoQA8xVsv7IXHWMT5F0r wjEG+2CM3LyaMcNi/KIlY2AMjRsSUbxSjzTdegMQ6AhTYyFlVYbstu4HGCcTZuTdKgZC13x8AoD/ YcrMxOrm+irw4ebtScpDB7cj0DIIbczvWpGCa/4JPVOdGRirOTg6qi5nEOBaRiQjNLAyEZ7os9TL zCpGjRwGuX7q8swmS27tP8bZT/X52Vmwq5/qiw9nuG38VF+eRVHQzxk6ws35YBCdnzCXJpwOZJit GR5sUUkUWMAqx7KORqe4OeNhodIY4PPQ/kpmXABN9nxeW/JlsSrUUNubvXzwehuW6a7QjAHAJ+uu V5aJEjg+t3lXI5jRcjlnjTuJHS7tXK5i85/mZfL97vnua/O9ed7ZbAWhJZ9sfphq1a1frtoWokXO ub6ODXes8loany3H9NEM6Akn/LK356lCgXBKrMLQ3yIZdQ52inkOfXN3DTHql9ARYEo0HEO3Y2il tW8SLDAlY0gSHAL9yEwpsT/rHlOT2UzCIYjrlaVtva+9PmilICisE5VgfpubegaKa2rc6ltGpH99 4aY8LocYTZLyWmUi5hXC3naxwmhiAjxtkE+8VMGSqCl+jWmRsXoCt2klw0NtlQZwJ8GgYOlL8+/X 5vn+12R7f9deEQ2aZGI2yf5EltiVtYZhky10nYllncFByGQEmbMiqNhxcSkfFWPZiUxft53STf4O HJ80u/v3//BuhGkQZZk9mQlzXOH6ZtF57n4eIEm4xP19hyaFpwUGZEYMIa6HENYNPKIUOYiDGi+D FtOLM2CYvXLGZ8KMU+H8FA9IRhlAAIEZkLjhbxvEAxxLoMp83KWBRQuGRk6P4iM+qL1Ni+uaVTNd Ydd7cz1OYRtiLpbRjkqJa4fFEcWxiMj1GYayBja6l20L1tuL5kG2FR7w5RSHK/rzInL8w4G5xpid J3URVg5QSiKlNt3ZalQJw0uYfsLFnh6yn8396+7u81NjX3lMbL3Gbjs5nbDvr0933anY+dS8SHNt qls8CyAksx5G7zSb4pc5I8n+FT4xBXj+Ra/rz4DRWbf4nCssy+e6hMNg//WARWkIROD4XLAw7V/Y 8jS7+qLZ/Wfz8i+wjp4H0MczdOEXslUFXwehI9PgeN0i8+KF345DAAFc4eEzDoCSZAlOu/GkTOYk 0G3ApnwK/j+ouC1YxUZp+y3BllgfLaggc522FMR/iNHjlkxOhWKjccsCrxYzy+UlP4ScGUEATx/P GJv52oFxHZAlpqPqFmINIRY8LAUzHK5J7LrOZO4UPlHuZmo8zTh+nUo446uiCIttQqK38LYTE7y3 UZyQuIiPiY/udsoYZtctVSbFHrsSTjCTrmlpPJdZL45BZqtDTtE0e4+m1ZRTtOGKKb0SAjdaPdUc /vcGhXqb5Bb8vsMkS3A5cQ+iJ7GPJqYZLqU9VfbGXMDtxmOYngI8U1x+ewqeQbQj0BvCvtxkzPcO IUfjj9DdGDcn96+fH+9P/A3Nkw+Kz0KrsLxGOgOh6o5K3xCY+w0TUOckUibX0UDAaD1pMHB5iae3 gTTl2cg49sComzJQeELt/N/NS2OsPpx1OwgFx28V99qbNfJigQ/fImv7lOHgNDrKzH8NWJjaxqIw dXILHFobHgZj+0h3zY2z2KfreRwl1bYWUNQJpWjNskeiqC7HM+pwVWLSfLjmBDMiOSkSLO8aUKX7 I/W4+eXF5VvtuaTR9rAhNvdVHME/VRxgXU9VlvoIKkWKI/ijeGwbhk113Al24aCwmkrNNeatDCTr 3o2wurK2buF2cr/5/vnxuXmYtE/FMD0BR6uVVQxlpt2ig553dy9fm12QdQnaaSJn5qA3D2RipmSP urvnPL5BRpTiKX5FhjZol3N0g0RFzi6MeI6f/hipiaxtLuKNbe3oD2xRS1GkzkQdHLZI9yzeQXrz CjZWdILRA/WRC4LzKlfqrfkClSi1Am862IVAFCHouf/WxEUxN2+27C2Avi2PWLqjp1mldCQhhJGL 3LyRfGvxHXFRTG81U5EdHajc08q3qA4Ix0DUHVYHVxFJ7yKk4wPnIC1bxt+yYPRHKZ2jjYULCOmc qLll6NENoqUBCO3YmRoT8BKCicglEELuHuEfTT1eVpw095PIKP4NYXKBqfsGwaE5CZUeO31bp3gs cbnQ/40i/1kJjccWCPHR9q4lZyQ74rTqiOnRFqL11Q4QaPfxikMD2ttfpTmeZkQbyJEzf4jaWfCj qUc3Kodoq0u8/IyX5rMHMdRS7R0RvPzfI0KG1ARXktho6Srizh9A2dsadwE2SsgAWSzAcFhe9n7b qF17aKFlwx4Bo96ljo/Q/qs8h+jDsQDaHfTsjyA3HiCD2CfAVGOfI60LguY22rkVs2ycthp6a8/c SKYqIIWFv00ETDhAJMnqABbC4Mo8TzlAQmS7fTGaSFBmxHgUi5nfdTKd1bnC9a8nENM/aIHrgKWZ g323NWVvkKg5OUfmNhDkyQd/hjKJZF94idsXonHLmF1Eoq2p5En8fASnALfiy4wU9cezi/PY8x1a RGxGltGYncHzoESTLFITdvEBH4KUUxTB4N/ItFawHpdXxu9F5tGWnDFmOPEBL4c2XIy/fU4oPtMp bCQxVTRLRFxk6fmwMrVfd/BvYNZlH5O2CfvJrtnuRneaZmJwqs8YrtNzkksyugHpkTRSIc1lgsvL FOcdAYOwliWWKzX5fFkFWfoVN19b8d9nrpiNlv0KIgsKvxFA05nZoPPAZmYWVJvqfpMexpfZNjS+ NMuE+WjPikjzcRtcLXt6yWbxjwgMnbrk4ugTBB3a1WOTzHSWYLd+PaVZ8j6XTFmZe7Pud5/xqW2E 9Af2p2PTCGK/jCQpgpDUVHuBC+PLH4YNvuLjE/SVYwe7aaluTr4/Pm93L81T/W13MqyqJ82Zwt33 nsK9gDY377gd4DnB7ZBMFzyL5hrq33H7SgnHHXLKShNB4OpfpIFKWLVNmr8e75tJ8vL4l3urOXxA 6PG+BU/E+Faucq+4XVBV25utk9Pt58fn02+b3Y+n168eF0HKdV6iFTLg1RYJyYT/6LOUru+UyxzU go3fGKUr8GFIUP3Qk/Ki/cSOV2C2Bs+upzBfMPImZvYskXwZMc8tAVvKiF8AelDPIX6RS67QEhrj WY7KloeCoECDco2b8hI8E4F+b6EsvLACfvQyqBSZDfnD8mWz29xvnvw71aIMq5/ah7zBnXD7tjc9 8HWN8s86ZphbNOVgMQ7QmBESQn+/xq/kO5IqVuncEVCxsmkbtLKxI8qCZ8c+1NaW2vr+m49I5/K2 1CLD3wz3q5DT4M7O/K7b58S2+CNWpNZ1UEzjnDZ4tcYfNPU8OvRCW5J8f+WmptQtengW4ePsl+rO ry8/Xu2Pto449jSRIjcOAE2WkToqTWoBGlezSEqkG2J+mB8ywi/FCtBFZT6udpktzy4iz7G4ou13 dTDD5L7Q4Nf8ux9Oo56au20D5GA2N/evpoTRhqGnjw+N+ft+93NnKjgm35qnH6ePz182k83zBDqY PBhz6j+IN+8E9KikpX9VD0hFNHZBY1CzJJgc/K7HT9N7aMkPyAaQ0WRfOiy4q06omZQi/DiQRwcD 4J6OR2PrO1Hnzly3uy960ViMByTWbKZIWgDYev/t8QcAJtvXHz82L7vTz69fvzz+DNPIlhn7L9X2 poq9Kt23CHlyfXXYZMF4oxoOJzuU+1PednP2p9p1ccx0zYd9/p+xK2tuG1fWf0WPM1UnZ0Rqox7m VFEkJDHmZoLUkheVx3FOXOPYKdu5J/PvbzdAkQTZDeYhi9AfQRBrd6OXpUu7DjYr5VPfrHkA8UWw dE80h9Jg4shZnOhgbw0mCVfzsXrKKDoxYmO3f+21lEW0jYUdE8jFwrV/OEJmvwChRUIDQruFNrtZ Xs6WdshH5RxkPyVk4HD2a80MjiJ7t0Sl56xoabkDcR37UCuI/UWp9FZzx951eRi4U5h66A/1a8BU 0LqeposOxxuaXWsQEbDjjHqixcCYjnSBjIP1VIyMalkk7to+YofI99zgNLJuysBbBtOpfa3D3hKa vlRqZ5GBjCafNavf7jjXExOIaMzUkf79KOxHB0KU+csMIKxKyp2hN1Vl9X04qaCS0XVjvx6uqqV1 E3Usg98+P779/a/J+933h39NgvADMBgdC+VmLMwIcvtCl9IKgis5k6TTflNnMTwWZYFWRWGXo29e tiObENBsju51vH+5xBXFtioA/B+FJFNWUJQ42+1ocx1FlgEqeuQ5DYyeLV/vnt+wb9964y/Rur0e cfNF20AT+K+I1N8DkFE9iPrEhFLlIK7CPwRB8zP9UoyPeukFhtDEIrc3Is6OMapcTANiNW+ZS0pN VS60SufB90Fw2m1mGm8HzcdAm/Tk/grmBCPDBDLYCJev4DqTZ8cLbDkntdj5N+1zRlerqFDHmtu3 rgDJ2PrpScOaUmuyH9ib50fBytqAGsAeLw1ofaKsv6/kNXA17VysC4ah6fSiPlg/OTlUiWVowxwk RpdWkOrWoDEdzEYLoggSSakjErHz1d4OZyhwlx2l2JWQJFShH8Wb7ERQ0IM2OBOE4YJO8tJlS+EV J9g/Qdx0vX531Qhiv+vPVJCxmRibas1UEupg+OmDViDlB3bZwC61pZ9VFGYlWgmXbco0pz5eTzNn 7VjmrfCZ63C9cVdlhbbgygGGh+24IKvXvd0yWaPcdiyg76hlIgPddxhmVm/oJcPga+o5WcwCD5Yh zcvWDaRVe4p4q+bDBeacpRG3sX9hBr6hj+zWcW6rIAxm68VPO33K3RIifyVz5o5dP866/mj2KxnZ YfPE45jO66lrWXPbfucZTdv3Gcr9pQj9YLCjQvk+v0ia778iRGLr5D3Ir5VlsWQy1BOWc4Y0dSuo xUo1bxb2TrAOwtCedI4PIJkKWNTzQE/nrYH08/vryxOGT5z87/H9K1T+/EFut5Pnu/fH/3uYPGLk 1i939w8dLk7Vujcd9ppCu15DweDrA2fpMitOtxk+VVXHY2QUu1TOGEXbbhtmFL7lvv+R9z/e3l++ TZQA0/nA5gUgAsLpx0TeV2+/lb3R6zXuxDVtk2hhRjcOt1WyhQrW9rkatch0SFIvSmgfOUVLLTQQ hpJIMvf9dffaiMxurIgHZvkgsYotQwriqY1YCimHnqX5aB+2w6rmFtMCTWTCz2hi4UuQdQL6QqyG lAxnoMm8Rqqm595yRS8MBbDoqzSdV0Q1dEYL1dJpPUpLp9UQmn7OC8HYdymA2PqMhQJSLbqrhm7r HqSfXMZHvwHQuhZFt6ijWrqlATbNmgIkfgFyIb20FCAVZWAHROlHnzmHNWCoDOuSQT7p7yS6HLha bstTAK0Xs3U/bpuc+KMAaJHBCRQaEDLuzWpjGagkTep+8E0qQkmhIrBZqo3iJcOX5bbNThFtsaA0 wKI+zm2bniIeo3STmUEp9KYXZR9enp/+6W98g91OXyD03YSNGUnOBj2JLL2C08UyjoObAOO2/8vd 09Nfd/d/T/6YPD389+7+H31hRbSfvc1Bou3eQj2tpUZKPiXuobpliU6mEIpSmElpgIAxSXxS6A2V imNqVIMlzrBkCJovOrnutAcxelq3pG4bGj9f8tuT+kKY+vLmGtmIBBASMQC6RHUzTdQGJJn6eR3n tftEuY9S5DIOESZlovWHAEuimmPtPsvKCUDDhCkY+VAl1aDr/CSKTqxzfEnHK7pbV1MOshX3vhbD qHhV1/WSZrSk6hqRpYvfxn7Pk7yhNi5HZKDebSV12KZWulclqFSlhX9NJiWj66NdVUld1lWSmBSd uKNfP6Ey0XemQoiJM1vPJ79tH18fjvDnd+oichsVAu2+6G+oiSAGSdL93u2MNvy4xOgbh7H6zxcV ugo9KKQJQdsyP/RzWN4sAW8dumExkaz/S5XpMHuZkdgEqUZYD1VghlHDIvPGA0tqA8B2RftBlOJZ U1sRUZpn4BxqOwPDCaBnX4jHic7R1M7IKkno2ShuK2CXP/FuFpzCgg3c6weHXnjatjL4n8zivoNC XXoJz6mfRNREBlCdE6X7HBahLz7pWom2o0iH32UB/zE9jsuK5uAOnCWJX/TthfXsRuO59+tFSOeM u3Yvxjwygkdgw/Stz2UWZMYWfcgKTktVnvN9Rlokdeprp3vb7HqiYzywbUTuON0K4lKYmw/swCk3 Is1TiXFfBj89x3FYm5wcO5LM99itE/stMy6Q/DKmWWIg0DolJDCxKYAy8lU6Uas5QJs5JfPjBYpx W8dpYstol6XMNTBewow2KPBDY+1sUtLlun0m2ItYmrl/6qJLSfdZQ6bb2ZBpU/KWfKDSd3VbFsnA zEnE9VqYklExOnWF5pzXsTxi2uO681TfszqMXSYLUJWGGHPAXh8GRBQGm70R7mjbxck3NibpMmru w2k30oC9cY25zx1Skuo8MIg4KzgVumCtfhSFye6wo02HofxAK1iiE/cIEJiXIGVsskWeuzgZQ/OJ 9ZXI2U/9SMb+67ymlvyN4bxhbEPkzXlkC0ygKj/NjGYn8Wl+YdwhFI3hKrvVRkFhjvqN9Lw5k6IU SAsHqqaZ5xv5CR49MbJn96XnwtAl429nynTNVvhxOrIZpn4phRm2uy6i+RjpzTx3ZDl4s/XU3Efc m/FPSw9RGBn6fJ0ss3f8DR/Mbnqh1fYXbpJDXRnrrVmHtYJpAQz6yODrW6rua29jf8Zdet/G7FF2 G/MuWSeRXkaZBnSRLYWx/3ogRjC2E0gqM3pjLDxnuR55WS91+HI6H5kLUggjWh3+9qZTSuXWfSqK fYN9ksHanc4oVxbjKdNQJpJr7iYzkg5j/yVJAbD7lkQanSDyKGBvTAG7no+tF1kqVajR9jJBH8HR uQ8nqnFW+Xl+ToTP3EdUIN3Rl00BxvlImTUfVfZGlGJflcYa1CUjT5lPsKLOFX8wNwf4eSn2EeOH iVT04wo4D9NtGNJfu49yRkGg3Ps27KmW78+cj0+eM9exMWOxXxpSpBKQKrlpXPz8z3ff33sqQKDD KJb0LoPEG//ISRJIzjH+V0Wrb5FelLHnMPGbkQ5/OFYAyVG+595+7A29Dr74rAIvHh/RR+u3YTDC 3yfvLxO09n//ekURetEj47x4SE4oO9GMiwyZS4l9z+tX622ev/94Z804ozQ3wzqqgst2i2GY4971 jwFBmbvn/qMJOvr8TWJK63qOvD28PmHg5uam9q3XlEuSVVLoesnySy796sRSJfA8cCqd/nSm7tyO Of+5Wnr9xn/MzgBhP1ocyE8Wh56+tdPzA18548kbcd5kfmHI1dcykOnzxcKjPXh6IOpcbCHlzYZ+ w23pTFf0mulgXIdxtWow8c0N41nTQMrAX84d+kKwAcEyWc0W6xFQQO8CLSAvHMa9ocGk4lgyl3sN JstFinz2yOtkmR39I5NquUVV6WgfncoeZDiBO/cKmcoPJF2i6OLHXcfsthzZQvg3zymiPKd+XkYB /WS0xZwnNxRNxcG45mVtef+GjmmsSsHYNHfeL1BOZRjRztuyKtjfkOFuNEiKIjKjj+tyYD5ioZ62 vGETJIv1isknphAHCXy0z4QQ1g24duQlcumvaXYbDM/CJTlEiAowwYUfVQD8Hr2lWVD9MLxqg9rf vX7+393rwyT6I5v07buhDzu6ePUTxOvp3O0Xwt/9YECaEJSeG6yYi0cNAaELRpQYSE0GfkXP795j XOQOTUV5o/AvvYr7b5YuXgeRiJ2fiL7/rD61v9693t1jKBl9nnb669DR/Aa1mltFj9W5MzpL6lBe AW3Z/jgsA1xbjOGUa13/lWlJo9Pau+Tl2RAq4HzKMb73NbxwpMzNAmYP05eqqhK2r/yYM1prOc/s U8YJ5JedpFl6lWQaJB3SywM+40anu9HGVQ+vj3dPQ6173T7PXUzNaVkXDnt1G50uwi/ic4B3Y92E Ot3HdAh7itD1n+4S0uJS+UUp/5y5FLlOKVFj5hSESL3ToSZ+CuOEsdtputz76Mte3NJkffvN0wvZ GLKlL88fsAyGQ3W6uu8gLvrqx5NteNlLSgKrAeadVaewMzj9Sj8yc6YmQ1duRBH6TKjfGlXvAx9L f4fd/gvQMRiqbsYwJ8wPf4L9hUdGeRKBKJyGMRlcDlZ9k/GmFfuuhTqDRZT1vNsHsIHOtyVxlnEt QuWPHMH0jF2u6/2g3cZbHcxsvaRPUzyOo4BJEimz9MzIucmxl5a3o1rzVrPlz8suZ3TrqQx4Ipwq RGCH63fnwjjiVJLBpCfkdPQc6U6naRrE+Gz3vwD+5MzeKOKgn/24s8H3jlvo8Swj89AB+9G9jA4u is80E8hjcRO9rFsGO0pf2oHiXoz4DqUO7IHGNmZNfoz5P5rI/cgTNawHJhNpN5fa3XkiEyz/+vL2 3rGIogRoXX3kcJaODX3JCNNXOmNJqOhJuFrQgktNxmtQplOAZXLM3oi0dVunBK225v1+TpV2mYlP BXTla7rmvxroS8Y8tCavl0y0fyBzlmw1LS+G6SiUeRczRDJIhqlucB68/fP2/vBt8heMdv3o5Ldv MOxP/0wevv318Pnzw+fJHzXqAxxM6AL/e7/2UMhol2pfHMbMXHW8SmmTMPZIiMh4aU+NU+DbTeIV 6ORbWyGjpGQyfiFZHx8sWezc6ZAvFT+BJ32Gsxogf+i1c6dVcNyAhFGGYdMqTjzBD9FBZIAJ3+2Z cwxQpZ/Jizjw/VFGwLigcrDf6Oz9K7SvbXFnDhhshkq+cvGZ6GR6/DGGTf9GjIDgRjQC2TAqxp5V lt6oYM8lGKPc3Iob6H/RYvLu/eV1uOOV+eT+6eX+7z6h1jKaOqTJh/+o+joKxraCWv34746/ASb+ OYIAruw8MwzjhUcgyFbdLacuohWg1OamcpuphELx2bje6pTbUgiFvoYy558sLeQ669kllO6KMfc1 IEzcghqyuXWnn1ZMxIEWs/rJxVCoMYl/clZTLsSHCaJbhEfuTuD98slbT6ko+ftjYtrtqALYkjmO Dqn1+tgTMbRT7RpErbs6JI4PJ3e1qwo6RtkARR+jDSxczR2aGzQgtM6zhSTOlFHwmRh6UE0MfbKb GFojaWBmo+1Zu8zcaDElfPtYPYBZcpqNDoZR65qYkf6RwYqLE3PF3HilYHIsNBBnOorZ+omz2FuW fNumDXuZeYWUp9ze6FAuGc+aFuGMfXm0wGwY9I7ZfNbK8aYL2gami/HcLeNu2YAWs9WCU9LUGGAs GcnuCtmtllPGL+uKiBeOx0rfDcadkrl3rwg8i3HMTdG+7rfSW1mr/xgw22MbpSsVXCiWBpMwHH8L WI0C7MsDAPYPAYB9I4sTzom4BYw10htr5EhvxwlnaNACRoYjWY80sgzmzsK+mhDjMmF/DMz8FzDL kXcl64U7/xWM/V14li+ny18AOfYDRGGW9rkCmOVyNlrPcjmyeBSGuSe/YtIy0DlcI941toZqlYu9 OsTMXfs0zIOtt1jTY5InLFdePy335chubROXG0ySLEdGM0yEs5rZP0UkgTOf2pcEYFxnHLM8upwb fdNmGcxXya+BRhayhm1ma/v3wTGzWJ5OROxMGjoy8grDOKK23Ip0piO7A2CA0x/hHKFLvZGZUu6T YGR9lEkOTOEYZD4ydAgZaQuaCQV5Nco+AW7pLe0n+6F03BHm8lB67ggfe/RmK48LL9LBsCFIuhgm zqaBsa8RBbHPC4DEK2/BpFszUUsuVkyLgum8tzN0GiRGUOoyWibDW1lOj9Y8qBJdjzPK5c3UcSjL vjY7t1kwFC6PmEoizMh4YWiSlUkZ6Qzz+pbu5fnx/m0iH58e71+eJ5u7+7+/P909G+EYpCRDzgaJ P6hu8/py9/n+5dvk7fvD/eOXx/sJsNtGEAB8bNB/yY+n98cvP57vURFyNXwa3BzitVV9M9VUh2We lyfeckpr4BAgkwWzrvdloBIWB/SULXO5dKYLxu0HiIsp45BdHmM4T6a8hku1C7YTnloGs4W35r+q TJhLkRwz9Ib+ejpj/J6RrmyQGIkKa1f6DEYYb+jMqdPS6a0d6cfEmzNCYU2eOSfWFuMKWUzHIOs1 YxcCZGBgFtPljB57f3NaTEcGcBivoSbGedD3iEd8EQYzLoAB0j/66adLkGRc4gTEHE7egh+WY+y4 qxnf6kLsqrgf+qatQYRwetUZxwerdPd69/0r7hYDk0R/Z4iN8JON86FojO+6oiVkkB1N6fqDYtHg whQLtdE/+wIunoCi8bEKkMzdsCBNbLdRIEgvwMMOI5NsOmYiukD5+e7ySmJc7qYyJMpjBLu4KDIy q2xh+o5j9uRwS08qJBYOw2Epoh8KhiFEcuQxtkCKuCbDXCAp2fn9NnL9jjSuY9Vz/oFTHKhHk+OO +XhMdw8nVBXLDeO2tfNVTi6aGEHPXLKqRFssKENHVeJrt4ZKvslQAAuJmsfbzSU0/R2gRIWdPAhJ rrwWFsCfbRTHhZH0qSYEWX6G9/oDgoqAu4mjsvdSpBUqivBJxBIzKmB2Q7InAIkJEK7vtmGuzbBh mhZxoC1sXtEuvYgU1jE9N69Nypi4dEA/JuVlJy6FBSJhAnAXKFtcnrgVM5eLOG5+cDO4aes8jmnD 9QW7NIaljGL1/aU2DlN76/b17tvD5K8fX748vE6+Xm/aCZYShy4qCka4Bmqe0FIOPnjeiMLlnA0A 4Bf0WYokGcUwGuygRYksWSL0M2NGDMQKpz77pIUmtkzUhc0l5XTyQNvv+OnphA7rcYXV8kcLLqfo wNLYjRRosfCmC1Pt2J2EsPGceotXF14SWJEijZjkux0cmqzekjntWtDOmKN1oTZGoar0D4zxKnYE f6jgTCrP3Imkqezo0IwaUvgzAqnMyYPTix/NVGSwUUXsgrg5F/SpArQZdx7jK7MszDJ2doI8v3TZ Dy0LOJX4RchlSVbbAltp4BcJ5/QEZN6wDBvECSHY74kMKr4jqpB2KVPDUpQV43GGc1DAHEwzJjkl AjYem+YAN24MHyD3gjHSbvb1SxyELDccPr6BpPzP0E2nZU8imcf+ma0heHl+e3mCXf5ak07CNOCu kSMMBqbGOz/A8DHZFhPEYRCNjZHYnqbrXC/LxphVxR4hLG4LPxGbarsVxS8Rr7aqeQGHe2HYFlDo Iiv9fp6cKzxLu+ay+PPi/fQGJY4RkkkVLn9yez5SVz+ZS2xFzdG+GF/EQ6A7i9QOgVUUXeY/mZMO EbJKse1WgOP+dJkjHBHO9KdDnRVxtjPcPfE3XrtVsFnDYiEr7GAGR/QQEsRV6bqG1ZvMqpTic/dR s3A6FvNRaPwo/OOV/UFjo67vVTcFmdwMngSutVNQI7Tho9Zqofbp7mkCpUM1Ej7vz9G3xTDKwNKg IC0lFQ11f2YjNiK+iVKzDKW24twvi+BXv1CHauw3ATpll6UFFxsUISIBxpcKqqCIn27EuV/pPkN3 brZCeGLgYdMln0W/wirgI2wj/ejHXCBOJO/OxWD9G4DyGKV70nlXtzeVwDqXPasaDFMeDJSsXSq0 uR52ovQSfuwtH128pXXCSC+qZBOL3A9dG2q3nk9t9CMcRLFlSJUjN+7jZrthUZeiGA62ciPhPaYQ ArJsRCvNkYqBjvjJkoMMAHM8zhi/EoURpR+fGZNIvXyDDM5Wnl6weRSRfFtBI2jGDclFFgQ+fbSr fclP0Gudp8Na5Ym5EGE/zYmJqNI8ZsQzNfnR7QukKb79Es7Q8mN2tlYD60sKJi2sou9BRiwTX3I5 aRGEofqsb/l0Dv1+RNXOrjvY4pXHuLpjNMuUQSOmAd0HIUPJ9l0HHoMkeNKpTzJx18QN3UfTFA6t QKA76aWN2KbvIR7f7h+e8P7j5cebOpReBhkxVa34lJkZtS2Hc9JnYvAqkA6khsxCxiRbUbBjQBkT Iql344NFx5617oB4CTa+scE0x+4eLfbbOOQdr2ejkmC5Ok2nOH7se3As+oAOWdTkfttVeYE6sH0F AgXv76+AZYkDx6dERmB2qlxnus+trQXm3HGWp1HMamn/asTMlq7lwzPmw1X5JtrVii60iedDLfTB SU/w6kNRvwSstkabK6Bi2iNj7/8bu7LexnUd/FeCeT+YZm16L/rgNVHjrbKcLi9Gps1MC3RDmuJi /v0VKduRLNE9L9MJ+VmWJYqiJIqEZL0D38qX3mIxvzgfBN04xMAArG+8Pr+TxsZtOnjZfTpdy3EE B+4NDww5wTHxMV25kH5WOE52s1xE/xlh64icwybD4/5j//b4CakeMRvEL2m0npJTjV53f1tP8N3L 5/vo1370tt8/7h//OwLPb72k9f7lA/NHvr4fINT/73dTzTQ4q5sUecBRW0c1sXy+xYWe8GKPViIt LpbTF3UBTMexMqQS2Okw+X9iqtZRZRjyM7cfVR9GnI3psKsqxZC53wK9xKuIpLY6DHK7k/aWDtx4 nIjwraOalQGEWCYuUOjoKJON6C8mQ2FUzCxFGidhflVW6FdwWoa97v5AUJTTdWmjsDQMlgP9isZq T966onthOM3vwauYzsfMWZl4PkoZ4WLdcAmncVQoYSUqt7mpqrYtI3qkcZbPB1okiVa5IF0/EDGg K5OBaa4VlODuPCA8ZxUMnUXoCSzECAgkPxYhw3AQdPvB2rjZ7aJbkZXyz5bYfMdvpT8VruUH0rry OXl2jZ+S33hc9geNgFsqA1M57PrF7kAFALirOBEDFrgrL1w5wtDmYjWCADqH/cvuuIdAOr8Pu8/j 4evh+HUwHG2yvFCGVBAxd/KQ6satEVIiJ04apVa0ivZl0vyVvWYYsfDbNl+xiiCIj2byeCCJw/Of P73h6AXSpC6ZzxIqUhaT/2bM9zJ3j0dy0eGoMRdBra5AaQSsrUlaByIv79zExka//HE4PpxpOeIB Yk2o+FEc4l85Yh/BE9LWiFXCQPNlSG+CSPfJvfu5Or2uWIShSp2tglXkW0uEu4uZUFOHdmyfC8vx 9MztsKNDiDgqGmRBJJU9QaYTIkNGCwGPZiqQXovh5TyYfvMqVibjyZl7S9bEEFuqLehWQtyWQ4tA b2dCzRoYwv2/+/TZWBBXCFqIfz0lot22iHI6n14Q10JaTJxOx8Rt4q6Jb2V13ZvmGoS6k9VConR6 RjgMd6VsJeQimFhyC3c0TbltUq/vjtIyfu3xeqUGqRmFWpPRydI93WuQOXFcoEPmw30pIeeE737X U2IzPhfesIims6X4psIAIS7M6xAiEFcHKdPF5Jsa+9ezJeEp3XVnMQ8Ij8oWAh1uZyB5f/snKCp3 r4apd9qO6co7UQn9DElzrEOD7t44PK/HU0A6yz2h0oB1r4HwJDWZfwd2h1NX6AxJbWK7tiY04IKX 5/2bHpkJwjz2Xogpe2txS75U0vuavuUEZknV7aDtxex7/9vnw/H53TVZwMmrCvLkLKxh+16S5MT+ fQPp7090/FJ4ZH7P2+Wiu63f7s1Zle/iUJQfz294gdoSpSDZlDzA0NJTLcZTsom2ok/Fn7WZFUIi fcgn0UPmaVppe56aOaOkSrLJJnFljjhttd4VEXdbfAU2hFx1X1sNET8fXrEhHFt2Ueh0P2vd06Rd mHpaWKQoZvXW472wVElSc9/9SWEQ+s5lZZgyFpoDmA3kVFaJl5kfC1k5whyUVjkxRlZ5vkqi7rMc LfSybyJR6HkfbsWk1k22hlDfQlZpm1zkJbuVVq0Zjr1hllFQccrO7Qp2xruX3Glt7iIjKYwwfVBZ i7zOeRjxyNWXzdOOSk+HKj2lKn2CzPqNM9Pfoxc2M95ENcHs37TTzFbvDfPK144M5A8tmp0sN/UD L1hrJ7M8YmXE47LXsh0ZY/y4p64WgqnqIeLOMKxtFCfqCgFuLUezVnE5oXh5MMD0BadLzVhiP3pq Ql1UOkUhhxXoRCN+XVyqvD4nStgnsCbzD+SIMjw0PMVw1u+6yonjPOQEwuV4CzGL4tKU1RgiOZr9 HvS2NtqGVrnLmq9WmnP38GTud8UlypalVoLwH56nP8NtiBrGUjCszC8WizOjald5wvRUM/cSpPOr MK77v7OkO5kK8/Jn7Imfmei98rTULyWGkoCtfJaUDmFJjrLBP/dfj++j364vxBGiVxcJGzNuHNKk 6jeSMiGxgJ3LNM+Y0NPl9hbSIi2sny5ZVYyeGlxXq0gkvl5AQ8KXa1M9/rHUBQTfxFEgKyWilGi5 SMCFAQqnWnEnTS281iT+fpjiVXjSUgI/CJXqPXCqedWtHfRUcSUcpx/ttHH54+v4e/lD5wR5GGGT z6bn5jMd55zmnM8JzlKP4NjjTEgOXRpVg+WCfM9iTHLIGiymJGdGcshaLxYk54LgXEypZy7IFr2Y Ut9zMaPeszzvfY9UOcvl/KJeEg+MJ+T7JavX1F4ZMOYuf+wmT9zkqZtM1H3uJi/c5HM3+YKoN1GV MVGXca8ym5wta+6gVSatErHWBWFi3udJHMkgUW1s9oe3/cvoafcAUetPylhFZWX8Ok68VWk7ZeCZ qAprqL1VaQu5EihL6OAELOltlJwCnUYZxDGupWENR9MFjwK5INVMsYafVqVQRpU2D4PTJz55OTmb aRHb0aMaFD2/dpv6grNCilYqMYTSrTKICQ98P0+IK0UYPImY7taRJ03qITtQPS4NVtTNciZI4U6t a62DwA0kkTPM7KaANSO+EgyrqmicZonDCojkOIDr3oR+t+sqg9yV5cbu346F/Z9X4nI8OdPsxjwX cnLxUg1YeO4MMSRWLh2TKro86yZy8M7ofG9OnQtkuHDl7hgMu1nTfNWquX8lv5i4GJ5UfgsjghwA 4rtXbDCPgueO5AkAuZpPKxHd6qkeFacAx4vSjPTZgHHfnjgFbASmYFk/gmgP0rx2AAEF1LA9Q+Tl 5fm2s+zdTYS5IGoeVDWGhyeqjO+Blhyoiydy8HQqkyhyO4OeqixrU3uy9cooiaGhhj5RvlW+uyrJ a4GqF5WkDCDWbLV2h+Rt4wquthH38zLqd3MTjbVXHlDl6jCsAuLQVsGIwIsNc+Dmg0LccPBLzavM uTWopCRKc34n68NEv+Z96cSofUCsy5wIfdw0OpGcGJm4tmPU7lYTy062TJQJ5iWuZegp4qGaOxrR K/tzSkPXPwGvTzZznJUK+DQMpTxLHSoqHlknaBokKCqQryTp1OVC15ZS8JoY6FJO6cPkRn5wjEBK 2zDaDgExbGx9I1VODdF4YYecBjcIOZVSFxtR77PsSk1g7tErp/IsuOs5aZ/WYXLJhn+gIdq5vV8P OfwsPdPO0aXS5F1rWVcBPKmF4ipTUyyCOMVdca9Y/ytMXGCXDL6mTnHsuICtZ2aMwH4pxtPSGMp5 2IO0DYZIFNSyhwiaB1Up2hKWQ4LhlWtvWb2X1OUsjNDfD7I842kEDHrqPAE1LO02ptT1YtYpYTcK Dy4gR/iCHgCll0KoFIdoYDvgaN+sQuPuNPwefkDqNUsYO6LbpgD1tpFWpcipO+KcBThA3TMBnEg0 kwAqmkrfNIecBI3mMTZGNXod+ivXGNNmMjkh8zjJb/Qi8CBEhFVKP8tzcNnr63dF7Ul3mFfSUle7 A/qxhTrPENydMwobHo5xiDHMcqVuIf9xVJ/dLs9OFmCfJ9cNYzevwv9fTtzcLM+iy6nFw5cZX9Ix iKm3Q1T0FNFhstyZq7E1qY0qXmrTQ1B4A8MLQvmm7B7yeyRylBLmVysYKJaoR+FOvVLC9u5SuX/4 Ojwf/2p+6qeREZEZQtRWPERGK2E/W73NNRM0SMOKb2jE8qorvNkcGyhVTiFi7SpaTtRpfkccH7YY r5CGakqsnpj7tLbpwFMD6GfDfe7lj24T7RZSPMNsril0pQfNHU9FA41U3PWpt/pWpyIV132KUqsw SWz7LDgqZiUuuYtrWHE1J8oUCOpsoQJ+V2CofyUoh78fx/fRA7gfvx9GT/uXj/1BO0VFMETglvNG v4yGPLHpcn3tJNpQP9kEkMSP0xz7obVXrp1EG8r1w4sTzQYWkEzBTbXBqZdJ08euc0M3040rFoxj hzyaD3Y9h+sfq/hVPJ4s0yqxGFmV2MQC/1pkGJHXVVRFFgf/ODquEmtpKbYS430dn/Zvx+cH9GSM 3h5AgmBz+3/Px6eR9/n5/vCMrHB33FmSFASp/VkOWhlds+4up49H/K/vj7p/R1ugH9gfIuyuCRzt GQW+RUv4jaMlHS+5Fd3JzHr3+URUb234nrSPusrbKmRzsfzP/vNofysPphPH5yK5i4TUa1znYEnD mYM2t2ksWHvoRmO/lqehFEcnWd+tP5En84WLPJ3Y6HLtjV1EVxGSPB/bY1Ss+PjCJt8UCqy03/PH k+k10uoqW1gkrZ4vjTvnGidjqv3pIe5llc8cxfLA7go50dzEzNFvLcO6YdeKggdpyZml7iETr7C7 F6h2g4aOr4/dymSz9u4dur6UK3zP1a2K3rRjf8RHjoIiXkSZ/V4R2Z8obQ1nmzV0qslatqpTE5Xh 9eOw//yUWs0SDWkiwMrZKubecEtulcl9N9Hy3dvj++so+3r9tT+MViqphOsFXlYyaUaqics1i+AS Dka10+zpA8tmFqUFc33jeBHmbPVCci9Sg1nBQfTFw2ZrnGw0e1vsnr787bPM483ayb6umDz/OuwO f0eH96/j85vhjI12k25P+Uyua8DhSuut9tAfPI3AaUiuDX1myJc06AImTNJ4YSLE+CxksUljoqrN p6aG9gm0gygpK50u15o0cAV18KqQibbepyJA3mC70RRGpFoiKsUQc0U10QY0ahhp9NPS8x4YbscV ZNV+cOXs8bLGFGf6ngeQ+js/Zc8kxZxbkA3Ig805jVFUcobQvdSyxDzkT3hV97x/pNj178zBhot5 nvF/jXiLDn39AAA= --20cf30563a018a72fa04ba7aceec Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --20cf30563a018a72fa04ba7aceec-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Moody Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Wed, 28 Mar 2012 13:51:10 -0700 Message-ID: References: <1327519203.4131.25.camel@localhost>

Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com [10.5.110.21]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q2SKpg0b016714 for ; Wed, 28 Mar 2012 16:51:42 -0400 Received: from mail-iy0-f174.google.com (mail-iy0-f174.google.com [209.85.210.174]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q2SKpekW026536 for ; Wed, 28 Mar 2012 16:51:41 -0400 Received: by iagz16 with SMTP id z16so2701503iag.33 for ; Wed, 28 Mar 2012 13:51:40 -0700 (PDT) In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Valentin Avram Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com Are you still able to reliably reproduce this oops? I'm trying to track this down because this bug (or a very similar bug) is causing some significant headaches here at work, but I haven't had a lot of luck. I'm using usermode linux, though, so that might be interfering with things. On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram wrote: > Finally i found some time and spare server to retest the oops and list_add > corruptions i was getting with the 3.x kernels and auditd 2.1.3. > > I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and kernel.org's > 3.2.9. > > Both get the oops/BUG in the same way and after that, they keep pouring > list_add corruptions with audit_prune_tre(truncated?) and auditctl as com= ms. > > Since this is not about Gentoo's kernel only, i'll post here the oops in > 3.2.9 and also attach some list_add corruptions. > > 3.2.9 BUG: > > kernel: [ 301.240011] BUG: unable to handle kernel NULL pointer derefere= nce > at (null) > kernel: [ 301.240305] IP: [] __list_del_entry+0x20/0xe0 > kernel: [ 301.240481] *pdpt =3D 0000000000000000 *pde =3D f000ddc8f000dd= c8 > kernel: [ 301.240698] Oops: 0000 [#1] SMP > kernel: [ 301.240910] > kernel: [ 301.241030] Pid: 642, comm: fsnotify_mark Not tainted > 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 > kernel: [ 301.241370] EIP: 0060:[] EFLAGS: 00010287 CPU: 6 > kernel: [ 301.241498] EIP is at __list_del_entry+0x20/0xe0 > kernel: [ 301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff EDX: > 00000000 > kernel: [ 301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c ESP: > f47cff64 > kernel: [ 301.241879] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 > kernel: [ 301.242005] Process fsnotify_mark (pid: 642, ti=3Df47ce000 > task=3Df4f47c00 task.ti=3Df47ce000) > kernel: [ 301.242207] Stack: > kernel: [ 301.242327] c10813c0 f47cffa4 f4f47c00 f4e70888 f47cff7c > f47cffa4 f47cffb8 c10f6976 > kernel: [ 301.242882] ffffffc3 f4f47c00 f4f47c00 00000000 f4f47c00 > c10530c0 f47cff9c f47cff9c > kernel: [ 301.243438] f4fae544 f4fae544 f4c47f58 00000000 c10f68f0 > f47cffe4 c1052834 00000000 > kernel: [ 301.243995] Call Trace: > kernel: [ 301.244119] [] ? rcu_check_callbacks+0x110/0x110 > kernel: [ 301.244248] [] fsnotify_mark_destroy+0x86/0x120 > kernel: [ 301.244377] [] ? abort_exclusive_wait+0x80/0x80 > kernel: [ 301.244504] [] ? fsnotify_put_mark+0x30/0x30 > kernel: [ 301.244631] [] kthread+0x74/0x80 > kernel: [ 301.244756] [] ? kthread_flush_work_fn+0x10/0x10 > kernel: [ 301.244885] [] kernel_thread_helper+0x6/0xd > kernel: [ 301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 e5 53= 83 > ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 8e 00 > 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 14 > kernel: [ 301.248195] EIP: [] __list_del_entry+0x20/0xe0 SS:ESP > 0068:f47cff64 > kernel: [ 301.248414] CR2: 0000000000000000 > kernel: [ 301.248538] ---[ end trace 15082dbfb353f84c ]--- > > The kernel was compiled with the following DEBUG support (the bolded one > were requested by Gentoo's Dev: > CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=3Dy > CONFIG_SLUB_DEBUG=3Dy > CONFIG_HAVE_DMA_API_DEBUG=3Dy > CONFIG_X86_DEBUGCTLMSR=3Dy > CONFIG_PNP_DEBUG_MESSAGES=3Dy > CONFIG_AIC94XX_DEBUG=3Dy > CONFIG_USB_DEBUG=3Dy > CONFIG_DEBUG_KERNEL=3Dy > CONFIG_SCHED_DEBUG=3Dy > CONFIG_DEBUG_RT_MUTEXES=3Dy > CONFIG_DEBUG_PI_LIST=3Dy > CONFIG_DEBUG_BUGVERBOSE=3Dy > CONFIG_DEBUG_INFO=3Dy > CONFIG_DEBUG_MEMORY_INIT=3Dy > CONFIG_DEBUG_LIST=3Dy > CONFIG_DEBUG_STACKOVERFLOW=3Dy > CONFIG_DEBUG_RODATA=3Dy > CONFIG_DEBUG_RODATA_TEST=3Dy > > I attached the kernel config i used for 3.2.9 to generate this oops and > warnings. > > From the list_add warnings that come after, out of 805 warnings i process= ed, > after masking with XXXXX the PID and next=3D values that kept changing in > every one, i got 26 types of MD5. I also attached the files relevant as an > archive to this email. > > The Gentoo bug i opened is sleeping, it seems nobody has the time to at > least test to confirm or not the problems i'm seeing (or everybody's > thinking that nobody would restart auditd so often, so the bug it's not t= hat > serious). > > > Thank you for your time. > > On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram wrote: > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- = Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 Security Engineer=A0 pgp:0xC3410038 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Moody Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Wed, 28 Mar 2012 15:42:37 -0700 Message-ID: References: <1327519203.4131.25.camel@localhost>

Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mx1.redhat.com (ext-mx16.extmail.prod.ext.phx2.redhat.com [10.5.110.21]) by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q2SMh9Em017347 for ; Wed, 28 Mar 2012 18:43:09 -0400 Received: from mail-iy0-f174.google.com (mail-iy0-f174.google.com [209.85.210.174]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q2SMh7aq021130 for ; Wed, 28 Mar 2012 18:43:07 -0400 Received: by iagz16 with SMTP id z16so2878363iag.33 for ; Wed, 28 Mar 2012 15:43:07 -0700 (PDT) In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Valentin Avram Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com fyi: this patch [1] seems to fix the issue for me. The explanation in the subject would reliably oops my machine. [1] http://git.kernel.org/?p=3Dlinux/kernel/git/torvalds/linux-2.6.git;a=3D= commit;h=3Dfed474857efbed79cd390d0aee224231ca718f63 On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody wrote: > Are you still able to reliably reproduce this oops? I'm trying to > track this down because this bug (or a very similar bug) is causing > some significant headaches here at work, but I haven't had a lot of > luck. I'm using usermode linux, though, so that might be interfering > with things. > > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram wrote: >> Finally i found some time and spare server to retest the oops and list_a= dd >> corruptions i was getting with the 3.x kernels and auditd 2.1.3. >> >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and kernel.org's >> 3.2.9. >> >> Both get the oops/BUG in the same way and after that, they keep pouring >> list_add corruptions with audit_prune_tre(truncated?) and auditctl as co= mms. >> >> Since this is not about Gentoo's kernel only, i'll post here the oops in >> 3.2.9 and also attach some list_add corruptions. >> >> 3.2.9 BUG: >> >> kernel: [ =A0301.240011] BUG: unable to handle kernel NULL pointer deref= erence >> at =A0 (null) >> kernel: [ =A0301.240305] IP: [] __list_del_entry+0x20/0xe0 >> kernel: [ =A0301.240481] *pdpt =3D 0000000000000000 *pde =3D f000ddc8f00= 0ddc8 >> kernel: [ =A0301.240698] Oops: 0000 [#1] SMP >> kernel: [ =A0301.240910] >> kernel: [ =A0301.241030] Pid: 642, comm: fsnotify_mark Not tainted >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 >> kernel: [ =A0301.241370] EIP: 0060:[] EFLAGS: 00010287 CPU: 6 >> kernel: [ =A0301.241498] EIP is at __list_del_entry+0x20/0xe0 >> kernel: [ =A0301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff EDX: >> 00000000 >> kernel: [ =A0301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c ESP: >> f47cff64 >> kernel: [ =A0301.241879] =A0DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 >> kernel: [ =A0301.242005] Process fsnotify_mark (pid: 642, ti=3Df47ce000 >> task=3Df4f47c00 task.ti=3Df47ce000) >> kernel: [ =A0301.242207] Stack: >> kernel: [ =A0301.242327] =A0c10813c0 f47cffa4 f4f47c00 f4e70888 f47cff7c >> f47cffa4 f47cffb8 c10f6976 >> kernel: [ =A0301.242882] =A0ffffffc3 f4f47c00 f4f47c00 00000000 f4f47c00 >> c10530c0 f47cff9c f47cff9c >> kernel: [ =A0301.243438] =A0f4fae544 f4fae544 f4c47f58 00000000 c10f68f0 >> f47cffe4 c1052834 00000000 >> kernel: [ =A0301.243995] Call Trace: >> kernel: [ =A0301.244119] =A0[] ? rcu_check_callbacks+0x110/0x1= 10 >> kernel: [ =A0301.244248] =A0[] fsnotify_mark_destroy+0x86/0x120 >> kernel: [ =A0301.244377] =A0[] ? abort_exclusive_wait+0x80/0x80 >> kernel: [ =A0301.244504] =A0[] ? fsnotify_put_mark+0x30/0x30 >> kernel: [ =A0301.244631] =A0[] kthread+0x74/0x80 >> kernel: [ =A0301.244756] =A0[] ? kthread_flush_work_fn+0x10/0x= 10 >> kernel: [ =A0301.244885] =A0[] kernel_thread_helper+0x6/0xd >> kernel: [ =A0301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 e5= 53 83 >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 8e = 00 >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 14 >> kernel: [ =A0301.248195] EIP: [] __list_del_entry+0x20/0xe0 SS= :ESP >> 0068:f47cff64 >> kernel: [ =A0301.248414] CR2: 0000000000000000 >> kernel: [ =A0301.248538] ---[ end trace 15082dbfb353f84c ]--- >> >> The kernel was compiled with the following DEBUG support (the bolded one >> were requested by Gentoo's Dev: >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=3Dy >> CONFIG_SLUB_DEBUG=3Dy >> CONFIG_HAVE_DMA_API_DEBUG=3Dy >> CONFIG_X86_DEBUGCTLMSR=3Dy >> CONFIG_PNP_DEBUG_MESSAGES=3Dy >> CONFIG_AIC94XX_DEBUG=3Dy >> CONFIG_USB_DEBUG=3Dy >> CONFIG_DEBUG_KERNEL=3Dy >> CONFIG_SCHED_DEBUG=3Dy >> CONFIG_DEBUG_RT_MUTEXES=3Dy >> CONFIG_DEBUG_PI_LIST=3Dy >> CONFIG_DEBUG_BUGVERBOSE=3Dy >> CONFIG_DEBUG_INFO=3Dy >> CONFIG_DEBUG_MEMORY_INIT=3Dy >> CONFIG_DEBUG_LIST=3Dy >> CONFIG_DEBUG_STACKOVERFLOW=3Dy >> CONFIG_DEBUG_RODATA=3Dy >> CONFIG_DEBUG_RODATA_TEST=3Dy >> >> I attached the kernel config i used for 3.2.9 to generate this oops and >> warnings. >> >> From the list_add warnings that come after, out of 805 warnings i proces= sed, >> after masking with XXXXX the PID and next=3D values that kept changing in >> every one, i got 26 types of MD5. I also attached the files relevant as = an >> archive to this email. >> >> The Gentoo bug i opened is sleeping, it seems nobody has the time to at >> least test to confirm or not the problems i'm seeing (or everybody's >> thinking that nobody would restart auditd so often, so the bug it's not = that >> serious). >> >> >> Thank you for your time. >> >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram wrote: >> >> >> -- >> Linux-audit mailing list >> Linux-audit@redhat.com >> https://www.redhat.com/mailman/listinfo/linux-audit > > > > -- > Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 > Security Engineer=A0 pgp:0xC3410038 -- = Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 Security Engineer=A0 pgp:0xC3410038 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Wed, 28 Mar 2012 21:14:03 -0400 Message-ID: <1332983643.384.8.camel@localhost> References: <1327519203.4131.25.camel@localhost>

Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Peter Moody Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com That patch fixes a BUG() . The report has a NULL ptr deref and some apparent list correuption.... Sadly they aren't the same.... On Wed, 2012-03-28 at 15:42 -0700, Peter Moody wrote: > fyi: this patch [1] seems to fix the issue for me. The explanation in > the subject would reliably oops my machine. > > [1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fed474857efbed79cd390d0aee224231ca718f63 > > On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody wrote: > > Are you still able to reliably reproduce this oops? I'm trying to > > track this down because this bug (or a very similar bug) is causing > > some significant headaches here at work, but I haven't had a lot of > > luck. I'm using usermode linux, though, so that might be interfering > > with things. > > > > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram wrote: > >> Finally i found some time and spare server to retest the oops and list_add > >> corruptions i was getting with the 3.x kernels and auditd 2.1.3. > >> > >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and kernel.org's > >> 3.2.9. > >> > >> Both get the oops/BUG in the same way and after that, they keep pouring > >> list_add corruptions with audit_prune_tre(truncated?) and auditctl as comms. > >> > >> Since this is not about Gentoo's kernel only, i'll post here the oops in > >> 3.2.9 and also attach some list_add corruptions. > >> > >> 3.2.9 BUG: > >> > >> kernel: [ 301.240011] BUG: unable to handle kernel NULL pointer dereference > >> at (null) > >> kernel: [ 301.240305] IP: [] __list_del_entry+0x20/0xe0 > >> kernel: [ 301.240481] *pdpt = 0000000000000000 *pde = f000ddc8f000ddc8 > >> kernel: [ 301.240698] Oops: 0000 [#1] SMP > >> kernel: [ 301.240910] > >> kernel: [ 301.241030] Pid: 642, comm: fsnotify_mark Not tainted > >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 > >> kernel: [ 301.241370] EIP: 0060:[] EFLAGS: 00010287 CPU: 6 > >> kernel: [ 301.241498] EIP is at __list_del_entry+0x20/0xe0 > >> kernel: [ 301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff EDX: > >> 00000000 > >> kernel: [ 301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c ESP: > >> f47cff64 > >> kernel: [ 301.241879] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 > >> kernel: [ 301.242005] Process fsnotify_mark (pid: 642, ti=f47ce000 > >> task=f4f47c00 task.ti=f47ce000) > >> kernel: [ 301.242207] Stack: > >> kernel: [ 301.242327] c10813c0 f47cffa4 f4f47c00 f4e70888 f47cff7c > >> f47cffa4 f47cffb8 c10f6976 > >> kernel: [ 301.242882] ffffffc3 f4f47c00 f4f47c00 00000000 f4f47c00 > >> c10530c0 f47cff9c f47cff9c > >> kernel: [ 301.243438] f4fae544 f4fae544 f4c47f58 00000000 c10f68f0 > >> f47cffe4 c1052834 00000000 > >> kernel: [ 301.243995] Call Trace: > >> kernel: [ 301.244119] [] ? rcu_check_callbacks+0x110/0x110 > >> kernel: [ 301.244248] [] fsnotify_mark_destroy+0x86/0x120 > >> kernel: [ 301.244377] [] ? abort_exclusive_wait+0x80/0x80 > >> kernel: [ 301.244504] [] ? fsnotify_put_mark+0x30/0x30 > >> kernel: [ 301.244631] [] kthread+0x74/0x80 > >> kernel: [ 301.244756] [] ? kthread_flush_work_fn+0x10/0x10 > >> kernel: [ 301.244885] [] kernel_thread_helper+0x6/0xd > >> kernel: [ 301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 e5 53 83 > >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 8e 00 > >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 14 > >> kernel: [ 301.248195] EIP: [] __list_del_entry+0x20/0xe0 SS:ESP > >> 0068:f47cff64 > >> kernel: [ 301.248414] CR2: 0000000000000000 > >> kernel: [ 301.248538] ---[ end trace 15082dbfb353f84c ]--- > >> > >> The kernel was compiled with the following DEBUG support (the bolded one > >> were requested by Gentoo's Dev: > >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y > >> CONFIG_SLUB_DEBUG=y > >> CONFIG_HAVE_DMA_API_DEBUG=y > >> CONFIG_X86_DEBUGCTLMSR=y > >> CONFIG_PNP_DEBUG_MESSAGES=y > >> CONFIG_AIC94XX_DEBUG=y > >> CONFIG_USB_DEBUG=y > >> CONFIG_DEBUG_KERNEL=y > >> CONFIG_SCHED_DEBUG=y > >> CONFIG_DEBUG_RT_MUTEXES=y > >> CONFIG_DEBUG_PI_LIST=y > >> CONFIG_DEBUG_BUGVERBOSE=y > >> CONFIG_DEBUG_INFO=y > >> CONFIG_DEBUG_MEMORY_INIT=y > >> CONFIG_DEBUG_LIST=y > >> CONFIG_DEBUG_STACKOVERFLOW=y > >> CONFIG_DEBUG_RODATA=y > >> CONFIG_DEBUG_RODATA_TEST=y > >> > >> I attached the kernel config i used for 3.2.9 to generate this oops and > >> warnings. > >> > >> From the list_add warnings that come after, out of 805 warnings i processed, > >> after masking with XXXXX the PID and next= values that kept changing in > >> every one, i got 26 types of MD5. I also attached the files relevant as an > >> archive to this email. > >> > >> The Gentoo bug i opened is sleeping, it seems nobody has the time to at > >> least test to confirm or not the problems i'm seeing (or everybody's > >> thinking that nobody would restart auditd so often, so the bug it's not that > >> serious). > >> > >> > >> Thank you for your time. > >> > >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram wrote: > >> > >> > >> -- > >> Linux-audit mailing list > >> Linux-audit@redhat.com > >> https://www.redhat.com/mailman/listinfo/linux-audit > > > > > > > > -- > > Peter Moody Google 1.650.253.7306 > > Security Engineer pgp:0xC3410038 > > > From mboxrd@z Thu Jan 1 00:00:00 1970 From: Valentin Avram Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Thu, 29 Mar 2012 09:44:56 +0300 Message-ID: References: <1327519203.4131.25.camel@localhost>

<1332983643.384.8.camel@localhost> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4201550010719350373==" Return-path: In-Reply-To: <1332983643.384.8.camel@localhost> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --===============4201550010719350373== Content-Type: multipart/alternative; boundary=20cf305e2373e052b704bc5c0f0d --20cf305e2373e052b704bc5c0f0d Content-Type: text/plain; charset=ISO-8859-1 Yes, i know that patch. It made it into kernel 3.2.2. I tested it successfully (oops in 3.2.1, no oops in 3.2.9), but this oops i'm seeing is also in 3.2.9. I monitored changelogs since 3.2.1 to 3.2.12 but there were no fixes either in audit subsystem or in fsnotify. I'll try to reproduce in latest 3.2.13 and repost the oops, but i'm 99% confident it will be the same. Sadly nobody except you seems to pay attention to this problem, probably because it requires special conditions to reproduce (really, who starts and stops auditd every 5 seconds on a production server?). We only ran into it because one of our servers would randomly oops and then freeze about each month after stopping and then starting auditd every morning (and the stop-start sequence was needed to workaround a bug somewhere that would hang a gzip running on a file outside a watched folder). Anyway, as a last note, i have a feeling that the oops is not exactly random, there is a pattern, just that i haven't figured it out completely yet. Will keep you uptodate with the things i find out. V. On Mar 29, 2012 4:14 AM, "Eric Paris" wrote: > That patch fixes a BUG() . The report has a NULL ptr deref and some > apparent list correuption.... Sadly they aren't the same.... > > On Wed, 2012-03-28 at 15:42 -0700, Peter Moody wrote: > > fyi: this patch [1] seems to fix the issue for me. The explanation in > > the subject would reliably oops my machine. > > > > [1] > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fed474857efbed79cd390d0aee224231ca718f63 > > > > On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody wrote: > > > Are you still able to reliably reproduce this oops? I'm trying to > > > track this down because this bug (or a very similar bug) is causing > > > some significant headaches here at work, but I haven't had a lot of > > > luck. I'm using usermode linux, though, so that might be interfering > > > with things. > > > > > > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram > wrote: > > >> Finally i found some time and spare server to retest the oops and > list_add > > >> corruptions i was getting with the 3.x kernels and auditd 2.1.3. > > >> > > >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and > kernel.org's > > >> 3.2.9. > > >> > > >> Both get the oops/BUG in the same way and after that, they keep > pouring > > >> list_add corruptions with audit_prune_tre(truncated?) and auditctl as > comms. > > >> > > >> Since this is not about Gentoo's kernel only, i'll post here the oops > in > > >> 3.2.9 and also attach some list_add corruptions. > > >> > > >> 3.2.9 BUG: > > >> > > >> kernel: [ 301.240011] BUG: unable to handle kernel NULL pointer > dereference > > >> at (null) > > >> kernel: [ 301.240305] IP: [] __list_del_entry+0x20/0xe0 > > >> kernel: [ 301.240481] *pdpt = 0000000000000000 *pde = > f000ddc8f000ddc8 > > >> kernel: [ 301.240698] Oops: 0000 [#1] SMP > > >> kernel: [ 301.240910] > > >> kernel: [ 301.241030] Pid: 642, comm: fsnotify_mark Not tainted > > >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 > > >> kernel: [ 301.241370] EIP: 0060:[] EFLAGS: 00010287 CPU: 6 > > >> kernel: [ 301.241498] EIP is at __list_del_entry+0x20/0xe0 > > >> kernel: [ 301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff EDX: > > >> 00000000 > > >> kernel: [ 301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c ESP: > > >> f47cff64 > > >> kernel: [ 301.241879] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 > > >> kernel: [ 301.242005] Process fsnotify_mark (pid: 642, ti=f47ce000 > > >> task=f4f47c00 task.ti=f47ce000) > > >> kernel: [ 301.242207] Stack: > > >> kernel: [ 301.242327] c10813c0 f47cffa4 f4f47c00 f4e70888 f47cff7c > > >> f47cffa4 f47cffb8 c10f6976 > > >> kernel: [ 301.242882] ffffffc3 f4f47c00 f4f47c00 00000000 f4f47c00 > > >> c10530c0 f47cff9c f47cff9c > > >> kernel: [ 301.243438] f4fae544 f4fae544 f4c47f58 00000000 c10f68f0 > > >> f47cffe4 c1052834 00000000 > > >> kernel: [ 301.243995] Call Trace: > > >> kernel: [ 301.244119] [] ? rcu_check_callbacks+0x110/0x110 > > >> kernel: [ 301.244248] [] fsnotify_mark_destroy+0x86/0x120 > > >> kernel: [ 301.244377] [] ? abort_exclusive_wait+0x80/0x80 > > >> kernel: [ 301.244504] [] ? fsnotify_put_mark+0x30/0x30 > > >> kernel: [ 301.244631] [] kthread+0x74/0x80 > > >> kernel: [ 301.244756] [] ? kthread_flush_work_fn+0x10/0x10 > > >> kernel: [ 301.244885] [] kernel_thread_helper+0x6/0xd > > >> kernel: [ 301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 > e5 53 83 > > >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 > 8e 00 > > >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 14 > > >> kernel: [ 301.248195] EIP: [] __list_del_entry+0x20/0xe0 > SS:ESP > > >> 0068:f47cff64 > > >> kernel: [ 301.248414] CR2: 0000000000000000 > > >> kernel: [ 301.248538] ---[ end trace 15082dbfb353f84c ]--- > > >> > > >> The kernel was compiled with the following DEBUG support (the bolded > one > > >> were requested by Gentoo's Dev: > > >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y > > >> CONFIG_SLUB_DEBUG=y > > >> CONFIG_HAVE_DMA_API_DEBUG=y > > >> CONFIG_X86_DEBUGCTLMSR=y > > >> CONFIG_PNP_DEBUG_MESSAGES=y > > >> CONFIG_AIC94XX_DEBUG=y > > >> CONFIG_USB_DEBUG=y > > >> CONFIG_DEBUG_KERNEL=y > > >> CONFIG_SCHED_DEBUG=y > > >> CONFIG_DEBUG_RT_MUTEXES=y > > >> CONFIG_DEBUG_PI_LIST=y > > >> CONFIG_DEBUG_BUGVERBOSE=y > > >> CONFIG_DEBUG_INFO=y > > >> CONFIG_DEBUG_MEMORY_INIT=y > > >> CONFIG_DEBUG_LIST=y > > >> CONFIG_DEBUG_STACKOVERFLOW=y > > >> CONFIG_DEBUG_RODATA=y > > >> CONFIG_DEBUG_RODATA_TEST=y > > >> > > >> I attached the kernel config i used for 3.2.9 to generate this oops > and > > >> warnings. > > >> > > >> From the list_add warnings that come after, out of 805 warnings i > processed, > > >> after masking with XXXXX the PID and next= values that kept changing > in > > >> every one, i got 26 types of MD5. I also attached the files relevant > as an > > >> archive to this email. > > >> > > >> The Gentoo bug i opened is sleeping, it seems nobody has the time to > at > > >> least test to confirm or not the problems i'm seeing (or everybody's > > >> thinking that nobody would restart auditd so often, so the bug it's > not that > > >> serious). > > >> > > >> > > >> Thank you for your time. > > >> > > >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram > wrote: > > >> > > >> > > >> -- > > >> Linux-audit mailing list > > >> Linux-audit@redhat.com > > >> https://www.redhat.com/mailman/listinfo/linux-audit > > > > > > > > > > > > -- > > > Peter Moody Google 1.650.253.7306 > > > Security Engineer pgp:0xC3410038 > > > > > > > > > --20cf305e2373e052b704bc5c0f0d Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

Yes, i know that patch. It made it into kernel 3.2.2. I tested it succes= sfully (oops in 3.2.1, no oops in 3.2.9), but this oops i'm seeing is a= lso in 3.2.9.

I monitored changelogs since 3.2.1 to 3.2.12 but there were no fixes eit= her in audit subsystem or in fsnotify. I'll try to reproduce in latest = 3.2.13 and repost the oops, but i'm 99% confident it will be the same.<= /p>

Sadly nobody except you seems to pay attention to this problem, probably= because it requires special conditions to reproduce (really, who starts an= d stops auditd every 5 seconds on a production server?). We only ran into i= t because one of our servers would randomly oops and then freeze about each= month after stopping and then starting

auditd

every morning (and the stop-start sequence was needed to workaround a b= ug somewhere that would hang a

gzip

running on a file outside a watched folder).

Anyway, as a last note, i have a feeling that the oops is not exactly ra= ndom, there is a pattern, just that i haven't figured it out completely= yet.

Will keep you

uptodate

with the things i find out.

On Mar 29, 2012 4:14 AM, "Eric Paris" = <eparis@redhat.com> wrote:

That patch fixes a BUG() . =A0The report has a NULL ptr deref and some
apparent list correuption.... =A0Sadly they aren't the same....

On Wed, 2012-03-28 at 15:42 -0700, Peter Moody wrote:
> fyi: this patch [1] seems to fix the issue for me. The explanation in<= br> > the subject would reliably oops my machine.
>
> [1] http://git.kernel.org/?p=3Dlinux/kernel/git/torvalds/linux-2.6.= git;a=3Dcommit;h=3Dfed474857efbed79cd390d0aee224231ca718f63
>
> On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody <pmoody@google.com> wrote:
> > Are you still able to reliably reproduce this oops? I'm tryin= g to
> > track this down because this bug (or a very similar bug) is causi= ng
> > some significant headaches here at work, but I haven't had a = lot of
> > luck. I'm using usermode linux, though, so that might be inte= rfering
> > with things.
> >
> > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram <aval13@gmail.com> wrote:
> >> Finally i found some time and spare server to retest the oops= and list_add
> >> corruptions i was getting with the 3.x kernels and auditd 2.1= .3.
> >>
> >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 = and kernel.org's > >> 3.2.9.
> >>
> >> Both get the oops/BUG in the same way and after that, they ke= ep pouring
> >> list_add corruptions with audit_prune_tre(truncated?) and aud= itctl as comms.
> >>
> >> Since this is not about Gentoo's kernel only, i'll po= st here the oops in
> >> 3.2.9 and also attach some list_add corruptions.
> >>
> >> 3.2.9 BUG:
> >>
> >> kernel: [ =A0301.240011] BUG: unable to handle kernel NULL po= inter dereference
> >> at =A0 (null)
> >> kernel: [ =A0301.240305] IP: [<c1238dd0>] __list_del_en= try+0x20/0xe0
> >> kernel: [ =A0301.240481] *pdpt =3D 0000000000000000 *pde =3D = f000ddc8f000ddc8
> >> kernel: [ =A0301.240698] Oops: 0000 [#1] SMP
> >> kernel: [ =A0301.240910]
> >> kernel: [ =A0301.241030] Pid: 642, comm: fsnotify_mark Not ta= inted
> >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396
> >> kernel: [ =A0301.241370] EIP: 0060:[<c1238dd0>] EFLAGS:= 00010287 CPU: 6
> >> kernel: [ =A0301.241498] EIP is at __list_del_entry+0x20/0xe0=
> >> kernel: [ =A0301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: fff= fffff EDX:
> >> 00000000
> >> kernel: [ =A0301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47= cff7c ESP:
> >> f47cff64
> >> kernel: [ =A0301.241879] =A0DS: 007b ES: 007b FS: 00d8 GS: 00= 00 SS: 0068
> >> kernel: [ =A0301.242005] Process fsnotify_mark (pid: 642, ti= =3Df47ce000
> >> task=3Df4f47c00 task.ti=3Df47ce000)
> >> kernel: [ =A0301.242207] Stack:
> >> kernel: [ =A0301.242327] =A0c10813c0 f47cffa4 f4f47c00 f4e708= 88 f47cff7c
> >> f47cffa4 f47cffb8 c10f6976
> >> kernel: [ =A0301.242882] =A0ffffffc3 f4f47c00 f4f47c00 000000= 00 f4f47c00
> >> c10530c0 f47cff9c f47cff9c
> >> kernel: [ =A0301.243438] =A0f4fae544 f4fae544 f4c47f58 000000= 00 c10f68f0
> >> f47cffe4 c1052834 00000000
> >> kernel: [ =A0301.243995] Call Trace:
> >> kernel: [ =A0301.244119] =A0[<c10813c0>] ? rcu_check_ca= llbacks+0x110/0x110
> >> kernel: [ =A0301.244248] =A0[<c10f6976>] fsnotify_mark_= destroy+0x86/0x120
> >> kernel: [ =A0301.244377] =A0[<c10530c0>] ? abort_exclus= ive_wait+0x80/0x80
> >> kernel: [ =A0301.244504] =A0[<c10f68f0>] ? fsnotify_put= _mark+0x30/0x30
> >> kernel: [ =A0301.244631] =A0[<c1052834>] kthread+0x74/0= x80
> >> kernel: [ =A0301.244756] =A0[<c10527c0>] ? kthread_flus= h_work_fn+0x10/0x10
> >> kernel: [ =A0301.244885] =A0[<c1582ab6>] kernel_thread_= helper+0x6/0xd
> >> kernel: [ =A0301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff = 90 55 89 e5 53 83
> >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 0= 0 0f 84 8e 00
> >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04= 89 0a 83 c4 14
> >> kernel: [ =A0301.248195] EIP: [<c1238dd0>] __list_del_e= ntry+0x20/0xe0 SS:ESP
> >> 0068:f47cff64
> >> kernel: [ =A0301.248414] CR2: 0000000000000000
> >> kernel: [ =A0301.248538] ---[ end trace 15082dbfb353f84c ]---=
> >>
> >> The kernel was compiled with the following DEBUG support (the= bolded one
> >> were requested by Gentoo's Dev:
> >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=3Dy
> >> CONFIG_SLUB_DEBUG=3Dy
> >> CONFIG_HAVE_DMA_API_DEBUG=3Dy
> >> CONFIG_X86_DEBUGCTLMSR=3Dy
> >> CONFIG_PNP_DEBUG_MESSAGES=3Dy
> >> CONFIG_AIC94XX_DEBUG=3Dy
> >> CONFIG_USB_DEBUG=3Dy
> >> CONFIG_DEBUG_KERNEL=3Dy
> >> CONFIG_SCHED_DEBUG=3Dy
> >> CONFIG_DEBUG_RT_MUTEXES=3Dy
> >> CONFIG_DEBUG_PI_LIST=3Dy
> >> CONFIG_DEBUG_BUGVERBOSE=3Dy
> >> CONFIG_DEBUG_INFO=3Dy
> >> CONFIG_DEBUG_MEMORY_INIT=3Dy
> >> CONFIG_DEBUG_LIST=3Dy
> >> CONFIG_DEBUG_STACKOVERFLOW=3Dy
> >> CONFIG_DEBUG_RODATA=3Dy
> >> CONFIG_DEBUG_RODATA_TEST=3Dy
> >>
> >> I attached the kernel config i used for 3.2.9 to generate thi= s oops and
> >> warnings.
> >>
> >> From the list_add warnings that come after, out of 805 warnin= gs i processed,
> >> after masking with XXXXX the PID and next=3D values that kept= changing in
> >> every one, i got 26 types of MD5. I also attached the files r= elevant as an
> >> archive to this email.
> >>
> >> The Gentoo bug i opened is sleeping, it seems nobody has the = time to at
> >> least test to confirm or not the problems i'm seeing (or = everybody's
> >> thinking that nobody would restart auditd so often, so the bu= g it's not that
> >> serious).
> >>
> >>
> >> Thank you for your time.
> >>
> >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram <aval13@gmail.com> wrote:
> >>
> >>
> >> --
> >> Linux-audit mailing list
> >> Linux-audit@redhat.= com
> >> https://www.redhat.com/mailman/listinfo/linux-audit
> >
> >
> >
> > --
> > Peter Moody =A0 =A0 =A0Google =A0 =A0 1.650.253.7306
> > Security Engineer =A0pgp:0xC3410038
>
>
>

--20cf305e2373e052b704bc5c0f0d-- --===============4201550010719350373== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --===============4201550010719350373==-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Moody Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Tue, 3 Apr 2012 09:15:37 -0700 Message-ID: References: <1327519203.4131.25.camel@localhost>

<1332983643.384.8.camel@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mx1.redhat.com (ext-mx14.extmail.prod.ext.phx2.redhat.com [10.5.110.19]) by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q33GG9aN019464 for ; Tue, 3 Apr 2012 12:16:10 -0400 Received: from mail-yw0-f46.google.com (mail-yw0-f46.google.com [209.85.213.46]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q33GG8ru021876 for ; Tue, 3 Apr 2012 12:16:08 -0400 Received: by yhmm54 with SMTP id m54so2367313yhm.33 for ; Tue, 03 Apr 2012 09:16:08 -0700 (PDT) In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Valentin Avram Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com This may already be known, but the issue seems to be limited to watch rules. With any watch rules, I can reliably crash my machine while freeing a watch rule after only starting/stopping auditd a few times. With no watch rules, I have no issues. Cheers, peter On Wed, Mar 28, 2012 at 11:44 PM, Valentin Avram wrote: > Yes, i know that patch. It made it into kernel 3.2.2. I tested it > successfully (oops in 3.2.1, no oops in 3.2.9), but this oops i'm seeing = is > also in 3.2.9. > > I monitored changelogs since 3.2.1 to 3.2.12 but there were no fixes eith= er > in audit subsystem or in fsnotify. I'll try to reproduce in latest 3.2.13 > and repost the oops, but i'm 99% confident it will be the same. > > Sadly nobody except you seems to pay attention to this problem, probably > because it requires special conditions to reproduce (really, who starts a= nd > stops auditd every 5 seconds on a production server?). We only ran into it > because one of our servers would randomly oops and then freeze about each > month after stopping and then starting > > auditd > > every morning (and the stop-start sequence was needed to workaround a bug > somewhere that would hang a > > gzip > > running on a file outside a watched folder). > > Anyway, as a last note, i have a feeling that the oops is not exactly > random, there is a pattern, just that i haven't figured it out completely > yet. > > Will keep you > > uptodate > > with the things i find out. > > V. > > On Mar 29, 2012 4:14 AM, "Eric Paris" wrote: >> >> That patch fixes a BUG() . =A0The report has a NULL ptr deref and some >> apparent list correuption.... =A0Sadly they aren't the same.... >> >> On Wed, 2012-03-28 at 15:42 -0700, Peter Moody wrote: >> > fyi: this patch [1] seems to fix the issue for me. The explanation in >> > the subject would reliably oops my machine. >> > >> > [1] >> > http://git.kernel.org/?p=3Dlinux/kernel/git/torvalds/linux-2.6.git;a= =3Dcommit;h=3Dfed474857efbed79cd390d0aee224231ca718f63 >> > >> > On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody wrote: >> > > Are you still able to reliably reproduce this oops? I'm trying to >> > > track this down because this bug (or a very similar bug) is causing >> > > some significant headaches here at work, but I haven't had a lot of >> > > luck. I'm using usermode linux, though, so that might be interfering >> > > with things. >> > > >> > > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram >> > > wrote: >> > >> Finally i found some time and spare server to retest the oops and >> > >> list_add >> > >> corruptions i was getting with the 3.x kernels and auditd 2.1.3. >> > >> >> > >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and >> > >> kernel.org's >> > >> 3.2.9. >> > >> >> > >> Both get the oops/BUG in the same way and after that, they keep >> > >> pouring >> > >> list_add corruptions with audit_prune_tre(truncated?) and auditctl = as >> > >> comms. >> > >> >> > >> Since this is not about Gentoo's kernel only, i'll post here the oo= ps >> > >> in >> > >> 3.2.9 and also attach some list_add corruptions. >> > >> >> > >> 3.2.9 BUG: >> > >> >> > >> kernel: [ =A0301.240011] BUG: unable to handle kernel NULL pointer >> > >> dereference >> > >> at =A0 (null) >> > >> kernel: [ =A0301.240305] IP: [] __list_del_entry+0x20/0xe0 >> > >> kernel: [ =A0301.240481] *pdpt =3D 0000000000000000 *pde =3D >> > >> f000ddc8f000ddc8 >> > >> kernel: [ =A0301.240698] Oops: 0000 [#1] SMP >> > >> kernel: [ =A0301.240910] >> > >> kernel: [ =A0301.241030] Pid: 642, comm: fsnotify_mark Not tainted >> > >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 >> > >> kernel: [ =A0301.241370] EIP: 0060:[] EFLAGS: 00010287 CP= U: 6 >> > >> kernel: [ =A0301.241498] EIP is at __list_del_entry+0x20/0xe0 >> > >> kernel: [ =A0301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff = EDX: >> > >> 00000000 >> > >> kernel: [ =A0301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c = ESP: >> > >> f47cff64 >> > >> kernel: [ =A0301.241879] =A0DS: 007b ES: 007b FS: 00d8 GS: 0000 SS:= 0068 >> > >> kernel: [ =A0301.242005] Process fsnotify_mark (pid: 642, ti=3Df47c= e000 >> > >> task=3Df4f47c00 task.ti=3Df47ce000) >> > >> kernel: [ =A0301.242207] Stack: >> > >> kernel: [ =A0301.242327] =A0c10813c0 f47cffa4 f4f47c00 f4e70888 f47= cff7c >> > >> f47cffa4 f47cffb8 c10f6976 >> > >> kernel: [ =A0301.242882] =A0ffffffc3 f4f47c00 f4f47c00 00000000 f4f= 47c00 >> > >> c10530c0 f47cff9c f47cff9c >> > >> kernel: [ =A0301.243438] =A0f4fae544 f4fae544 f4c47f58 00000000 c10= f68f0 >> > >> f47cffe4 c1052834 00000000 >> > >> kernel: [ =A0301.243995] Call Trace: >> > >> kernel: [ =A0301.244119] =A0[] ? >> > >> rcu_check_callbacks+0x110/0x110 >> > >> kernel: [ =A0301.244248] =A0[] fsnotify_mark_destroy+0x86= /0x120 >> > >> kernel: [ =A0301.244377] =A0[] ? abort_exclusive_wait+0x8= 0/0x80 >> > >> kernel: [ =A0301.244504] =A0[] ? fsnotify_put_mark+0x30/0= x30 >> > >> kernel: [ =A0301.244631] =A0[] kthread+0x74/0x80 >> > >> kernel: [ =A0301.244756] =A0[] ? >> > >> kthread_flush_work_fn+0x10/0x10 >> > >> kernel: [ =A0301.244885] =A0[] kernel_thread_helper+0x6/0= xd >> > >> kernel: [ =A0301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 = 89 >> > >> e5 53 83 >> > >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 >> > >> 8e 00 >> > >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 >> > >> 14 >> > >> kernel: [ =A0301.248195] EIP: [] __list_del_entry+0x20/0x= e0 >> > >> SS:ESP >> > >> 0068:f47cff64 >> > >> kernel: [ =A0301.248414] CR2: 0000000000000000 >> > >> kernel: [ =A0301.248538] ---[ end trace 15082dbfb353f84c ]--- >> > >> >> > >> The kernel was compiled with the following DEBUG support (the bolded >> > >> one >> > >> were requested by Gentoo's Dev: >> > >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=3Dy >> > >> CONFIG_SLUB_DEBUG=3Dy >> > >> CONFIG_HAVE_DMA_API_DEBUG=3Dy >> > >> CONFIG_X86_DEBUGCTLMSR=3Dy >> > >> CONFIG_PNP_DEBUG_MESSAGES=3Dy >> > >> CONFIG_AIC94XX_DEBUG=3Dy >> > >> CONFIG_USB_DEBUG=3Dy >> > >> CONFIG_DEBUG_KERNEL=3Dy >> > >> CONFIG_SCHED_DEBUG=3Dy >> > >> CONFIG_DEBUG_RT_MUTEXES=3Dy >> > >> CONFIG_DEBUG_PI_LIST=3Dy >> > >> CONFIG_DEBUG_BUGVERBOSE=3Dy >> > >> CONFIG_DEBUG_INFO=3Dy >> > >> CONFIG_DEBUG_MEMORY_INIT=3Dy >> > >> CONFIG_DEBUG_LIST=3Dy >> > >> CONFIG_DEBUG_STACKOVERFLOW=3Dy >> > >> CONFIG_DEBUG_RODATA=3Dy >> > >> CONFIG_DEBUG_RODATA_TEST=3Dy >> > >> >> > >> I attached the kernel config i used for 3.2.9 to generate this oops >> > >> and >> > >> warnings. >> > >> >> > >> From the list_add warnings that come after, out of 805 warnings i >> > >> processed, >> > >> after masking with XXXXX the PID and next=3D values that kept chang= ing >> > >> in >> > >> every one, i got 26 types of MD5. I also attached the files relevant >> > >> as an >> > >> archive to this email. >> > >> >> > >> The Gentoo bug i opened is sleeping, it seems nobody has the time to >> > >> at >> > >> least test to confirm or not the problems i'm seeing (or everybody's >> > >> thinking that nobody would restart auditd so often, so the bug it's >> > >> not that >> > >> serious). >> > >> >> > >> >> > >> Thank you for your time. >> > >> >> > >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram >> > >> wrote: >> > >> >> > >> >> > >> -- >> > >> Linux-audit mailing list >> > >> Linux-audit@redhat.com >> > >> https://www.redhat.com/mailman/listinfo/linux-audit >> > > >> > > >> > > >> > > -- >> > > Peter Moody =A0 =A0 =A0Google =A0 =A01.650.253.7306 >> > > Security Engineer =A0pgp:0xC3410038 >> > >> > >> > >> >> > -- = Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 Security Engineer=A0 pgp:0xC3410038 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Moody Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Thu, 5 Apr 2012 14:03:57 -0700 Message-ID: References: <1327519203.4131.25.camel@localhost>

<1332983643.384.8.camel@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com [10.5.110.18]) by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q35L4Umh013054 for ; Thu, 5 Apr 2012 17:04:30 -0400 Received: from mail-iy0-f174.google.com (mail-iy0-f174.google.com [209.85.210.174]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q35L4Sil009721 for ; Thu, 5 Apr 2012 17:04:28 -0400 Received: by iagz16 with SMTP id z16so3083881iag.33 for ; Thu, 05 Apr 2012 14:04:28 -0700 (PDT) In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Valentin Avram Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com (please let me know if I should take this off-list) One other thing (again, maybe already known), but this seems to be exacerbated by SMP. On my machine, I can't reproduce the crash if I booth with maxcpus=3D1. Still hunting. Cheers, peter On Tue, Apr 3, 2012 at 9:15 AM, Peter Moody wrote: > This may already be known, but the issue seems to be limited to watch > rules. With any watch rules, I can reliably crash my machine while > freeing a watch rule after only starting/stopping auditd a few times. > With no watch rules, I have no issues. > > Cheers, > peter > > On Wed, Mar 28, 2012 at 11:44 PM, Valentin Avram wrote: >> Yes, i know that patch. It made it into kernel 3.2.2. I tested it >> successfully (oops in 3.2.1, no oops in 3.2.9), but this oops i'm seeing= is >> also in 3.2.9. >> >> I monitored changelogs since 3.2.1 to 3.2.12 but there were no fixes eit= her >> in audit subsystem or in fsnotify. I'll try to reproduce in latest 3.2.13 >> and repost the oops, but i'm 99% confident it will be the same. >> >> Sadly nobody except you seems to pay attention to this problem, probably >> because it requires special conditions to reproduce (really, who starts = and >> stops auditd every 5 seconds on a production server?). We only ran into = it >> because one of our servers would randomly oops and then freeze about each >> month after stopping and then starting >> >> auditd >> >> every morning (and the stop-start sequence was needed to workaround a bug >> somewhere that would hang a >> >> gzip >> >> running on a file outside a watched folder). >> >> Anyway, as a last note, i have a feeling that the oops is not exactly >> random, there is a pattern, just that i haven't figured it out completely >> yet. >> >> Will keep you >> >> uptodate >> >> with the things i find out. >> >> V. >> >> On Mar 29, 2012 4:14 AM, "Eric Paris" wrote: >>> >>> That patch fixes a BUG() . =A0The report has a NULL ptr deref and some >>> apparent list correuption.... =A0Sadly they aren't the same.... >>> >>> On Wed, 2012-03-28 at 15:42 -0700, Peter Moody wrote: >>> > fyi: this patch [1] seems to fix the issue for me. The explanation in >>> > the subject would reliably oops my machine. >>> > >>> > [1] >>> > http://git.kernel.org/?p=3Dlinux/kernel/git/torvalds/linux-2.6.git;a= =3Dcommit;h=3Dfed474857efbed79cd390d0aee224231ca718f63 >>> > >>> > On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody wrot= e: >>> > > Are you still able to reliably reproduce this oops? I'm trying to >>> > > track this down because this bug (or a very similar bug) is causing >>> > > some significant headaches here at work, but I haven't had a lot of >>> > > luck. I'm using usermode linux, though, so that might be interfering >>> > > with things. >>> > > >>> > > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram >>> > > wrote: >>> > >> Finally i found some time and spare server to retest the oops and >>> > >> list_add >>> > >> corruptions i was getting with the 3.x kernels and auditd 2.1.3. >>> > >> >>> > >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and >>> > >> kernel.org's >>> > >> 3.2.9. >>> > >> >>> > >> Both get the oops/BUG in the same way and after that, they keep >>> > >> pouring >>> > >> list_add corruptions with audit_prune_tre(truncated?) and auditctl= as >>> > >> comms. >>> > >> >>> > >> Since this is not about Gentoo's kernel only, i'll post here the o= ops >>> > >> in >>> > >> 3.2.9 and also attach some list_add corruptions. >>> > >> >>> > >> 3.2.9 BUG: >>> > >> >>> > >> kernel: [ =A0301.240011] BUG: unable to handle kernel NULL pointer >>> > >> dereference >>> > >> at =A0 (null) >>> > >> kernel: [ =A0301.240305] IP: [] __list_del_entry+0x20/0x= e0 >>> > >> kernel: [ =A0301.240481] *pdpt =3D 0000000000000000 *pde =3D >>> > >> f000ddc8f000ddc8 >>> > >> kernel: [ =A0301.240698] Oops: 0000 [#1] SMP >>> > >> kernel: [ =A0301.240910] >>> > >> kernel: [ =A0301.241030] Pid: 642, comm: fsnotify_mark Not tainted >>> > >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 >>> > >> kernel: [ =A0301.241370] EIP: 0060:[] EFLAGS: 00010287 C= PU: 6 >>> > >> kernel: [ =A0301.241498] EIP is at __list_del_entry+0x20/0xe0 >>> > >> kernel: [ =A0301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff= EDX: >>> > >> 00000000 >>> > >> kernel: [ =A0301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c= ESP: >>> > >> f47cff64 >>> > >> kernel: [ =A0301.241879] =A0DS: 007b ES: 007b FS: 00d8 GS: 0000 SS= : 0068 >>> > >> kernel: [ =A0301.242005] Process fsnotify_mark (pid: 642, ti=3Df47= ce000 >>> > >> task=3Df4f47c00 task.ti=3Df47ce000) >>> > >> kernel: [ =A0301.242207] Stack: >>> > >> kernel: [ =A0301.242327] =A0c10813c0 f47cffa4 f4f47c00 f4e70888 f4= 7cff7c >>> > >> f47cffa4 f47cffb8 c10f6976 >>> > >> kernel: [ =A0301.242882] =A0ffffffc3 f4f47c00 f4f47c00 00000000 f4= f47c00 >>> > >> c10530c0 f47cff9c f47cff9c >>> > >> kernel: [ =A0301.243438] =A0f4fae544 f4fae544 f4c47f58 00000000 c1= 0f68f0 >>> > >> f47cffe4 c1052834 00000000 >>> > >> kernel: [ =A0301.243995] Call Trace: >>> > >> kernel: [ =A0301.244119] =A0[] ? >>> > >> rcu_check_callbacks+0x110/0x110 >>> > >> kernel: [ =A0301.244248] =A0[] fsnotify_mark_destroy+0x8= 6/0x120 >>> > >> kernel: [ =A0301.244377] =A0[] ? abort_exclusive_wait+0x= 80/0x80 >>> > >> kernel: [ =A0301.244504] =A0[] ? fsnotify_put_mark+0x30/= 0x30 >>> > >> kernel: [ =A0301.244631] =A0[] kthread+0x74/0x80 >>> > >> kernel: [ =A0301.244756] =A0[] ? >>> > >> kthread_flush_work_fn+0x10/0x10 >>> > >> kernel: [ =A0301.244885] =A0[] kernel_thread_helper+0x6/= 0xd >>> > >> kernel: [ =A0301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55= 89 >>> > >> e5 53 83 >>> > >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f = 84 >>> > >> 8e 00 >>> > >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 >>> > >> 14 >>> > >> kernel: [ =A0301.248195] EIP: [] __list_del_entry+0x20/0= xe0 >>> > >> SS:ESP >>> > >> 0068:f47cff64 >>> > >> kernel: [ =A0301.248414] CR2: 0000000000000000 >>> > >> kernel: [ =A0301.248538] ---[ end trace 15082dbfb353f84c ]--- >>> > >> >>> > >> The kernel was compiled with the following DEBUG support (the bold= ed >>> > >> one >>> > >> were requested by Gentoo's Dev: >>> > >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=3Dy >>> > >> CONFIG_SLUB_DEBUG=3Dy >>> > >> CONFIG_HAVE_DMA_API_DEBUG=3Dy >>> > >> CONFIG_X86_DEBUGCTLMSR=3Dy >>> > >> CONFIG_PNP_DEBUG_MESSAGES=3Dy >>> > >> CONFIG_AIC94XX_DEBUG=3Dy >>> > >> CONFIG_USB_DEBUG=3Dy >>> > >> CONFIG_DEBUG_KERNEL=3Dy >>> > >> CONFIG_SCHED_DEBUG=3Dy >>> > >> CONFIG_DEBUG_RT_MUTEXES=3Dy >>> > >> CONFIG_DEBUG_PI_LIST=3Dy >>> > >> CONFIG_DEBUG_BUGVERBOSE=3Dy >>> > >> CONFIG_DEBUG_INFO=3Dy >>> > >> CONFIG_DEBUG_MEMORY_INIT=3Dy >>> > >> CONFIG_DEBUG_LIST=3Dy >>> > >> CONFIG_DEBUG_STACKOVERFLOW=3Dy >>> > >> CONFIG_DEBUG_RODATA=3Dy >>> > >> CONFIG_DEBUG_RODATA_TEST=3Dy >>> > >> >>> > >> I attached the kernel config i used for 3.2.9 to generate this oops >>> > >> and >>> > >> warnings. >>> > >> >>> > >> From the list_add warnings that come after, out of 805 warnings i >>> > >> processed, >>> > >> after masking with XXXXX the PID and next=3D values that kept chan= ging >>> > >> in >>> > >> every one, i got 26 types of MD5. I also attached the files releva= nt >>> > >> as an >>> > >> archive to this email. >>> > >> >>> > >> The Gentoo bug i opened is sleeping, it seems nobody has the time = to >>> > >> at >>> > >> least test to confirm or not the problems i'm seeing (or everybody= 's >>> > >> thinking that nobody would restart auditd so often, so the bug it's >>> > >> not that >>> > >> serious). >>> > >> >>> > >> >>> > >> Thank you for your time. >>> > >> >>> > >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram >>> > >> wrote: >>> > >> >>> > >> >>> > >> -- >>> > >> Linux-audit mailing list >>> > >> Linux-audit@redhat.com >>> > >> https://www.redhat.com/mailman/listinfo/linux-audit >>> > > >>> > > >>> > > >>> > > -- >>> > > Peter Moody =A0 =A0 =A0Google =A0 =A01.650.253.7306 >>> > > Security Engineer =A0pgp:0xC3410038 >>> > >>> > >>> > >>> >>> >> > > > > -- > Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 > Security Engineer=A0 pgp:0xC3410038 -- = Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 Security Engineer=A0 pgp:0xC3410038 From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Thu, 05 Apr 2012 17:07:01 -0400 Message-ID: <1333660021.2273.0.camel@localhost> References: <1327519203.4131.25.camel@localhost>

<1332983643.384.8.camel@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Peter Moody Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com please please please keep on list. Everything you say might help track it down! On Thu, 2012-04-05 at 14:03 -0700, Peter Moody wrote: > (please let me know if I should take this off-list) > > One other thing (again, maybe already known), but this seems to be > exacerbated by SMP. On my machine, I can't reproduce the crash if I > booth with maxcpus=1. > > Still hunting. > > Cheers, > peter > > On Tue, Apr 3, 2012 at 9:15 AM, Peter Moody wrote: > > This may already be known, but the issue seems to be limited to watch > > rules. With any watch rules, I can reliably crash my machine while > > freeing a watch rule after only starting/stopping auditd a few times. > > With no watch rules, I have no issues. > > > > Cheers, > > peter > > > > On Wed, Mar 28, 2012 at 11:44 PM, Valentin Avram wrote: > >> Yes, i know that patch. It made it into kernel 3.2.2. I tested it > >> successfully (oops in 3.2.1, no oops in 3.2.9), but this oops i'm seeing is > >> also in 3.2.9. > >> > >> I monitored changelogs since 3.2.1 to 3.2.12 but there were no fixes either > >> in audit subsystem or in fsnotify. I'll try to reproduce in latest 3.2.13 > >> and repost the oops, but i'm 99% confident it will be the same. > >> > >> Sadly nobody except you seems to pay attention to this problem, probably > >> because it requires special conditions to reproduce (really, who starts and > >> stops auditd every 5 seconds on a production server?). We only ran into it > >> because one of our servers would randomly oops and then freeze about each > >> month after stopping and then starting > >> > >> auditd > >> > >> every morning (and the stop-start sequence was needed to workaround a bug > >> somewhere that would hang a > >> > >> gzip > >> > >> running on a file outside a watched folder). > >> > >> Anyway, as a last note, i have a feeling that the oops is not exactly > >> random, there is a pattern, just that i haven't figured it out completely > >> yet. > >> > >> Will keep you > >> > >> uptodate > >> > >> with the things i find out. > >> > >> V. > >> > >> On Mar 29, 2012 4:14 AM, "Eric Paris" wrote: > >>> > >>> That patch fixes a BUG() . The report has a NULL ptr deref and some > >>> apparent list correuption.... Sadly they aren't the same.... > >>> > >>> On Wed, 2012-03-28 at 15:42 -0700, Peter Moody wrote: > >>> > fyi: this patch [1] seems to fix the issue for me. The explanation in > >>> > the subject would reliably oops my machine. > >>> > > >>> > [1] > >>> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=fed474857efbed79cd390d0aee224231ca718f63 > >>> > > >>> > On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody wrote: > >>> > > Are you still able to reliably reproduce this oops? I'm trying to > >>> > > track this down because this bug (or a very similar bug) is causing > >>> > > some significant headaches here at work, but I haven't had a lot of > >>> > > luck. I'm using usermode linux, though, so that might be interfering > >>> > > with things. > >>> > > > >>> > > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram > >>> > > wrote: > >>> > >> Finally i found some time and spare server to retest the oops and > >>> > >> list_add > >>> > >> corruptions i was getting with the 3.x kernels and auditd 2.1.3. > >>> > >> > >>> > >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and > >>> > >> kernel.org's > >>> > >> 3.2.9. > >>> > >> > >>> > >> Both get the oops/BUG in the same way and after that, they keep > >>> > >> pouring > >>> > >> list_add corruptions with audit_prune_tre(truncated?) and auditctl as > >>> > >> comms. > >>> > >> > >>> > >> Since this is not about Gentoo's kernel only, i'll post here the oops > >>> > >> in > >>> > >> 3.2.9 and also attach some list_add corruptions. > >>> > >> > >>> > >> 3.2.9 BUG: > >>> > >> > >>> > >> kernel: [ 301.240011] BUG: unable to handle kernel NULL pointer > >>> > >> dereference > >>> > >> at (null) > >>> > >> kernel: [ 301.240305] IP: [] __list_del_entry+0x20/0xe0 > >>> > >> kernel: [ 301.240481] *pdpt = 0000000000000000 *pde = > >>> > >> f000ddc8f000ddc8 > >>> > >> kernel: [ 301.240698] Oops: 0000 [#1] SMP > >>> > >> kernel: [ 301.240910] > >>> > >> kernel: [ 301.241030] Pid: 642, comm: fsnotify_mark Not tainted > >>> > >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 > >>> > >> kernel: [ 301.241370] EIP: 0060:[] EFLAGS: 00010287 CPU: 6 > >>> > >> kernel: [ 301.241498] EIP is at __list_del_entry+0x20/0xe0 > >>> > >> kernel: [ 301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: ffffffff EDX: > >>> > >> 00000000 > >>> > >> kernel: [ 301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cff7c ESP: > >>> > >> f47cff64 > >>> > >> kernel: [ 301.241879] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 > >>> > >> kernel: [ 301.242005] Process fsnotify_mark (pid: 642, ti=f47ce000 > >>> > >> task=f4f47c00 task.ti=f47ce000) > >>> > >> kernel: [ 301.242207] Stack: > >>> > >> kernel: [ 301.242327] c10813c0 f47cffa4 f4f47c00 f4e70888 f47cff7c > >>> > >> f47cffa4 f47cffb8 c10f6976 > >>> > >> kernel: [ 301.242882] ffffffc3 f4f47c00 f4f47c00 00000000 f4f47c00 > >>> > >> c10530c0 f47cff9c f47cff9c > >>> > >> kernel: [ 301.243438] f4fae544 f4fae544 f4c47f58 00000000 c10f68f0 > >>> > >> f47cffe4 c1052834 00000000 > >>> > >> kernel: [ 301.243995] Call Trace: > >>> > >> kernel: [ 301.244119] [] ? > >>> > >> rcu_check_callbacks+0x110/0x110 > >>> > >> kernel: [ 301.244248] [] fsnotify_mark_destroy+0x86/0x120 > >>> > >> kernel: [ 301.244377] [] ? abort_exclusive_wait+0x80/0x80 > >>> > >> kernel: [ 301.244504] [] ? fsnotify_put_mark+0x30/0x30 > >>> > >> kernel: [ 301.244631] [] kthread+0x74/0x80 > >>> > >> kernel: [ 301.244756] [] ? > >>> > >> kthread_flush_work_fn+0x10/0x10 > >>> > >> kernel: [ 301.244885] [] kernel_thread_helper+0x6/0xd > >>> > >> kernel: [ 301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90 55 89 > >>> > >> e5 53 83 > >>> > >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 0f 84 > >>> > >> 8e 00 > >>> > >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 83 c4 > >>> > >> 14 > >>> > >> kernel: [ 301.248195] EIP: [] __list_del_entry+0x20/0xe0 > >>> > >> SS:ESP > >>> > >> 0068:f47cff64 > >>> > >> kernel: [ 301.248414] CR2: 0000000000000000 > >>> > >> kernel: [ 301.248538] ---[ end trace 15082dbfb353f84c ]--- > >>> > >> > >>> > >> The kernel was compiled with the following DEBUG support (the bolded > >>> > >> one > >>> > >> were requested by Gentoo's Dev: > >>> > >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y > >>> > >> CONFIG_SLUB_DEBUG=y > >>> > >> CONFIG_HAVE_DMA_API_DEBUG=y > >>> > >> CONFIG_X86_DEBUGCTLMSR=y > >>> > >> CONFIG_PNP_DEBUG_MESSAGES=y > >>> > >> CONFIG_AIC94XX_DEBUG=y > >>> > >> CONFIG_USB_DEBUG=y > >>> > >> CONFIG_DEBUG_KERNEL=y > >>> > >> CONFIG_SCHED_DEBUG=y > >>> > >> CONFIG_DEBUG_RT_MUTEXES=y > >>> > >> CONFIG_DEBUG_PI_LIST=y > >>> > >> CONFIG_DEBUG_BUGVERBOSE=y > >>> > >> CONFIG_DEBUG_INFO=y > >>> > >> CONFIG_DEBUG_MEMORY_INIT=y > >>> > >> CONFIG_DEBUG_LIST=y > >>> > >> CONFIG_DEBUG_STACKOVERFLOW=y > >>> > >> CONFIG_DEBUG_RODATA=y > >>> > >> CONFIG_DEBUG_RODATA_TEST=y > >>> > >> > >>> > >> I attached the kernel config i used for 3.2.9 to generate this oops > >>> > >> and > >>> > >> warnings. > >>> > >> > >>> > >> From the list_add warnings that come after, out of 805 warnings i > >>> > >> processed, > >>> > >> after masking with XXXXX the PID and next= values that kept changing > >>> > >> in > >>> > >> every one, i got 26 types of MD5. I also attached the files relevant > >>> > >> as an > >>> > >> archive to this email. > >>> > >> > >>> > >> The Gentoo bug i opened is sleeping, it seems nobody has the time to > >>> > >> at > >>> > >> least test to confirm or not the problems i'm seeing (or everybody's > >>> > >> thinking that nobody would restart auditd so often, so the bug it's > >>> > >> not that > >>> > >> serious). > >>> > >> > >>> > >> > >>> > >> Thank you for your time. > >>> > >> > >>> > >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram > >>> > >> wrote: > >>> > >> > >>> > >> > >>> > >> -- > >>> > >> Linux-audit mailing list > >>> > >> Linux-audit@redhat.com > >>> > >> https://www.redhat.com/mailman/listinfo/linux-audit > >>> > > > >>> > > > >>> > > > >>> > > -- > >>> > > Peter Moody Google 1.650.253.7306 > >>> > > Security Engineer pgp:0xC3410038 > >>> > > >>> > > >>> > > >>> > >>> > >> > > > > > > > > -- > > Peter Moody Google 1.650.253.7306 > > Security Engineer pgp:0xC3410038 > > > From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Moody Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Tue, 17 Apr 2012 10:56:17 -0700 Message-ID: References: <1327519203.4131.25.camel@localhost>

<1332983643.384.8.camel@localhost> <1333660021.2273.0.camel@localhost> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary=20cf300faff5f02d0904bde3a98f Return-path: Received: from mx1.redhat.com (ext-mx15.extmail.prod.ext.phx2.redhat.com [10.5.110.20]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q3HHuto6000977 for ; Tue, 17 Apr 2012 13:56:55 -0400 Received: from mail-qc0-f174.google.com (mail-qc0-f174.google.com [209.85.216.174]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q3HHurZa022665 for ; Tue, 17 Apr 2012 13:56:53 -0400 Received: by qcro28 with SMTP id o28so5102648qcr.33 for ; Tue, 17 Apr 2012 10:56:53 -0700 (PDT) In-Reply-To: <1333660021.2273.0.camel@localhost> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Eric Paris Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com --20cf300faff5f02d0904bde3a98f Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Here's a trace with debugging turned way up plus a few extra printk's added to fs/notify/mark.c. I'm looping through private_destroy_list before and after the call to synchronize_srcu. I can reproduce this reliably with kvm with 2 virtual processors: Linux desktop 3.4.0-rc3-oops1+ #1 SMP Tue Apr 17 09:59:44 PDT 2012 x86_64 GNU/Linux Cheers, peter On Thu, Apr 5, 2012 at 2:07 PM, Eric Paris wrote: > please please please keep on list. =A0Everything you say might help track > it down! > > On Thu, 2012-04-05 at 14:03 -0700, Peter Moody wrote: >> (please let me know if I should take this off-list) >> >> One other thing (again, maybe already known), but this seems to be >> exacerbated by SMP. On my machine, I can't reproduce the crash if I >> booth with maxcpus=3D1. >> >> Still hunting. >> >> Cheers, >> peter >> >> On Tue, Apr 3, 2012 at 9:15 AM, Peter Moody wrote: >> > This may already be known, but the issue seems to be limited to watch >> > rules. With any watch rules, I can reliably crash my machine while >> > freeing a watch rule after only starting/stopping auditd a few times. >> > With no watch rules, I have no issues. >> > >> > Cheers, >> > peter >> > >> > On Wed, Mar 28, 2012 at 11:44 PM, Valentin Avram wr= ote: >> >> Yes, i know that patch. It made it into kernel 3.2.2. I tested it >> >> successfully (oops in 3.2.1, no oops in 3.2.9), but this oops i'm see= ing is >> >> also in 3.2.9. >> >> >> >> I monitored changelogs since 3.2.1 to 3.2.12 but there were no fixes = either >> >> in audit subsystem or in fsnotify. I'll try to reproduce in latest 3.= 2.13 >> >> and repost the oops, but i'm 99% confident it will be the same. >> >> >> >> Sadly nobody except you seems to pay attention to this problem, proba= bly >> >> because it requires special conditions to reproduce (really, who star= ts and >> >> stops auditd every 5 seconds on a production server?). We only ran in= to it >> >> because one of our servers would randomly oops and then freeze about = each >> >> month after stopping and then starting >> >> >> >> auditd >> >> >> >> every morning (and the stop-start sequence was needed to workaround a= bug >> >> somewhere that would hang a >> >> >> >> gzip >> >> >> >> running on a file outside a watched folder). >> >> >> >> Anyway, as a last note, i have a feeling that the oops is not exactly >> >> random, there is a pattern, just that i haven't figured it out comple= tely >> >> yet. >> >> >> >> Will keep you >> >> >> >> uptodate >> >> >> >> with the things i find out. >> >> >> >> V. >> >> >> >> On Mar 29, 2012 4:14 AM, "Eric Paris" wrote: >> >>> >> >>> That patch fixes a BUG() . =A0The report has a NULL ptr deref and so= me >> >>> apparent list correuption.... =A0Sadly they aren't the same.... >> >>> >> >>> On Wed, 2012-03-28 at 15:42 -0700, Peter Moody wrote: >> >>> > fyi: this patch [1] seems to fix the issue for me. The explanation= in >> >>> > the subject would reliably oops my machine. >> >>> > >> >>> > [1] >> >>> > http://git.kernel.org/?p=3Dlinux/kernel/git/torvalds/linux-2.6.git= ;a=3Dcommit;h=3Dfed474857efbed79cd390d0aee224231ca718f63 >> >>> > >> >>> > On Wed, Mar 28, 2012 at 1:51 PM, Peter Moody w= rote: >> >>> > > Are you still able to reliably reproduce this oops? I'm trying t= o >> >>> > > track this down because this bug (or a very similar bug) is caus= ing >> >>> > > some significant headaches here at work, but I haven't had a lot= of >> >>> > > luck. I'm using usermode linux, though, so that might be interfe= ring >> >>> > > with things. >> >>> > > >> >>> > > On Mon, Mar 5, 2012 at 12:35 AM, Valentin Avram >> >>> > > wrote: >> >>> > >> Finally i found some time and spare server to retest the oops a= nd >> >>> > >> list_add >> >>> > >> corruptions i was getting with the 3.x kernels and auditd 2.1.3= . >> >>> > >> >> >>> > >> I tested now with gentoo's latest stable 3.2.1-gentoo-r2 and >> >>> > >> kernel.org's >> >>> > >> 3.2.9. >> >>> > >> >> >>> > >> Both get the oops/BUG in the same way and after that, they keep >> >>> > >> pouring >> >>> > >> list_add corruptions with audit_prune_tre(truncated?) and audit= ctl as >> >>> > >> comms. >> >>> > >> >> >>> > >> Since this is not about Gentoo's kernel only, i'll post here th= e oops >> >>> > >> in >> >>> > >> 3.2.9 and also attach some list_add corruptions. >> >>> > >> >> >>> > >> 3.2.9 BUG: >> >>> > >> >> >>> > >> kernel: [ =A0301.240011] BUG: unable to handle kernel NULL poin= ter >> >>> > >> dereference >> >>> > >> at =A0 (null) >> >>> > >> kernel: [ =A0301.240305] IP: [] __list_del_entry+0x20= /0xe0 >> >>> > >> kernel: [ =A0301.240481] *pdpt =3D 0000000000000000 *pde =3D >> >>> > >> f000ddc8f000ddc8 >> >>> > >> kernel: [ =A0301.240698] Oops: 0000 [#1] SMP >> >>> > >> kernel: [ =A0301.240910] >> >>> > >> kernel: [ =A0301.241030] Pid: 642, comm: fsnotify_mark Not tain= ted >> >>> > >> 3.2.9-drbd-version3 #1 Dell Inc. PowerEdge 2950/0CX396 >> >>> > >> kernel: [ =A0301.241370] EIP: 0060:[] EFLAGS: 0001028= 7 CPU: 6 >> >>> > >> kernel: [ =A0301.241498] EIP is at __list_del_entry+0x20/0xe0 >> >>> > >> kernel: [ =A0301.241623] EAX: f4fae544 EBX: f47cffa4 ECX: fffff= fff EDX: >> >>> > >> 00000000 >> >>> > >> kernel: [ =A0301.241751] ESI: f4fae544 EDI: f4fae508 EBP: f47cf= f7c ESP: >> >>> > >> f47cff64 >> >>> > >> kernel: [ =A0301.241879] =A0DS: 007b ES: 007b FS: 00d8 GS: 0000= SS: 0068 >> >>> > >> kernel: [ =A0301.242005] Process fsnotify_mark (pid: 642, ti=3D= f47ce000 >> >>> > >> task=3Df4f47c00 task.ti=3Df47ce000) >> >>> > >> kernel: [ =A0301.242207] Stack: >> >>> > >> kernel: [ =A0301.242327] =A0c10813c0 f47cffa4 f4f47c00 f4e70888= f47cff7c >> >>> > >> f47cffa4 f47cffb8 c10f6976 >> >>> > >> kernel: [ =A0301.242882] =A0ffffffc3 f4f47c00 f4f47c00 00000000= f4f47c00 >> >>> > >> c10530c0 f47cff9c f47cff9c >> >>> > >> kernel: [ =A0301.243438] =A0f4fae544 f4fae544 f4c47f58 00000000= c10f68f0 >> >>> > >> f47cffe4 c1052834 00000000 >> >>> > >> kernel: [ =A0301.243995] Call Trace: >> >>> > >> kernel: [ =A0301.244119] =A0[] ? >> >>> > >> rcu_check_callbacks+0x110/0x110 >> >>> > >> kernel: [ =A0301.244248] =A0[] fsnotify_mark_destroy+= 0x86/0x120 >> >>> > >> kernel: [ =A0301.244377] =A0[] ? abort_exclusive_wait= +0x80/0x80 >> >>> > >> kernel: [ =A0301.244504] =A0[] ? fsnotify_put_mark+0x= 30/0x30 >> >>> > >> kernel: [ =A0301.244631] =A0[] kthread+0x74/0x80 >> >>> > >> kernel: [ =A0301.244756] =A0[] ? >> >>> > >> kthread_flush_work_fn+0x10/0x10 >> >>> > >> kernel: [ =A0301.244885] =A0[] kernel_thread_helper+0= x6/0xd >> >>> > >> kernel: [ =A0301.245011] Code: 55 f4 8b 45 f8 e9 75 ff ff ff 90= 55 89 >> >>> > >> e5 53 83 >> >>> > >> ec 14 8b 08 8b 50 04 81 f9 00 01 10 00 74 24 81 fa 00 02 20 00 = 0f 84 >> >>> > >> 8e 00 >> >>> > >> 00 00 <8b> 1a 39 d8 75 62 8b 59 04 39 d8 75 35 89 51 04 89 0a 8= 3 c4 >> >>> > >> 14 >> >>> > >> kernel: [ =A0301.248195] EIP: [] __list_del_entry+0x2= 0/0xe0 >> >>> > >> SS:ESP >> >>> > >> 0068:f47cff64 >> >>> > >> kernel: [ =A0301.248414] CR2: 0000000000000000 >> >>> > >> kernel: [ =A0301.248538] ---[ end trace 15082dbfb353f84c ]--- >> >>> > >> >> >>> > >> The kernel was compiled with the following DEBUG support (the b= olded >> >>> > >> one >> >>> > >> were requested by Gentoo's Dev: >> >>> > >> CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=3Dy >> >>> > >> CONFIG_SLUB_DEBUG=3Dy >> >>> > >> CONFIG_HAVE_DMA_API_DEBUG=3Dy >> >>> > >> CONFIG_X86_DEBUGCTLMSR=3Dy >> >>> > >> CONFIG_PNP_DEBUG_MESSAGES=3Dy >> >>> > >> CONFIG_AIC94XX_DEBUG=3Dy >> >>> > >> CONFIG_USB_DEBUG=3Dy >> >>> > >> CONFIG_DEBUG_KERNEL=3Dy >> >>> > >> CONFIG_SCHED_DEBUG=3Dy >> >>> > >> CONFIG_DEBUG_RT_MUTEXES=3Dy >> >>> > >> CONFIG_DEBUG_PI_LIST=3Dy >> >>> > >> CONFIG_DEBUG_BUGVERBOSE=3Dy >> >>> > >> CONFIG_DEBUG_INFO=3Dy >> >>> > >> CONFIG_DEBUG_MEMORY_INIT=3Dy >> >>> > >> CONFIG_DEBUG_LIST=3Dy >> >>> > >> CONFIG_DEBUG_STACKOVERFLOW=3Dy >> >>> > >> CONFIG_DEBUG_RODATA=3Dy >> >>> > >> CONFIG_DEBUG_RODATA_TEST=3Dy >> >>> > >> >> >>> > >> I attached the kernel config i used for 3.2.9 to generate this = oops >> >>> > >> and >> >>> > >> warnings. >> >>> > >> >> >>> > >> From the list_add warnings that come after, out of 805 warnings= i >> >>> > >> processed, >> >>> > >> after masking with XXXXX the PID and next=3D values that kept c= hanging >> >>> > >> in >> >>> > >> every one, i got 26 types of MD5. I also attached the files rel= evant >> >>> > >> as an >> >>> > >> archive to this email. >> >>> > >> >> >>> > >> The Gentoo bug i opened is sleeping, it seems nobody has the ti= me to >> >>> > >> at >> >>> > >> least test to confirm or not the problems i'm seeing (or everyb= ody's >> >>> > >> thinking that nobody would restart auditd so often, so the bug = it's >> >>> > >> not that >> >>> > >> serious). >> >>> > >> >> >>> > >> >> >>> > >> Thank you for your time. >> >>> > >> >> >>> > >> On Wed, Feb 8, 2012 at 6:11 PM, Valentin Avram >> >>> > >> wrote: >> >>> > >> >> >>> > >> >> >>> > >> -- >> >>> > >> Linux-audit mailing list >> >>> > >> Linux-audit@redhat.com >> >>> > >> https://www.redhat.com/mailman/listinfo/linux-audit >> >>> > > >> >>> > > >> >>> > > >> >>> > > -- >> >>> > > Peter Moody =A0 =A0 =A0Google =A0 =A01.650.253.7306 >> >>> > > Security Engineer =A0pgp:0xC3410038 >> >>> > >> >>> > >> >>> > >> >>> >> >>> >> >> >> > >> > >> > >> > -- >> > Peter Moody =A0 =A0 =A0Google =A0 =A01.650.253.7306 >> > Security Engineer =A0pgp:0xC3410038 >> >> >> > > --=20 Peter Moody=A0 =A0 =A0 Google=A0 =A0 1.650.253.7306 Security Engineer=A0 pgp:0xC3410038 --20cf300faff5f02d0904bde3a98f Content-Type: application/x-gzip; name="trace.gz" Content-Disposition: attachment; filename="trace.gz" Content-Transfer-Encoding: base64 X-Attachment-Id: f_h1597grv0 H4sICEyrjU8CA3RyYWNlAM1bbXPbNhL+nP4K3PSLPY0VACQIUFPnLu/NzDXN2O20d5kMBwRBWSeJ 5JCUX/rrbwFSkiWSVhH7OMcosg1Rz7O72F0shNWrokSEI4KnHp9igRJdLeq8QAtdZno5RV8QQj6b iJBjKr6itHqR5fU8vXuxkuVioqZeQNGJKtZTRE6RzuryDqVwCYExlyLF3BfPUVHq6+2wxyVONcPP UaZv63t3Sx3HCu4udaqyGuHvXv112TzqKtuGbU+2nch7su1EdpMtmGAfU94rG/d2sql8VSx1rZPn 6F/vLv/mBB70gQv2FycliPf/tYp3h1vFicCUYhIGnouQof8VzXSmS7kE2rzWqp7nGUrlellPEYYL ffmefEWXP39GTrig/JvPvyHi9i7+Ff2cJ+ulrtByni10gubZFMXzLF3V0WpeKVQUCRinqFb5utKo 0uU8j0p5g1ZzVeYqTzSaUxUV8/mtD++t9TKSs6L9bVbXqJBlkZd1VCi0LDZ/IU2MpukyL4o7B4E9 DGo63Q+B+nmeTJHHnhvfWk3BRRoPiYyHoE95jWppxE2QN/En+KxU3lmeFxX5AX1P0OtcXVXNswsv gSm8+PjZzCjc/uXHtL0EIZoIHrz8ilDv6J50ETDUZX73A74lafAC3/rEJdw8CtN7cdlIIaZ7IZyk GKF37//56sOldTsCOY06YYeA/eqPxmd3l5Do4jWMHoYNunjTuRc7KeNhIHzbAwIqfuyMErj3cJT6 gROhmcPXYL393BcCIRZ9hDjsjjoRekAIN/YYj5A+vQk9FI66mdQ3hN60k91h1N+N8pAK6VtCNu2k TydCCN/34HAdXU7M0ykCZ9zCJ/79VxbZEl58lP9AKnjTcBOM3l622fbd5pc3F3hnYxCAgTliJwKI iDcXtAHhaSI0D7TfQHs7aB6mTDej/sGkBtpJIx/85e19qbee8faC9I7Sx4WgHxhCrxc62I2aKYQn M8oP7vUdCSGBfYZlRlfVQd4+KTZZvb4qtUxgxcr33NiYGF6U1aLjx6dOIsCsXtZSLaYu72KQrLph vMn324HeO3aB6DkFFwN36MbsHoFUXnfuDt/ixMlazmYZA7f3BO5oMTzwTZwmkOVyiX4tpdJO0xIE B+tuIzCsu39HN3Kho3URxfMa1lsfm+XWSa4g7C7qQQu+dd5K183SPp9leakT+KNaRMtcQe0FtJ6h 9ZxoOenopJUytcSiCQ2AVaZ4SJxgBT2ADfyYct/A2pujBjy60stCl8ZiQOFWnoigQ0Fo3Bis1DUU ZVEJBRCYKZLlrDJVkGdIPCcS0WMe3JBE0Tyb11Frp+gmLxdWFW5mgTvpEpI+czU0sypSVzKb6W/T IISZeAOFNtTlAoUaCYIChkSMsEKUIcizSQJRbR5+gkSIEmKefR9RHwG0R5CCl5QZDBniJj7bhy/M IFHmTg1RGaPYg32khVKG4uD+H/3kpWWWhsoLkUoR940UDXMqUCyRAFqykUggxZEKkNCIBS61u09C W0OPUCj71MweVMrox8Mi+aUTDNRTZ2dnX2CjmaDaZCfk8TTEiknpa8EozN5XuGEfk5B+zHBCcQiO ZDG31xek1jW60mUDtb1cME0p/furi08fP32YIlnD1i9+sZxXNZgxXs9g10wFxIYdkYnJH0ECNpX4 5NSJBfz2J1kmNxJkzeQKHLhnH3UEA9a0jRywfyvLdWH2yxO7Nz97aTfu1VW+XiYo1s0+/mTnLMrT nsanz1EMJruRVWe9naATA3S+V9PiWJxOnIRk/3e76IcFNnWc3RUTSv3NvliuE8iFRbnOdFTDjP3a 7Iqn6AOy19vmR88m2Yn6ocX74beyzuLNKAlSyAXgYVlULfObQtZXkVEnz0waT8FrFXbiCLscNAg6 HDCxZskzqYY5EQSH6wRs0iVNgKAv4JyQWbf8SBTfLz/aPGmTJtBIblYj7sbDe3g0uZ+SD1gUcWfh 3uFE6DRONbCss1rOYEFdZwbbk9qke+EGzrrgsN20pmoCIM/0UB1wBJr3QGMG0PeBPeYOHPYAC7kF hpDV0bbg8yUQhE4E4lvryCOwwRPUkQ9ThPhJ6sgjJPSJ6sgjNP4j6sgj0OxYdZL2VCc07MUM+ITh IDQfQZw/5eVCbja8r3/7gBYrWFBydcYIRSfdZet3eD6dos/5vMozlF/r8qac17XOnLjYfhn26MuV 3Ol+SEIfP73/ZYrw7X5po/BZZ4hP0Pt5WdUovqu1eQeGwqOqwZNRnsLfQezCzfGG+5WZFFnbaghV sMON7DTBFjhLoqJaxODGlJv07QGlnOlzAlOKVLE+J6iYJ+fBYRo4wgxaP4tgjZZxw2TChJl0wj03 oNACtW4VZVCeRSZeFpGCERvZMgZYGjjBCmxhWyNY9bnsWxmPwEAienbMnE6Afg9gg0fMOkWd0Ewy frbO5rcR1ABarizcqpqZVc9+uuEzN7ydulAzm8i16S8UxnKxG5RxkCSPqrtMRSZTXzd41wCYmAkl jqqKBq8XymUOOJTxAHWdVjsU3ygYuIFYU93dA7Her9xAWANS65V19yiVVW1qXmP1wBrdCU5s0sF7 KFCaVLCIwWRLLSsdJbKWxmTYLvq9WUDgwIkw3GWBFCiNKZmt0z0nO5gTvGeLFoGEoWu8A4JnLDms rBOW36QkI88mNnXPFuEICtRiz1SeVevVBsUztbl2QxEHEV5qdd1EOLMFohBOeBTfj/C20iSSuAY4 INGDAAcgTV0DG3C8Nho3wnAb0qEbSBtIGxAbi27zRYMnjUW6jcVLiI62NtDSHFNq6UExi/L4P1rV FYQgWlc6MT/T4hzfou11kq2Xy1OULuWsOrduvDvacZz2cCPNL5a1U6uAPP/I07TS9TluxLj/uhcT JzrzmZfT/eBLrWCHYpkDWrcHWhxcTpL4A5KQ0SUJBiSho0vCByTxRpckHJDEH1sSHw9IwkaXZCh2 gtElGYodProkbEASMbokQ7ETji6JGJBEji0JG4qdeHRJhmJHgSSwT44JkhpxaQ7XhGjP5QYlmUwm f8L/yTdJ4g1Ikoxuk6HY0aNLMrQCpqNLMhA7ZPT6JBiIHTJ6fWIOV3olGb0+CQZih4xenwQDsUNG r0+Cgdgho9cnwVDsjF6fBAPVIxm9PuFDsTN6fcKHYmf0+oQPVEpk9PqED/nJ6PWJGPITNbokA5US Gb0+EQO7DDJ6fSKGsr1zfSJZR5KJkyTmuwc6+TPP9L4o1BQocdz/GLwm7eUkgvnyh0ySeTbbF8Ez ax+T/Y/B69/t5SKCOQ2xnTZ+sP0CShKvq7NE6lWeof7TyuNNNkdY6QNNNkfe2ukiETRg2rYZmIP0 upTz5ggsNZ8/E7ePxEPeRY+x6TFQV1otInMCWUUyS6JSmw4nQ2M/5/TdaDqduMJXYbqlaT7mtM2C pkWIupxIcYIPGyUYjoWv7RH9053LAY/X1SJNTMdHQ2Cb9aKiaY8HHzfGsueJwo2mO+OcEd92JD32 LJUT0ukqISJMUmusZL0q7MGqPWKx3VoedkP3x5kKEnR4NOO8bf64fyrjc9dP+QkR/0Nw2mlboUzI xv6VvAZk892G7SzQtKej7QhDj//EYWz952mP0IGrmz8EVY02i5U9JYEIj3akxrGwjXHqRhSO41he N5doGUtrvMc1CgC2N6TDk2pwOP1MSR0Ka6n+Q0KihfMhIfF7km6YsB5lvrFzASg69oI1g2DbcvhE 7QxA0jEXlrJtPbSarItE1jpSSwlJ3R4+MkNDYzeabk5hqRZbcz2ulYIThrtqhNJ7QI3Yc9eC0VGM xbqrCNNs09pniYz3RnVTmiQl1GT2BBY7V0Ck08RMwlhIky2frDGFk04rME0CGjcxKYtClqu8jFKo 46JCl6s52M72SxPhHDOd7zxRlTDa+oFWa9DiroeJej3tqQ8zdb7mREIVktZwj+/AIdzv0UToY5oI 7a5J1wWU5GZ2HtkARLjoIsexKeUe2RVERLfFNtQ0bJCfpj2BmP38+49/3G/nnMIW0jTumh3cX2pl PHdrVwRSz6ktgJitfkfIn2W5MCKaLVfbQmH7J777L0CIo8ZTRAAA --20cf300faff5f02d0904bde3a98f Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline --20cf300faff5f02d0904bde3a98f-- From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peter Moody Subject: Re: Kernel oops+crash on repeated auditd restarts Date: Tue, 17 Apr 2012 11:24:53 -0700 Message-ID: References: <1327519203.4131.25.camel@localhost>

<1332983643.384.8.camel@localhost> <1333660021.2273.0.camel@localhost> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary=20cf300faff5f177bb04bde40f38 Return-path: Received: from mx1.redhat.com (ext-mx13.extmail.prod.ext.phx2.redhat.com [10.5.110.18]) by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id q3HIPRcg027704 for ; Tue, 17 Apr 2012 14:25:27 -0400 Received: from mail-qa0-f45.google.com (mail-qa0-f45.google.com [209.85.216.45]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q3HIPOKO017961 for ; Tue, 17 Apr 2012 14:25:25 -0400 Received: by qaeb19 with SMTP id b19so669632qae.11 for ; Tue, 17 Apr 2012 11:25:24 -0700 (PDT) In-Reply-To: List-Unsubscribe: