* security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
@ 2010-02-01 5:06 Shi Weihua
2010-02-01 17:05 ` Mimi Zohar
2010-02-01 18:03 ` hooanon05
0 siblings, 2 replies; 4+ messages in thread
From: Shi Weihua @ 2010-02-01 5:06 UTC (permalink / raw)
To: zohar, Ingo Molnar; +Cc: LKML
[-- Attachment #1: Type: text/plain, Size: 2873 bytes --]
Hi, Mimi
Used the latest LTP to test 2.6.33-rc6, a Kernel BUG occured on my x86_64 (OS: Fedora 12).
The message from dmesg is as following.
The LTP case is testcases/kernel/syscalls/pipe/pipe06.c. For seeing code easily, I
recreated a simple code to reproduce this BUG. please check the code in the attached.
I bisected a commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd,
--------
commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Thu Oct 22 17:30:13 2009 -0400
LSM: imbed ima calls in the security hooks
--------
Maybe you should fix it ;-)
--------------------------------------------------------------------------
BUG: unable to handle kernel NULL pointer dereference at 00000000000000ae
IP: [<ffffffff811e3057>] ima_file_free+0x2e/0x1fb
PGD 13a08e067 PUD 139fdf067 PMD 0
Oops: 0000 [#2] SMP
last sysfs file: /sys/devices/pci0000:00/0000:00:1c.1/0000:19:00.0/0000:1a:00.0/irq
CPU 1
Pid: 1868, comm: a.out Tainted: G D 2.6.33-rc6 #1 D2671/PRIMERGY
RIP: 0010:[<ffffffff811e3057>] [<ffffffff811e3057>] ima_file_free+0x2e/0x1fb
RSP: 0018:ffff88013a713e48 EFLAGS: 00010202
RAX: ffff8801325a70c0 RBX: ffff88013a1c1f00 RCX: 0000041500000415
RDX: 000004143a713e68 RSI: ffffffff81a3a080 RDI: ffff88013a1c1f00
RBP: ffff88013a713e88 R08: ffff88013b75c8c0 R09: ffff88013a713ec8
R10: ffff88013a713df8 R11: ffff88013a713e08 R12: ffff88013a1c1f00
R13: 0000000000000000 R14: 00000000ffffffe8 R15: ffff88013a713f38
FS: 00007f6e5ea48700(0000) GS:ffff880028280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000ae CR3: 000000013a101000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process a.out (pid: 1868, threadinfo ffff88013a712000, task ffff880137e20000)
Stack:
000004143a713e68 0000041500000415 ffff88013fc03500 ffff88013a1c1f00
<0> ffff880133d3a000 ffff88013a1c1f00 00000000ffffffe8 ffff88013a713f38
<0> ffff88013a713ea8 ffffffff811c87f9 ffff88013a713ea8 ffff88013a1c1f00
Call Trace:
[<ffffffff811c87f9>] security_file_free+0x2d/0x31
[<ffffffff81106767>] put_filp+0x22/0x36
[<ffffffff8110c53c>] free_write_pipe+0x2f/0x34
[<ffffffff8110d161>] do_pipe_flags+0xdc/0xf6
[<ffffffff8110d19c>] sys_pipe2+0x21/0x63
[<ffffffff8110d1ee>] sys_pipe+0x10/0x12
[<ffffffff81009c72>] system_call_fastpath+0x16/0x1b
Code: e5 41 57 41 56 41 55 41 54 53 48 83 ec 18 0f 1f 44 00 00 83 3d a2 50 bb 00 00 48 8b 47 18 49 89 fc 4c 8b 68 10 0f 84 bb 01 00 00 <41> 0f b7 85 ae 00 00 00 25 00 f0 00 00 3d 00 80 00 00 0f 85 a3
RIP [<ffffffff811e3057>] ima_file_free+0x2e/0x1fb
RSP <ffff88013a713e48>
CR2: 00000000000000ae
---[ end trace 1d8416bb1c67accb ]---
--------------------------------------------------------------------------
Shi Weihua
[-- Attachment #2: pipe.c --]
[-- Type: text/plain, Size: 394 bytes --]
#include <fcntl.h>
#include <errno.h>
int pipe_ret, pipes[2];
int main(int ac, char **av)
{
int i, numb_fds;
numb_fds = getdtablesize();
for (i = 0; i < numb_fds; i++) {
pipe_ret = pipe(pipes);
if (pipe_ret < 0) {
if (errno != EMFILE)
printf ("got unexpected error - %d", errno);
else
printf ("got expected error - %d", errno);
break;
}
}
return 0;
}
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
2010-02-01 5:06 security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd Shi Weihua
@ 2010-02-01 17:05 ` Mimi Zohar
2010-02-01 18:03 ` hooanon05
1 sibling, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2010-02-01 17:05 UTC (permalink / raw)
To: Shi Weihua; +Cc: LKML, Ingo Molnar, Al Viro
Shi Weihua <shiwh@cn.fujitsu.com> wrote on 02/01/2010 12:06:44 AM:
> Hi, Mimi
>
> Used the latest LTP to test 2.6.33-rc6, a Kernel BUG occured on my
x86_64 (OS:
> Fedora 12).
> The message from dmesg is as following.
> The LTP case is testcases/kernel/syscalls/pipe/pipe06.c. For seeing code
easily, I
> recreated a simple code to reproduce this BUG. please check the code in
the attached.
>
> I bisected a commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd,
> --------
> commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
> Author: Mimi Zohar <zohar@linux.vnet.ibm.com>
> Date: Thu Oct 22 17:30:13 2009 -0400
>
> LSM: imbed ima calls in the security hooks
> --------
> Maybe you should fix it ;-)
Thanks for isolating the problem. The problem is caused by
free_write_pipe()
calling path_put(), which puts the dentry and mnt, before it calls
put_filp().
The ordering should be like in __fput(), which puts the dentry and mnt as
the
last thing it does.
Mimi
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
2010-02-01 5:06 security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd Shi Weihua
2010-02-01 17:05 ` Mimi Zohar
@ 2010-02-01 18:03 ` hooanon05
2010-02-01 18:35 ` Mimi Zohar
1 sibling, 1 reply; 4+ messages in thread
From: hooanon05 @ 2010-02-01 18:03 UTC (permalink / raw)
To: Shi Weihua; +Cc: zohar, Ingo Molnar, LKML
Shi Weihua:
> Used the latest LTP to test 2.6.33-rc6, a Kernel BUG occured on my x86_64 (OS: Fedora 12).
> The message from dmesg is as following.
> The LTP case is testcases/kernel/syscalls/pipe/pipe06.c. For seeing code easily, I
> recreated a simple code to reproduce this BUG. please check the code in the attached.
>
> I bisected a commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd,
The problem is already known and a patch is posted in last year.
http://marc.info/?l=linux-kernel&m=126206539702176&w=2
J. R. Okajima
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd
2010-02-01 18:03 ` hooanon05
@ 2010-02-01 18:35 ` Mimi Zohar
0 siblings, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2010-02-01 18:35 UTC (permalink / raw)
To: hooanon05; +Cc: LKML, Ingo Molnar, Shi Weihua, Al Viro
hooanon05@yahoo.co.jp wrote on 02/01/2010 01:03:33 PM:
> Shi Weihua:
> > Used the latest LTP to test 2.6.33-rc6, a Kernel BUG occured on my
x86_64
> (OS: Fedora 12).
> > The message from dmesg is as following.
> > The LTP case is testcases/kernel/syscalls/pipe/pipe06.c. For seeing
code easily, I
> > recreated a simple code to reproduce this BUG. please check the code
in the attached.
> >
> > I bisected a commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd,
>
> The problem is already known and a patch is posted in last year.
> http://marc.info/?l=linux-kernel&m=126206539702176&w=2
>
>
> J. R. Okajima
Thanks for the pointer. Al, can you please push this patch forward?
Thanks!
Mimi
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-02-01 18:35 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-02-01 5:06 security ima: Kernel BUG in ima_file_free -- bisected to commit 6c21a7fb492bf7e2c4985937082ce58ddeca84bd Shi Weihua
2010-02-01 17:05 ` Mimi Zohar
2010-02-01 18:03 ` hooanon05
2010-02-01 18:35 ` Mimi Zohar
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.