xfs
[Top] [All Lists]

Re: Occasional memory fault in inode_has_perm() while running xfstest 23

To: Eric Paris <eparis@xxxxxxxxxxxxxx>
Subject: Re: Occasional memory fault in inode_has_perm() while running xfstest 234
From: Chandra Seetharaman <sekharan@xxxxxxxxxx>
Date: Mon, 14 Nov 2011 15:55:13 -0600
Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx>, XFS Mailing List <xfs@xxxxxxxxxxx>, linux-security-module@xxxxxxxxxxxxxxx
In-reply-to: <CACLa4psaXKWT0uQBdQFTkT6bzqLED1dZna5RhBK3-oZ=6LjDRw@xxxxxxxxxxxxxx>
Organization: IBM
References: <1320961003.2201.27.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20111114102755.GA31043@xxxxxxxxxxxxx> <CACLa4psaXKWT0uQBdQFTkT6bzqLED1dZna5RhBK3-oZ=6LjDRw@xxxxxxxxxxxxxx>
Reply-to: sekharan@xxxxxxxxxx
On Mon, 2011-11-14 at 10:13 -0500, Eric Paris wrote:
> The only way this can happen is if the filesystem is creating inodes
> and not calling security_inode_alloc() (which should be done in
> inode_init_always)
> 
> I can only guess (and believe me it is a complete wild guess after
> looking at grep for 5 seconds) it has something to do with the XFS
> __releases() function which does some weirdness in the case of a
> failed call to inode_init_always().
> 
> The only other option is an FS somehow still uses an inode after
> __destroy_inode(), but I'd assume that would land you in other
> troubles.  In either case, I'm hard pressed to blame SELinux/LSM,
> since the VFS does appear to be hooked in the right places
> (inode_init_alwasys and __destroy_inode) to set and unset
> inode->i_security....

Hi Eric,

Thanks for your response.

I added code to print inode value at xfs_iget_cache_hit() and
inode_has_perm().

I see the inode values printed at inode_has_perm() but not at
xfs_iget_cache_hit(), which means the failure at xfs_iget_cache_hit() is
not the cause for the inode_security being NULL at inode_has_perm().

So, it makes me think that the memory fault I see is related to the
(error path) code in xfs_iget_cache_hit().

Any other suggestions to try ?

Chandra
> 
> -Eric
> 
> On Mon, Nov 14, 2011 at 5:27 AM, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> > This looks like a selinux issues.  Ccing the LSM list.
> >
> > On Thu, Nov 10, 2011 at 03:36:43PM -0600, Chandra Seetharaman wrote:
> >> Hi All,
> >>
> >> While debugging the xfstest case 234, I was occasionally hitting the
> >> following memory fault. Has anybody seen it ?
> >>
> >> -----------------
> >> IP: [<ffffffff811e57ff>] inode_has_perm+0x1f/0x40
> >> PGD 0
> >> Oops: 0000 [#1] SMP
> >> CPU 0
> >> Modules linked in: xfs exportfs ebtable_nat ebtables ipt_MASQUERADE 
> >> iptable_nat nf_nat iptable_mangle bridge stp llc autofs4 sunrpc 
> >> cpufreq_ondemand acpi_cpufreq freq_table mperf ipt_REJECT 
> >> nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT 
> >> nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter 
> >> ip6_tables ipv6 ext3 jbd dm_mirror dm_region_hash dm_log dm_mod vhost_net 
> >> macvtap macvlan tun kvm_intel kvm cdc_ether usbnet mii microcode serio_raw 
> >> i2c_i801 i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac 
> >> edac_core ses enclosure sg igb dca ext4 mbcache jbd2 sd_mod crc_t10dif 
> >> ahci libahci megaraid_sas [last unloaded: scsi_wait_scan]
> >>
> >> Pid: 32611, comm: setquota Not tainted 3.1.0-rc9.virgin+ #6 IBM  System 
> >> x3630 M3 -[7377AC1]-/69Y1101
> >> RIP: 0010:[<ffffffff811e57ff>]  [<ffffffff811e57ff>] 
> >> inode_has_perm+0x1f/0x40
> >> RSP: 0018:ffff880642bcdb78  EFLAGS: 00010246
> >> RAX: 0000000000800002 RBX: ffff88064f2205f8 RCX: 0000000000800000
> >> RDX: 0000000000800000 RSI: 0000000000000000 RDI: ffff880649e58480
> >> RBP: ffff880642bcdb78 R08: ffff880642bcdb88 R09: 0000000000000080
> >> R10: ffff880658ffff00 R11: ffff880642bcdb88 R12: 0000000000000081
> >> R13: ffff88064f2205f8 R14: ffff8806592b8100 R15: 0000000000000000
> >> FS:  00007f56dfa3a700(0000) GS:ffff88067f200000(0000) 
> >> knlGS:0000000000000000
> >> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> >> CR2: 0000000000000020 CR3: 0000000642b30000 CR4: 00000000000006f0
> >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> >> Process setquota (pid: 32611, threadinfo ffff880642bcc000, task 
> >> ffff8806592b8100)
> >> Stack:
> >> ffff880642bcdc18 ffffffff811e5d79 0000000000000009 0000000000000000
> >> ffff88064f2205f8 0000000000000000 0000000000000000 0000000000000000
> >> 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> >> Call Trace:
> >> [<ffffffff811e5d79>] selinux_inode_permission+0xa9/0x100
> >> [<ffffffff811e323c>] security_inode_permission+0x1c/0x30
> >> [<ffffffff81162509>] inode_permission+0x49/0x100
> >> [<ffffffff81164b57>] link_path_walk+0x87/0x810
> >> [<ffffffff810fedfa>] ? unlock_page+0x2a/0x40
> >> [<ffffffff81165955>] path_lookupat+0x55/0x690
> >> [<ffffffff81125867>] ? handle_pte_fault+0xf7/0xb50
> >> [<ffffffff81165fc1>] do_path_lookup+0x31/0xc0
> >> [<ffffffff81162168>] ? getname_flags+0x1f8/0x280
> >> [<ffffffff81166df9>] user_path_at+0x59/0xa0
> >> [<ffffffff8112641b>] ? handle_mm_fault+0x15b/0x270
> >> [<ffffffff814af8c0>] ? do_page_fault+0x1e0/0x460
> >> [<ffffffff81146a62>] ? kmem_cache_alloc+0x152/0x190
> >> [<ffffffff8115b9c7>] vfs_fstatat+0x47/0x80
> >> [<ffffffff81077571>] ? do_sigaction+0x91/0x1d0
> >> [<ffffffff8115badb>] vfs_stat+0x1b/0x20
> >> [<ffffffff8115bb04>] sys_newstat+0x24/0x50
> >> [<ffffffff810c3c4f>] ? audit_syscall_entry+0x1bf/0x1f0
> >> [<ffffffff814b29c2>] system_call_fastpath+0x16/0x1b
> >> Code: 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 66 66 66 66 90 f6 46 
> >> 0d 02 75 23 48 8b 76 38 48 8b 7f 68 45 89 c1 49 89 c8 89 d1 <0f> b7 46 20 
> >> 8b 7f 04 8b 76 1c 89 c2 e8 a0 f9 ff ff c9 c3 31 c0
> >> RIP  [<ffffffff811e57ff>] inode_has_perm+0x1f/0x40
> >> RSP <ffff880642bcdb78>
> >> CR2: 0000000000000020
> >> ---[ end trace 5d054c892d311b3f ]---
> >> ----------------------------
> >>
> >> I made some code changes and found that inode->i_security is the data
> >> structure that is NULL.
> >>
> >> I added the following code
> >> ------------------
> >> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> >> index 266a229..43870ec 100644
> >> --- a/security/selinux/hooks.c
> >> +++ b/security/selinux/hooks.c
> >> @@ -1466,6 +1466,7 @@ static int task_has_system(struct task_struct *tsk,
> >>                           SECCLASS_SYSTEM, perms, NULL);
> >>  }
> >>
> >> +u64 isec_yes;
> >>  /* Check whether a task has a particular permission to an inode.
> >>     The 'adp' parameter is optional and allows other audit
> >>     data to be passed (e.g. the dentry). */
> >> @@ -1486,6 +1487,13 @@ static int inode_has_perm(const struct cred *cred,
> >>       sid = cred_sid(cred);
> >>       isec = inode->i_security;
> >>
> >> +     if (isec)
> >> +             isec_yes++;
> >> +     else {
> >> +             printk("isec NULL; isec_yes %llu\n", isec_yes);
> >> +             return -EACCES;
> >> +     }
> >> +
> >>       return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, 
> >> flags);
> >>  }
> >>
> >> --------------------------------
> >>
> >> and this is what I see in /var/log/messages
> >> -----------------------------
> >> isec NULL; isec_yes 14345860
> >> isec NULL; isec_yes 102846678
> >> isec NULL; isec_yes 107203361
> >> isec NULL; isec_yes 136859591
> >> isec NULL; isec_yes 140941549
> >> isec NULL; isec_yes 168163633
> >> isec NULL; isec_yes 222030886
> >> isec NULL; isec_yes 238835570
> >> isec NULL; isec_yes 263587444
> >> isec NULL; isec_yes 280912141
> >> ------------------------------
> >>
> >> Can somebody throw some light on it ?
> >>
> >> I am using xfs.sgi.com with commit 9e4c109ac822395e0aae650e4e3c9e4903f6602f
> >> at the top.
> >>
> >> Regards,
> >>
> >> Chandra
> >>
> >> _______________________________________________
> >> xfs mailing list
> >> xfs@xxxxxxxxxxx
> >> http://oss.sgi.com/mailman/listinfo/xfs
> > ---end quoted text---
> > --
> > To unsubscribe from this list: send the line "unsubscribe 
> > linux-security-module" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at  http://vger.kernel.org/majordomo-info.html
> >
> 


<Prev in Thread] Current Thread [Next in Thread>