Dear Eric Paris,
Sorry for the late reply.
Yes, I have a backtrace and I am attaching it.
The first time the issue was reproduced, I added some debug statements to the file kernel/security/selinux/hooks.c to narrow down the problem, and then we reproduced the issue again.
I am attaching the complete backtrace as well as my additional debug patch for your reference.
Some lines of the backtrace are:
<3>[ 7.482343] Selinux DBG delete:inode_free_security, isec=e53cf2d0,&isec->list=e53cf2d4, sbsec=e8f3d900
<3>[ 7.482378] Selinux DBG delete:sb_finish_set_opts, isec=e53cf2d0,&isec->list=e53cf2d4, sbsec=e8f3d900
<4>[ 7.482413] ------------[ cut here ]------------
<4>[ 7.482439] WARNING: at /home/dpi/qb5_8814/workspace/COMBINATION/android/kernel/lib/list_debug.c:73 __list_del_entry+0x6c/0xbc()
<4>[ 7.482477] list_del corruption. prev->next should be e53cf2d4, but was e92d4010
<4>[ 7.482502] Modules linked in:
<4>[ 7.482527] [<c010c474>] (unwind_backtrace+0x0/0x11c) from [<c0193e98>] (warn_slowpath_common+0x4c/0x64)
<4>[ 7.482570] [<c0193e98>] (warn_slowpath_common+0x4c/0x64) from [<c0193f30>] (warn_slowpath_fmt+0x2c/0x3c)
<4>[ 7.482609] [<c0193f30>] (warn_slowpath_fmt+0x2c/0x3c) from [<c03bdcfc>] (__list_del_entry+0x6c/0xbc)
<4>[ 7.482649] [<c03bdcfc>] (__list_del_entry+0x6c/0xbc) from [<c036bad8>] (sb_finish_set_opts+0x1cc/0x210)
<4>[ 7.482688] [<c036bad8>] (sb_finish_set_opts+0x1cc/0x210) from [<c036cd78>] (selinux_set_mnt_opts+0x3e4/0x444)
<4>[ 7.482728] [<c036cd78>] (selinux_set_mnt_opts+0x3e4/0x444) from [<c036ce08>] (superblock_doinit+0x30/0xb4)
<4>[ 7.482769] [<c036ce08>] (superblock_doinit+0x30/0xb4) from [<c0260b10>] (iterate_supers+0x74/0xc8)
<4>[ 7.482807] [<c0260b10>] (iterate_supers+0x74/0xc8) from [<c037adec>] (security_load_policy+0xa0/0x354)
<4>[ 7.482846] [<c037adec>] (security_load_policy+0xa0/0x354) from [<c03702a4>] (sel_write_load+0xb4/0x634)
<4>[ 7.482883] [<c03702a4>] (sel_write_load+0xb4/0x634) from [<c025dc6c>] (vfs_write+0xa8/0x130)
<4>[ 7.482917] [<c025dc6c>] (vfs_write+0xa8/0x130) from [<c025debc>] (sys_write+0x34/0x68)
<4>[ 7.482954] [<c025debc>] (sys_write+0x34/0x68) from [<c0106000>] (ret_fast_syscall+0x0/0x30)
<4>[ 7.482984] ---[ end trace da227214a82491bc ]---
<6>[ 7.483006] init (1): undefined instruction: pc=c03bdcfc
<6>[ 7.483031] Code: e59f2050 e58d3000 e1a0300c ebf75881 (e7f001f2)
<4>[ 7.483072] [3: init: 1] ------------[ cut here ]------------
<2>[ 7.483099] [3: init: 1] kernel BUG at /home/dpi/qb5_8814/workspace/COMBINATION/android/kernel/lib/list_debug.c:78!
<0>[ 7.483138] [3: init: 1] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
<4>[ 7.483167] [3: init: 1] Modules linked in:
<4>[ 7.483192] [3: init: 1] CPU: 3 Tainted: G W (3.4.0-2012227-eng #1)
<4>[ 7.483226] [3: init: 1] PC is at __list_del_entry+0x6c/0xbc
<4>[ 7.483253] [3: init: 1] LR is at __list_del_entry+0x6c/0xbc
Thanks,
Shivnandan
------- Original Message -------
Sender : Eric Paris<eparis@xxxxxxxxxxxxxx>
Date : Aug 14, 2014 05:27 (GMT+09:00)
Title : Re: [PATCH] Security: List corruption occured during file system automation test
Do you have a backtrace?
On Wed, Aug 13, 2014 at 8:30 AM, Al Viro
> On Wed, Aug 13, 2014 at 05:04:13PM +0530, shivnandan.k@xxxxxxxxxxx wrote:
>> From: Shivnandan Kumar
>>
>> List element was freed by inode_free_security and then it uses rcu
>> element to point inode_free_rcu, since it inside a union so it
>> shares memory, sb_finish_set_opts now also try to free list element,
>
> How in hell does it find that element?
Thanks and Regards,
Shivnandan Kumar
Attachment:
kernel_log.txt
Description: Binary data
Attachment:
selinux_list_corruption_debug.txt
Description: Binary data
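
The order of the two "Selinux DBG delete" lines and the union described in the quoted commit message can be replayed in userland. The C model below is an added example, not code from this thread or from the kernel. Assumptions: the reduced type layouts, the names isec_model, model_free_cb, on_list and replay, the NULL stored in rcu.next, and that the sb_finish_set_opts side already held a pointer to the entry when the other side freed it.

```c
#include <stdio.h>
#include <string.h>

/* Userland stand-ins for the kernel types: a model, not kernel code. */
struct list_head { struct list_head *next, *prev; };
struct rcu_head  { struct rcu_head *next; void (*func)(struct rcu_head *); };
/* Assumed reduction of the structure: list and rcu share one union. */
struct isec_model { union { struct list_head list; struct rcu_head rcu; }; };

static void model_free_cb(struct rcu_head *h) { (void)h; }
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_is_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}
static void list_del_reinit(struct list_head *e) {
    e->prev->next = e->next; e->next->prev = e->prev;
    list_init(e);
}

/* Debug aid: walks only nodes reachable from head, never dereferences e. */
static int on_list(const struct list_head *head, const struct list_head *e) {
    for (const struct list_head *p = head->next; p != head; p = p->next)
        if (p == e) return 1;
    return 0;
}

/* Replays the order of the two "Selinux DBG delete" lines. Result bits:
 * 1 = freed entry no longer looks empty, 2 = list.prev holds the callback
 * address, 4 = membership walk says the second delete must be skipped. */
static int replay(void) {
    struct list_head head; struct isec_model a, b;
    void (*cb)(struct rcu_head *) = model_free_cb;
    int flags = 0;

    list_init(&head);
    list_add_tail(&a.list, &head);
    list_add_tail(&b.list, &head);
    struct list_head *picked = head.next; /* assumed: second path holds a */
    list_del_reinit(&a.list);             /* first path unlinks a         */
    a.rcu.next = NULL; a.rcu.func = cb;   /* assumed effect of queuing it */

    if (!list_is_empty(picked)) flags |= 1;
    if (memcmp(&picked->prev, &cb, sizeof cb) == 0) flags |= 2;
    if (!on_list(&head, picked)) flags |= 4;
    return flags;
}
int main(void) { printf("flags=%d\n", replay()); return 0; }
```

All three bits are set in the model: once the rcu member is written, an emptiness test on the shared list member no longer shows that the entry was already unlinked, which is the state a second list_del would then operate on.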