Hello, I revceived the strace file which made the email too big for the mail list. I'm including the important part below.
On Wednesday, July 6, 2016 6:31:00 PM EDT Laurent Bigonville wrote: > Le 06/07/16 à 18:23, Steve Grubb a écrit : > >So, I'm note sure why you are getting a > > core dump. If this is reproducible it might be good to get an strace to see > > what is being handed to writev. Or maybe try it from valgrind to see if > > that gives additional information. > > Valgrind is a bit broken in debian unstable due to the compressed debug > symbols. > > I've attached here the output of strace [pid 1595] write(4</var/log/audit/audit.log>, "type=SYSCALL msg=audit(1467798264.913:1259): arch=c000003e syscall=47 success=yes exit=267 a0=6 a1=7ffe30a5e630 a2=40000040 a3=ffffffff items=0 ppid=1 pid=1108 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=\"systemd-journal\" exe=\"/lib/systemd/systemd-journald\" subj=system_u:system_r:syslogd_t:s0 key=(null)\n", 364) = 364 [pid 1595] fstatfs(4</var/log/audit/audit.log>, {f_type=EXT2_SUPER_MAGIC, f_bsize=4096, f_blocks=3838052, f_bfree=1172381, f_bavail=987245, f_files=977280, f_ffree=703441, f_fsid={9930339, 726475040}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0 This shows that it made it to write_to_log and then called check_log_file_size [pid 1595] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x90430527} --- [pid 1602] +++ killed by SIGSEGV (core dumped) +++ +++ killed by SIGSEGV (core dumped) +++ The traceback is not accurate. We are somewhere else in the code. I am going to bet that its crashing on trying to ack because in the netlink path its not getting set to NULL. I updated svn with a 1 line fix. Can you either pull the new code from svn and try it or add this patch to your build? https://fedorahosted.org/audit/changeset/1320/trunk/src/auditd.c Let me know if this does it. Thanks, -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit