On 01/16/2015 04:24 AM, Avijit Das wrote:
> Hi All,
>
> I am seeing a kernel panic in SELinux code sometimes during boot-up and in
> random scenarios. Has anyone encountered a similar issue? Any help in this
> is highly appreciated.
>
> *Case 1:*
>
> Device crashes during boot time. The crash happened at task_has_perm()
> as the real_cred->security was 0x7 (freed), so I think this is a race
> condition between calling task_has_perm and switching the credential data of
> the task.
>
> *Case 2:*
>
> kernel panic at security_cred_free->kfree
Those would appear to be bugs in the kernel credential handling code
rather than in SELinux; SELinux is just the messenger. What kernel
version are you using?
>
> _Code snippet_
>
> static void selinux_cred_free(struct cred *cred)
> {
> 	struct task_security_struct *tsec = cred->security;
>
> 	/*
> 	 * cred->security == NULL if security_cred_alloc_blank() or
> 	 * security_prepare_creds() returned an error.
> 	 */
> 	BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
> 	/* poison the pointer so a later use of the freed blob faults at a recognisable address */
> 	cred->security = (void *) 0x7UL;
> 	kfree(tsec);
> }
>
> *_Case 1 logs:_*
>
> 16.406699: <6> chmod (1290): undefined instruction: pc=b6e675a8
> 16.406741: <6> Code: ea000002 00000000 f26ee1fe e12fff1e (ee190f1d)
> 16.865789: <6> binder: 307:307 BC_REQUEST_DEATH_NOTIFICATION death notification already set
> 16.911807: <6> usb_notifier: usb: usbgadget_ready,gadget_state:2
> 16.913535: <6> RKP RO CRED ALLOC -> order 0, c1542000
> 17.001396: <6> Unable to handle kernel NULL pointer dereference at virtual address 0000000b
> 17.001444: <6> pgd = c0004000
> 17.001469: <2> [0000000b] *pgd=00000000
> 17.001538: <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> 17.001575: <2> Modules linked in: mhi(O)
> 17.001611: <6> CPU: 1 PID: 1320 Comm: kworker/u8:5 Tainted: G W O 3.10.40-3767095 #1
> 17.001650: <6> task: f5661a40 ti: f3aa0000 task.ti: f3aa0000
> 17.001684: <2> PC is at task_has_perm+0x1c/0x58
> 17.001711: <2> LR is at task_has_perm+0x14/0x58
> 17.001744: <2> pc : [<c0376504>] lr : [<c03764fc>] psr: 600f0013
> sp : f3aa1eb8 ip : c1514480 fp : f3aa0000
> 17.001801: <2> r10: fffffff6 r9 : f3aa1f68 r8 : f3aa0000
> 17.001831: <2> r7 : f3e1de80 r6 : f5661a40 r5 : f44fc440 r4 : 00000004
> 17.001863: <2> r3 : 00000007 r2 : 00000001 r1 : f5661a40 r0 : f44fc440
> 17.001897: <2> Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
> 17.001932: <2> Control: 10c5787d Table: 3456406a DAC: 00000015
> 17.001965: <2>
> PC: 0xc0376484:
> ....
> ....
>
> 17.008257: <2> [<c0376504>] (task_has_perm+0x1c/0x58) from [<c0374770>] (security_task_wait+0x14/0x1c)
> 17.008313: <2> [<c0374770>] (security_task_wait+0x14/0x1c) from [<c0179364>] (wait_consider_task+0x74/0xaa0)
> 17.008367: <2> [<c0179364>] (wait_consider_task+0x74/0xaa0) from [<c0179ee8>] (do_wait+0x158/0x268)
> 17.008422: <2> [<c0179ee8>] (do_wait+0x158/0x268) from [<c017a3e8>] (SyS_wait4+0xa0/0xc0)
> 17.008469: <2> [<c017a3e8>] (SyS_wait4+0xa0/0xc0) from [<c018b9f0>] (wait_for_helper+0x7c/0xa0)
> 17.008521: <2> [<c018b9f0>] (wait_for_helper+0x7c/0xa0) from [<c0105fd8>] (ret_from_fork+0x14/0x3c)
> 17.008567: <6> Code: e1a04002 ebf86d6c e5953350 e593305c (e5937004)
> 17.008628: <6> ---[ end trace dec6997083161641 ]---
> 17.008660: <6> Kernel panic - not syncing: Fatal exception
>
> *_Case 2 logs:_*
>
> 210667.169453: <6> Unable to handle kernel paging request at virtual address 1c314076
> 210667.169468: <6> pgd = c0004000
> 210667.169477: <2> [1c314076] *pgd=00000000
> 210667.169491: <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> 210667.169500: <2> Modules linked in: touchx [last unloaded: wlan]
> 210667.169523: <6> CPU: 3 PID: 24 Comm: ksoftirqd/3 Tainted: G W O 3.10.40-eng-g3951ac3 #1
> 210667.169532: <6> task: e76a0a80 ti: e76aa000 task.ti: e76aa000
> 210667.169546: <2> PC is at kfree+0xdc/0x220
> 210667.169562: <2> LR is at security_cred_free+0x14/0x1c
> 210667.169571: <2> pc : [<c02395f0>] lr : [<c035e7a4>] psr: 000f0013
> sp : e76abe60 ip : c0191a68 fp : 00000fff
> 210667.169581: <2> r10: 00000001 r9 : 00000008 r8 : c119b440
> 210667.169589: <2> r7 : c124fc40 r6 : e76aa000 r5 : 90520440 r4 : 1c314076
> 210667.169597: <2> r3 : 50f1f241 r2 : c5000000 r1 : 1c314076 r0 : 90520440
> 210667.169606: <2> Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
> 210667.169615: <2> Control: 10c5787d Table: 2357c06a DAC: 00000015
> 210667.169624: <2>
> ....
> ....
>
> 210667.172236: <2> [<c02395f0>] (kfree+0xdc/0x220) from [<c035e7a4>] (security_cred_free+0x14/0x1c)
> 210667.172255: <2> [<c035e7a4>] (security_cred_free+0x14/0x1c) from [<c0191a98>] (put_cred_rcu+0x30/0xac)
> 210667.172274: <2> [<c0191a98>] (put_cred_rcu+0x30/0xac) from [<c01da6cc>] (rcu_process_callbacks+0x338/0x590)
> 210667.172294: <2> [<c01da6cc>] (rcu_process_callbacks+0x338/0x590) from [<c0174598>] (__do_softirq+0x150/0x2b4)
> 210667.172311: <2> [<c0174598>] (__do_softirq+0x150/0x2b4) from [<c0174720>] (run_ksoftirqd+0x24/0x58)
> 210667.172327: <2> [<c0174720>] (run_ksoftirqd+0x24/0x58) from [<c0193708>] (smpboot_thread_fn+0x20c/0x224)
> 210667.172343: <2> [<c0193708>] (smpboot_thread_fn+0x20c/0x224) from [<c018c3b0>] (kthread+0xa0/0xac)
> 210667.172360: <2> [<c018c3b0>] (kthread+0xa0/0xac) from [<c0105f18>] (ret_from_fork+0x14/0x3c)
> 210667.172372: <6> Code: f57ff05f e7923003 e3130902 11a04001 (e5943000)
> 210667.172382: <6> ---[ end trace e99c3ffdc45a06ec ]---
> 210667.186836: <6> Kernel panic - not syncing: Fatal exception in interrupt
>
> Thanks,
> Avijit
>
> _______________________________________________
> Seandroid-list mailing list
> [email protected]
> To unsubscribe, send email to [email protected].
> To get help, send an email containing "help" to
> [email protected].
>
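Both oopses above carry the same tell: the 0x7 poison that selinux_cred_free() writes into cred->security turns up where a live pointer should be (case 1 faults at 0x0000000b, i.e. poison plus a 4-byte field offset, with r3 == 7; case 2 hands a garbage cred->security to kfree() from the RCU callback). The triage script below is an added example, not code from the thread or the kernel; it parses the register-dump lines quoted above (embedded here unwrapped, as constructed samples) and names which of the two failure modes each one matches.

```python
import re

# Poison value the thread's selinux_cred_free() writes into cred->security.
CRED_SECURITY_POISON = 0x7
PAGE_SIZE = 0x1000

PREFIX_RE = re.compile(r"^[\d.]+:\s*<\d>\s*")  # "17.001684: <2> " timestamp/loglevel
FAULT_RE = re.compile(r"Unable to handle kernel .*? at virtual address ([0-9a-f]+)")
SYM_RE = re.compile(r"^(PC|LR) is at ([A-Za-z_][\w.]*)")
REG_RE = re.compile(r"\b(r\d{1,2}|sp|ip|fp|pc|lr)\s*:\s*(?:\[<)?([0-9a-f]{8})")

# Constructed samples: the relevant lines of the two oopses in the thread, unwrapped.
CASE1 = """17.001396: <6> Unable to handle kernel NULL pointer dereference at virtual address 0000000b
17.001684: <2> PC is at task_has_perm+0x1c/0x58
17.001711: <2> LR is at task_has_perm+0x14/0x58
17.001863: <2> r3 : 00000007 r2 : 00000001 r1 : f5661a40 r0 : f44fc440"""
CASE2 = """210667.169453: <6> Unable to handle kernel paging request at virtual address 1c314076
210667.169546: <2> PC is at kfree+0xdc/0x220
210667.169562: <2> LR is at security_cred_free+0x14/0x1c
210667.169597: <2> r3 : 50f1f241 r2 : c5000000 r1 : 1c314076 r0 : 90520440"""

def parse_oops(text):
    """Extract fault address, PC/LR symbols and register values from an ARM oops."""
    oops = {"fault": None, "pc": None, "lr": None, "regs": {}}
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw.strip())
        if (m := FAULT_RE.search(line)):
            oops["fault"] = int(m.group(1), 16)
        elif (m := SYM_RE.match(line)):
            oops[m.group(1).lower()] = m.group(2)
        else:
            for reg, val in REG_RE.findall(line):
                oops["regs"][reg] = int(val, 16)
    return oops

def diagnose(oops):
    """Match the oops against the two credential failure modes seen in the thread."""
    fault, pc, lr, regs = oops["fault"], oops["pc"], oops["lr"], oops["regs"]
    if fault is not None and CRED_SECURITY_POISON <= fault < PAGE_SIZE:
        # Fault just above the poison: a field was read through a freed
        # cred->security (in the 3.10 layout offset 4 is tsec->sid; osid is first).
        off = fault - CRED_SECURITY_POISON
        hits = [r for r, v in sorted(regs.items()) if v == CRED_SECURITY_POISON]
        return "use-after-free: poisoned cred->security read at offset %d in %s (poison in %s)" % (
            off, pc, ", ".join(hits) or "no register")
    if pc == "kfree" and lr == "security_cred_free":
        return "bad cred->security pointer 0x%08x passed to kfree(): double free or corrupted cred" % fault
    return "no credential signature: fault at 0x%x in %s" % (fault, pc)
```

Feed a full oops in and the register scan also flags any other register holding the poison, which helps tell a stale cred read apart from an unrelated NULL dereference.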