> Date: Fri, 16 Jan 2015 09:07:50 -0500
> From: [email protected]
> To: [email protected]; [email protected]
> Subject: Re: kernel panic in selinux driver
> 
> On 01/16/2015 04:24 AM, Avijit Das wrote:
> > Hi All,
> > 
> >  
> > 
> > I am seeing a kernel panic in selinux code sometimes during boot up and in
> > random scenarios. Has anyone encountered a similar issue? Any help with this
> > is highly appreciated.
> Those would appear to be bugs in the kernel credential handling code
> rather than in SELinux; SELinux is just the messenger. What kernel
> version are you using?
[Avijit] I am using kernel version 3.10 


> >  
> > 
> > *Case 1:*
> > 
> > Device crashes during boot time. The crash happened at task_has_perm()
> > as the real_cred->security was 0x7 (freed), so I think this is a race
> > condition between calling task_has_perm and switching credential data of
> > the task.
> > 
> >  
> > 
> > *Case 2:*
> > 
> > kernel panic at security_cred_free->kfree
> 
> Those would appear to be bugs in the kernel credential handling code
> rather than in SELinux; SELinux is just the messenger.  What kernel
> version are you using?
> 
> > 
> >  
> > 
> >  
> > 
> > _Code snippet_
> > 
> > static void selinux_cred_free(struct cred *cred)
> > {
> >     struct task_security_struct *tsec = cred->security;
> > 
> >     /*
> >      * cred->security == NULL if security_cred_alloc_blank() or
> >      * security_prepare_creds() returned an error.
> >      */
> >     BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
> >     cred->security = (void *) 0x7UL;
> >     kfree(tsec);
> > }
> > 
> >  
> > 
> >  
> > 
> > *_Case 1 logs:_*
> > 
> >  
> > 
> >     16.406699:   <6> chmod (1290): undefined instruction: pc=b6e675a8
> > 
> >     16.406741:   <6> Code: ea000002 00000000 f26ee1fe e12fff1e (ee190f1d) 
> > 
> >     16.865789:   <6> binder: 307:307 BC_REQUEST_DEATH_NOTIFICATION death
> > notification already set
> > 
> >     16.911807:   <6> usb_notifier: usb: usbgadget_ready,gadget_state:2
> > 
> >     16.913535:   <6> RKP RO CRED ALLOC -> order 0, c1542000
> > 
> >     17.001396:   <6> Unable to handle kernel NULL pointer dereference at
> > virtual address 0000000b
> > 
> >     17.001444:   <6> pgd = c0004000
> > 
> >     17.001469:   <2> [0000000b] *pgd=00000000
> > 
> >     17.001538:   <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> > 
> >     17.001575:   <2> Modules linked in: mhi(O)
> > 
> >     17.001611:   <6> CPU: 1 PID: 1320 Comm: kworker/u8:5 Tainted: G    
> >    W  O 3.10.40-3767095 #1
> > 
> >     17.001650:   <6> task: f5661a40 ti: f3aa0000 task.ti: f3aa0000
> > 
> >     17.001684:   <2> PC is at task_has_perm+0x1c/0x58
> > 
> >     17.001711:   <2> LR is at task_has_perm+0x14/0x58
> > 
> >     17.001744:   <2> pc : [<c0376504>]    lr : [<c03764fc>]    psr: 600f0013
> > 
> > sp : f3aa1eb8  ip : c1514480  fp : f3aa0000
> > 
> >     17.001801:   <2> r10: fffffff6  r9 : f3aa1f68  r8 : f3aa0000
> > 
> >     17.001831:   <2> r7 : f3e1de80  r6 : f5661a40  r5 : f44fc440  r4 :
> > 00000004
> > 
> >     17.001863:   <2> r3 : 00000007  r2 : 00000001  r1 : f5661a40  r0 :
> > f44fc440
> > 
> >     17.001897:   <2> Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM
> >  Segment kernel
> > 
> >     17.001932:   <2> Control: 10c5787d  Table: 3456406a  DAC: 00000015
> > 
> >     17.001965:   <2> 
> > 
> > PC: 0xc0376484:
> > 
> > ....
> > 
> > ....
> > 
> >  
> > 
> >     17.008257:   <2> [<c0376504>] (task_has_perm+0x1c/0x58) from
> > [<c0374770>] (security_task_wait+0x14/0x1c)
> > 
> >     17.008313:   <2> [<c0374770>] (security_task_wait+0x14/0x1c) from
> > [<c0179364>] (wait_consider_task+0x74/0xaa0)
> > 
> >     17.008367:   <2> [<c0179364>] (wait_consider_task+0x74/0xaa0) from
> > [<c0179ee8>] (do_wait+0x158/0x268)
> > 
> >     17.008422:   <2> [<c0179ee8>] (do_wait+0x158/0x268) from
> > [<c017a3e8>] (SyS_wait4+0xa0/0xc0)
> > 
> >     17.008469:   <2> [<c017a3e8>] (SyS_wait4+0xa0/0xc0) from
> > [<c018b9f0>] (wait_for_helper+0x7c/0xa0)
> > 
> >     17.008521:   <2> [<c018b9f0>] (wait_for_helper+0x7c/0xa0) from
> > [<c0105fd8>] (ret_from_fork+0x14/0x3c)
> > 
> >     17.008567:   <6> Code: e1a04002 ebf86d6c e5953350 e593305c (e5937004) 
> > 
> >     17.008628:   <6> ---[ end trace dec6997083161641 ]---
> > 
> >     17.008660:   <6> Kernel panic - not syncing: Fatal exception
> > 
> >  
> > 
> > *_Case 2 logs :_*
> > 
> >  
> > 
> >  
> > 
> > 210667.169453:   <6> Unable to handle kernel paging request at virtual
> > address 1c314076
> > 
> > 210667.169468:   <6> pgd = c0004000
> > 
> > 210667.169477:   <2> [1c314076] *pgd=00000000
> > 
> > 210667.169491:   <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> > 
> > 210667.169500:   <2> Modules linked in: touchx [last unloaded: wlan]
> > 
> > 210667.169523:   <6> CPU: 3 PID: 24 Comm: ksoftirqd/3 Tainted: G      
> >  W  O 3.10.40-eng-g3951ac3 #1
> > 
> > 210667.169532:   <6> task: e76a0a80 ti: e76aa000 task.ti: e76aa000
> > 
> > 210667.169546:   <2> PC is at kfree+0xdc/0x220
> > 
> > 210667.169562:   <2> LR is at security_cred_free+0x14/0x1c
> > 
> > 210667.169571:   <2> pc : [<c02395f0>]    lr : [<c035e7a4>]    psr: 000f0013
> > 
> > sp : e76abe60  ip : c0191a68  fp : 00000fff
> > 
> > 210667.169581:   <2> r10: 00000001  r9 : 00000008  r8 : c119b440
> > 
> > 210667.169589:   <2> r7 : c124fc40  r6 : e76aa000  r5 : 90520440  r4 :
> > 1c314076
> > 
> > 210667.169597:   <2> r3 : 50f1f241  r2 : c5000000  r1 : 1c314076  r0 :
> > 90520440
> > 
> > 210667.169606:   <2> Flags: nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM
> >  Segment kernel
> > 
> > 210667.169615:   <2> Control: 10c5787d  Table: 2357c06a  DAC: 00000015
> > 
> > 210667.169624:   <2> 
> > 
> >  
> > 
> > ....
> > 
> > ....
> > 
> > 210667.172236:   <2> [<c02395f0>] (kfree+0xdc/0x220) from [<c035e7a4>]
> > (security_cred_free+0x14/0x1c)
> > 
> > 210667.172255:   <2> [<c035e7a4>] (security_cred_free+0x14/0x1c) from
> > [<c0191a98>] (put_cred_rcu+0x30/0xac)
> > 
> > 210667.172274:   <2> [<c0191a98>] (put_cred_rcu+0x30/0xac) from
> > [<c01da6cc>] (rcu_process_callbacks+0x338/0x590)
> > 
> > 210667.172294:   <2> [<c01da6cc>] (rcu_process_callbacks+0x338/0x590)
> > from [<c0174598>] (__do_softirq+0x150/0x2b4)
> > 
> > 210667.172311:   <2> [<c0174598>] (__do_softirq+0x150/0x2b4) from
> > [<c0174720>] (run_ksoftirqd+0x24/0x58)
> > 
> > 210667.172327:   <2> [<c0174720>] (run_ksoftirqd+0x24/0x58) from
> > [<c0193708>] (smpboot_thread_fn+0x20c/0x224)
> > 
> > 210667.172343:   <2> [<c0193708>] (smpboot_thread_fn+0x20c/0x224) from
> > [<c018c3b0>] (kthread+0xa0/0xac)
> > 
> > 210667.172360:   <2> [<c018c3b0>] (kthread+0xa0/0xac) from [<c0105f18>]
> > (ret_from_fork+0x14/0x3c)
> > 
> > 210667.172372:   <6> Code: f57ff05f e7923003 e3130902 11a04001 (e5943000) 
> > 
> > 210667.172382:   <6> ---[ end trace e99c3ffdc45a06ec ]---
> > 
> > 210667.186836:   <6> Kernel panic - not syncing: Fatal exception in
> > interrupt
> > 
> >  
> > 
> > Thanks,
> > 
> > Avijit
> > 
> >  
> > 
> >  
> > 
> > 
> > 
> > _______________________________________________
> > Seandroid-list mailing list
> > [email protected]
> > To unsubscribe, send email to [email protected].
> > To get help, send an email containing "help" to 
> > [email protected].
> > 
> 
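
A triage sketch for the two oopses quoted in this thread, added here as an example and not part of the original messages: it decodes the faulting ARM load from the `Code:` line, checks that base register plus offset reproduces the fault address, and flags when the base equals the 0x7 value that selinux_cred_free() writes into cred->security. The name `triage` and the rejoined log excerpts are this example's own; only the immediate-offset LDR/STR encoding is handled.

```python
import re

# Value selinux_cred_free() stores in cred->security before kfree() (from the snippet).
CRED_POISON = 0x7

# Lines excerpted from the Case 1 / Case 2 logs in the message, wrapped lines rejoined.
CASE1 = """\
Unable to handle kernel NULL pointer dereference at virtual address 0000000b
PC is at task_has_perm+0x1c/0x58
r7 : f3e1de80  r6 : f5661a40  r5 : f44fc440  r4 : 00000004
r3 : 00000007  r2 : 00000001  r1 : f5661a40  r0 : f44fc440
Code: e1a04002 ebf86d6c e5953350 e593305c (e5937004)
"""
CASE2 = """\
Unable to handle kernel paging request at virtual address 1c314076
PC is at kfree+0xdc/0x220
r7 : c124fc40  r6 : e76aa000  r5 : 90520440  r4 : 1c314076
r3 : 50f1f241  r2 : c5000000  r1 : 1c314076  r0 : 90520440
Code: f57ff05f e7923003 e3130902 11a04001 (e5943000)
"""

def triage(oops: str) -> dict:
    """Tie the fault address of an ARM oops back to the register that produced it."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", oops).group(1), 16)
    regs = {int(n): int(v, 16)
            for n, v in re.findall(r"\br(\d+)\s*: ([0-9a-f]{8})", oops)}
    # The word in parentheses on the Code: line is the instruction at PC.
    insn = int(re.search(r"Code:.*\(([0-9a-f]{8})\)", oops).group(1), 16)
    # Decode only "LDR/STR Rd, [Rn, #imm12]": bits 27:25 == 010 and P (bit 24) set.
    if (insn >> 25) & 0b111 != 0b010 or not (insn >> 24) & 1:
        raise ValueError("faulting instruction is not an immediate-offset load/store")
    rn, imm = (insn >> 16) & 0xF, insn & 0xFFF
    offset = imm if (insn >> 23) & 1 else -imm   # U bit selects add or subtract
    base = regs[rn]
    return {
        "function": re.search(r"PC is at (\w+)", oops).group(1),
        "base_reg": f"r{rn}",
        "base": base,
        "offset": offset,
        "explains_fault": (base + offset) & 0xFFFFFFFF == fault,
        "base_is_cred_poison": base == CRED_POISON,
    }

if __name__ == "__main__":
    for name, text in (("Case 1", CASE1), ("Case 2", CASE2)):
        print(name, triage(text))
```

For Case 1 the faulting load uses r3 = 0x7 with offset 4, which gives the reported address 0x0000000b; for Case 2 the base is r4 = 0x1c314076, which is not the 0x7 value.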
                                          