This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed- eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-eoan -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1860041 Title: shiftfs: prevent lower dentries from going negative during unlink Status in linux package in Ubuntu: Fix Committed Status in linux source package in Disco: Fix Committed Status in linux source package in Eoan: Fix Committed Bug description: SRU Justification Impact: All non-special files (For shiftfs this only includes fifos and - for this case - unix sockets - since we don't allow character and block devices to be created.) go through shiftfs_open() and have their dentry pinned through this codepath preventing it from going negative. But fifos don't use the shiftfs fops but rather use the pipefifo_fops which means they do not go through shiftfs_open() and thus don't have their dentry pinned that way. Thus, the lower dentries for such files can go negative on unlink causing segfaults. The following C program can be used to reproduce the crash: #include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <unistd.h> #include <stdlib.h> int main(int argc, char *argv[]) { struct stat stat; unlink("./bbb"); int ret = mknod("./bbb", S_IFIFO|0666, 0); if (ret < 0) exit(1); int fd = open("./bbb", O_RDWR); if (fd < 0) exit(2); if (unlink("./bbb")) exit(4); fstat(fd, &stat); return 0; } Fix: Similar to ecryptfs we need to dget() the lower dentry before calling vfs_unlink() on it and dput() it afterwards. Regression Potential: Limited to shiftfs. Test Case: Compiled a kernel with the fix and used the reproducer above to verify that the kernel cannot be crashed anymore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860041/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
