Test with focal-proposed (5.4.0-90.101)
---

Original:

# ../openat
Killed
[ 286.989830] BUG: kernel NULL pointer dereference, address: 0000000000000010
...
[ 286.996507] CPU: 2 PID: 5529 Comm: openat Not tainted 5.4.0-90-generic #101-Ubuntu
[ 286.997358] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 286.998397] RIP: 0010:d_namespace_path.constprop.0+0x48/0x300
...
[ 287.008418] Call Trace:
[ 287.016112]  aa_path_name+0x42/0xb0
[ 287.016616]  path_name.isra.0+0x5f/0xe0
[ 287.017153]  profile_path_perm.part.0+0x58/0xa0
[ 287.017768]  aa_path_perm+0xdd/0x130
[ 287.018293]  common_perm+0x96/0x110
[ 287.018795]  common_perm_cond+0x4c/0x70
[ 287.019353]  apparmor_inode_getattr+0x1d/0x20
[ 287.019948]  security_inode_getattr+0x35/0x50
[ 287.020542]  vfs_getattr+0x22/0x50
[ 287.021042]  vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 287.021687]  ? lookup_dcache+0x46/0x70
[ 287.022216]  ? lookup_one_len+0x68/0x90
[ 287.022755]  vfsub_lookup_one_len+0x61/0x70 [aufs]
[ 287.023413]  au_wh_test+0x26/0xa0 [aufs]
[ 287.023978]  au_lkup_dentry+0x1ba/0x670 [aufs]
[ 287.024598]  aufs_lookup.part.0+0x119/0x200 [aufs]
[ 287.025250]  aufs_atomic_open+0x19d/0x400 [aufs]
[ 287.025881]  ? aufs_permission+0x1a9/0x2f0 [aufs]
[ 287.026536]  ? security_path_mknod+0x4c/0x70
[ 287.027130]  lookup_open+0x364/0x6e0
[ 287.027658]  do_last+0x2cb/0x900
[ 287.028141]  ? __alloc_file+0x94/0x110
[ 287.028678]  path_openat+0x8d/0x290
[ 287.029184]  ? do_async_page_fault+0x39/0x70
[ 287.029773]  do_filp_open+0x91/0x100
[ 287.030292]  ? strncpy_from_user+0xbd/0x150
[ 287.030879]  ? __alloc_fd+0xb8/0x150
[ 287.031402]  do_sys_open+0x17e/0x290
[ 287.031920]  __x64_sys_openat+0x20/0x30
[ 287.032469]  do_syscall_64+0x57/0x190
[ 287.032997]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 287.033682] RIP: 0033:0x7f299dccf026

Patched:

# ../openat
# echo $?
0
# uname -rv
5.4.0-90-generic #101+test20211022b2 SMP Fri Oct 22 10:34:51 -03 2021

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1948470

Title:
  aufs: kernel bug with apparmor and fuseblk

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Hirsute:
  In Progress
Status in linux source package in Impish:
  Invalid
Status in linux source package in Jammy:
  Invalid

Bug description:
  [Impact]

   * AppArmor-enabled applications on the aufs filesystem might hit a
     kernel bug when getting file attributes.

   * The aufs filesystem explicitly assigns a NULL pointer to
     `struct path.mnt` for `vfs_getattr()`, which calls into AppArmor
     that checks `struct path.mnt->mnt_flags`, triggering a kernel NULL
     pointer dereference.

   * This is almost 10 years old [1,2], reproducible w/ the Linux v3.2
     kernel, but it's rare as apparently it needs a fuseblk mount as an
     aufs branch, and file creation/open (O_CREAT), with a filename that
     exists only in a lower aufs branch. On Linux v5.15-rc* it doesn't
     need AppArmor anymore.

  [Fix]

   * The patch fixing this issue does set `struct path.mnt` properly, by
     taking `struct path` as parameter instead of just `struct dentry`
     (and making up an incomplete `struct path` w/ that `dentry` and
     `mnt = NULL`.)

   * Since it changes the signature of a key, leaf function with several
     callers, the patch is a bit long/refactor, but it has been tested
     by the upstream aufs maintainer with a private test-suite.

  [Test Plan]

   * Synthetic reproducer available in [1] and comment #1.

  [Regression Potential]

   * Regressions would probably manifest as kernel errors mostly in the
     lookup and open paths, but more subtle manifestations would be
     possible as well.

   * The patch modifies a fair number of functions, even if doing so in
     simple ways. The synthetic reproducer only covers one of those
     functions.

   * The other code paths have been tested by the maintainer w/ the
     mainline kernel, and should be equivalent to our kernel as none of
     such changed for cherry-pick/backport.

   * The upstream aufs maintainer runs a private test suite that covers
     several features and use cases of aufs, so hopefully that provides
     some relief to take this patch.

  [Other Info]

   * Impish no longer ships aufs; no fix needed.
   * Hirsute/Focal/Bionic do/need it. (H only for backports)
   * Hirsute/Focal are clean cherry-picks.
   * Bionic is a trivial backport.

  [1] https://sourceforge.net/p/aufs/mailman/message/37363599/
  [2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic

  [Kernel Traces]

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  ...
  CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu
  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
  RIP: 0010:aa_path_name+0x55/0x370
  ...
  Call Trace:
   ? request_wait_answer+0xc4/0x200
   path_name+0x60/0xe0
   profile_path_perm.part.9+0x57/0xa0
   aa_path_perm+0xe2/0x130
   common_perm+0x59/0x130
   common_perm_cond+0x4c/0x70
   apparmor_inode_getattr+0x1d/0x20
   security_inode_getattr+0x35/0x50
   vfs_getattr+0x21/0x40
   vfsub_update_h_iattr+0x95/0xb0 [aufs]
   ? lookup_dcache+0x44/0x70
   ? lookup_one_len+0x66/0x90
   vfsub_lookup_one_len+0x50/0x70 [aufs]
   au_sio_lkup_one+0x8e/0xa0 [aufs]
   au_lkup_dentry+0x3fa/0x660 [aufs]
   aufs_lookup.part.35+0x11c/0x210 [aufs]
   aufs_atomic_open+0xec/0x3c0 [aufs]
   path_openat+0xe30/0x16a0
   ? aufs_lookup+0x30/0x30 [aufs]
   ? path_openat+0xe30/0x16a0
   ? unlock_page_memcg+0x12/0x20
   ? filemap_map_pages+0x17d/0x3b0
   do_filp_open+0x9b/0x110
   ? __check_object_size+0xdb/0x1b0
   ? __alloc_fd+0xb2/0x170
   do_sys_open+0x1ba/0x2e0
   ? do_sys_open+0x1ba/0x2e0
   __x64_sys_openat+0x20/0x30
   do_syscall_64+0x5e/0x200
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x4a06fa

-- 
Mailing list: https://launchpad.net/~kernel-packages
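The two traces above share one shape: AppArmor's `apparmor_inode_getattr` hook reached through `vfs_getattr()` from aufs' `vfsub_update_h_iattr`, faulting at a small page-zero offset (`0x10`, a field of a NULL `struct path.mnt`). When triaging crashes on hosts that run aufs with the fix applied, it helps to tell "this is the known LP#1948470 chain" apart from "some other aufs oops in the lookup/open paths", which the bug description names as the place regressions would most likely surface. The parser and classifier below are an added example, not part of the bug report, the reproducer or the Ubuntu kernel tree; the category names (`lp1948470`, `aufs-open-path-oops`, `unrelated`, `no-bug`) and the matching heuristic are this example's own assumptions. The first sample trace is the focal-proposed one quoted in the comment above; the other two are constructed here.

```python
"""Classify dmesg-style kernel NULL-pointer oops traces (added example, not the bug's code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# GCC clone suffixes (.part.N, .isra.N, .constprop.N, .cold.N) vary per build; strip them.
CLONE_SUFFIX_RE = re.compile(r"\.(?:part|isra|constprop|cold)\.\d+$")
TIMESTAMP_RE = re.compile(r"^\[\s*[\d.]+\]\s*")
BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-fA-F]+)")
RIP_RE = re.compile(r"RIP: 0010:([A-Za-z_][\w.]*)\+0x")          # kernel-mode RIP only
FRAME_RE = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?$")


@dataclass
class Frame:
    symbol: str               # normalized symbol name
    module: Optional[str]     # e.g. "aufs"; None for built-in kernel code
    uncertain: bool           # kernel printed "? ": stale stack slot, not a real caller


@dataclass
class Triage:
    kind: str                 # "lp1948470" | "aufs-open-path-oops" | "unrelated" | "no-bug"
    fault_addr: Optional[int]
    rip_symbol: Optional[str]
    frames: List[Frame]


def parse_trace(text: str) -> Tuple[Optional[int], Optional[str], List[Frame]]:
    """Pull the fault address, faulting kernel symbol and call-trace frames out of raw lines."""
    fault_addr = rip_symbol = None
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw.strip())
        if (m := BUG_RE.search(line)):
            fault_addr = int(m.group(1), 16)
        elif (m := RIP_RE.search(line)):
            rip_symbol = CLONE_SUFFIX_RE.sub("", m.group(1))
        elif (m := FRAME_RE.match(line)):
            frames.append(Frame(CLONE_SUFFIX_RE.sub("", m.group(2)), m.group(3), m.group(1) is not None))
    return fault_addr, rip_symbol, frames


def classify(text: str) -> Triage:
    """Decide whether a trace matches the known aufs/AppArmor getattr chain (heuristic, assumed here)."""
    fault_addr, rip_symbol, frames = parse_trace(text)
    if fault_addr is None:
        return Triage("no-bug", fault_addr, rip_symbol, frames)
    # Innermost frame is printed first, so the chain must appear in ascending order;
    # "? " frames are ignored because they are not reliable callers.
    certain = [f for f in frames if not f.uncertain]
    pos = {f.symbol: i for i, f in reversed(list(enumerate(certain)))}
    a, v, u = (pos.get(s) for s in ("apparmor_inode_getattr", "vfs_getattr", "vfsub_update_h_iattr"))
    in_aufs = u is not None and certain[u].module == "aufs"
    if None not in (a, v, u) and a < v < u and in_aufs and fault_addr < 0x1000:
        kind = "lp1948470"    # NULL struct field access via the known getattr chain
    elif any(f.module == "aufs" and ("lookup" in f.symbol or "open" in f.symbol) for f in frames):
        kind = "aufs-open-path-oops"   # where the bug report expects fix regressions to show up
    else:
        kind = "unrelated"
    return Triage(kind, fault_addr, rip_symbol, frames)


# Sample 1: the focal-proposed trace from the bug comment (abridged to the relevant frames).
TRACE_LP1948470 = """\
[ 286.989830] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ 286.998397] RIP: 0010:d_namespace_path.constprop.0+0x48/0x300
[ 287.008418] Call Trace:
[ 287.016112]  aa_path_name+0x42/0xb0
[ 287.016616]  path_name.isra.0+0x5f/0xe0
[ 287.019353]  apparmor_inode_getattr+0x1d/0x20
[ 287.019948]  security_inode_getattr+0x35/0x50
[ 287.020542]  vfs_getattr+0x22/0x50
[ 287.021042]  vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 287.021687]  ? lookup_dcache+0x46/0x70
[ 287.024598]  aufs_lookup.part.0+0x119/0x200 [aufs]
[ 287.025250]  aufs_atomic_open+0x19d/0x400 [aufs]
[ 287.031920]  __x64_sys_openat+0x20/0x30
[ 287.033682] RIP: 0033:0x7f299dccf026
"""

# Sample 2 (constructed): an aufs fault in the lookup path without the AppArmor chain.
TRACE_AUFS_LOOKUP = """\
[ 10.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 10.000002] RIP: 0010:au_lkup_dentry+0x100/0x670 [aufs]
[ 10.000003] Call Trace:
[ 10.000004]  aufs_lookup.part.0+0x119/0x200 [aufs]
[ 10.000005]  path_openat+0x8d/0x290
"""

# Sample 3 (constructed): a NULL dereference somewhere else entirely.
TRACE_UNRELATED = """\
[ 20.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 20.000002] RIP: 0010:example_driver_irq+0x10/0x80 [example_drv]
[ 20.000003] Call Trace:
[ 20.000004]  __handle_irq_event_percpu+0x44/0x1a0
"""

if __name__ == "__main__":
    for name, trace in (("focal", TRACE_LP1948470), ("lookup", TRACE_AUFS_LOOKUP), ("other", TRACE_UNRELATED)):
        t = classify(trace)
        print(f"{name}: {t.kind} (fault=0x{t.fault_addr:x}, rip={t.rip_symbol})")
```

Only frames without the `? ` marker count towards the chain, because the kernel prints `?` for values that merely look like return addresses; the 0x1000 bound on the fault address is the usual page-zero check for a NULL-struct field access and is part of the heuristic, not something the kernel guarantees.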