Public bug reported:

[Impact]

The patch that we recently re-introduced to properly support overlayfs
on top of shiftfs can cause kernel panics, for example:

    BUG: kernel NULL pointer dereference, address: 0000000000000008
    [  447.039738] #PF: supervisor read access in kernel mode
    [  447.040369] #PF: error_code(0x0000) - not-present page
    [  447.041002] PGD 0 P4D 0
    [  447.041325] Oops: 0000 [#1] SMP NOPTI
    [  447.041798] CPU: 0 PID: 73766 Comm: sudo Not tainted 5.15.0-28-generic #29~20.04.1-Ubuntu
    [  447.042800] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-1.8.2-1ubuntu1+esm1 04/01/2014
    [  447.043979] RIP: 0010:aa_file_perm+0x3a/0x470
    [  447.044565] Code: 54 53 48 83 ec 68 48 89 7d 80 89 4d 8c 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 63 05 01 0a 19 01 48 03 82 c0 00 00 00 <4c> 8b 68 08 f6 46 40 02 0f 85 d0 00 00 00 41 f6 45 40 02 0f 85 c5
    [  447.046837] RSP: 0018:ffffaefe80a4bca8 EFLAGS: 00010246
    [  447.047481] RAX: 0000000000000000 RBX: ffff96e4038abd01 RCX: 0000000000000004
    [  447.048351] RDX: ffff96e4038abd00 RSI: ffff96e401215eb8 RDI: ffffffff9c22a2ac
    [  447.049241] RBP: ffffaefe80a4bd38 R08: 0000000000000000 R09: 0000000000000000
    [  447.050121] R10: 0000000000000000 R11: 0000000000000000 R12: ffff96e401215eb8
    [  447.051040] R13: ffff96e4038abd00 R14: ffffffff9c22a2ac R15: 0000000000000004
    [  447.051942] FS:  00007eff3c0f8c80(0000) GS:ffff96e45e400000(0000) knlGS:0000000000000000
    [  447.052981] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [  447.053696] CR2: 0000000000000008 CR3: 0000000002be2000 CR4: 00000000003506f0
    [  447.054571] Call Trace:
    [  447.054883]  <TASK>
    [  447.055154]  ? unlock_page_memcg+0x2f/0x40
    [  447.055668]  ? page_remove_rmap+0x4b/0x320
    [  447.056180]  common_file_perm+0x72/0x170
    [  447.056669]  apparmor_file_permission+0x1c/0x20
    [  447.057237]  security_file_permission+0x30/0x1a0
    [  447.057898]  rw_verify_area+0x35/0x60
    [  447.058392]  vfs_read+0x6d/0x1a0
    [  447.058842]  ksys_read+0xb1/0xe0
    [  447.059276]  __x64_sys_read+0x1a/0x20
    [  447.059732]  do_syscall_64+0x5c/0xc0
    [  447.060183]  ? __set_current_blocked+0x3b/0x60
    [  447.060738]  ? exit_to_user_mode_prepare+0x3d/0x1c0
    [  447.061434]  ? syscall_exit_to_user_mode+0x27/0x50
    [  447.062099]  ? do_syscall_64+0x69/0xc0
    [  447.062603]  ? irqentry_exit_to_user_mode+0x9/0x20
    [  447.063210]  ? irqentry_exit+0x19/0x30
    [  447.063678]  ? exc_page_fault+0x89/0x160
    [  447.064165]  ? asm_exc_page_fault+0x8/0x30
    [  447.064675]  entry_SYSCALL_64_after_hwframe+0x44/0xae
    [  447.065298] RIP: 0033:0x7eff3c2cb002

[Test case]

It is really easy to trigger this specific kernel panic running the lxc
autopackage test.

[Fix]

This bug happens because we no longer need to decrement the refcount of
the previous vm_file value in ovl_vm_prfile_set(). The fix therefore
consists simply of removing the unnecessary fput().
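To make the failure mode concrete, here is a constructed user-space model of the mistake described above. It is not the kernel's, AUFS's or Ubuntu's code, and every name in it (model_file, model_vma, prfile_set_buggy, prfile_set_fixed, run_scenario) is an assumption chosen for the illustration. A model file carries a refcount and a "security" blob standing in for the LSM data that aa_file_perm() reads; the buggy setter drops a reference on the previous vm_file that it never owned, so the VMA's own reference is gone, the blob is freed, and the next read through the permission hook finds a NULL pointer. The fixed setter only records the new private file.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model, not kernel code. model_file stands in for struct file:
 * a refcount plus a "security" blob that is freed (and set to NULL) when the
 * last reference is dropped. model_vma stands in for the VMA fields the
 * overlayfs/AUFS vm_prfile support touches.
 */
struct model_file {
    int refcount;
    void *security;          /* non-NULL only while the file is alive */
};

struct model_vma {
    struct model_file *vm_file;    /* the VMA owns exactly one reference */
    struct model_file *vm_prfile;  /* overlay private file pointer */
};

typedef void (*prfile_setter)(struct model_vma *, struct model_file *);

struct scenario_result {
    int perm_rc;           /* 0: hook ran; -1: it would have dereferenced NULL */
    int vm_file_refcount;  /* refcount left on vm_file after the setter ran */
};

static struct model_file *model_alloc_file(void)
{
    struct model_file *f = calloc(1, sizeof(*f));
    f->refcount = 1;                 /* caller holds the first reference */
    f->security = malloc(16);        /* stands in for the LSM blob */
    return f;
}

/* Stand-in for fput(): drop one reference, free the blob on zero. */
static void model_fput(struct model_file *f)
{
    if (--f->refcount == 0) {
        free(f->security);
        f->security = NULL;          /* struct kept so the caller can inspect it */
    }
}

/* Buggy setter, modelled on the report: besides recording the new private
 * file it drops a reference on the previous vm_file that it never owned. */
static void prfile_set_buggy(struct model_vma *vma, struct model_file *file)
{
    struct model_file *prev = vma->vm_file;
    vma->vm_prfile = file;
    if (prev)
        model_fput(prev);            /* the unnecessary fput() */
}

/* Fixed setter: only records the new private file; the VMA keeps its
 * own reference on vm_file for its owner to release later. */
static void prfile_set_fixed(struct model_vma *vma, struct model_file *file)
{
    vma->vm_prfile = file;
}

/* Stand-in for aa_file_perm(): it reads the file's security blob. */
static int model_file_perm(const struct model_vma *vma)
{
    return vma->vm_file->security ? 0 : -1;
}

/* The VMA holds its reference on vm_file, the setter runs, then a read goes
 * through the permission hook (vfs_read -> security_file_permission ->
 * aa_file_perm in the oops). Returns what the hook saw and the refcount. */
struct scenario_result run_scenario(prfile_setter setter)
{
    struct model_file *real = model_alloc_file();   /* ref owned by the VMA */
    struct model_file *ovl  = model_alloc_file();
    struct model_vma vma = { .vm_file = real, .vm_prfile = NULL };
    struct scenario_result r;

    setter(&vma, ovl);
    r.perm_rc = model_file_perm(&vma);
    r.vm_file_refcount = real->refcount;

    /* teardown done directly, bypassing the model's refcounting */
    free(real->security);            /* free(NULL) is a no-op in the buggy case */
    free(real);
    free(ovl->security);
    free(ovl);
    return r;
}

int main(void)
{
    struct scenario_result b = run_scenario(prfile_set_buggy);
    struct scenario_result f = run_scenario(prfile_set_fixed);
    printf("buggy: vm_file refcount=%d perm=%d\n", b.vm_file_refcount, b.perm_rc);
    printf("fixed: vm_file refcount=%d perm=%d\n", f.vm_file_refcount, f.perm_rc);
    return 0;
}
```

The model only shows the ownership rule: a setter that did not take the reference must not drop it. In the real kernel the dropped reference frees the struct file, and the later aa_file_perm() dereference of its security data is what the oops above reports at address 0x8.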

[Regression potential]

This patch affects only overlayfs (only when AUFS is enabled), so we may
see regressions in overlayfs in kernels that have AUFS enabled (focal
hwe and cloud kernels).

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Incomplete

** Affects: linux (Ubuntu Impish)
     Importance: Undecided
         Status: Incomplete

** Affects: linux (Ubuntu Jammy)
     Importance: Undecided
         Status: Incomplete

** Affects: linux (Ubuntu Kinetic)
     Importance: Undecided
         Status: Incomplete

** Also affects: linux (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1973620

Title:
  prevent kernel panic with overlayfs + shiftfs

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Impish:
  Incomplete
Status in linux source package in Jammy:
  Incomplete
Status in linux source package in Kinetic:
  Incomplete

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1973620/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
