This bug was fixed in the package linux - 5.0.0-13.14

---------------
linux (5.0.0-13.14) disco; urgency=medium

  * linux: 5.0.0-13.14 -proposed tracker (LP: #1824819)

  * Display only has 640x480 (LP: #1824677)
    - Revert "UBUNTU: SAUCE: drm/nouveau: Disable nouveau driver by default"

  * shiftfs: use after free when checking mount options (LP: #1824735)
    - SAUCE: shiftfs: prevent use-after-free when verifying mount options

linux (5.0.0-12.13) disco; urgency=medium

  * linux: 5.0.0-12.13 -proposed tracker (LP: #1824726)

  * Linux 5.0 black screen on boot, display flickers (i915 regression with
    certain laptop panels) (LP: #1824216)
    - drm/i915/dp: revert back to max link rate and lane count on eDP

  * kernel BUG at fs/attr.c:287 when using shiftfs (LP: #1824717)
    - SAUCE: shiftfs: fix passing of attrs to underaly for setattr

 -- Seth Forshee <seth.fors...@canonical.com>  Mon, 15 Apr 2019 09:11:23 -0500

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1824717

Title:
  kernel BUG at fs/attr.c:287 when using shiftfs

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  SRU Justification

  Impact: It is possible to hit a BUG statement in notify_change() with
  shiftfs (below). This occurs when one of ATTR_KILL_SUID or
  ATTR_KILL_SGID is set in the attrs and notify_change() sets ATTR_MODE
  before calling shiftfs_setattr(). shiftfs_setattr() passes the attrs
  to notify_change(), and the BUG statement is hit due to ATTR_MODE being
  set with one of ATTR_KILL_SUID or ATTR_KILL_SGID set.

  Fix: Copy the logic used by ecryptfs and overlayfs to clear ATTR_MODE
  if one of these bits is set, allowing the lower fs to interpret the
  kill bits in its own way. Also fix a bug where changes to the attrs
  from setattr_prepare() are not propagated to the attrs used for the
  lower fs.

  Regression Potential: Limited to shiftfs, matches the behavior of other
  stacked filesystems, and has been tested (see below).
  Test Case: Tested in the lxd CI environment where the bug was
  originally discovered. No regressions were seen, and the BUG statement
  was not hit.

  ---

  [18558.819079] ------------[ cut here ]------------
  [18558.819082] kernel BUG at fs/attr.c:287!
  [18558.823490] invalid opcode: 0000 [#1] SMP PTI
  [18558.828038] CPU: 2 PID: 26728 Comm: dpkg Tainted: P O 5.0.0-10-generic #11+shiftfsv201904110736
  [18558.838152] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  [18558.872092] RIP: 0010:notify_change+0x412/0x460
  [18558.876843] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
  [18558.896179] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
  [18558.901984] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
  [18558.909241] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
  [18558.916491] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
  [18558.923741] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
  [18558.931350] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
  [18558.938616] FS:  00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
  [18558.946928] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [18558.952826] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
  [18558.960078] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [18558.967395] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  [18558.975018] Call Trace:
  [18558.977810]  ? setattr_prepare+0x178/0x200
  [18558.982160]  shiftfs_setattr+0xec/0x140
  [18558.986149]  notify_change+0x2d9/0x460
  [18558.990014]  chown_common+0x1c8/0x1e0
  [18558.993917]  do_fchownat+0x93/0xf0
  [18558.997551]  __x64_sys_chown+0x22/0x30
  [18559.001522]  do_syscall_64+0x5a/0x110
  [18559.005481]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  [18559.010652] RIP: 0033:0x7fe41e9193e7
  [18559.014343] Code: 39 84 24 98 00 00 00 75 a1 48 89 df e8 d2 c5 f8 ff eb a0 e8 ab 38 02 00 66 2e 0f 1f 84 00 00 00 00 00 90 b8 5c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 71 9a 2d 00 f7 d8 64 89 01 48
  [18559.033294] RSP: 002b:00007fff73c89d48 EFLAGS: 00000297 ORIG_RAX: 000000000000005c
  [18559.041365] RAX: ffffffffffffffda RBX: 00005614237e0190 RCX: 00007fe41e9193e7
  [18559.048820] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00005614237e0190
  [18559.056290] RBP: 00005614237df110 R08: 000000000000001b R09: 000000000000002e
  [18559.063681] R10: fffffffffffff32f R11: 0000000000000297 R12: 00007fff73c8a210
  [18559.071386] R13: 0000561424166360 R14: 00005614237e0190 R15: 00000000ffffffff
  [18559.078773] Modules linked in: binfmt_misc veth ebtable_filter ebtables ip6t_MASQUERADE ip6table_nat nf_nat_ipv6 ipt_MASQUERADE xt_CHECKSUM xt_comment xt_tcpudp iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle bridge stp llc unix_diag ip6table_filter ip6_tables iptable_filter bpfilter zfs(PO) zunicode(PO) zavl(PO) icp(PO) zcommon(PO) nls_iso8859_1 znvpair(PO) spl(O) input_leds serio_raw sb_edac pvpanic mac_hid intel_rapl_perf sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net aes_x86_64 nvme crypto_simd cryptd glue_helper net_failover psmouse nvme_core failover virtio_scsi i2c_piix4
  [18559.161878] ---[ end trace a06dfd01d379d33b ]---
  [18559.166628] RIP: 0010:notify_change+0x412/0x460
  [18559.171302] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
  [18559.190333] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
  [18559.195716] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
  [18559.204362] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
  [18559.211720] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
  [18559.220358] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
  [18559.227648] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
  [18559.236285] FS:  00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
  [18559.244522] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [18559.251941] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
  [18559.259242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [18559.266702] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400