Test with bionic-proposed (4.15.0-162.170) --- Original:
# ../openat Killed [ 442.526300] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 ... [ 442.539854] CPU: 1 PID: 5644 Comm: openat Not tainted 4.15.0-162-generic #170-Ubuntu [ 442.540733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 442.541755] RIP: 0010:aa_path_name+0x55/0x370 ... [ 442.549808] Call Trace: [ 442.550211] path_name+0x60/0xe0 [ 442.550687] profile_path_perm.part.7+0x57/0xa0 [ 442.551293] aa_path_perm+0xe2/0x130 [ 442.551819] common_perm+0x59/0x130 [ 442.552323] common_perm_cond+0x4c/0x70 [ 442.552856] apparmor_inode_getattr+0x1d/0x20 [ 442.553444] security_inode_getattr+0x47/0x60 [ 442.554038] vfs_getattr+0x21/0x40 [ 442.554538] vfsub_update_h_iattr+0x95/0xb0 [aufs] [ 442.555172] ? __lookup_hash+0x22/0xa0 [ 442.555697] ? lookup_one_len+0x113/0x120 [ 442.556323] vfsub_lookup_one_len+0x50/0x70 [aufs] [ 442.557065] au_wh_test+0x25/0xe0 [aufs] [ 442.557615] au_lkup_dentry+0x484/0x620 [aufs] [ 442.558225] aufs_lookup.part.33+0x11c/0x210 [aufs] [ 442.562787] aufs_atomic_open+0x102/0x3b0 [aufs] [ 442.563427] ? aufs_permission+0x190/0x2d0 [aufs] [ 442.564098] ? __inode_permission+0x5b/0x160 [ 442.564689] path_openat+0xde1/0x18b0 [ 442.565214] ? path_openat+0xde1/0x18b0 [ 442.565756] do_filp_open+0x9b/0x110 [ 442.566266] ? __check_object_size+0xc8/0x1b0 [ 442.566862] ? __alloc_fd+0xb2/0x170 [ 442.567376] do_sys_open+0x1ba/0x2c0 [ 442.567908] ? do_sys_open+0x1ba/0x2c0 [ 442.568453] SyS_openat+0x14/0x20 [ 442.568939] do_syscall_64+0x73/0x130 [ 442.569458] entry_SYSCALL_64_after_hwframe+0x41/0xa6 [ 442.570117] RIP: 0033:0x7f079564af83 Patched: # ../openat # echo $? 0 # uname -rv 4.15.0-162-generic #170+test20211022b1 SMP Fri Oct 22 10:59:39 -03 2021 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1948470 Title: aufs: kernel bug with apparmor and fuseblk Status in linux package in Ubuntu: Invalid Status in linux source package in Bionic: In Progress Status in linux source package in Focal: In Progress Status in linux source package in Hirsute: In Progress Status in linux source package in Impish: Invalid Status in linux source package in Jammy: Invalid Bug description: [Impact] * AppArmor-enabled applications on the aufs filesystem might hit a kernel bug when getting file attributes. * The aufs filesystem explicitly assigns a NULL pointer to `struct path.mnt` for `vfs_getattr()`, which calls into AppArmor that checks `struct path.mnt->mnt_flags`, triggering a kernel NULL pointer dereference. * This is almost 10 years old [1,2], reproducible w/ the Linux v3.2 kernel, but it's rare as apparently it needs a fuseblk mount as an aufs branch, and file creation/ open (O_CREAT), with a filename that exists only in a lower aufs branch. On Linux v5.15-rc* it doesn't need AppArmor anymore. [Fix] * The patch fixing this issue does set `struct path.mnt` properly, by taking `struct path` as parameter instead of just `struct dentry` (and making up an incomplete `struct path` w/ that `dentry` and `mnt = NULL`.) * Since it changes the signature of a key, leaf function with several callers, the patch is a bit long/refactor, but it has been tested by the upstream aufs maintainer with a private test-suite. [Test Plan] * Synthetic reproducer available in [1] and comment #1. [Regression Potential] * Regressions would probably manifest as kernel errors mostly in the lookup and open paths, but more subtle manifestations would be possible as well. * The patch modifies a fair number of functions, even if doing so in simple ways. The synthetic reproducer only covers one of those functions. * The other code paths have been tested by the maintainer w/ the mainline kernel, and should be equivalent to our kernel as none of such changed for cherry-pick/backport. * The upstream aufs maintainer runs a private test suite that covers several features and use cases of aufs, so hopefully that provides some relief to take this patch. [Other Info] * Impish no longer ships aufs; no fix needed. * Hirsute/Focal/Bionic do/need it. (H only for backports) * Hirsute/Focal are clean cherry-picks. * Bionic is a trivial backport. [1] https://sourceforge.net/p/aufs/mailman/message/37363599/ [2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic [Kernel Traces] BUG: kernel NULL pointer dereference, address: 0000000000000010 ... CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018 RIP: 0010:aa_path_name+0x55/0x370 ... Call Trace: ? request_wait_answer+0xc4/0x200 path_name+0x60/0xe0 profile_path_perm.part.9+0x57/0xa0 aa_path_perm+0xe2/0x130 common_perm+0x59/0x130 common_perm_cond+0x4c/0x70 apparmor_inode_getattr+0x1d/0x20 security_inode_getattr+0x35/0x50 vfs_getattr+0x21/0x40 vfsub_update_h_iattr+0x95/0xb0 [aufs] ? lookup_dcache+0x44/0x70 ? lookup_one_len+0x66/0x90 vfsub_lookup_one_len+0x50/0x70 [aufs] au_sio_lkup_one+0x8e/0xa0 [aufs] au_lkup_dentry+0x3fa/0x660 [aufs] aufs_lookup.part.35+0x11c/0x210 [aufs] aufs_atomic_open+0xec/0x3c0 [aufs] path_openat+0xe30/0x16a0 ? aufs_lookup+0x30/0x30 [aufs] ? path_openat+0xe30/0x16a0 ? unlock_page_memcg+0x12/0x20 ? filemap_map_pages+0x17d/0x3b0 do_filp_open+0x9b/0x110 ? __check_object_size+0xdb/0x1b0 ? __alloc_fd+0xb2/0x170 do_sys_open+0x1ba/0x2e0 ? do_sys_open+0x1ba/0x2e0 __x64_sys_openat+0x20/0x30 do_syscall_64+0x5e/0x200 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4a06fa To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1948470/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
