This bug was fixed in the package linux - 4.15.0-163.171

---------------
linux (4.15.0-163.171) bionic; urgency=medium

  * bionic/linux: 4.15.0-163.171 -proposed tracker (LP: #1949874)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * Unable to build net/reuseport_bpf and other tests in ubuntu_kernel_selftests on Bionic with make command (LP: #1949889)
    - selftests: Fix loss of test output in run_kselftests.sh
    - selftests: Makefile set KSFT_TAP_LEVEL to prevent nested TAP headers
    - selftests: fix headers_install circular dependency
    - selftests: fix bpf build/test workflow regression when KBUILD_OUTPUT is set
    - selftests: vm: Fix test build failure when built by itself

  * KVM emulation failure when booting into VM crash kernel with multiple CPUs (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active"
    - cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active

  * Some test in ubuntu_bpf test_verifier failed on i386 Bionic kernel (LP: #1788578)
    - bpf: fix context access in tracing progs on 32 bit archs

  * test_bpf.sh from ubuntu_kernel_selftests.net from linux ADT test failure with linux/4.15.0-149.153 i386 (Segmentation fault) (LP: #1934414)
    - selftests/bpf: make test_verifier run most programs
    - bpf: add couple of test cases for div/mod by zero
    - bpf: add further test cases around div/mod and others

  * Bionic update: upstream stable patchset 2021-11-02 (LP: #1949512)
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxconn T99W265
    - mcb: fix error handling in mcb_alloc_bus()
    - serial: mvebu-uart: fix driver's tx_empty callback
    - net: hso: fix muxed tty registration
    - bnxt_en: Fix TX timeout when TX ring size is set to the smallest
    - net/mlx4_en: Don't allow aRFS for encapsulated packets
    - scsi: iscsi: Adjust iface sysfs attr detection
    - thermal/core: Potential buffer overflow in thermal_build_list_of_policies()
    - irqchip/gic-v3-its: Fix potential VPE leak on error
    - md: fix a lock order reversal in md_alloc
    - blktrace: Fix uaf in blk_trace access after removing by sysfs
    - net: macb: fix use after free on rmmod
    - net: stmmac: allow CSR clock of 300MHz
    - m68k: Double cast io functions to unsigned long
    - xen/balloon: use a kernel thread instead a workqueue
    - compiler.h: Introduce absolute_pointer macro
    - net: i825xx: Use absolute_pointer for memcpy from fixed memory location
    - sparc: avoid stringop-overread errors
    - qnx4: avoid stringop-overread errors
    - parisc: Use absolute_pointer() to define PAGE0
    - arm64: Mark __stack_chk_guard as __ro_after_init
    - alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile
    - net: 6pack: Fix tx timeout and slot time
    - spi: Fix tegra20 build with CONFIG_PM=n
    - arm64: dts: marvell: armada-37xx: Extend PCIe MEM space
    - PCI: aardvark: Fix checking for PIO Non-posted Request
    - PCI: aardvark: Fix checking for PIO status
    - xen/balloon: fix balloon kthread freezing
    - qnx4: work around gcc false positive warning bug
    - tty: Fix out-of-bound vmalloc access in imageblit
    - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    - mac80211: fix use-after-free in CCMP/GCMP RX
    - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
    - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
    - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
    - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
    - hwmon: (tmp421) fix rounding for negative values
    - e100: fix length calculation in e100_get_regs_len
    - e100: fix buffer overrun in e100_get_regs
    - scsi: csiostor: Add module softdep on cxgb4
    - af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
    - ipack: ipoctal: fix stack information leak
    - ipack: ipoctal: fix tty registration race
    - ipack: ipoctal: fix tty-registration error handling
    - ipack: ipoctal: fix missing allocation-failure check
    - ipack: ipoctal: fix module reference leak
    - ext4: fix potential infinite loop in ext4_dx_readdir()
    - net: udp: annotate data race around udp_sk(sk)->corkflag
    - EDAC/synopsys: Fix wrong value type assignment for edac_mode
    - ARM: 9077/1: PLT: Move struct plt_entries definition to header
    - ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link()
    - ARM: 9079/1: ftrace: Add MODULE_PLTS support
    - ARM: 9098/1: ftrace: MODULE_PLT: Fix build problem without DYNAMIC_FTRACE
    - arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55
    - hso: fix bailout in error case of probe
    - usb: hso: fix error handling code of hso_create_net_device
    - usb: hso: remove the bailout parameter
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
    - HID: betop: fix slab-out-of-bounds Write in betop_probe
    - netfilter: ipset: Fix oversized kvmalloc() calls
    - HID: usbhid: free raw_report buffers in usbhid_stop
    - cred: allow get_cred() and put_cred() to be given NULL.
    - gpio: uniphier: Fix void functions to remove return value
    - tty: synclink_gt, drop unneeded forward declarations
    - tty: synclink_gt: rename a conflicting function name
    - drm/amd/display: Pass PCI deviceid into DC
    - hwmon: (tmp421) Replace S_<PERMS> with octal values
    - hwmon: (tmp421) report /PVLD condition as fault

  * ACL updates on OCFS2 are not revalidated (LP: #1947161) // Bionic update: upstream stable patchset 2021-11-02 (LP: #1949512)
    - ocfs2: drop acl cache for directories too

 -- Kleber Sacilotto de Souza <kleber.so...@canonical.com>  Fri, 05 Nov 2021 12:22:08 +0100

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Focal)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1948470

Title:
  aufs: kernel bug with apparmor and fuseblk

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Hirsute:
  Fix Released
Status in linux source package in Impish:
  Invalid
Status in linux source package in Jammy:
  Invalid

Bug description:
  [Impact]

  * AppArmor-enabled applications on the aufs filesystem might hit a kernel bug when getting file attributes.

  * The aufs filesystem explicitly assigns a NULL pointer to `struct path.mnt` for `vfs_getattr()`, which calls into AppArmor that checks `struct path.mnt->mnt_flags`, triggering a kernel NULL pointer dereference.
  * This is almost 10 years old [1,2], reproducible w/ the Linux v3.2 kernel, but it's rare as apparently it needs a fuseblk mount as an aufs branch, and file creation/open (O_CREAT), with a filename that exists only in a lower aufs branch. On Linux v5.15-rc* it doesn't need AppArmor anymore.

  [Fix]

  * The patch fixing this issue does set `struct path.mnt` properly, by taking `struct path` as parameter instead of just `struct dentry` (and making up an incomplete `struct path` w/ that `dentry` and `mnt = NULL`.)

  * Since it changes the signature of a key, leaf function with several callers, the patch is a bit long/refactor, but it has been tested by the upstream aufs maintainer with a private test-suite.

  [Test Plan]

  * Synthetic reproducer available in [1] and comment #1.

  [Regression Potential]

  * Regressions would probably manifest as kernel errors mostly in the lookup and open paths, but more subtle manifestations would be possible as well.

  * The patch modifies a fair number of functions, even if doing so in simple ways. The synthetic reproducer only covers one of those functions.

  * The other code paths have been tested by the maintainer w/ the mainline kernel, and should be equivalent to our kernel as none of such changed for cherry-pick/backport.

  * The upstream aufs maintainer runs a private test suite that covers several features and use cases of aufs, so hopefully that provides some relief to take this patch.

  [Other Info]

  * Impish no longer ships aufs; no fix needed.
  * Hirsute/Focal/Bionic do/need it. (H only for backports)
  * Hirsute/Focal are clean cherry-picks.
  * Bionic is a trivial backport.

  [1] https://sourceforge.net/p/aufs/mailman/message/37363599/
  [2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic

  [Kernel Traces]

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  ...
  CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu
  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
  RIP: 0010:aa_path_name+0x55/0x370
  ...
  Call Trace:
   ? request_wait_answer+0xc4/0x200
   path_name+0x60/0xe0
   profile_path_perm.part.9+0x57/0xa0
   aa_path_perm+0xe2/0x130
   common_perm+0x59/0x130
   common_perm_cond+0x4c/0x70
   apparmor_inode_getattr+0x1d/0x20
   security_inode_getattr+0x35/0x50
   vfs_getattr+0x21/0x40
   vfsub_update_h_iattr+0x95/0xb0 [aufs]
   ? lookup_dcache+0x44/0x70
   ? lookup_one_len+0x66/0x90
   vfsub_lookup_one_len+0x50/0x70 [aufs]
   au_sio_lkup_one+0x8e/0xa0 [aufs]
   au_lkup_dentry+0x3fa/0x660 [aufs]
   aufs_lookup.part.35+0x11c/0x210 [aufs]
   aufs_atomic_open+0xec/0x3c0 [aufs]
   path_openat+0xe30/0x16a0
   ? aufs_lookup+0x30/0x30 [aufs]
   ? path_openat+0xe30/0x16a0
   ? unlock_page_memcg+0x12/0x20
   ? filemap_map_pages+0x17d/0x3b0
   do_filp_open+0x9b/0x110
   ? __check_object_size+0xdb/0x1b0
   ? __alloc_fd+0xb2/0x170
   do_sys_open+0x1ba/0x2e0
   ? do_sys_open+0x1ba/0x2e0
   __x64_sys_openat+0x20/0x30
   do_syscall_64+0x5e/0x200
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x4a06fa

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1948470/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp