[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
This bug was fixed in the package linux - 5.11.0-41.45

---
linux (5.11.0-41.45) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-41.45 -proposed tracker (LP: #1949801)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * CVE-2021-3744 // CVE-2021-3764
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Fix Screen freeze after resume from suspend with iGPU [1002:6987] (LP: #1949050)
    - drm/amdgpu: reenable BACO support for 699F:C7 polaris12 SKU
    - drm/amdgpu: add missing cleanups for Polaris12 UVD/VCE on suspend
    - drm/amdgpu: Fix crash on device remove/driver unload

  * Intel I225-IT ethernet controller: igc: probe of :02:00.0 failed with error -1 (LP: #1945576)
    - igc: Remove _I_PHY_ID checking
    - igc: Remove phy->type checking

  * Fail to detect audio output from external monitor (LP: #1948767)
    - ALSA: hda: intel: Allow repeatedly probing on codec configuration errors

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active"

  * Hirsute update: upstream stable patchset 2021-11-03 (LP: #1949640)
    - mm: fix uninitialized use in overcommit_policy_handler
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave
    - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - USB: cdc-acm: fix minor-number release
    - Revert "USB: bcma: Add a check for devm_gpiod_get"
    - binder: make sure fd closes complete
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - usb: dwc3: core: balance phy init and exit
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxconn T99W265
    - mcb: fix error handling in mcb_alloc_bus()
    - erofs: fix up erofs_lookup tracepoint
    - btrfs: prevent __btrfs_dump_space_info() to underflow its free space
    - serial: 8250: 8250_omap: Fix RX_LVL register offset
    - serial: mvebu-uart: fix driver's tx_empty callback
    - scsi: sd_zbc: Ensure buffer size is aligned to SECTOR_SIZE
    - drm/amd/pm: Update intermediate power state for SI
    - net: hso: fix muxed tty registration
    - comedi: Fix memory leak in compat_insnlist()
    - afs: Fix incorrect triggering of sillyrename on 3rd-party invalidation
    - afs: Fix updating of i_blocks on file/dir extension
    - platform/x86/intel: punit_ipc: Drop wrong use of ACPI_PTR()
    - enetc: Fix illegal access when reading affinity_hint
    - enetc: Fix uninitialized struct dim_sample field usage
    - bnxt_en: Fix TX timeout when TX ring size is set to the smallest
    - net: hns3: fix change RSS 'hfunc' ineffective issue
    - net: hns3: check queue id range before using
    - net/smc: add missing error check in smc_clc_prfx_set()
    - net/smc: fix 'workqueue leaked lock' in smc_conn_abort_work
    - net: dsa: don't allocate the slave_mii_bus using devres
    - net: dsa: realtek: register the MDIO bus under devres
    - kselftest/arm64: signal: Add SVE to the set of features we can check for
    - kselftest/arm64: signal: Skip tests if required features are missing
    - s390/qeth: fix NULL deref in qeth_clear_working_pool_list()
    - gpio: uniphier: Fix void functions to remove return value
    - qed: rdma - don't wait for resources under hw error recovery flow
    - net/mlx4_en: Don't allow aRFS for encapsulated packets
    - atlantic: Fix issue in the pm resume flow.
    - scsi: iscsi: Adjust iface sysfs attr detection
    - scsi: target: Fix the pgr/alua_support_store functions
    - tty: synclink_gt, drop unneeded forward declarations
    - tty: synclink_gt: rename a conflicting function name
    - fpga: machxo2-spi: Return an error on failure
    - fpga:
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
This bug was fixed in the package linux - 5.4.0-91.102

---
linux (5.4.0-91.102) focal; urgency=medium

  * focal/linux: 5.4.0-91.102 -proposed tracker (LP: #1949840)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * KVM emulation failure when booting into VM crash kernel with multiple CPUs (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active"

  * Reassign I/O Path of ConnectX-5 Port 1 before Port 2 causes NULL dereference (LP: #1943464)
    - s390/pci: fix leak of PCI device structure
    - s390/pci: fix use after free of zpci_dev
    - s390/pci: fix zpci_zdev_put() on reserve

  * [SRU][F] USB: serial: pl2303: add support for PL2303HXN (LP: #1948377)
    - USB: serial: pl2303: add support for PL2303HXN
    - USB: serial: pl2303: fix line-speed handling on newer chips

  * Focal update: v5.4.151 upstream stable release (LP: #1947888)
    - tty: Fix out-of-bound vmalloc access in imageblit
    - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    - usb: cdns3: fix race condition before setting doorbell
    - fs-verity: fix signed integer overflow with i_size near S64_MAX
    - hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field
    - hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
    - hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field
    - scsi: ufs: Fix illegal offset in UPIU event trace
    - mac80211: fix use-after-free in CCMP/GCMP RX
    - x86/kvmclock: Move this_cpu_pvti into kvmclock.h
    - drm/amd/display: Pass PCI deviceid into DC
    - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
    - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs
    - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
    - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
    - mac80211: mesh: fix potentially unaligned access
    - mac80211-hwsim: fix late beacon hrtimer handling
    - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
    - hwmon: (tmp421) report /PVLD condition as fault
    - hwmon: (tmp421) fix rounding for negative values
    - net: ipv4: Fix rtnexthop len when RTA_FLOW is present
    - e100: fix length calculation in e100_get_regs_len
    - e100: fix buffer overrun in e100_get_regs
    - selftests, bpf: test_lwt_ip_encap: Really disable rp_filter
    - scsi: csiostor: Add module softdep on cxgb4
    - net: hns3: do not allow call hns3_nic_net_open repeatedly
    - net: sched: flower: protect fl_walk() with rcu
    - af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
    - perf/x86/intel: Update event constraints for ICX
    - elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
    - debugfs: debugfs_create_file_size(): use IS_ERR to check for error
    - ipack: ipoctal: fix stack information leak
    - ipack: ipoctal: fix tty registration race
    - ipack: ipoctal: fix tty-registration error handling
    - ipack: ipoctal: fix missing allocation-failure check
    - ipack: ipoctal: fix module reference leak
    - ext4: fix loff_t overflow in ext4_max_bitmap_size()
    - ext4: fix reserved space counter leakage
    - ext4: fix potential infinite loop in ext4_dx_readdir()
    - HID: u2fzero: ignore incomplete packets without data
    - net: udp: annotate data race around udp_sk(sk)->corkflag
    - net: stmmac: don't attach interface until resume finishes
    - PCI: Fix pci_host_bridge struct device release/free handling
    - libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind
    - hso: fix bailout in error case of probe
    - usb: hso: fix error handling code of hso_create_net_device
    - usb: hso: remove the bailout parameter
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
    - HID: betop: fix slab-out-of-bounds Write in betop_probe
    - netfilter:
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
This bug was fixed in the package linux - 4.15.0-163.171

---
linux (4.15.0-163.171) bionic; urgency=medium

  * bionic/linux: 4.15.0-163.171 -proposed tracker (LP: #1949874)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * Unable to build net/reuseport_bpf and other tests in ubuntu_kernel_selftests on Bionic with make command (LP: #1949889)
    - selftests: Fix loss of test output in run_kselftests.sh
    - selftests: Makefile set KSFT_TAP_LEVEL to prevent nested TAP headers
    - selftests: fix headers_install circular dependency
    - selftests: fix bpf build/test workflow regression when KBUILD_OUTPUT is set
    - selftests: vm: Fix test build failure when built by itself

  * KVM emulation failure when booting into VM crash kernel with multiple CPUs (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in cachefiles_read_backing_file while vmscan is active"
    - cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active

  * Some test in ubuntu_bpf test_verifier failed on i386 Bionic kernel (LP: #1788578)
    - bpf: fix context access in tracing progs on 32 bit archs

  * test_bpf.sh from ubuntu_kernel_selftests.net from linux ADT test failure with linux/4.15.0-149.153 i386 (Segmentation fault) (LP: #1934414)
    - selftests/bpf: make test_verifier run most programs
    - bpf: add couple of test cases for div/mod by zero
    - bpf: add further test cases around div/mod and others

  * Bionic update: upstream stable patchset 2021-11-02 (LP: #1949512)
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxconn T99W265
    - mcb: fix error handling in mcb_alloc_bus()
    - serial: mvebu-uart: fix driver's tx_empty callback
    - net: hso: fix muxed tty registration
    - bnxt_en: Fix TX timeout when TX ring size is set to the smallest
    - net/mlx4_en: Don't allow aRFS for encapsulated packets
    - scsi: iscsi: Adjust iface sysfs attr detection
    - thermal/core: Potential buffer overflow in thermal_build_list_of_policies()
    - irqchip/gic-v3-its: Fix potential VPE leak on error
    - md: fix a lock order reversal in md_alloc
    - blktrace: Fix uaf in blk_trace access after removing by sysfs
    - net: macb: fix use after free on rmmod
    - net: stmmac: allow CSR clock of 300MHz
    - m68k: Double cast io functions to unsigned long
    - xen/balloon: use a kernel thread instead a workqueue
    - compiler.h: Introduce absolute_pointer macro
    - net: i825xx: Use absolute_pointer for memcpy from fixed memory location
    - sparc: avoid stringop-overread errors
    - qnx4: avoid stringop-overread errors
    - parisc: Use absolute_pointer() to define PAGE0
    - arm64: Mark __stack_chk_guard as __ro_after_init
    - alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile
    - net: 6pack: Fix tx timeout and slot time
    - spi: Fix tegra20 build with CONFIG_PM=n
    - arm64: dts: marvell: armada-37xx: Extend PCIe MEM space
    - PCI: aardvark: Fix checking for PIO Non-posted Request
    - PCI: aardvark: Fix checking for PIO status
    - xen/balloon: fix balloon kthread freezing
    - qnx4: work around gcc false positive warning bug
    - tty: Fix out-of-bound vmalloc access in imageblit
    - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
Verified bionic, focal, and hirsute (hwe kernel in focal) with steps in comment #1.

The kernel packages in -updates hit the issue.
The kernel packages in -proposed don't hit it.

ubuntu@mfo-aufs-bionic:~/aufs$ uname -rv
4.15.0-163-generic #171-Ubuntu SMP Fri Nov 5 11:55:11 UTC 2021

ubuntu@mfo-aufs-focal:~$ uname -rv
5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021

ubuntu@mfo-aufs-focal:~/aufs$ uname -rv
5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021

** Tags removed: verification-needed-bionic verification-needed-focal verification-needed-hirsute
** Tags added: verification-done-bionic verification-done-focal verification-done-hirsute

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1948470

Title:
  aufs: kernel bug with apparmor and fuseblk

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1948470/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
This bug is awaiting verification that the linux/4.15.0-163.171 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
This bug is awaiting verification that the linux/5.4.0-91.102 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-bionic
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
This bug is awaiting verification that the linux/5.11.0-41.45 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-hirsute ** Tags added: verification-needed-focal
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
** Changed in: linux (Ubuntu Bionic) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Focal) Status: In Progress => Fix Committed ** Changed in: linux (Ubuntu Hirsute) Status: In Progress => Fix Committed
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
[H/F/B][PATCH 0/1] aufs: fix kernel bug with apparmor and fuseblk https://lists.ubuntu.com/archives/kernel-team/2021-October/125163.html
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
Hirsute doesn't ship aufs anymore; no testing needed, just patching.

commit 4fb9ce7538c89f81e3fa5bfae881c9b49e7137e0
Author: Seth Forshee
Date: Fri Feb 19 14:46:24 2021 -0600

    UBUNTU: [Config] CONFIG_AUFS_FS=n

    We're keeping aufs in the source tree for backports but disabling it
    starting in hirsute. Update the configs and annotations accordingly.

    Signed-off-by: Seth Forshee

** Tags added: sts
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
Test with bionic-proposed (4.15.0-162.170)
---

Original:

# ../openat
Killed

[ 442.526300] BUG: unable to handle kernel NULL pointer dereference at 0010
...
[ 442.539854] CPU: 1 PID: 5644 Comm: openat Not tainted 4.15.0-162-generic #170-Ubuntu
[ 442.540733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 442.541755] RIP: 0010:aa_path_name+0x55/0x370
...
[ 442.549808] Call Trace:
[ 442.550211] path_name+0x60/0xe0
[ 442.550687] profile_path_perm.part.7+0x57/0xa0
[ 442.551293] aa_path_perm+0xe2/0x130
[ 442.551819] common_perm+0x59/0x130
[ 442.552323] common_perm_cond+0x4c/0x70
[ 442.552856] apparmor_inode_getattr+0x1d/0x20
[ 442.553444] security_inode_getattr+0x47/0x60
[ 442.554038] vfs_getattr+0x21/0x40
[ 442.554538] vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 442.555172] ? __lookup_hash+0x22/0xa0
[ 442.555697] ? lookup_one_len+0x113/0x120
[ 442.556323] vfsub_lookup_one_len+0x50/0x70 [aufs]
[ 442.557065] au_wh_test+0x25/0xe0 [aufs]
[ 442.557615] au_lkup_dentry+0x484/0x620 [aufs]
[ 442.558225] aufs_lookup.part.33+0x11c/0x210 [aufs]
[ 442.562787] aufs_atomic_open+0x102/0x3b0 [aufs]
[ 442.563427] ? aufs_permission+0x190/0x2d0 [aufs]
[ 442.564098] ? __inode_permission+0x5b/0x160
[ 442.564689] path_openat+0xde1/0x18b0
[ 442.565214] ? path_openat+0xde1/0x18b0
[ 442.565756] do_filp_open+0x9b/0x110
[ 442.566266] ? __check_object_size+0xc8/0x1b0
[ 442.566862] ? __alloc_fd+0xb2/0x170
[ 442.567376] do_sys_open+0x1ba/0x2c0
[ 442.567908] ? do_sys_open+0x1ba/0x2c0
[ 442.568453] SyS_openat+0x14/0x20
[ 442.568939] do_syscall_64+0x73/0x130
[ 442.569458] entry_SYSCALL_64_after_hwframe+0x41/0xa6
[ 442.570117] RIP: 0033:0x7f079564af83

Patched:

# ../openat
# echo $?
0

# uname -rv
4.15.0-162-generic #170+test20211022b1 SMP Fri Oct 22 10:59:39 -03 2021
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
Test with focal-proposed (5.4.0-90.101)
---

Original:

# ../openat
Killed

[ 286.989830] BUG: kernel NULL pointer dereference, address: 0010
...
[ 286.996507] CPU: 2 PID: 5529 Comm: openat Not tainted 5.4.0-90-generic #101-Ubuntu
[ 286.997358] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 286.998397] RIP: 0010:d_namespace_path.constprop.0+0x48/0x300
...
[ 287.008418] Call Trace:
[ 287.016112] aa_path_name+0x42/0xb0
[ 287.016616] path_name.isra.0+0x5f/0xe0
[ 287.017153] profile_path_perm.part.0+0x58/0xa0
[ 287.017768] aa_path_perm+0xdd/0x130
[ 287.018293] common_perm+0x96/0x110
[ 287.018795] common_perm_cond+0x4c/0x70
[ 287.019353] apparmor_inode_getattr+0x1d/0x20
[ 287.019948] security_inode_getattr+0x35/0x50
[ 287.020542] vfs_getattr+0x22/0x50
[ 287.021042] vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 287.021687] ? lookup_dcache+0x46/0x70
[ 287.022216] ? lookup_one_len+0x68/0x90
[ 287.022755] vfsub_lookup_one_len+0x61/0x70 [aufs]
[ 287.023413] au_wh_test+0x26/0xa0 [aufs]
[ 287.023978] au_lkup_dentry+0x1ba/0x670 [aufs]
[ 287.024598] aufs_lookup.part.0+0x119/0x200 [aufs]
[ 287.025250] aufs_atomic_open+0x19d/0x400 [aufs]
[ 287.025881] ? aufs_permission+0x1a9/0x2f0 [aufs]
[ 287.026536] ? security_path_mknod+0x4c/0x70
[ 287.027130] lookup_open+0x364/0x6e0
[ 287.027658] do_last+0x2cb/0x900
[ 287.028141] ? __alloc_file+0x94/0x110
[ 287.028678] path_openat+0x8d/0x290
[ 287.029184] ? do_async_page_fault+0x39/0x70
[ 287.029773] do_filp_open+0x91/0x100
[ 287.030292] ? strncpy_from_user+0xbd/0x150
[ 287.030879] ? __alloc_fd+0xb8/0x150
[ 287.031402] do_sys_open+0x17e/0x290
[ 287.031920] __x64_sys_openat+0x20/0x30
[ 287.032469] do_syscall_64+0x57/0x190
[ 287.032997] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 287.033682] RIP: 0033:0x7f299dccf026

Patched:

# ../openat
# echo $?
0

# uname -rv
5.4.0-90-generic #101+test20211022b2 SMP Fri Oct 22 10:34:51 -03 2021
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
** Description changed: [Impact] * AppArmor-enabled applications on the aufs filesystem might hit a kernel bug when getting file attributes. * The aufs filesystem explicitly assigns a NULL pointer to `struct path.mnt` for `vfs_getattr()`, which calls into AppArmor that checks `struct path.mnt->mnt_flags`, triggering a kernel NULL pointer dereference. * This is almost 10 years old [1,2], reproducible w/ the Linux v3.2 kernel, but it's rare as apparently it needs a fuseblk mount as an aufs branch, and file creation/ open (O_CREAT), with a filename that exists only in a lower aufs branch. On Linux v5.15-rc* it doesn't need AppArmor anymore. [Fix] * The patch fixing this issue does set `struct path.mnt` properly, by taking `struct path` as parameter instead of just `struct dentry` (and making up an incomplete `struct path` w/ that `dentry` and `mnt = NULL`.) * Since it changes the signature of a key, leaf function with several callers, the patch is a bit long/refactor, but it has been tested by the upstream aufs maintainer with a private test-suite. [Test Plan] * Synthetic reproducer available in [1] and comment #1. [Regression Potential] * Regressions would probably manifest as kernel errors mostly in the lookup and open paths, but more subtle manifestations would be possible as well. * The patch modifies a fair number of functions, even if doing so in simple ways. The synthetic reproducer only covers one of those functions. * The other code paths have been tested by the maintainer w/ the mainline kernel, and should be equivalent to our kernel as none of such changed for cherry-pick/backport. * The upstream aufs maintainer runs a private test suite that covers several features and use cases of aufs, so hopefully that provides some relief to take this patch. [Other Info] * Impish no longer ships aufs; no fix needed. - * Hirsute/Focal/Bionic do/need it. + * Hirsute/Focal/Bionic do/need it. (H only for backports) * Hirsute/Focal are clean cherry-picks. 
* Bionic is a trivial backport. [1] https://sourceforge.net/p/aufs/mailman/message/37363599/ [2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic [Kernel Traces] BUG: kernel NULL pointer dereference, address: 0010 ... CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018 RIP: 0010:aa_path_name+0x55/0x370 ... Call Trace: ? request_wait_answer+0xc4/0x200 path_name+0x60/0xe0 profile_path_perm.part.9+0x57/0xa0 aa_path_perm+0xe2/0x130 common_perm+0x59/0x130 common_perm_cond+0x4c/0x70 apparmor_inode_getattr+0x1d/0x20 security_inode_getattr+0x35/0x50 vfs_getattr+0x21/0x40 vfsub_update_h_iattr+0x95/0xb0 [aufs] ? lookup_dcache+0x44/0x70 ? lookup_one_len+0x66/0x90 vfsub_lookup_one_len+0x50/0x70 [aufs] au_sio_lkup_one+0x8e/0xa0 [aufs] au_lkup_dentry+0x3fa/0x660 [aufs] aufs_lookup.part.35+0x11c/0x210 [aufs] aufs_atomic_open+0xec/0x3c0 [aufs] path_openat+0xe30/0x16a0 ? aufs_lookup+0x30/0x30 [aufs] ? path_openat+0xe30/0x16a0 ? unlock_page_memcg+0x12/0x20 ? filemap_map_pages+0x17d/0x3b0 do_filp_open+0x9b/0x110 ? __check_object_size+0xdb/0x1b0 ? __alloc_fd+0xb2/0x170 do_sys_open+0x1ba/0x2e0 ? do_sys_open+0x1ba/0x2e0 __x64_sys_openat+0x20/0x30 do_syscall_64+0x5e/0x200 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4a06fa
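Added example (not part of the original thread, and not aufs or AppArmor code): a userspace C model of the [Impact] and [Fix] text in the description above, showing the helper that fabricates a `struct path` with `mnt = NULL` beside the form that takes the caller's complete `struct path`. Assumptions: the structs copy only the leading fields of the kernel's `struct vfsmount` and `struct path` as laid out on a 64-bit build of the affected kernels, every `model_*` name is hypothetical, and the sample values are constructed. Under that layout the faulting read lands at offset 0x10, which matches the `address: 0010` in the traces.

```c
/* Added example: userspace model only, not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct dentry { const char *d_name; };
struct super_block;                     /* opaque in this model */

/* Assumed leading fields of the kernel's struct vfsmount. */
struct vfsmount {
    struct dentry *mnt_root;
    struct super_block *mnt_sb;
    int mnt_flags;
};

struct path {
    struct vfsmount *mnt;
    struct dentry *dentry;
};

/* Hypothetical record of what the LSM check would have done. */
struct model_result {
    int oops;               /* 1 if the kernel would have faulted */
    uintptr_t fault_addr;   /* address of the faulting read */
    int mnt_flags;          /* flags read when path->mnt is valid */
};

/* Stand-in for the AppArmor getattr check, which reads
 * path->mnt->mnt_flags. Instead of dereferencing NULL, it reports the
 * address the kernel would have touched. */
static struct model_result model_lsm_getattr(const struct path *path)
{
    struct model_result r = { 0, 0, 0 };

    if (path->mnt == NULL) {
        r.oops = 1;
        r.fault_addr = (uintptr_t)offsetof(struct vfsmount, mnt_flags);
        return r;
    }
    r.mnt_flags = path->mnt->mnt_flags;
    return r;
}

/* Before the fix: the helper receives only a dentry and makes up an
 * incomplete struct path with mnt = NULL. */
static struct model_result model_update_h_iattr_before(struct dentry *h_dentry)
{
    struct path h_path = { .mnt = NULL, .dentry = h_dentry };

    return model_lsm_getattr(&h_path);
}

/* After the fix: the helper takes the caller's complete struct path,
 * so the branch mount reaches the LSM check. */
static struct model_result model_update_h_iattr_after(const struct path *h_path)
{
    return model_lsm_getattr(h_path);
}

int main(void)
{
    struct dentry h_dentry = { "test" };                 /* constructed */
    struct vfsmount br_mnt = { &h_dentry, NULL, 0x20 };  /* constructed */
    struct path h_path = { &br_mnt, &h_dentry };

    struct model_result before = model_update_h_iattr_before(&h_dentry);
    struct model_result after = model_update_h_iattr_after(&h_path);

    printf("before: oops=%d fault address=%04lx\n",
           before.oops, (unsigned long)before.fault_addr);
    printf("after:  oops=%d mnt_flags=%#x\n", after.oops, after.mnt_flags);
    return 0;
}
```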
[Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk
Steps to Reproduce:

1) test app

# cat openat.c
#include <fcntl.h>
#include <stdio.h>

int main() {
        int rc;

        /* Flags as posted: S_IRWXU is OR'ed into the flags argument. */
        rc = openat(AT_FDCWD, "test", O_RDWR | O_CREAT | S_IRWXU);
        if (rc < 0) {
                perror("openat");
                return 1;
        }
        return 0;
}

# gcc -o openat openat.c

2) ntfs-3g mount (fuseblk)

# truncate -s 1g ntfs.img
# DEV=$(losetup -f --show ntfs.img)
# mkfs.ntfs --fast $DEV
# mkdir ntfs
# mount -t ntfs-3g $DEV ntfs

# mount | grep ntfs | grep fuseblk
/dev/loop6 on /home/ubuntu/ntfs type fuseblk (rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096)

3) aufs mount (with 'test' file in the read-only branch)

# mkdir ro aufs
# touch ro/test
# mount -t aufs -o br=ntfs:ro none aufs

4) enable apparmor for the test app (even in complain mode with aa-genprof)

# aa-genprof ./openat &
...
Please start the application to be profiled in
another window and exercise its functionality now.
...
[1]+ Stopped aa-genprof ./openat

5) remove 'test' file from read-write branch (still exists in read-only branch)

# cd aufs
# rm test

6) run the test app

# ../openat
Killed

7) check kernel logs

# dmesg

** Description changed: - aufs: kernel bug with apparmor and fuseblk - [Impact] - * AppArmor-enabled applications on the aufs filesystem -might hit a kernel bug when getting file attributes. - - * The aufs filesystem explicitly assigns a NULL pointer -to `struct path.mnt` for `vfs_getattr()`, which calls -into AppArmor that checks `struct path.mnt->mnt_flags`, -triggering a kernel NULL pointer dereference. - - * This is almost 10 years old [1,2], reproducible w/ the -Linux v3.2 kernel, but it's rare as apparently it needs -a fuseblk mount as an aufs branch, and file creation/ -open (O_CREAT), with a filename that exists only in a -lower aufs branch. On Linux v5.15-rc* it doesn't need -AppArmor anymore. + * AppArmor-enabled applications on the aufs filesystem + might hit a kernel bug when getting file attributes.
+ + * The aufs filesystem explicitly assigns a NULL pointer + to `struct path.mnt` for `vfs_getattr()`, which calls + into AppArmor that checks `struct path.mnt->mnt_flags`, + triggering a kernel NULL pointer dereference. + + * This is almost 10 years old [1,2], reproducible w/ the + Linux v3.2 kernel, but it's rare as apparently it needs + a fuseblk mount as an aufs branch, and file creation/ + open (O_CREAT), with a filename that exists only in a + lower aufs branch. On Linux v5.15-rc* it doesn't need + AppArmor anymore. [Fix] - * The patch fixing this issue does set `struct path.mnt` -properly, by taking `struct path` as parameter instead -of just `struct dentry` (and making up an incomplete -`struct path` w/ that `dentry` and `mnt = NULL`.) - - * Since it changes the signature of a key, leaf function -with several callers, the patch is a bit long/refactor, -but it has been tested by the upstream aufs maintainer -with a private test-suite. - + * The patch fixing this issue does set `struct path.mnt` + properly, by taking `struct path` as parameter instead + of just `struct dentry` (and making up an incomplete + `struct path` w/ that `dentry` and `mnt = NULL`.) + + * Since it changes the signature of a key, leaf function + with several callers, the patch is a bit long/refactor, + but it has been tested by the upstream aufs maintainer + with a private test-suite. + [Test Plan] - * Synthetic reproducer available in [1] and comment #1. + * Synthetic reproducer available in [1] and comment #1. [Regression Potential] - * Regressions would probably manifest as kernel errors -mostly in the lookup and open paths, but more subtle -manifestations would be possible as well. - - * The patch modifies a fair number of functions, even if -doing so in simple ways. The synthetic reproducer only -covers one of those functions. 
- - * The other code paths have been tested by the maintainer -w/ the mainline kernel, and should be equivalent to our -kernel as none of such changed for cherry-pick/backport. - - * The upstream aufs maintainer runs a private test suite -that covers several features and use cases of aufs, so -hopefully that provides some relief to take this patch. - + * Regressions would probably manifest as kernel errors + mostly in the lookup and open paths, but more subtle + manifestations would be possible as well. + + * The patch modifies a fair number of functions, even if + doing so in simple ways. The synthetic reproducer only + covers one of those