Hi J. R. Okajima,

Here's a fix for what might potentially be a 10-year-old bug
(it's at least 4 years, 10 months old per a public report [1].)

The key change is very simple (set `path.mnt` in vfsub_lookup_one_len())
but its caller chain is large enough (reviewed/modified ~30 functions).
Fortunately most of them already had `path.mnt` set or easy to obtain.

This does fix the issue with the provided reproducer, but it does not
exercise every path that changed. So, ...

Could you please run it through your internal test suite?

I recall it seemed to test a whole lot of stuff, and it even caught a
regression in a patchset we worked on previously (CVE-2020-11935 [2]),
thus it would definitely help with validating this fix.

Thanks!
Mauricio

[1] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic
[2] https://ubuntu.com/security/CVE-2020-11935

Mauricio Faria de Oliveira (2):
  aufs: deduplicate vfsub_lookup_one_len[_unlocked]()
  aufs: vfsub_lookup_one_len[_unlocked](): set struct path.mnt

 fs/aufs/cpup.c     |  4 +++-
 fs/aufs/dentry.c   | 24 +++++++++++++++---------
 fs/aufs/dentry.h   |  2 +-
 fs/aufs/dirren.c   | 15 +++++++--------
 fs/aufs/export.c   |  2 +-
 fs/aufs/i_op_del.c |  6 +++++-
 fs/aufs/i_op_ren.c | 10 ++++++++--
 fs/aufs/plink.c    |  5 +++--
 fs/aufs/vfsub.c    | 43 +++++++++++++++++++++----------------------
 fs/aufs/vfsub.h    | 11 +++++++----
 fs/aufs/whout.c    | 23 ++++++++++++++---------
 fs/aufs/whout.h    |  5 +++--
 fs/aufs/xino.c     |  4 ++--
 13 files changed, 90 insertions(+), 64 deletions(-)

-- 
2.30.2

