Steps to Reproduce:
1) test app
# cat openat.c
#include <stdio.h>
#include <fcntl.h>
int main() {
int rc;
rc = openat(AT_FDCWD, "test", O_RDWR | O_CREAT | S_IRWXU);
if (rc < 0) {
perror("openat");
return 1;
}
return 0;
}
# gcc -o openat openat.c
2) ntfs-3g mount (fuseblk)
# truncate -s 1g ntfs.img
# DEV=$(losetup -f --show ntfs.img)
# mkfs.ntfs --fast $DEV
# mkdir ntfs
# mount -t ntfs-3g $DEV ntfs
# mount | grep ntfs | grep fuseblk
/dev/loop6 on /home/ubuntu/ntfs type fuseblk
(rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096)
3) aufs mount (with 'test' file in the read-only branch)
# mkdir ro aufs
# touch ro/test
# mount -t aufs -o br=ntfs:ro none aufs
4) enable apparmor for the test app (even in complain mode with aa-
genprof)
# aa-genprof ./openat &
...
Please start the application to be profiled in
another window and exercise its functionality now.
...
<press enter>
[1]+ Stopped aa-genprof ./openat
5) remove 'test' file from read-write branch (still exists in read-only
branch)
# cd aufs
# rm test
6) run the test app
# ../openat
Killed
7) check kernel logs
# dmesg
** Description changed:
- aufs: kernel bug with apparmor and fuseblk
-
[Impact]
- * AppArmor-enabled applications on the aufs filesystem
- might hit a kernel bug when getting file attributes.
-
- * The aufs filesystem explicitly assigns a NULL pointer
- to `struct path.mnt` for `vfs_getattr()`, which calls
- into AppArmor that checks `struct path.mnt->mnt_flags`,
- triggering a kernel NULL pointer dereference.
-
- * This is almost 10 years old [1,2], reproducible w/ the
- Linux v3.2 kernel, but it's rare as apparently it needs
- a fuseblk mount as an aufs branch, and file creation/
- open (O_CREAT), with a filename that exists only in a
- lower aufs branch. On Linux v5.15-rc* it doesn't need
- AppArmor anymore.
+ * AppArmor-enabled applications on the aufs filesystem
+ might hit a kernel bug when getting file attributes.
+
+ * The aufs filesystem explicitly assigns a NULL pointer
+ to `struct path.mnt` for `vfs_getattr()`, which calls
+ into AppArmor that checks `struct path.mnt->mnt_flags`,
+ triggering a kernel NULL pointer dereference.
+
+ * This is almost 10 years old [1,2], reproducible w/ the
+ Linux v3.2 kernel, but it's rare as apparently it needs
+ a fuseblk mount as an aufs branch, and file creation/
+ open (O_CREAT), with a filename that exists only in a
+ lower aufs branch. On Linux v5.15-rc* it doesn't need
+ AppArmor anymore.
[Fix]
- * The patch fixing this issue does set `struct path.mnt`
- properly, by taking `struct path` as parameter instead
- of just `struct dentry` (and making up an incomplete
- `struct path` w/ that `dentry` and `mnt = NULL`.)
-
- * Since it changes the signature of a key, leaf function
- with several callers, the patch is a bit long/refactor,
- but it has been tested by the upstream aufs maintainer
- with a private test-suite.
-
+ * The patch fixing this issue does set `struct path.mnt`
+ properly, by taking `struct path` as parameter instead
+ of just `struct dentry` (and making up an incomplete
+ `struct path` w/ that `dentry` and `mnt = NULL`.)
+
+ * Since it changes the signature of a key, leaf function
+ with several callers, the patch is a bit long/refactor,
+ but it has been tested by the upstream aufs maintainer
+ with a private test-suite.
+
[Test Plan]
- * Synthetic reproducer available in [1] and comment #1.
+ * Synthetic reproducer available in [1] and comment #1.
[Regression Potential]
- * Regressions would probably manifest as kernel errors
- mostly in the lookup and open paths, but more subtle
- manifestations would be possible as well.
-
- * The patch modifies a fair number of functions, even if
- doing so in simple ways. The synthetic reproducer only
- covers one of those functions.
-
- * The other code paths have been tested by the maintainer
- w/ the mainline kernel, and should be equivalent to our
- kernel as none of such changed for cherry-pick/backport.
-
- * The upstream aufs maintainer runs a private test suite
- that covers several features and use cases of aufs, so
- hopefully that provides some relief to take this patch.
-
+ * Regressions would probably manifest as kernel errors
+ mostly in the lookup and open paths, but more subtle
+ manifestations would be possible as well.
+
+ * The patch modifies a fair number of functions, even if
+ doing so in simple ways. The synthetic reproducer only
+ covers one of those functions.
+
+ * The other code paths have been tested by the maintainer
+ w/ the mainline kernel, and should be equivalent to our
+ kernel as none of such changed for cherry-pick/backport.
+
+ * The upstream aufs maintainer runs a private test suite
+ that covers several features and use cases of aufs, so
+ hopefully that provides some relief to take this patch.
+
[Other Info]
- * Impish no longer ships aufs; no fix needed.
- * Hirsute/Focal/Bionic do/need it.
- * Hirsute/Focal are clean cherry-picks.
- * Bionic is a trivial backport.
-
+ * Impish no longer ships aufs; no fix needed.
+ * Hirsute/Focal/Bionic do/need it.
+ * Hirsute/Focal are clean cherry-picks.
+ * Bionic is a trivial backport.
+
[1] https://sourceforge.net/p/aufs/mailman/message/37363599/
[2]
https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic
[Kernel Traces]
BUG: kernel NULL pointer dereference, address: 0000000000000010
...
CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure
#60~18.04.1-Ubuntu
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS
090008 12/07/2018
RIP: 0010:aa_path_name+0x55/0x370
...
Call Trace:
? request_wait_answer+0xc4/0x200
path_name+0x60/0xe0
profile_path_perm.part.9+0x57/0xa0
aa_path_perm+0xe2/0x130
common_perm+0x59/0x130
common_perm_cond+0x4c/0x70
apparmor_inode_getattr+0x1d/0x20
security_inode_getattr+0x35/0x50
vfs_getattr+0x21/0x40
vfsub_update_h_iattr+0x95/0xb0 [aufs]
? lookup_dcache+0x44/0x70
? lookup_one_len+0x66/0x90
vfsub_lookup_one_len+0x50/0x70 [aufs]
au_sio_lkup_one+0x8e/0xa0 [aufs]
au_lkup_dentry+0x3fa/0x660 [aufs]
aufs_lookup.part.35+0x11c/0x210 [aufs]
aufs_atomic_open+0xec/0x3c0 [aufs]
path_openat+0xe30/0x16a0
? aufs_lookup+0x30/0x30 [aufs]
? path_openat+0xe30/0x16a0
? unlock_page_memcg+0x12/0x20
? filemap_map_pages+0x17d/0x3b0
do_filp_open+0x9b/0x110
? __check_object_size+0xdb/0x1b0
? __alloc_fd+0xb2/0x170
do_sys_open+0x1ba/0x2e0
? do_sys_open+0x1ba/0x2e0
__x64_sys_openat+0x20/0x30
do_syscall_64+0x5e/0x200
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4a06fa
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1948470
Title:
aufs: kernel bug with apparmor and fuseblk
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1948470/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
