This bug is awaiting verification that the linux/5.11.0-41.45 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'.
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you! ** Tags added: verification-needed-hirsute ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1948470 Title: aufs: kernel bug with apparmor and fuseblk Status in linux package in Ubuntu: Invalid Status in linux source package in Bionic: Fix Committed Status in linux source package in Focal: Fix Committed Status in linux source package in Hirsute: Fix Committed Status in linux source package in Impish: Invalid Status in linux source package in Jammy: Invalid Bug description: [Impact] * AppArmor-enabled applications on the aufs filesystem might hit a kernel bug when getting file attributes. * The aufs filesystem explicitly assigns a NULL pointer to `struct path.mnt` for `vfs_getattr()`, which calls into AppArmor that checks `struct path.mnt->mnt_flags`, triggering a kernel NULL pointer dereference. * This is almost 10 years old [1,2], reproducible w/ the Linux v3.2 kernel, but it's rare as apparently it needs a fuseblk mount as an aufs branch, and file creation/ open (O_CREAT), with a filename that exists only in a lower aufs branch. On Linux v5.15-rc* it doesn't need AppArmor anymore. [Fix] * The patch fixing this issue does set `struct path.mnt` properly, by taking `struct path` as parameter instead of just `struct dentry` (and making up an incomplete `struct path` w/ that `dentry` and `mnt = NULL`.) * Since it changes the signature of a key, leaf function with several callers, the patch is a bit long/refactor, but it has been tested by the upstream aufs maintainer with a private test-suite. [Test Plan] * Synthetic reproducer available in [1] and comment #1. [Regression Potential] * Regressions would probably manifest as kernel errors mostly in the lookup and open paths, but more subtle manifestations would be possible as well. * The patch modifies a fair number of functions, even if doing so in simple ways. The synthetic reproducer only covers one of those functions. * The other code paths have been tested by the maintainer w/ the mainline kernel, and should be equivalent to our kernel as none of such changed for cherry-pick/backport. * The upstream aufs maintainer runs a private test suite that covers several features and use cases of aufs, so hopefully that provides some relief to take this patch. [Other Info] * Impish no longer ships aufs; no fix needed. * Hirsute/Focal/Bionic do/need it. (H only for backports) * Hirsute/Focal are clean cherry-picks. * Bionic is a trivial backport. [1] https://sourceforge.net/p/aufs/mailman/message/37363599/ [2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic [Kernel Traces] BUG: kernel NULL pointer dereference, address: 0000000000000010 ... CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018 RIP: 0010:aa_path_name+0x55/0x370 ... Call Trace: ? request_wait_answer+0xc4/0x200 path_name+0x60/0xe0 profile_path_perm.part.9+0x57/0xa0 aa_path_perm+0xe2/0x130 common_perm+0x59/0x130 common_perm_cond+0x4c/0x70 apparmor_inode_getattr+0x1d/0x20 security_inode_getattr+0x35/0x50 vfs_getattr+0x21/0x40 vfsub_update_h_iattr+0x95/0xb0 [aufs] ? lookup_dcache+0x44/0x70 ? lookup_one_len+0x66/0x90 vfsub_lookup_one_len+0x50/0x70 [aufs] au_sio_lkup_one+0x8e/0xa0 [aufs] au_lkup_dentry+0x3fa/0x660 [aufs] aufs_lookup.part.35+0x11c/0x210 [aufs] aufs_atomic_open+0xec/0x3c0 [aufs] path_openat+0xe30/0x16a0 ? aufs_lookup+0x30/0x30 [aufs] ? path_openat+0xe30/0x16a0 ? unlock_page_memcg+0x12/0x20 ? filemap_map_pages+0x17d/0x3b0 do_filp_open+0x9b/0x110 ? __check_object_size+0xdb/0x1b0 ? __alloc_fd+0xb2/0x170 do_sys_open+0x1ba/0x2e0 ? do_sys_open+0x1ba/0x2e0 __x64_sys_openat+0x20/0x30 do_syscall_64+0x5e/0x200 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4a06fa To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1948470/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
