[H/F/B][PATCH 0/1] aufs: fix kernel bug with apparmor and fuseblk

Mauricio Faria de Oliveira mfo at canonical.com
Fri Oct 22 15:47:13 UTC 2021

BugLink: https://bugs.launchpad.net/bugs/1948470

[Impact]

 * AppArmor-enabled applications on the aufs filesystem
   might hit a kernel bug when getting file attributes.

 * The aufs filesystem explicitly assigns a NULL pointer
   to `struct path.mnt` for `vfs_getattr()`, which calls
   into AppArmor that checks `struct path.mnt->mnt_flags`,
   triggering a kernel NULL pointer dereference.

 * This is almost 10 years old [1,2], reproducible w/ the
   Linux v3.2 kernel, but it's rare as apparently it needs
   a fuseblk mount as an aufs branch, and file creation/
   open (O_CREAT), with a filename that exists only in a
   lower aufs branch. On Linux v5.15-rc* it doesn't need
   AppArmor anymore.

[Fix]

 * The patch fixing this issue does set `struct path.mnt`
   properly, by taking `struct path` as parameter instead
   of just `struct dentry` (and making up an incomplete
   `struct path` w/ that `dentry` and `mnt = NULL`.)

 * Since it changes the signature of a key, leaf function
   with several callers, the patch is a bit long/refactor,
   but it has been tested by the upstream aufs maintainer
   with a private test-suite.

[Test Plan]

 * Synthetic reproducer available in [1] and comment #1.

[Regression Potential]

 * Regressions would probably manifest as kernel errors
   mostly in the lookup and open paths, but more subtle
   manifestations would be possible as well.

 * The patch modifies a fair number of functions, even if
   doing so in simple ways. The synthetic reproducer only
   covers one of those functions.

 * The other code paths have been tested by the maintainer
   w/ the mainline kernel, and should be equivalent to our
   kernel as none of such changed for cherry-pick/backport.

 * The upstream aufs maintainer runs a private test suite
   that covers several features and use cases of aufs, so
   hopefully that provides some relief to take this patch.

[Other Info]

 * Impish no longer ships aufs; no fix needed.
 * Hirsute/Focal/Bionic do/need it. (H only for backports)
 * Hirsute/Focal are clean cherry-picks.
 * Bionic is a trivial backport.

[1] https://sourceforge.net/p/aufs/mailman/message/37363599/
[2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic

[Kernel Traces]

    BUG: kernel NULL pointer dereference, address: 0000000000000010
    CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure
    Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
    RIP: 0010:aa_path_name+0x55/0x370
    Call Trace:
    ? request_wait_answer+0xc4/0x200
    vfsub_update_h_iattr+0x95/0xb0 [aufs]
    ? lookup_dcache+0x44/0x70
    ? lookup_one_len+0x66/0x90
    vfsub_lookup_one_len+0x50/0x70 [aufs]
    au_sio_lkup_one+0x8e/0xa0 [aufs]
    au_lkup_dentry+0x3fa/0x660 [aufs]
    aufs_lookup.part.35+0x11c/0x210 [aufs]
    aufs_atomic_open+0xec/0x3c0 [aufs]
    ? aufs_lookup+0x30/0x30 [aufs]
    ? path_openat+0xe30/0x16a0
    ? unlock_page_memcg+0x12/0x20
    ? filemap_map_pages+0x17d/0x3b0
    ? __check_object_size+0xdb/0x1b0
    ? __alloc_fd+0xb2/0x170
    ? do_sys_open+0x1ba/0x2e0
    RIP: 0033:0x4a06fa

J. R. Okajima (1):
  aufs: bugfix, stop omitting path->mnt

 fs/aufs/cpup.c     |  6 ++--
 fs/aufs/dentry.c   | 35 ++++++++++++--------
 fs/aufs/dentry.h   |  2 +-
 fs/aufs/dirren.c   |  9 +++--
 fs/aufs/export.c   |  2 +-
 fs/aufs/i_op_del.c | 11 +++++--
 fs/aufs/i_op_ren.c | 14 +++++---
 fs/aufs/plink.c    | 62 +++++++++++++++++------------------
 fs/aufs/vfsub.c    | 33 +++++++++++--------
 fs/aufs/vfsub.h    | 10 +++---
 fs/aufs/whout.c    | 82 ++++++++++++++++++++++++----------------------
 fs/aufs/whout.h    |  4 +--
 fs/aufs/xino.c     | 11 ++++---
 13 files changed, 156 insertions(+), 125 deletions(-)
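As an added illustration, not part of the patch or of the aufs code itself, the following userspace C model reproduces the defect described in the cover letter and the shape of the fix: the "before" helper receives only a dentry and fabricates an incomplete `struct path` with `mnt = NULL`, which the path-based check then dereferences; the "after" helper takes the whole `struct path`. The helper names, struct layouts and the flag value are stand-ins for the kernel's, and the NULL case returns an error instead of faulting so the model can run.

```c
#include <stddef.h>
#include <errno.h>

/* Minimal userspace model of the kernel structures involved (not kernel code). */
#define MODEL_MNT_NOSUID 0x01   /* constructed flag value for the model */

struct vfsmount { int mnt_flags; };
struct dentry   { const char *name; };
struct path     { struct vfsmount *mnt; struct dentry *dentry; };

/*
 * Models the LSM path check reached from vfs_getattr(): it reads
 * path->mnt->mnt_flags.  The real hook dereferences unconditionally and
 * oopses when mnt == NULL; the model reports that case as -EINVAL instead.
 */
static int lsm_path_check(const struct path *path)
{
    if (path->mnt == NULL)
        return -EINVAL;          /* kernel: NULL pointer dereference at mnt_flags */
    return path->mnt->mnt_flags;
}

/* Before the fix (hypothetical name): only a dentry is passed in, so the
 * helper builds an incomplete struct path with mnt = NULL. */
static int update_h_iattr_old(struct dentry *h_dentry)
{
    struct path h_path = { .mnt = NULL, .dentry = h_dentry };
    return lsm_path_check(&h_path);
}

/* After the fix (hypothetical name): the full struct path is passed in,
 * so mnt is always populated when the check runs. */
static int update_h_iattr_new(const struct path *h_path)
{
    return lsm_path_check(h_path);
}

/* Drives either variant against one constructed branch mount and file.
 * Returns the flags on success or a negative errno on the modelled fault. */
static int demo(int use_fixed)
{
    struct vfsmount branch_mnt = { .mnt_flags = MODEL_MNT_NOSUID };
    struct dentry   lower_file = { .name = "lower-only-file" };
    struct path     h_path     = { .mnt = &branch_mnt, .dentry = &lower_file };

    return use_fixed ? update_h_iattr_new(&h_path)
                     : update_h_iattr_old(h_path.dentry);
}
```

`demo(0)` models the pre-fix call chain and yields the error the kernel turns into an oops; `demo(1)` models the fixed chain and returns the mount flags.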