prevent kernel panic with overlayfs + shiftfs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Impish | Fix Released | Medium | Unassigned |
Jammy | Fix Released | Medium | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
The patch that we have recently re-introduced to properly support overlayfs on top of shiftfs can introduce potential kernel panics, for example:
```
BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 447.039738] #PF: supervisor read access in kernel mode
[ 447.040369] #PF: error_code(0x0000) - not-present page
[ 447.041002] PGD 0 P4D 0
[ 447.041325] Oops: 0000 [#1] SMP NOPTI
[ 447.041798] CPU: 0 PID: 73766 Comm: sudo Not tainted 5.15.0-28-generic #29~20.04.1-Ubuntu
[ 447.042800] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-
[ 447.043979] RIP: 0010:aa_
[ 447.044565] Code: 54 53 48 83 ec 68 48 89 7d 80 89 4d 8c 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 63 05 01 0a 19 01 48 03 82 c0 00 00 00 <4c> 8b 68 08 f6 46 40 02 0f 85 d0 00 00 00 41 f6 45 40 02 0f 85 c5
[ 447.046837] RSP: 0018:ffffaefe80
[ 447.047481] RAX: 0000000000000000 RBX: ffff96e4038abd01 RCX: 0000000000000004
[ 447.048351] RDX: ffff96e4038abd00 RSI: ffff96e401215eb8 RDI: ffffffff9c22a2ac
[ 447.049241] RBP: ffffaefe80a4bd38 R08: 0000000000000000 R09: 0000000000000000
[ 447.050121] R10: 0000000000000000 R11: 0000000000000000 R12: ffff96e401215eb8
[ 447.051040] R13: ffff96e4038abd00 R14: ffffffff9c22a2ac R15: 0000000000000004
[ 447.051942] FS: 00007eff3c0f8c8
[ 447.052981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 447.053696] CR2: 0000000000000008 CR3: 0000000002be2000 CR4: 00000000003506f0
[ 447.054571] Call Trace:
[ 447.054883] <TASK>
[ 447.055154] ? unlock_
[ 447.055668] ? page_remove_
[ 447.056180] common_
[ 447.056669] apparmor_
[ 447.057237] security_
[ 447.057898] rw_verify_
[ 447.058392] vfs_read+0x6d/0x1a0
[ 447.058842] ksys_read+0xb1/0xe0
[ 447.059276] __x64_sys_
[ 447.059732] do_syscall_
[ 447.060183] ? __set_current_
[ 447.060738] ? exit_to_
[ 447.061434] ? syscall_
[ 447.062099] ? do_syscall_
[ 447.062603] ? irqentry_
[ 447.063210] ? irqentry_
[ 447.063678] ? exc_page_
[ 447.064165] ? asm_exc_
[ 447.064675] entry_SYSCALL_
[ 447.065298] RIP: 0033:0x7eff3c2cb002
```
[Test case]
It is really easy to trigger this specific kernel panic by running the lxc autopackage test.
[Fix]
This bug happens because we don't need to decrement anymore the refcount for the previous vm_file value in ovl_vm_
[Regression potential]
This patch affects only overlayfs (only when AUFS is enabled), so we may see regressions in overlayfs in kernels that have AUFS enabled (focal hwe and cloud kernels).
Changed in linux (Ubuntu Jammy): importance: Undecided → Medium
Changed in linux (Ubuntu Impish): importance: Undecided → Medium
Changed in linux (Ubuntu Jammy): status: Incomplete → In Progress
Changed in linux (Ubuntu Impish): status: Incomplete → In Progress
Changed in linux (Ubuntu Impish): status: In Progress → Fix Committed
Changed in linux (Ubuntu Jammy): status: In Progress → Fix Committed
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1973620
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.