oops when propagating mounts into containers - RIP: 0010:[<ffffffff8123cb3e>] [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0

Bug #1572316 reported by Tycho Andersen on 2016-04-19
This bug affects 2 people
Affects                      Importance   Assigned to
linux (Ubuntu)               High         Seth Forshee
  Trusty                     High         Seth Forshee
  Vivid                      High         Seth Forshee
  Wily                       High         Seth Forshee
  Xenial                     High         Seth Forshee
  Yakkety                    High         Seth Forshee
linux-lts-utopic (Ubuntu)    Undecided    Unassigned
  Trusty                     High         Seth Forshee
  Vivid                      Undecided    Unassigned
  Wily                       Undecided    Unassigned
  Xenial                     Undecided    Unassigned
  Yakkety                    Undecided    Unassigned

Bug Description

SRU Justification:

Impact: Propagation to some mount tree configurations can cause the kernel to oops. This is trivially reproducible using lxd.

Fix: Upstream cherry pick.

Regression Potential: Both Eric and I have tested the fix and believe that the post-fix code will handle all cases the same as before except for the ones which weren't being handled correctly. I believe the regression potential is small.

---

If I use LXD on xenial with a configuration that does something like: (/nfs in my case is an nfs mount, but based on the kernel code in question anything is probably okay):

devices:
  bind:
    type: disk
    source: /nfs
    path: /nfs
    recursive: "true"

and then start the container and on the host, do a new mount:

sudo mount $ipaddr:/some/nfs/path /nfs/newpath

You get the following kernel oops:

Apr 11 21:59:36 stock2 kernel: [ 1648.993034] Oops: 0000 [#1] SMP
Apr 11 21:59:36 stock2 kernel: [ 1648.993415] Modules linked in: binfmt_misc veth rpcsec_gss_krb5 auth_rpcgss nfsv4 nfs lockd grace fscache xt_CHECKSUM iptable_mangle xt_tcpudp ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack bridge stp llc iptable_filter ip_tables x_tables zfs(PO) zunicode(PO) zcommon(PO) znvpair(PO) spl(O) zavl(PO) ppdev kvm_intel parport_pc joydev kvm input_leds mac_hid irqbypass parport i2c_piix4 8250_fintek serio_raw ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr sunrpc iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt psmouse fb_sys_fops floppy drm pata_acpi
Apr 11 21:59:36 stock2 kernel: [ 1649.002015] CPU: 2 PID: 9449 Comm: mount.nfs Tainted: P O 4.4.0-18-generic #34+tych0201604111025
Apr 11 21:59:36 stock2 kernel: [ 1649.003037] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Apr 11 21:59:36 stock2 kernel: [ 1649.004042] task: ffff880074c1a580 ti: ffff880067d30000 task.ti: ffff880067d30000
Apr 11 21:59:36 stock2 kernel: [ 1649.004810] RIP: 0010:[<ffffffff8123cb3e>] [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0
Apr 11 21:59:36 stock2 kernel: [ 1649.005654] RSP: 0018:ffff880067d33d68 EFLAGS: 00010297
Apr 11 21:59:36 stock2 kernel: [ 1649.006211] RAX: ffff88003bb4ca80 RBX: ffff880074ad8300 RCX: ffff880074503500
Apr 11 21:59:36 stock2 kernel: [ 1649.006934] RDX: 0000000000000000 RSI: 000000000000019c RDI: 0000000000000000
Apr 11 21:59:36 stock2 kernel: [ 1649.007656] RBP: ffff880067d33d78 R08: ffff8800363bad80 R09: ffffffff813eac5c
Apr 11 21:59:36 stock2 kernel: [ 1649.008390] R10: ffffea00002b5800 R11: 0000000000018711 R12: ffff8800363ba600
Apr 11 21:59:36 stock2 kernel: [ 1649.009111] R13: ffff880067d33dc0 R14: ffff880074ad8300 R15: 0000000000000000
Apr 11 21:59:36 stock2 kernel: [ 1649.009835] FS: 00007f653eac4880(0000) GS:ffff88007cd00000(0000) knlGS:0000000000000000
Apr 11 21:59:36 stock2 kernel: [ 1649.010642] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
Apr 11 21:59:36 stock2 kernel: [ 1649.011237] CR2: 0000000000000010 CR3: 0000000077a4e000 CR4: 00000000000006e0
Apr 11 21:59:36 stock2 kernel: [ 1649.011984] Stack:
Apr 11 21:59:36 stock2 kernel: [ 1649.012255] ffff880074ad8300 ffff8800363ba600 ffff880067d33db0 ffffffff8123d060
Apr 11 21:59:36 stock2 kernel: [ 1649.013070] ffff88003bb4ca80 ffff8800363ba600 ffff88000c211980 0000000000000000
Apr 11 21:59:36 stock2 kernel: [ 1649.013892] ffff880067d33e98 ffff880067d33df8 ffffffff8122dd97 ffff88003bb4c900
Apr 11 21:59:36 stock2 kernel: [ 1649.014751] Call Trace:
Apr 11 21:59:36 stock2 kernel: [ 1649.015053] [<ffffffff8123d060>] propagate_mnt+0x120/0x150
Apr 11 21:59:36 stock2 kernel: [ 1649.015643] [<ffffffff8122dd97>] attach_recursive_mnt+0x147/0x230
Apr 11 21:59:36 stock2 kernel: [ 1649.016286] [<ffffffff8122ded8>] graft_tree+0x58/0x90
Apr 11 21:59:36 stock2 kernel: [ 1649.016809] [<ffffffff8122df9e>] do_add_mount+0x8e/0xd0
Apr 11 21:59:36 stock2 kernel: [ 1649.017342] [<ffffffff8122ed70>] do_mount+0x2c0/0xe00
Apr 11 21:59:36 stock2 kernel: [ 1649.017863] [<ffffffff8122e924>] ? copy_mount_options+0xb4/0x220
Apr 11 21:59:36 stock2 kernel: [ 1649.018466] [<ffffffff8122fbdf>] SyS_mount+0x9f/0x100
Apr 11 21:59:36 stock2 kernel: [ 1649.018996] [<ffffffff818243b2>] entry_SYSCALL_64_fastpath+0x16/0x71
Apr 11 21:59:36 stock2 kernel: [ 1649.019631] Code: 39 90 d8 00 00 00 75 ec 8b b0 10 01 00 00 48 89 3d 80 e1 f8 00 48 89 05 81 e1 f8 00 39 b1 10 01 00 00 74 19 48 8b bf d8 00 00 00 <48> 8b 47 10 48 89 3d 5f e1 f8 00 48 89 05 60 e1 f8 00 8b 43 30
Apr 11 21:59:36 stock2 kernel: [ 1649.022395] RIP [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0
Apr 11 21:59:36 stock2 kernel: [ 1649.022990] RSP <ffff880067d33d68>
Apr 11 21:59:36 stock2 kernel: [ 1649.023362] CR2: 0000000000000010
Apr 11 21:59:36 stock2 kernel: [ 1649.027053] ---[ end trace 46ce79a38cba28a5 ]---
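For anyone triaging a report like this one, here is an added example (it is not from the bug report or from the Ubuntu kernel team): a small Python parser that reads the oops above and shows why CR2 = 0x10 is a NULL-pointer read, by decoding the faulting `mov` at the `<48>` marker against the register dump. The log lines inside are quoted from the report; the field names and the two helper functions are assumptions of mine, not a kernel or Launchpad API.

```python
import re
# Oops lines quoted from the bug report above (trimmed to the lines the parser uses).
OOPS = """\
Apr 11 21:59:36 stock2 kernel: [ 1648.993034] Oops: 0000 [#1] SMP
Apr 11 21:59:36 stock2 kernel: [ 1649.002015] CPU: 2 PID: 9449 Comm: mount.nfs Tainted: P O 4.4.0-18-generic #34+tych0201604111025
Apr 11 21:59:36 stock2 kernel: [ 1649.004810] RIP: 0010:[<ffffffff8123cb3e>] [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0
Apr 11 21:59:36 stock2 kernel: [ 1649.006934] RDX: 0000000000000000 RSI: 000000000000019c RDI: 0000000000000000
Apr 11 21:59:36 stock2 kernel: [ 1649.011237] CR2: 0000000000000010 CR3: 0000000077a4e000 CR4: 00000000000006e0
Apr 11 21:59:36 stock2 kernel: [ 1649.014751] Call Trace:
Apr 11 21:59:36 stock2 kernel: [ 1649.015053] [<ffffffff8123d060>] propagate_mnt+0x120/0x150
Apr 11 21:59:36 stock2 kernel: [ 1649.017863] [<ffffffff8122e924>] ? copy_mount_options+0xb4/0x220
Apr 11 21:59:36 stock2 kernel: [ 1649.018466] [<ffffffff8122fbdf>] SyS_mount+0x9f/0x100
Apr 11 21:59:36 stock2 kernel: [ 1649.019631] Code: 39 90 d8 00 00 00 75 ec 8b b0 10 01 00 00 48 89 3d 80 e1 f8 00 48 89 05 81 e1 f8 00 39 b1 10 01 00 00 74 19 48 8b bf d8 00 00 00 <48> 8b 47 10 48 89 3d 5f e1 f8 00 48 89 05 60 e1 f8 00 8b 43 30
"""

PREFIX = re.compile(r"^.*?kernel: \[\s*[\d.]+\]\s*")       # syslog + printk timestamp
FRAME = re.compile(r"\[<[0-9a-f]+>\] (\? )?(\S+)\+0x")     # "? " marks an unreliable frame
REG = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-4]): ([0-9a-f]{16})")
REGS64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]  # ModRM r/m encoding order

def parse_oops(text):
    """Extract the fields a first-pass triage needs from an x86-64 oops in syslog form."""
    info = {"regs": {}, "trace": [], "code": []}
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if line.startswith("Oops:"):
            info["err"] = int(line.split()[1], 16)          # page-fault error code bits
        elif line.startswith("RIP:"):
            info["rip"] = FRAME.search(line).group(2)       # function that faulted
        elif line.startswith("CPU:"):
            m = re.search(r"Comm: (\S+).* (\d+\.\d+\.\d+-\S+)", line)
            info["comm"], info["kernel"] = m.group(1), m.group(2)
        elif line.startswith("Code:"):
            tail = line.split("<", 1)[1].replace(">", "")   # bytes from the faulting insn on
            info["code"] = [int(b, 16) for b in tail.split()]
        elif FRAME.search(line):
            m = FRAME.search(line)
            info["trace"].append(("?" if m.group(1) else "") + m.group(2))
        info["regs"].update((r, int(v, 16)) for r, v in REG.findall(line))
    return info

def triage(info):
    """Say what faulted, where, and whether [base+disp8] in the faulting insn explains CR2."""
    err, cr2, c = info["err"], info["regs"]["CR2"], info["code"]
    out = {"function": info["rip"], "comm": info["comm"], "kernel": info["kernel"],
           "access": "write" if err & 2 else "read", "not_present": not err & 1,
           "null_page": cr2 < 0x1000, "fault_addr": cr2,   # CR2 in page zero: NULL + offset
           "in_mount_propagation": any(f.lstrip("?").startswith("propagate_")
                                       for f in info["trace"] + [info["rip"]]),
           "syscall": next((f for f in info["trace"] if f.startswith("SyS_")), None)}
    # Decode only the common "mov r64, [base+disp8]" form (REX.W 8B /r, ModRM mod=01).
    if len(c) >= 4 and c[0] == 0x48 and c[1] == 0x8B and c[2] >> 6 == 1:
        out["base_reg"] = REGS64[c[2] & 7]
        out["explained"] = info["regs"].get(out["base_reg"], -1) + c[3] == cr2
    return out
```

For this oops the decoder names RDI as the base register, and RDI is zero in the dump, so the read of offset 0x10 from a NULL struct pointer inside propagate_one is fully accounted for; "explained" being False on another trace is the cue to look at the disassembly by hand.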

Seth Forshee (sforshee) on 2016-04-19
Changed in linux (Ubuntu):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: New → Confirmed
Seth Forshee (sforshee) wrote :

This doesn't have to be an nfs mount, I've been able to reproduce it using an ext4 loopback mount.

fcole90 (fcole90) wrote :

Hi, I'm having a kernel oops with similar trace, but for me it happens at login time. Maybe there's an automatic mount.
Mine is https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1578325

fcole90 (fcole90) on 2016-05-04
summary: - oops when propagating mounts into containers
+ oops when propagating mounts into containers - RIP:
+ 0010:[<ffffffff8123cb3e>] [<ffffffff8123cb3e>] propagate_one+0xbe/0x1c0
Seth Forshee (sforshee) wrote :

Fix sent to Linus:

http://<email address hidden>

I've tested this on xenial and it fixes the oops. I'll send out patches shortly.

Seth Forshee (sforshee) on 2016-05-05
description: updated
Changed in linux (Ubuntu Wily):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Vivid):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Trusty):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in linux (Ubuntu Yakkety):
status: Confirmed → In Progress
Seth Forshee (sforshee) on 2016-05-05
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Yakkety):
status: New → Invalid
Changed in linux-lts-utopic (Ubuntu Trusty):
assignee: nobody → Seth Forshee (sforshee)
importance: Undecided → High
status: New → In Progress
description: updated
Seth Forshee (sforshee) on 2016-05-06
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Vivid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Wily):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux-lts-utopic (Ubuntu Trusty):
status: In Progress → Fix Committed
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
tags: added: verification-needed-vivid
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-wily
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

Seth Forshee (sforshee) wrote :

Verified that the problem is fixed in all four kernels.

tags: added: verification-done-trusty verification-done-vivid verification-done-wily verification-done-xenial
removed: verification-needed-trusty verification-needed-vivid verification-needed-wily verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-23.41

---------------
linux (4.4.0-23.41) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1582431

  * zfs: disable module checks for zfs when cross-compiling (LP: #1581127)
    - [Packaging] disable zfs module checks when cross-compiling

  * Xenial update to v4.4.10 stable release (LP: #1580754)
    - Revert "UBUNTU: SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for
      recursive method calls"
    - Revert "UBUNTU: SAUCE: nbd: ratelimit error msgs after socket close"
    - Revert: "powerpc/tm: Check for already reclaimed tasks"
    - RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips
    - ipvs: handle ip_vs_fill_iph_skb_off failure
    - ipvs: correct initial offset of Call-ID header search in SIP persistence
      engine
    - ipvs: drop first packet to redirect conntrack
    - mfd: intel-lpss: Remove clock tree on error path
    - nbd: ratelimit error msgs after socket close
    - ata: ahci_xgene: dereferencing uninitialized pointer in probe
    - mwifiex: fix corner case association failure
    - CNS3xxx: Fix PCI cns3xxx_write_config()
    - clk-divider: make sure read-only dividers do not write to their register
    - soc: rockchip: power-domain: fix err handle while probing
    - clk: rockchip: free memory in error cases when registering clock branches
    - clk: meson: Fix meson_clk_register_clks() signature type mismatch
    - clk: qcom: msm8960: fix ce3_core clk enable register
    - clk: versatile: sp810: support reentrance
    - clk: qcom: msm8960: Fix ce3_src register offset
    - lpfc: fix misleading indentation
    - ath9k: ar5008_hw_cmn_spur_mitigate: add missing mask_m & mask_p
      initialisation
    - mac80211: fix statistics leak if dev_alloc_name() fails
    - tracing: Don't display trigger file for events that can't be enabled
    - MD: make bio mergeable
    - Minimal fix-up of bad hashing behavior of hash_64()
    - mm, cma: prevent nr_isolated_* counters from going negative
    - mm/zswap: provide unique zpool name
    - ARM: EXYNOS: Properly skip unitialized parent clock in power domain on
    - ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel
    - xen: Fix page <-> pfn conversion on 32 bit systems
    - xen/balloon: Fix crash when ballooning on x86 32 bit PAE
    - xen/evtchn: fix ring resize when binding new events
    - HID: wacom: Add support for DTK-1651
    - HID: Fix boot delay for Creative SB Omni Surround 5.1 with quirk
    - Input: zforce_ts - fix dual touch recognition
    - proc: prevent accessing /proc/<PID>/environ until it's ready
    - mm: update min_free_kbytes from khugepaged after core initialization
    - batman-adv: fix DAT candidate selection (must use vid)
    - batman-adv: Check skb size before using encapsulated ETH+VLAN header
    - batman-adv: Fix broadcast/ogm queue limit on a removed interface
    - batman-adv: Reduce refcnt of removed router when updating route
    - writeback: Fix performance regression in wb_over_bg_thresh()
    - MAINTAINERS: Remove asterisk from EFI directory names
    - x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO
    - ARM: cpuidle: Pass on arm_cpuidle_s...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-87.133

---------------
linux (3.13.0-87.133) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1585315

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864

linux (3.13.0-87.132) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1582398

  [ Kamal Mostafa ]

  * [Config] Drop ozwpan from the ABI

  [ Luis Henriques ]

  * [Config] CONFIG_USB_WPAN_HCD=n
    - LP: #1463740
    - CVE-2015-4004

  [ Prarit Bhargava ]

  * SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for recursive
    method calls
    - LP: #1577898

  [ Upstream Kernel Changes ]

  * usbnet: cleanup after bind() in probe()
    - LP: #1567191
    - CVE-2016-3951
  * KVM: x86: bit-ops emulation ignores offset on 64-bit
    - LP: #1423672
  * USB: usbip: fix potential out-of-bounds write
    - LP: #1572666
    - CVE-2016-3955
  * x86/mm/32: Enable full randomization on i386 and X86_32
    - LP: #1568523
    - CVE-2016-3672
  * Input: gtco - fix crash on detecting device without endpoints
    - LP: #1575706
    - CVE-2016-2187
  * atl2: Disable unimplemented scatter/gather feature
    - LP: #1561403
    - CVE-2016-2117
  * ALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock
    - LP: #1577905
  * fs/pnode.c: treat zero mnt_group_id-s as unequal
    - LP: #1572316
  * propogate_mnt: Handle the first propogated copy being a slave
    - LP: #1572316
  * drm: Balance error path for GEM handle allocation
    - LP: #1579610
  * x86/mm: Add barriers and document switch_mm()-vs-flush synchronization
    - LP: #1538429
    - CVE-2016-2069
  * x86/mm: Improve switch_mm() barrier comments
    - LP: #1538429
    - CVE-2016-2069
  * net: fix infoleak in llc
    - LP: #1578496
    - CVE-2016-4485
  * net: fix infoleak in rtnetlink
    - LP: #1578497
    - CVE-2016-4486

 -- Kamal Mostafa <email address hidden> Tue, 24 May 2016 11:04:30 -0700

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-utopic - 3.16.0-73.95~14.04.1

---------------
linux-lts-utopic (3.16.0-73.95~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * CVE-2016-1583 (LP: #1588871)
    - ecryptfs: fix handling of directory opening
    - SAUCE: proc: prevent stacking filesystems on top
    - SAUCE: ecryptfs: forbid opening files without mmap handler

 -- Andy Whitcroft <email address hidden> Thu, 09 Jun 2016 08:46:24 +0100

Changed in linux-lts-utopic (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-61.69

---------------
linux (3.19.0-61.69) vivid; urgency=low

  [ Kamal Mostafa ]

  * CVE-2016-1583 (LP: #1588871)
    - ecryptfs: fix handling of directory opening
    - SAUCE: proc: prevent stacking filesystems on top
    - SAUCE: ecryptfs: forbid opening files without mmap handler
    - SAUCE: sched: panic on corrupted stack end

 -- Andy Whitcroft <email address hidden> Wed, 08 Jun 2016 22:25:58 +0100

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-38.45

---------------
linux (4.2.0-38.45) wily; urgency=low

  [ Kamal Mostafa ]

  * CVE-2016-1583 (LP: #1588871)
    - ecryptfs: fix handling of directory opening
    - SAUCE: proc: prevent stacking filesystems on top
    - SAUCE: ecryptfs: forbid opening files without mmap handler
    - SAUCE: sched: panic on corrupted stack end

 -- Andy Whitcroft <email address hidden> Wed, 08 Jun 2016 22:10:39 +0100

Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-24.43

---------------
linux (4.4.0-24.43) xenial; urgency=low

  [ Kamal Mostafa ]

  * CVE-2016-1583 (LP: #1588871)
    - ecryptfs: fix handling of directory opening
    - SAUCE: proc: prevent stacking filesystems on top
    - SAUCE: ecryptfs: forbid opening files without mmap handler
    - SAUCE: sched: panic on corrupted stack end

  * arm64: statically link rtc-efi (LP: #1583738)
    - [Config] Link rtc-efi statically on arm64

 -- Kamal Mostafa <email address hidden> Fri, 03 Jun 2016 10:02:16 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released