warning stack trace while playing with apparmor namespaces

Bug #1593874 reported by Tycho Andersen on 2016-06-17
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Unassigned
Xenial
Undecided
Unassigned

Bug Description

I'm not sure what exactly I was doing when this happened, but something fairly basic (creating containers, adding/removing profiles). Let me know if you need more than the trace and I can try and figure out how to reproduce.

Jun 17 20:20:06 dev kernel: [13314.032676] ------------[ cut here ]------------
Jun 17 20:20:06 dev kernel: [13314.032689] WARNING: CPU: 3 PID: 8964 at /build/linux-oXTOqc/linux-4.4.0/security/apparmor/label.c:82 __aa_proxy_redirect+0xff/0x130()
Jun 17 20:20:06 dev kernel: [13314.032692] AppArmor WARN __aa_proxy_redirect: ((!!queued_write_can_lock(&(&(&(((((&((orig)->vec[0])))[(((orig)->size)) - 1])->ns))->labels)->lock)->raw_lock))):
Jun 17 20:20:06 dev kernel: [13314.032693] Modules linked in: binfmt_misc veth xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp bridge stp llc iptable_filter ip_tables x_tables isofs zfs(PO) zunicode(PO) zcommon(PO) znvpair(PO) spl(O) zavl(PO) ppdev kvm_intel kvm joydev serio_raw irqbypass parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear psmouse floppy
Jun 17 20:20:06 dev kernel: [13314.032751] CPU: 3 PID: 8964 Comm: lxd Tainted: P        W  O    4.4.0-24-generic #43-Ubuntu
Jun 17 20:20:06 dev kernel: [13314.032753] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Jun 17 20:20:06 dev kernel: [13314.032756]  0000000000000286 00000000dc104ca4 ffff880044db3d18 ffffffff813eab23
Jun 17 20:20:06 dev kernel: [13314.032760]  ffff880044db3d60 ffffffff81cec7f0 ffff880044db3d50 ffffffff810810d2
Jun 17 20:20:06 dev kernel: [13314.032763]  ffff880047f04360 ffff88007a08d360 ffff88004a551b00 ffff88004a551b38
Jun 17 20:20:06 dev kernel: [13314.032766] Call Trace:
Jun 17 20:20:06 dev kernel: [13314.032773]  [<ffffffff813eab23>] dump_stack+0x63/0x90
Jun 17 20:20:06 dev kernel: [13314.032777]  [<ffffffff810810d2>] warn_slowpath_common+0x82/0xc0
Jun 17 20:20:06 dev kernel: [13314.032780]  [<ffffffff8108116c>] warn_slowpath_fmt+0x5c/0x80
Jun 17 20:20:06 dev kernel: [13314.032784]  [<ffffffff81380292>] ? __list_remove_profile+0x62/0xe0
Jun 17 20:20:06 dev kernel: [13314.032788]  [<ffffffff8138abcf>] __aa_proxy_redirect+0xff/0x130
Jun 17 20:20:06 dev kernel: [13314.032792]  [<ffffffff81395dc6>] destroy_ns+0x86/0xa0
Jun 17 20:20:06 dev kernel: [13314.032794]  [<ffffffff81395d0f>] __aa_remove_ns+0x2f/0x60
Jun 17 20:20:06 dev kernel: [13314.032798]  [<ffffffff81382a63>] aa_remove_profiles+0x193/0x270
Jun 17 20:20:06 dev kernel: [13314.032800]  [<ffffffff81379721>] ? __aa_kvmalloc+0x41/0x60
Jun 17 20:20:06 dev kernel: [13314.032803]  [<ffffffff8137724e>] profile_remove+0x9e/0x1f0
Jun 17 20:20:06 dev kernel: [13314.032808]  [<ffffffff8120c468>] __vfs_write+0x18/0x40
Jun 17 20:20:06 dev kernel: [13314.032811]  [<ffffffff8120cdf9>] vfs_write+0xa9/0x1a0
Jun 17 20:20:06 dev kernel: [13314.032814]  [<ffffffff8120bd8f>] ? do_sys_open+0x1bf/0x2a0
Jun 17 20:20:06 dev kernel: [13314.032818]  [<ffffffff8120dab5>] SyS_write+0x55/0xc0
Jun 17 20:20:06 dev kernel: [13314.032823]  [<ffffffff81825bf2>] entry_SYSCALL_64_fastpath+0x16/0x71
Jun 17 20:20:06 dev kernel: [13314.032826] ---[ end trace 2eb06377c45f3d4c ]---

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1593874

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Joseph Salisbury (jsalisbury) wrote :

Did this issue start happening after an update/upgrade? Was there a prior kernel version where you were not having this particular problem?

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.7 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.7-rc4-yakkety/

Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-da-key
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Tim Gardner (timg-tpi) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :
Download full text (22.8 KiB)

This bug was fixed in the package linux - 4.4.0-38.57

---------------
linux (4.4.0-38.57) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1620658

  * CIFS client: access problems after updating to kernel 4.4.0-29-generic
    (LP: #1612135)
    - Revert "UBUNTU: SAUCE: (namespace) Bypass sget() capability check for nfs"
    - fs: Call d_automount with the filesystems creds

  * apt-key add fails in overlayfs (LP: #1618572)
    - SAUCE: overlayfs: fix regression in whiteout detection

linux (4.4.0-37.56) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1618040

  * [Feature] Instruction decoder support for new SKX instructions- AVX512
    (LP: #1591655)
    - x86/insn: perf tools: Fix vcvtph2ps instruction decoding
    - x86/insn: Add AVX-512 support to the instruction decoder
    - perf tools: Add AVX-512 support to the instruction decoder used by Intel PT
    - perf tools: Add AVX-512 instructions to the new instructions test

  * [Ubuntu 16.04] FCoE Lun not visible in OS with inbox driver - Issue with
    ioremap() call on 32bit kernel (LP: #1608652)
    - lpfc: Correct issue with ioremap() call on 32bit kernel

  * [Feature] turbostat support for Skylake-SP server (LP: #1591802)
    - tools/power turbostat: decode more CPUID fields
    - tools/power turbostat: CPUID(0x16) leaf shows base, max, and bus frequency
    - tools/power turbostat: decode HWP registers
    - tools/power turbostat: Decode MSR_MISC_PWR_MGMT
    - tools/power turbostat: allow sub-sec intervals
    - tools/power turbostat: Intel Xeon x200: fix erroneous bclk value
    - tools/power turbostat: Intel Xeon x200: fix turbo-ratio decoding
    - tools/power turbostat: re-name "%Busy" field to "Busy%"
    - tools/power turbostat: add --out option for saving output in a file
    - tools/power turbostat: fix compiler warnings
    - tools/power turbostat: make fewer systems calls
    - tools/power turbostat: show IRQs per CPU
    - tools/power turbostat: show GFXMHz
    - tools/power turbostat: show GFX%rc6
    - tools/power turbostat: detect and work around syscall jitter
    - tools/power turbostat: indicate SMX and SGX support
    - tools/power turbostat: call __cpuid() instead of __get_cpuid()
    - tools/power turbostat: correct output for MSR_NHM_SNB_PKG_CST_CFG_CTL dump
    - tools/power turbostat: bugfix: TDP MSRs print bits fixing
    - tools/power turbostat: SGX state should print only if --debug
    - tools/power turbostat: print IRTL MSRs
    - tools/power turbostat: initial BXT support
    - tools/power turbostat: decode BXT TSC frequency via CPUID
    - tools/power turbostat: initial SKX support

  * [BYT] display hotplug doesn't work on console (LP: #1616894)
    - drm/i915/vlv: Make intel_crt_reset() per-encoder
    - drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
    - drm/i915/vlv: Disable HPD in valleyview_crt_detect_hotplug()
    - drm/i915: Enable polling when we don't have hpd

  * [Feature]intel_idle enabling on Broxton-P (LP: #1520446)
    - intel_idle: add BXT support

  * [Feature] EDAC: Update driver for SKX-SP (LP: #1591815)
    - [Config] CONFIG_EDAC_SKX=m
    - EDAC, skx_edac: Ad...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (3.4 KiB)

This bug was fixed in the package linux - 4.8.0-11.12

---------------
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected
    (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG (LP:
    #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access
    to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is
    wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path looku...

Read more...

Changed in linux (Ubuntu):
status: Expired → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers