Ubuntu
linux package

Regression caused by `fuse: Add support for pid namespaces` in 4.4.0-6.21

Bug #1605344 reported by Sheng Yang on 2016-07-21

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Fix Released	Medium	Unassigned
	Xenial	Fix Released	High	Seth Forshee

Bug Description

SRU Justification

Impact: The pid namespace support in fuse refuses requests from any process whose pid does not map into the pid namespace of the fuse userspace process. This has caused a regression for at least one user.

Fix: Permit requests from processes whose pid does not map. Fill in the pid value in the fuse request with 0.

Regression potential: A fuse filesystem not prepared to handle a pid of 0 in fuse requests might have problems. However such a filesystem would also receive pid values which aren't valid for its namespace when used across pid namespaces in this manner with upstream kernels, so this isn't a major concern.

---

The discussion starts at http://thread.gmane.org/gmane.linux.kernel.cgroups/15960/focus=2269876

Commit in the tree is:

commit a166e6726c6e12e28ac8489ff4e2faff7065a856
Author: Seth Forshee <email address hidden>
Date: Wed Jul 2 16:29:19 2014 -0500

UBUNTU: SAUCE: fuse: Add support for pid namespaces

Description of the issue(copied from my report of lkml):

This patch caused a regression in our major container use case with
FUSE in Ubuntu 16.04, as patch was checked in as Ubuntu Sauce in
Ubuntu 4.4.0-6.21 kernel.

The use case is:
1. Create a Docker container.
2. Inside the container, start the FUSE backend, and mounted fs.
3. Following step 2 in the container, create a loopback device to map
a file in the mounted fuse to create a block device, which will be
available to the whole system.

It works well before this commit.

The use case is broken because no matter which namespace losetup runs,
the real request from loopback device seems always come from init ns,
thus it will be in different ns running fuse backend. So the request
will got denied, because the ns running fuse won't able to see the
things from higher level(level 0 in fact) pid namespace.
---
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
DistroRelease: Ubuntu 14.04
Package: linux (not installed)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSignature:

Tags: trusty
Uname: Linux 4.4.6 x86_64
UnreportableReason: The running kernel is not an Ubuntu kernel
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

_MarkForUpload: True

See original description

Tags:

CVE References

Revision history for this message

Brad Figg (brad-figg) wrote on 2016-07-21: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1605344

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Sheng Yang (yasker) on 2016-07-21

tags:	added: apport-collected trusty
description:	updated
tags:	added: xenial removed: apport-collected trusty

Revision history for this message

Sheng Yang (yasker) wrote on 2016-07-21:

Hi Brad,

I am running self-compiled Ubuntu 16.04 kernel in 14.04 because I need to bisect the problematic commit. And I opened this bug per Seth's request. He also said he want bug assigned to him.

Do I need to get a new Ubuntu 16.04 environment for reporting this bug?

Joseph Salisbury (jsalisbury) on 2016-07-21

Changed in linux (Ubuntu):
importance:	Undecided → Medium
status:	Incomplete → Triaged

Seth Forshee (sforshee) on 2016-07-21

Changed in linux (Ubuntu Xenial):
status:	New → In Progress
importance:	Undecided → High
assignee:	nobody → Seth Forshee (sforshee)

Revision history for this message

Seth Forshee (sforshee) wrote on 2016-07-25:

Please test the build at the link below and let me know if it fixes the issue. Thanks!

http://people.canonical.com/~sforshee/lp1605344/

Revision history for this message

Sheng Yang (yasker) wrote on 2016-07-26:

Works great for me, thank you Seth!

Revision history for this message

Seth Forshee (sforshee) wrote on 2016-07-28:

0001-UBUNTU-SAUCE-namespace-fuse-Permit-requests-from-oth.patch Edit (1.7 KiB, text/plain)

Seth Forshee (sforshee) on 2016-07-28

description:

updated

Ubuntu Foundations Team Bug Bot (crichton) on 2016-07-28

tags:

added: patch

Kamal Mostafa (kamalmostafa) on 2016-07-28

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Andy Whitcroft (apw) on 2016-08-01

Changed in linux (Ubuntu):
status:	Triaged → Fix Committed

Revision history for this message

Stefan Bader (smb) wrote on 2016-08-16:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Sheng Yang (yasker) wrote on 2016-08-16:

Verified the fix for me on linux version 4.4.0-36-generic.

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-08-29:

Download full text (13.4 KiB)

This bug was fixed in the package linux - 4.4.0-36.55

---------------
linux (4.4.0-36.55) xenial; urgency=low

[ Stefan Bader ]

* Release Tracking Bug
- LP: #1612305

* I2C touchpad does not work on AMD platform (LP: #1612006)
- SAUCE: pinctrl/amd: Remove the default de-bounce time

* CVE-2016-5696
- tcp: make challenge acks less predictable

linux (4.4.0-35.54) xenial; urgency=low

[ Stefan Bader ]

* Release Tracking Bug
- LP: #1611215

* [i915_bpo] Sync with v4.7 (LP: #1609742)
- SAUCE: i915_bpo: Sync with v4.7

* s390/cio: fix reset of channel measurement block (LP: #1609415)
- s390/cio: allow to reset channel measurement block

  * in Ubuntu16.10: Hit on Call traces and system goes down when transactional
    memory tests are running in 32TB Brazos system (LP: #1606786)
    - powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0
    - powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint()

  * Power Menu does not display after press the Power Button (LP: #1609204)
    - intel-vbtn: new driver for Intel Virtual Button
    - [config] enable CONFIG_INTEL_VBTN=m

* OptiPlex 7450 AIO hangs when rebooting (LP: #1608762)
- x86/reboot: Add Dell Optiplex 7450 AIO reboot quirk

* virtualbox+usb 3.0 breaks boot, -28 kernel works (LP: #1604058)
- SAUCE: xhci: Fix soft lockup in xhci_pci_probe path when XHCI_STATE_HALTED

* linux-kernel: Freeing IRQ from IRQ context (LP: #1597908)
- block: defer timeouts to a workqueue

  * Tunnel offload indications not stripped from encapsulated packets, causing
    performance overhead (LP: #1602755)
    - tunnels: Remove encapsulation offloads on decap.

  * lm-sensors is throwing "ERROR: Can't get value of subfeature temp1_input:
    I/O error" for be2net driver (LP: #1607387)
    - be2net: perform temperature query in adapter regardless of its interface
      state

* Dell dock MAC Address pass through doesn't work in Ubuntu (LP: #1579984)
- r8152: Add support for setting pass through MAC address on RTL8153-AD

* vmxnet3 LRO IPv6 performance issues (stalling TCP) (LP: #1605494)
- Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets

  * ISST-LTE:pVM:monklp5:Ubuntu16.04.1:system crashed at
    lpfc_sli4_scmd_to_wqidx_distr (LP: #1597974)
    - SAUCE: lpfc: fix oops in lpfc_sli4_scmd_to_wqidx_distr() from
      lpfc_send_taskmgmt()

  * Backport cxlflash shutdown patch to Xenial SRU (LP: #1605405)
    - SAUCE: cxlflash: Verify problem state area is mapped before notifying
      shutdown

This bug was fixed in the package linux - 4.4.0-36.55

---------------
linux (4.4.0-36.55) xenial; urgency=low

[ Stefan Bader ]

* Release Tracking Bug
    - LP: #1612305

* I2C touchpad does not work on AMD platform (LP: #1612006)
    - SAUCE: pinctrl/amd: Remove the default de-bounce time

* CVE-2016-5696
    - tcp: make challenge acks less predictable

linux (4.4.0-35.54) xenial; urgency=low

[ Stefan Bader ]

* Release Tracking Bug
    - LP: #1611215

* [i915_bpo] Sync with v4.7 (LP: #1609742)
    - SAUCE: i915_bpo: Sync with v4.7

* s390/cio: fix reset of channel measurement block (LP: #1609415)
    - s390/cio: allow to reset channel measurement block

* in Ubuntu16.10: Hit on Call traces  and system goes down when transactional
    memory  tests are running in 32TB Brazos system (LP: #1606786)
    - powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0
    - powerpc/tm: Fix stack pointer corruption in __tm_recheckpoint()

*  Power Menu does not display after press the Power Button (LP: #1609204)
    - intel-vbtn: new driver for Intel Virtual Button
    - [config] enable CONFIG_INTEL_VBTN=m

* OptiPlex 7450 AIO hangs when rebooting (LP: #1608762)
    - x86/reboot: Add Dell Optiplex 7450 AIO reboot quirk

* virtualbox+usb 3.0 breaks boot, -28 kernel works (LP: #1604058)
    - SAUCE: xhci: Fix soft lockup in xhci_pci_probe path when XHCI_STATE_HALTED

* linux-kernel: Freeing IRQ from IRQ context (LP: #1597908)
    - block: defer timeouts to a workqueue

* Tunnel offload indications not stripped from encapsulated packets, causing
    performance overhead (LP: #1602755)
    - tunnels: Remove encapsulation offloads on decap.

* Dell dock MAC Address pass through doesn't work in Ubuntu (LP: #1579984)
    - r8152: Add support for setting pass through MAC address on RTL8153-AD

* vmxnet3 LRO IPv6 performance issues (stalling TCP) (LP: #1605494)
    - Driver: Vmxnet3: set CHECKSUM_UNNECESSARY for IPv6 packets

* ISST-LTE:pVM:monklp5:Ubuntu16.04.1:system crashed at
    lpfc_sli4_scmd_to_wqidx_distr (LP: #1597974)
    - SAUCE: lpfc: fix oops in lpfc_sli4_scmd_to_wqidx_distr() from
      lpfc_send_taskmgmt()

* Backport cxlflash shutdown patch to Xenial SRU (LP: #1605405)
    - SAUCE: cxlflash: Verify problem state area is mapped before notifying
      shutdown

* Xenial update to v4.4.16 stable release (LP: #1607404)
    - mac80211: fix fast_tx header alignment
    - mac80211: mesh: flush mesh paths unconditionally
    - mac80211_hwsim: Add missing check for HWSIM_ATTR_SIGNAL
    - mac80211: Fix mesh estab_plinks counting in STA removal case
    - EDAC, sb_edac: Fix rank lookup on Broadwell
    - IB/cm: Fix a recently introduced locking bug
    - IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs
    - powerpc/pseries: Fix IBM_ARCH_VEC_NRCORES_OFFSET since POWER8NVL was added
    - powerpc/tm: Always reclaim in start_thread() for exec() class syscalls
    - usb: dwc2: fix regression on big-endian PowerPC/ARM systems
    - USB: EHCI: declare hostpc register as zero-length array
    - usb: common: otg-fsm: add license to usb-otg-fsm
    - mnt: fs_fully_visible test the proper mount for MNT_LOCKED
    - mnt: Account for MS_RDONLY in fs_fully_visible
    - mnt: If fs_fully_visible fails call put_filesystem.
    - of: fix autoloading due to broken modalias with no 'compatible'
    - of: irq: fix of_irq_get[_byname]() kernel-doc
    - locking/ww_mutex: Report recursive ww_mutex locking early
    - locking/qspinlock: Fix spin_unlock_wait() some more
    - locking/static_key: Fix concurrent static_key_slow_inc()
    - x86, build: copy ldlinux.c32 to image.iso
    - kprobes/x86: Clear TF bit in fault on single-stepping
    - x86/amd_nb: Fix boot crash on non-AMD systems
    - Revert "gpiolib: Split GPIO flags parsing and GPIO configuration"
    - uvc: Forward compat ioctls to their handlers directly
    - thermal: cpu_cooling: fix improper order during initialization
    - writeback: use higher precision calculation in domain_dirty_limits()
    - nfsd4/rpc: move backchannel create logic into rpc code
    - nfsd: Always lock state exclusively.
    - nfsd: Extend the mutex holding region around in nfsd4_process_open2()
    - posix_acl: Add set_posix_acl
    - nfsd: check permissions when setting ACLs
    - make nfs_atomic_open() call d_drop() on all ->open_context() errors.
    - NFS: Fix another OPEN_DOWNGRADE bug
    - ARM: imx6ul: Fix Micrel PHY mask
    - ARM: 8578/1: mm: ensure pmd_present only checks the valid bit
    - ARM: 8579/1: mm: Fix definition of pmd_mknotpresent
    - MIPS: KVM: Fix modular KVM under QEMU
    - mm: Export migrate_page_move_mapping and migrate_page_copy
    - UBIFS: Implement ->migratepage()
    - sched/fair: Fix cfs_rq avg tracking underflow
    - packet: Use symmetric hash for PACKET_FANOUT_HASH.
    - net_sched: fix mirrored packets checksum
    - cdc_ncm: workaround for EM7455 "silent" data interface
    - ipv6: Fix mem leak in rt6i_pcpu
    - ARCv2: Check for LL-SC livelock only if LLSC is enabled
    - ARCv2: LLSC: software backoff is NOT needed starting HS2.1c
    - kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES
    - KVM: nVMX: VMX instructions: fix segment checks when L1 is in long mode.
    - HID: elo: kill not flush the work
    - HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands
    - tracing: Handle NULL formats in hold_module_trace_bprintk_format()
    - base: make module_create_drivers_dir race-free
    - iommu/arm-smmu: Wire up map_sg for arm-smmu-v3
    - iommu/vt-d: Enable QI on all IOMMUs before setting root entry
    - iommu/amd: Fix unity mapping initialization race
    - drm/mgag200: Black screen fix for G200e rev 4
    - ipmi: Remove smi_msg from waiting_rcv_msgs list before handle_one_recv_msg()
    - arm64: Rework valid_user_regs
    - vfs: add d_real_inode() helper
    - af_unix: fix hard linked sockets on overlay
    - btrfs: account for non-CoW'd blocks in btrfs_abort_transaction
    - drm/radeon: fix asic initialization for virtualized environments
    - drm/amdgpu/gfx7: fix broken condition check
    - ubi: Make recover_peb power cut aware
    - drm/amdkfd: unbind only existing processes
    - drm/amdkfd: destroy dbgmgr in notifier release
    - drm/dp/mst: Always clear proposed vcpi table for port.
    - drm/nouveau/disp/sor/gf119: both links use the same training register
    - drm/nouveau/gr/gf100-: update sm error decoding from gk20a nvgpu headers
    - drm/nouveau/fbcon: fix out-of-bounds memory accesses
    - drm/nouveau: fix for disabled fbdev emulation
    - drm/nouveau/disp/sor/gf119: select correct sor when poking training pattern
    - drm/i915/ilk: Don't disable SSC source if it's in use
    - drm/i915: Refresh cached DP port register value on resume
    - drm/i915: Update ifdeffery for mutex->owner
    - drm/i915: Update CDCLK_FREQ register on BDW after changing cdclk frequency
    - drm: add missing drm_mode_set_crtcinfo call
    - drm: make drm_atomic_set_mode_prop_for_crtc() more reliable
    - drm: atmel-hlcdc: actually disable scaling when no scaling is required
    - drm/ttm: Make ttm_bo_mem_compat available
    - drm/vmwgfx: Add an option to change assumed FB bpp
    - drm/vmwgfx: Work around mode set failure in 2D VMs
    - drm/vmwgfx: Check pin count before attempting to move a buffer
    - drm/vmwgfx: Delay pinning fbdev framebuffer until after mode set
    - drm/vmwgfx: Fix error paths when mapping framebuffer
    - memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing
    - perf/x86: Fix undefined shift on 32-bit kernels
    - xen/balloon: Fix declared-but-not-defined warning
    - iio: Fix error handling in iio_trigger_attach_poll_func
    - iio:st_pressure: fix sampling gains (bring inline with ABI)
    - iio: light apds9960: Add the missing dev.parent
    - iio: proximity: as3935: correct IIO_CHAN_INFO_RAW output
    - iio: proximity: as3935: remove triggered buffer processing
    - iio: proximity: as3935: fix buffer stack trashing
    - iio: humidity: hdc100x: correct humidity integration time mask
    - iio: humidity: hdc100x: fix IIO_TEMP channel reporting
    - iio: hudmidity: hdc100x: fix incorrect shifting and scaling
    - staging: iio: accel: fix error check
    - iio: accel: kxsd9: fix the usage of spi_w8r8()
    - iio:ad7266: Fix broken regulator error handling
    - iio:ad7266: Fix support for optional regulators
    - iio:ad7266: Fix probe deferral for vref
    - tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
    - hwmon: (dell-smm) Restrict fan control and serial number to CAP_SYS_ADMIN by
      default
    - hwmon: (dell-smm) Disallow fan_type() calls on broken machines
    - hwmon: (dell-smm) Cache fan_type() calls and change fan detection
    - ALSA: dummy: Fix a use-after-free at closing
    - ALSA: hda - Fix the headset mic jack detection on Dell machine
    - ALSA: hda / realtek - add two more Thinkpad IDs (5050,5053) for tpt460 fixup
    - ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
    - ALSA: echoaudio: Fix memory allocation
    - ALSA: timer: Fix negative queue usage by racy accesses
    - ALSA: hda/realtek: Add Lenovo L460 to docking unit fixup
    - ALSA: hda - Add PCI ID for Kabylake-H
    - ALSA: hda - fix read before array start
    - ALSA: hda/realtek - add new pin definition in alc225 pin quirk table
    - ALSA: pcm: Free chmap at PCM free callback, too
    - ALSA: ctl: Stop notification after disconnection
    - ALSA: hda - fix use-after-free after module unload
    - ALSA: hda: add AMD Stoney PCI ID with proper driver caps
    - ARM: sunxi/dt: make the CHIP inherit from allwinner,sun5i-a13
    - ARM: dts: armada-38x: fix MBUS_ID for crypto SRAM on Armada 385 Linksys
    - ARM: mvebu: fix HW I/O coherency related deadlocks
    - ovl: Copy up underlying inode's ->i_mode to overlay inode
    - ovl: verify upper dentry in ovl_remove_and_whiteout()
    - scsi: fix race between simultaneous decrements of ->host_failed
    - 53c700: fix BUG on untagged commands
    - Fix reconnect to not defer smb3 session reconnect long after socket
      reconnect
    - cifs: dynamic allocation of ntlmssp blob
    - File names with trailing period or space need special case conversion
    - xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7
    - crypto: qat - make qat_asym_algs.o depend on asn1 headers
    - tmpfs: don't undo fallocate past its last page
    - tmpfs: fix regression hang in fallocate undo
    - drm/i915: Revert DisplayPort fast link training feature
    - ovl: verify upper dentry before unlink and rename
    - Linux 4.4.16

* Regression caused by `fuse: Add support for pid namespaces` in 4.4.0-6.21
    (LP: #1605344)
    - SAUCE: (namespace) fuse: Permit requests from other pid namespaces

* CVE-2016-5400
    - media: fix airspy usb probe error path

* Cannot mount proc in unprivileged containers if /proc/xen is mounted
    (LP: #1607374)
    - SAUCE: xenbus: Use proc_create_mount_point() to create /proc/xen

* Mic mute key does not work for Ideapad laptops (LP: #1607153)
    - ideapad_laptop: Add an event for mic mute hotkey

* NVMe stress test fails after 12 hours on Ubuntu 16.04 (LP: #1604995)
    - block: atari: Return early for unsupported sector size

* Console extremely slow with 4.4 kernels for servers with Matrox G200er2 or
    similar (LP: #1605662)
    - SAUCE: vesafb: Set mtrr:3 (write-combining) as default

* Ubuntu 16.04 - Full EEH Recovery Support for NVMe devices (LP: #1602724)
    - nvme: use a work item to submit async event requests
    - nvme: don't poll the CQ from the kthread
    - nvme: replace the kthread with a per-device watchdog timer
    - NVMe: Fix reset/remove race
    - nvme: Avoid reset work on watchdog timer function during error recovery
    - NVMe: Always use MSI/MSI-x interrupts

* [LTC-Test] - NMI watchdog Bug and call traces when trinity is executed.
    (LP: #1602524)
    - ext4: factor out determining of hole size
    - ext4: return hole from ext4_map_blocks()
    - ext4: more efficient SEEK_DATA implementation

* changelog: add CVEs as first class citizens (LP: #1604344)
    - avoid duplicate CVE numbers in changelog

* [LTCTest][Opal][OP820] Machine crashed with Oops: Kernel access of bad area,
    sig: 11 [#1] while executing Froze PE Error injection (LP: #1603449)
    - powerpc/eeh: Fix invalid cached PE primary bus

* Hotplug remove and re-add adds PCI adapter to next PCI domain (PCI)
    (LP: #1603574)
    - powerpc/pci: Assign fixed PHB number based on device-tree properties

* nvme - reset_controller is not working after adapter's firmware upgrade
    (adapter quirk is needed) (LP: #1602726)
    - NVMe: Create discard zero quirk white list
    - nvme/quirk: Add a delay before checking for adapter readiness

* ovs nat: conntrack netlink event are missing (LP: #1603468)
    - openvswitch: fix conntrack netlink event delivery

* FlashGT - In Tuleta 8284-22A with card in card slot P1-C9, system Fails to
    boot operating system (LP: #1602785)
    - cxl: Ignore CAPI adapters misplaced in switched slots

* CVE-2016-5728
    - misc: mic: Fix for double fetch security bug in VOP driver

* CVE-2016-5244 (LP: #1589041)
    - rds: fix an infoleak in rds_inc_info_copy

* Miscellaneous Ubuntu changes
    - Added Snapcraft files
    - SAUCE: snapcraft: cleanup and remove unnecessary elements

-- Stefan Bader <stefan.bader@canonical.com>  Thu, 11 Aug 2016 17:34:14 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Po-Hsu Lin (cypressyew) on 2019-10-03

Changed in linux (Ubuntu):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

0001-UBUNTU-SAUCE-namespace-fuse-Permit-requests-from-oth.patch Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

Regression caused by `fuse: Add support for pid namespaces` in 4.4.0-6.21

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
linux package