Race in aufs leads to use-after-free
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Incomplete
|
High
|
Seth Forshee | ||
Bug Description
SRU Justification
Impact: A race in aufs can result in use of a DYNOP object which is being freed after its reference count reaches 0, leading to an oops.
Fix: Upstream fix to aufs to ignore objects whose reference count is 0.
Regression Potential: Low, limited to aufs and confirmed in testing to fix the issue.
---
I have found and reported a critical bug in aufs (as shipped with the latest Ubuntu kernels, both on Bionic and Xenial), which potentially affects anyone running Docker on Ubuntu using aufs graph driver. The fix has been developed, tested at least by me to fix the issue, and committed into upstream aufs git repos
The nature of the bug is, in case of multiple parallels aufs mounts and unmounts, the kernel can screw up krefs, and once that happens, the only remedy is to reboot it (as commands like mount/umount or cat /proc/mounts are all stuck in syscalls).
I would appreciate syncing aufs with the latest upstream release from git, as it was done a few times already, or at least taking the below fix (whatever suits maintainers better).
The fixed versions are the ones marked with 20190610, and from what I see they are available for all kernel versions since 4.14 (for example, 4.15 tree is here: https:/
Original bug report: https:/
Fix: https:/
| Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote Missing required logs. | #1 |
| Changed in linux (Ubuntu): | |
| status: | New → Incomplete |
| Kir Kolyshkin (kolyshkin) wrote Re: updates to aufs | #2 |
| Changed in linux (Ubuntu): | |
| status: | Incomplete → Confirmed |
| Seth Forshee (sforshee) wrote | #3 |
| Changed in linux (Ubuntu): | |
| assignee: | nobody → Seth Forshee (sforshee) |
| importance: | Undecided → High |
| Kir Kolyshkin (kolyshkin) wrote | #4 |
| Seth Forshee (sforshee) wrote | #5 |
| summary: |
- updates to aufs + Race in aufs leads to use-after-free |
| description: | updated |
| Changed in linux (Ubuntu): | |
| status: | Confirmed → Incomplete |
| Seth Forshee (sforshee) wrote | #6 |
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1832795
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.