aufs: kernel bug with apparmor and fuseblk

Steps to Reproduce:

1) test app

 # cat openat.c
 #include <stdio.h>
 #include <fcntl.h>

 int main() {
  int rc;
  rc = openat(AT_FDCWD, "test", O_RDWR | O_CREAT | S_IRWXU);
  if (rc < 0) {
          perror("openat");
          return 1;
  }
  return 0;
 }

 # gcc -o openat openat.c

2) ntfs-3g mount (fuseblk)

 # truncate -s 1g ntfs.img
 # DEV=$(losetup -f --show ntfs.img)
 # mkfs.ntfs --fast $DEV

 # mkdir ntfs
 # mount -t ntfs-3g $DEV ntfs

 # mount | grep ntfs | grep fuseblk
 /dev/loop6 on /home/ubuntu/ntfs type fuseblk (rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096)

3) aufs mount (with 'test' file in the read-only branch)

 # mkdir ro aufs
 # touch ro/test
 # mount -t aufs -o br=ntfs:ro none aufs

4) enable apparmor for the test app (even in complain mode with aa-genprof)

 # aa-genprof ./openat &
 ...
 Please start the application to be profiled in
 another window and exercise its functionality now.
 ...
 <press enter>
 [1]+ Stopped aa-genprof ./openat

5) remove 'test' file from read-write branch (still exists in read-only branch)

 # cd aufs
 # rm test

6) run the test app

 # ../openat
 Killed

7) check kernel logs

 # dmesg

Test with focal-proposed (5.4.0-90.101)
---

Original:

# ../openat
Killed

[ 286.989830] BUG: kernel NULL pointer dereference, address: 0000000000000010
...
[ 286.996507] CPU: 2 PID: 5529 Comm: openat Not tainted 5.4.0-90-generic #101-Ubuntu
[ 286.997358] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 286.998397] RIP: 0010:d_namespace_path.constprop.0+0x48/0x300
...
[ 287.008418] Call Trace:
[ 287.016112] aa_path_name+0x42/0xb0
[ 287.016616] path_name.isra.0+0x5f/0xe0
[ 287.017153] profile_path_perm.part.0+0x58/0xa0
[ 287.017768] aa_path_perm+0xdd/0x130
[ 287.018293] common_perm+0x96/0x110
[ 287.018795] common_perm_cond+0x4c/0x70
[ 287.019353] apparmor_inode_getattr+0x1d/0x20
[ 287.019948] security_inode_getattr+0x35/0x50
[ 287.020542] vfs_getattr+0x22/0x50
[ 287.021042] vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 287.021687] ? lookup_dcache+0x46/0x70
[ 287.022216] ? lookup_one_len+0x68/0x90
[ 287.022755] vfsub_lookup_one_len+0x61/0x70 [aufs]
[ 287.023413] au_wh_test+0x26/0xa0 [aufs]
[ 287.023978] au_lkup_dentry+0x1ba/0x670 [aufs]
[ 287.024598] aufs_lookup.part.0+0x119/0x200 [aufs]
[ 287.025250] aufs_atomic_open+0x19d/0x400 [aufs]
[ 287.025881] ? aufs_permission+0x1a9/0x2f0 [aufs]
[ 287.026536] ? security_path_mknod+0x4c/0x70
[ 287.027130] lookup_open+0x364/0x6e0
[ 287.027658] do_last+0x2cb/0x900
[ 287.028141] ? __alloc_file+0x94/0x110
[ 287.028678] path_openat+0x8d/0x290
[ 287.029184] ? do_async_page_fault+0x39/0x70
[ 287.029773] do_filp_open+0x91/0x100
[ 287.030292] ? strncpy_from_user+0xbd/0x150
[ 287.030879] ? __alloc_fd+0xb8/0x150
[ 287.031402] do_sys_open+0x17e/0x290
[ 287.031920] __x64_sys_openat+0x20/0x30
[ 287.032469] do_syscall_64+0x57/0x190
[ 287.032997] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 287.033682] RIP: 0033:0x7f299dccf026

Patched:

# ../openat
# echo $?
0

# uname -rv
5.4.0-90-generic #101+test20211022b2 SMP Fri Oct 22 10:34:51 -03 2021

Test with bionic-proposed (4.15.0-162.170)
---

Original:

# ../openat
Killed

[ 442.526300] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
...
[ 442.539854] CPU: 1 PID: 5644 Comm: openat Not tainted 4.15.0-162-generic #170-Ubuntu
[ 442.540733] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 442.541755] RIP: 0010:aa_path_name+0x55/0x370
...
[ 442.549808] Call Trace:
[ 442.550211] path_name+0x60/0xe0
[ 442.550687] profile_path_perm.part.7+0x57/0xa0
[ 442.551293] aa_path_perm+0xe2/0x130
[ 442.551819] common_perm+0x59/0x130
[ 442.552323] common_perm_cond+0x4c/0x70
[ 442.552856] apparmor_inode_getattr+0x1d/0x20
[ 442.553444] security_inode_getattr+0x47/0x60
[ 442.554038] vfs_getattr+0x21/0x40
[ 442.554538] vfsub_update_h_iattr+0x95/0xb0 [aufs]
[ 442.555172] ? __lookup_hash+0x22/0xa0
[ 442.555697] ? lookup_one_len+0x113/0x120
[ 442.556323] vfsub_lookup_one_len+0x50/0x70 [aufs]
[ 442.557065] au_wh_test+0x25/0xe0 [aufs]
[ 442.557615] au_lkup_dentry+0x484/0x620 [aufs]
[ 442.558225] aufs_lookup.part.33+0x11c/0x210 [aufs]
[ 442.562787] aufs_atomic_open+0x102/0x3b0 [aufs]
[ 442.563427] ? aufs_permission+0x190/0x2d0 [aufs]
[ 442.564098] ? __inode_permission+0x5b/0x160
[ 442.564689] path_openat+0xde1/0x18b0
[ 442.565214] ? path_openat+0xde1/0x18b0
[ 442.565756] do_filp_open+0x9b/0x110
[ 442.566266] ? __check_object_size+0xc8/0x1b0
[ 442.566862] ? __alloc_fd+0xb2/0x170
[ 442.567376] do_sys_open+0x1ba/0x2c0
[ 442.567908] ? do_sys_open+0x1ba/0x2c0
[ 442.568453] SyS_openat+0x14/0x20
[ 442.568939] do_syscall_64+0x73/0x130
[ 442.569458] entry_SYSCALL_64_after_hwframe+0x41/0xa6
[ 442.570117] RIP: 0033:0x7f079564af83

Patched:

# ../openat
# echo $?
0

# uname -rv
4.15.0-162-generic #170+test20211022b1 SMP Fri Oct 22 10:59:39 -03 2021

Hirsute doesn't ship aufs anymore; no testing needed, just patching.

commit 4fb9ce7538c89f81e3fa5bfae881c9b49e7137e0
Author: Seth Forshee <email address hidden>
Date: Fri Feb 19 14:46:24 2021 -0600

    UBUNTU: [Config] CONFIG_AUFS_FS=n

    We're keeping aufs in the source tree for backports but disabling
    it starting in hirsute. Update the configs and annotations
    accordingly.

    Signed-off-by: Seth Forshee <email address hidden>

[H/F/B][PATCH 0/1] aufs: fix kernel bug with apparmor and fuseblk
https://lists.ubuntu.com/archives/kernel-team/2021-October/125163.html

This bug is awaiting verification that the linux/5.11.0-41.45 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-hirsute' to 'verification-done-hirsute'. If the problem still exists, change the tag 'verification-needed-hirsute' to 'verification-failed-hirsute'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux/5.4.0-91.102 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

This bug is awaiting verification that the linux/4.15.0-163.171 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Verified bionic, focal, and hirsute (hwe kernel in focal) with steps in comment #1.

The kernel packages in -updates hit the issue.
The kernel packages in -proposed don't hit it.

ubuntu@mfo-aufs-bionic:~/aufs$ uname -rv
4.15.0-163-generic #171-Ubuntu SMP Fri Nov 5 11:55:11 UTC 2021

ubuntu@mfo-aufs-focal:~$ uname -rv
5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021

ubuntu@mfo-aufs-focal:~/aufs$ uname -rv
5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021

This bug was fixed in the package linux - 4.15.0-163.171

---------------
linux (4.15.0-163.171) bionic; urgency=medium

  * bionic/linux: 4.15.0-163.171 -proposed tracker (LP: #1949874)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * Unable to build net/reuseport_bpf and other tests in ubuntu_kernel_selftests
    on Bionic with make command (LP: #1949889)
    - selftests: Fix loss of test output in run_kselftests.sh
    - selftests: Makefile set KSFT_TAP_LEVEL to prevent nested TAP headers
    - selftests: fix headers_install circular dependency
    - selftests: fix bpf build/test workflow regression when KBUILD_OUTPUT is set
    - selftests: vm: Fix test build failure when built by itself

  * KVM emulation failure when booting into VM crash kernel with multiple CPUs
    (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"
    - cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is
      active

  * Some test in ubuntu_bpf test_verifier failed on i386 Bionic kernel
    (LP: #1788578)
    - bpf: fix context access in tracing progs on 32 bit archs

  * test_bpf.sh from ubuntu_kernel_selftests.net from linux ADT test failure
    with linux/4.15.0-149.153 i386 (Segmentation fault) (LP: #1934414)
    - selftests/bpf: make test_verifier run most programs
    - bpf: add couple of test cases for div/mod by zero
    - bpf: add further test cases around div/mod and others

  * Bionic update: upstream stable patchset 2021-11-02 (LP: #1949512)
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxco...

This bug was fixed in the package linux - 5.4.0-91.102

---------------
linux (5.4.0-91.102) focal; urgency=medium

  * focal/linux: 5.4.0-91.102 -proposed tracker (LP: #1949840)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * KVM emulation failure when booting into VM crash kernel with multiple CPUs
    (LP: #1948862)
    - KVM: x86: Properly reset MMU context at vCPU RESET/INIT

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * ACL updates on OCFS2 are not revalidated (LP: #1947161)
    - ocfs2: fix remounting needed after setfacl command

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"

  * Reassign I/O Path of ConnectX-5 Port 1 before Port 2 causes NULL dereference
    (LP: #1943464)
    - s390/pci: fix leak of PCI device structure
    - s390/pci: fix use after free of zpci_dev
    - s390/pci: fix zpci_zdev_put() on reserve

  * [SRU][F] USB: serial: pl2303: add support for PL2303HXN (LP: #1948377)
    - USB: serial: pl2303: add support for PL2303HXN
    - USB: serial: pl2303: fix line-speed handling on newer chips

  * Focal update: v5.4.151 upstream stable release (LP: #1947888)
    - tty: Fix out-of-bound vmalloc access in imageblit
    - cpufreq: schedutil: Use kobject release() method to free sugov_tunables
    - cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
    - usb: cdns3: fix race condition before setting doorbell
    - fs-verity: fix signed integer overflow with i_size near S64_MAX
    - hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary
      structure field
    - hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary
      structure field
    - hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary
      structure field
    - scsi: ufs: Fix illegal offset in UPIU event trace
    - mac80211: fix use-after-free in CCMP/GCMP RX
    - x86/kvmclock: Move this_cpu_pvti into kvmclock.h
    - drm/amd/display: Pass PCI deviceid into DC
    - ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
    - hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced
      from sysfs
    - mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
    - mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
    - mac80211: mesh: fix potentially unaligned access
    - mac80211-hwsim: fix late beacon hrtimer handling
    - sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
    - hwmon: (tmp421) report /P...

This bug was fixed in the package linux - 5.11.0-41.45

---------------
linux (5.11.0-41.45) hirsute; urgency=medium

  * hirsute/linux: 5.11.0-41.45 -proposed tracker (LP: #1949801)

  * Packaging resync (LP: #1786013)
    - [Packaging] update Ubuntu.md
    - debian/dkms-versions -- update from kernel-versions (main/2021.11.08)

  * aufs: kernel bug with apparmor and fuseblk (LP: #1948470)
    - SAUCE: aufs: bugfix, stop omitting path->mnt

  * ebpf: bpf_redirect fails with ip6 gre interfaces (LP: #1947164)
    - net: handle ARPHRD_IP6GRE in dev_is_mac_header_xmit()

  * require CAP_NET_ADMIN to attach N_HCI ldisc (LP: #1949516)
    - Bluetooth: hci_ldisc: require CAP_NET_ADMIN to attach N_HCI ldisc

  * CVE-2021-3744 // CVE-2021-3764
    - crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()

  * ppc64 BPF JIT mod by 1 will not return 0 (LP: #1948351)
    - powerpc/bpf: Fix BPF_MOD when imm == 1

  * Fix Screen freeze after resume from suspend with iGPU [1002:6987]
    (LP: #1949050)
    - drm/amdgpu: reenable BACO support for 699F:C7 polaris12 SKU
    - drm/amdgpu: add missing cleanups for Polaris12 UVD/VCE on suspend
    - drm/amdgpu: Fix crash on device remove/driver unload

  * Intel I225-IT ethernet controller: igc: probe of 0000:02:00.0 failed with
    error -1 (LP: #1945576)
    - igc: Remove _I_PHY_ID checking
    - igc: Remove phy->type checking

  * Fail to detect audio output from external monitor (LP: #1948767)
    - ALSA: hda: intel: Allow repeatedly probing on codec configuration errors

  * Drop "UBUNTU: SAUCE: cachefiles: Page leaking in
    cachefiles_read_backing_file while vmscan is active" (LP: #1947709)
    - Revert "UBUNTU: SAUCE: cachefiles: Page leaking in
      cachefiles_read_backing_file while vmscan is active"

  * Hirsute update: upstream stable patchset 2021-11-03 (LP: #1949640)
    - mm: fix uninitialized use in overcommit_policy_handler
    - usb: gadget: r8a66597: fix a loop in set_feature()
    - usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave
    - usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA
    - usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
    - cifs: fix incorrect check for null pointer in header_assemble
    - xen/x86: fix PV trap handling on secondary processors
    - usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
    - USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
    - USB: cdc-acm: fix minor-number release
    - Revert "USB: bcma: Add a check for devm_gpiod_get"
    - binder: make sure fd closes complete
    - staging: greybus: uart: fix tty use after free
    - Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
    - usb: dwc3: core: balance phy init and exit
    - USB: serial: mos7840: remove duplicated 0xac24 device ID
    - USB: serial: option: add Telit LN920 compositions
    - USB: serial: option: remove duplicate USB device ID
    - USB: serial: option: add device id for Foxconn T99W265
    - mcb: fix error handling in mcb_alloc_bus()
    - erofs: fix up erofs_lookup tracepoint
    - btrfs: prevent __btrfs_dump_space_info() to underflow its free space
    - serial: 8250: 8250_omap: Fix RX_LVL re...