[SRU][K/J/I][PATCH 0/1] prevent kernel panic with overlayfs + shiftfs

Andrea Righi andrea.righi at canonical.com
Mon May 16 15:36:12 UTC 2022 

BugLink: https://bugs.launchpad.net/bugs/1973620

[Impact]

The patch that we have recently re-introduced to properly support
overlayfs on top of shiftfs can introduce potential kernel panics, for
example:

    BUG: kernel NULL pointer dereference, address: 0000000000000008
    [ 447.039738] #PF: supervisor read access in kernel mode
    [ 447.040369] #PF: error_code(0x0000) - not-present page
    [ 447.041002] PGD 0 P4D 0
    [ 447.041325] Oops: 0000 [#1] SMP NOPTI
    [ 447.041798] CPU: 0 PID: 73766 Comm: sudo Not tainted 5.15.0-28-generic #29~20.04.1-Ubuntu
    [ 447.042800] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-1.8.2-1ubuntu1+esm1 04/01/2014
    [ 447.043979] RIP: 0010:aa_file_perm+0x3a/0x470
    [ 447.044565] Code: 54 53 48 83 ec 68 48 89 7d 80 89 4d 8c 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 63 05 01 0a 19 01 48 03 82 c0 00 00 00 <4c> 8b 68 08 f6 46 40 02 0f 85 d0 00 00 00 41 f6 45 40 02 0f 85 c5
    [ 447.046837] RSP: 0018:ffffaefe80a4bca8 EFLAGS: 00010246
    [ 447.047481] RAX: 0000000000000000 RBX: ffff96e4038abd01 RCX: 0000000000000004
    [ 447.048351] RDX: ffff96e4038abd00 RSI: ffff96e401215eb8 RDI: ffffffff9c22a2ac
    [ 447.049241] RBP: ffffaefe80a4bd38 R08: 0000000000000000 R09: 0000000000000000
    [ 447.050121] R10: 0000000000000000 R11: 0000000000000000 R12: ffff96e401215eb8
    [ 447.051040] R13: ffff96e4038abd00 R14: ffffffff9c22a2ac R15: 0000000000000004
    [ 447.051942] FS: 00007eff3c0f8c80(0000) GS:ffff96e45e400000(0000) knlGS:0000000000000000
    [ 447.052981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 447.053696] CR2: 0000000000000008 CR3: 0000000002be2000 CR4: 00000000003506f0
    [ 447.054571] Call Trace:
    [ 447.054883] <TASK>
    [ 447.055154] ? unlock_page_memcg+0x2f/0x40
    [ 447.055668] ? page_remove_rmap+0x4b/0x320
    [ 447.056180] common_file_perm+0x72/0x170
    [ 447.056669] apparmor_file_permission+0x1c/0x20
    [ 447.057237] security_file_permission+0x30/0x1a0
    [ 447.057898] rw_verify_area+0x35/0x60
    [ 447.058392] vfs_read+0x6d/0x1a0
    [ 447.058842] ksys_read+0xb1/0xe0
    [ 447.059276] __x64_sys_read+0x1a/0x20
    [ 447.059732] do_syscall_64+0x5c/0xc0
    [ 447.060183] ? __set_current_blocked+0x3b/0x60
    [ 447.060738] ? exit_to_user_mode_prepare+0x3d/0x1c0
    [ 447.061434] ? syscall_exit_to_user_mode+0x27/0x50
    [ 447.062099] ? do_syscall_64+0x69/0xc0
    [ 447.062603] ? irqentry_exit_to_user_mode+0x9/0x20
    [ 447.063210] ? irqentry_exit+0x19/0x30
    [ 447.063678] ? exc_page_fault+0x89/0x160
    [ 447.064165] ? asm_exc_page_fault+0x8/0x30
    [ 447.064675] entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 447.065298] RIP: 0033:0x7eff3c2cb002

[Test case]

It is really easy to trigger this specific kernel panic running the lxc
autopackage test.

[Fix]

This bug happens because we don't need to decrement anymore the refcount
for the previous vm_file value in ovl_vm_prfile_set(). So the fix simply
consists of removing the unnecessary fput().

[Regression potential]

This patch affects only overlayfs (only when AUFS is enabled), so we may
see regressions in overlayfs in kernels that have AUFS enabled (focal
hwe and cloud kernels).

More information about the kernel-team mailing list