From patchwork Mon May 16 15:36:13 2022
X-Patchwork-Submitter: Andrea Righi
X-Patchwork-Id: 1631681
From: Andrea Righi
To: kernel-team@lists.ubuntu.com
Subject: [SRU][K/J/I][PATCH 1/1] UBUNTU: SAUCE: overlayfs: prevent dereferencing struct file in ovl_vm_prfile_set()
Date: Mon, 16 May 2022 17:36:13 +0200
Message-Id: <20220516153613.192488-2-andrea.righi@canonical.com>
In-Reply-To: <20220516153613.192488-1-andrea.righi@canonical.com>
References: <20220516153613.192488-1-andrea.righi@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1973620

With the following commit we re-introduced a SAUCE patch that had been dropped starting with 5.13:

37e9bac9203b ("UBUNTU: SAUCE: overlayfs: fix incorrect mnt_id of files opened from map_files")

However, the forward-ported patch introduced a potential NULL pointer dereference bug:

BUG: kernel NULL pointer dereference, address: 0000000000000008
[  447.039738] #PF: supervisor read access in kernel mode
[  447.040369] #PF: error_code(0x0000) - not-present page
[  447.041002] PGD 0 P4D 0
[  447.041325] Oops: 0000 [#1] SMP NOPTI
[  447.041798] CPU: 0 PID: 73766 Comm: sudo Not tainted 5.15.0-28-generic #29~20.04.1-Ubuntu
[  447.042800] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-1.8.2-1ubuntu1+esm1 04/01/2014
[  447.043979] RIP: 0010:aa_file_perm+0x3a/0x470
[  447.044565] Code: 54 53 48 83 ec 68 48 89 7d 80 89 4d 8c 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 63 05 01 0a 19 01 48 03 82 c0 00 00 00 <4c> 8b 68 08 f6 46 40 02 0f 85 d0 00 00 00 41 f6 45 40 02 0f 85 c5
[  447.046837] RSP: 0018:ffffaefe80a4bca8 EFLAGS: 00010246
[  447.047481] RAX: 0000000000000000 RBX: ffff96e4038abd01 RCX: 0000000000000004
[  447.048351] RDX: ffff96e4038abd00 RSI: ffff96e401215eb8 RDI: ffffffff9c22a2ac
[  447.049241] RBP: ffffaefe80a4bd38 R08: 0000000000000000 R09: 0000000000000000
[  447.050121] R10: 0000000000000000 R11: 0000000000000000 R12: ffff96e401215eb8
[  447.051040] R13: ffff96e4038abd00 R14: ffffffff9c22a2ac R15: 0000000000000004
[  447.051942] FS:  00007eff3c0f8c80(0000) GS:ffff96e45e400000(0000) knlGS:0000000000000000
[  447.052981] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  447.053696] CR2: 0000000000000008 CR3: 0000000002be2000 CR4: 00000000003506f0
[  447.054571] Call Trace:
[  447.054883]
[  447.055154]  ? unlock_page_memcg+0x2f/0x40
[  447.055668]  ? page_remove_rmap+0x4b/0x320
[  447.056180]  common_file_perm+0x72/0x170
[  447.056669]  apparmor_file_permission+0x1c/0x20
[  447.057237]  security_file_permission+0x30/0x1a0
[  447.057898]  rw_verify_area+0x35/0x60
[  447.058392]  vfs_read+0x6d/0x1a0
[  447.058842]  ksys_read+0xb1/0xe0
[  447.059276]  __x64_sys_read+0x1a/0x20
[  447.059732]  do_syscall_64+0x5c/0xc0
[  447.060183]  ? __set_current_blocked+0x3b/0x60
[  447.060738]  ? exit_to_user_mode_prepare+0x3d/0x1c0
[  447.061434]  ? syscall_exit_to_user_mode+0x27/0x50
[  447.062099]  ? do_syscall_64+0x69/0xc0
[  447.062603]  ? irqentry_exit_to_user_mode+0x9/0x20
[  447.063210]  ? irqentry_exit+0x19/0x30
[  447.063678]  ? exc_page_fault+0x89/0x160
[  447.064165]  ? asm_exc_page_fault+0x8/0x30
[  447.064675]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  447.065298] RIP: 0033:0x7eff3c2cb002

This panic happens only when AUFS is enabled (that is required to "activate" this feature).

This bug happens because we no longer need to decrement the refcount for the previous vm_file value in ovl_vm_prfile_set(). So make sure to drop the offending fput() to prevent the kernel panic above.

Signed-off-by: Andrea Righi
Acked-by: Kleber Sacilotto de Souza
Acked-by: Stefan Bader
---
 fs/overlayfs/file.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 362dd17b8a00..2e4ebebdb7d1 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -515,8 +515,6 @@ static void ovl_vm_prfile_set(struct vm_area_struct *vma, get_file(file); vma->vm_region->vm_prfile = file; #endif - /* Drop reference count from previous vm_file value */ - fput(file); } #else /* !CONFIG_AUFS_FS */ static void ovl_vm_prfile_set(struct vm_area_struct *vma,
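Review bot: the removed fput(file) operated on the file just installed, not on the "previous vm_file value" its comment claimed, so on the visible path it immediately cancelled the get_file(file) two lines above and left vm_prfile pointing at a struct file this mapping held no reference to; that matches the oops in aa_file_perm() on a later read through the mapping. The commit message should state this get_file()/fput() mismatch directly instead of "we don't need to decrement anymore", and since the fput() sat after #endif it also applied to the branch above the hunk that is not shown here, so the description should confirm that branch takes its own reference in the same way and that any reference to the previously stored prfile is released elsewhere (e.g. when the mapping is torn down) rather than in this setter.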