From patchwork Mon May 16 14:42:10 2022
X-Patchwork-Submitter: Andrea Righi
X-Patchwork-Id: 1631625
Date: Mon, 16 May 2022 16:42:10 +0200
From: Andrea Righi
To: kernel-team@lists.ubuntu.com
Subject: [PATCH][SRU][I] UBUNTU: SAUCE: overlayfs: prevent dereferencing struct file in ovl_vm_prfile_set()

BugLink: https://bugs.launchpad.net/bugs/1967924

With the following commit we re-introduced a SAUCE patch that had been
dropped starting with 5.13:

  8a44684a4078 ("UBUNTU: SAUCE: overlayfs: fix incorrect mnt_id of files opened from map_files")

However, the forward-ported patch introduced a potential NULL pointer
dereference bug:

BUG: kernel NULL pointer dereference, address: 0000000000000008
[  447.039738] #PF: supervisor read access in kernel mode
[  447.040369] #PF: error_code(0x0000) - not-present page
[  447.041002] PGD 0 P4D 0
[  447.041325] Oops: 0000 [#1] SMP NOPTI
[  447.041798] CPU: 0 PID: 73766 Comm: sudo Not tainted 5.15.0-28-generic #29~20.04.1-Ubuntu
[  447.042800] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-1.8.2-1ubuntu1+esm1 04/01/2014
[  447.043979] RIP: 0010:aa_file_perm+0x3a/0x470
[  447.044565] Code: 54 53 48 83 ec 68 48 89 7d 80 89 4d 8c 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 63 05 01 0a 19 01 48 03 82 c0 00 00 00 <4c> 8b 68 08 f6 46 40 02 0f 85 d0 00 00 00 41 f6 45 40 02 0f 85 c5
[  447.046837] RSP: 0018:ffffaefe80a4bca8 EFLAGS: 00010246
[  447.047481] RAX: 0000000000000000 RBX: ffff96e4038abd01 RCX: 0000000000000004
[  447.048351] RDX: ffff96e4038abd00 RSI: ffff96e401215eb8 RDI: ffffffff9c22a2ac
[  447.049241] RBP: ffffaefe80a4bd38 R08: 0000000000000000 R09: 0000000000000000
[  447.050121] R10: 0000000000000000 R11: 0000000000000000 R12: ffff96e401215eb8
[  447.051040] R13: ffff96e4038abd00 R14: ffffffff9c22a2ac R15: 0000000000000004
[  447.051942] FS:  00007eff3c0f8c80(0000) GS:ffff96e45e400000(0000) knlGS:0000000000000000
[  447.052981] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  447.053696] CR2: 0000000000000008 CR3: 0000000002be2000 CR4: 00000000003506f0
[  447.054571] Call Trace:
[  447.054883]
[  447.055154]  ? unlock_page_memcg+0x2f/0x40
[  447.055668]  ? page_remove_rmap+0x4b/0x320
[  447.056180]  common_file_perm+0x72/0x170
[  447.056669]  apparmor_file_permission+0x1c/0x20
[  447.057237]  security_file_permission+0x30/0x1a0
[  447.057898]  rw_verify_area+0x35/0x60
[  447.058392]  vfs_read+0x6d/0x1a0
[  447.058842]  ksys_read+0xb1/0xe0
[  447.059276]  __x64_sys_read+0x1a/0x20
[  447.059732]  do_syscall_64+0x5c/0xc0
[  447.060183]  ? __set_current_blocked+0x3b/0x60
[  447.060738]  ? exit_to_user_mode_prepare+0x3d/0x1c0
[  447.061434]  ? syscall_exit_to_user_mode+0x27/0x50
[  447.062099]  ? do_syscall_64+0x69/0xc0
[  447.062603]  ? irqentry_exit_to_user_mode+0x9/0x20
[  447.063210]  ? irqentry_exit+0x19/0x30
[  447.063678]  ? exc_page_fault+0x89/0x160
[  447.064165]  ? asm_exc_page_fault+0x8/0x30
[  447.064675]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  447.065298] RIP: 0033:0x7eff3c2cb002

This panic happens only when AUFS is enabled (that is required to
"activate" this feature).

This bug happens because we no longer need to decrement the refcount for
the previous vm_file value in ovl_vm_prfile_set(). So make sure to drop
the offending fput() to prevent the kernel panic above.

Signed-off-by: Andrea Righi
Acked-by: Kleber Sacilotto de Souza
---
 fs/overlayfs/file.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c
index 362dd17b8a00..2e4ebebdb7d1 100644
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -515,8 +515,6 @@ static void ovl_vm_prfile_set(struct vm_area_struct *vma,
 	get_file(file);
 	vma->vm_region->vm_prfile = file;
 #endif
-	/* Drop reference count from previous vm_file value */
-	fput(file);
 }
 #else /* !CONFIG_AUFS_FS */
 static void ovl_vm_prfile_set(struct vm_area_struct *vma,
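Review bot: the removed fput(file) acted on `file`, the very object whose reference was taken by `get_file(file)` a few lines above in the same hunk, not on any previous vm_file value as the removed comment claimed; the pair therefore stored a pointer in vma->vm_region->vm_prfile without the mapping owning a reference on it, which is consistent with the NULL dereference in aa_file_perm() in the report once the file is released. Removing the fput() is the right fix, but the commit message should say so directly (for example "the fput() dropped the reference get_file() had just acquired") rather than "we no longer need to decrement the refcount for the previous vm_file value", which reads as though an old value is now leaked. Since this hunk shows no release of a previously stored vm_prfile, it would also help reviewers if the message stated where (or whether) an earlier value is dropped, so the change can be confirmed leak-free on a repeated set.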
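To make the reference-count mistake behind the oops concrete, here is an added user-space model written for this page; it is not kernel code and not part of the patch. It uses a constructed `struct toy_file` with an explicit refcount in place of the kernel's `struct file`, and `toy_get_file()`/`toy_fput()` in place of `get_file()`/`fput()`. `prfile_set_buggy()` reproduces the get-then-fput pairing the hunk removes, and `prfile_set_fixed()` the shape after the patch; the "released" flag stands in for the object being freed so the example can observe the dangling pointer without an actual use-after-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a file object with a reference count. Every pointer
 * that is stored long-term (here: vm_prfile) must own exactly one reference,
 * which is the invariant get_file()/fput() maintain in the kernel. */
struct toy_file {
    long refcount;   /* number of live references */
    int  released;   /* set when the last reference is dropped */
    char name[32];
};

struct toy_vma {
    struct toy_file *vm_prfile;  /* extra per-mapping file pointer (AUFS/overlayfs) */
};

static struct toy_file *toy_file_open(const char *name)
{
    struct toy_file *f = calloc(1, sizeof(*f));
    if (!f)
        abort();
    f->refcount = 1;  /* the opener owns the first reference */
    strncpy(f->name, name, sizeof(f->name) - 1);
    return f;
}

static void toy_get_file(struct toy_file *f)
{
    f->refcount++;
}

/* Models fput(): the last dropper marks the object released. The memory is
 * kept so the example can inspect the flag instead of touching freed memory. */
static void toy_fput(struct toy_file *f)
{
    if (f->refcount <= 0) {
        fprintf(stderr, "refcount underflow on %s\n", f->name);
        abort();
    }
    if (--f->refcount == 0)
        f->released = 1;
}

/* The pattern the hunk removes: take a reference, store the pointer, then
 * drop a reference on the same object. Net change is zero, so vm_prfile
 * points at an object the mapping does not own. */
static void prfile_set_buggy(struct toy_vma *vma, struct toy_file *file)
{
    toy_get_file(file);
    vma->vm_prfile = file;
    toy_fput(file);   /* cancels the get above */
}

/* The shape after the patch: the stored pointer keeps its reference. */
static void prfile_set_fixed(struct toy_vma *vma, struct toy_file *file)
{
    toy_get_file(file);
    vma->vm_prfile = file;
}

/* Refcount observed right after the set: 2 when the mapping owns a
 * reference, 1 when it does not. */
static long refcount_after_set(int use_fixed)
{
    struct toy_vma vma = { 0 };
    struct toy_file *f = toy_file_open("map_files-target");
    if (use_fixed)
        prfile_set_fixed(&vma, f);
    else
        prfile_set_buggy(&vma, f);
    long rc = f->refcount;
    while (f->refcount > 0)   /* release everything before freeing */
        toy_fput(f);
    free(f);
    return rc;
}

/* Simulates the opener installing the file, then closing its descriptor.
 * Returns 1 if vm_prfile still points at a live object afterwards. */
static int prfile_alive_after_close(int use_fixed)
{
    struct toy_vma vma = { 0 };
    struct toy_file *f = toy_file_open("map_files-target");
    if (use_fixed)
        prfile_set_fixed(&vma, f);
    else
        prfile_set_buggy(&vma, f);
    toy_fput(f);                          /* opener closes its descriptor */
    int alive = !vma.vm_prfile->released;
    if (alive)
        toy_fput(vma.vm_prfile);          /* mapping teardown drops its reference */
    free(f);
    return alive;
}

int main(void)
{
    printf("buggy: refcount after set=%ld, alive after close=%d\n",
           refcount_after_set(0), prfile_alive_after_close(0));
    printf("fixed: refcount after set=%ld, alive after close=%d\n",
           refcount_after_set(1), prfile_alive_after_close(1));
    return 0;
}
```

In the buggy variant the opener's close is the last reference drop, so the mapping is left holding a pointer to a released object; any later path that dereferences it (the report shows AppArmor's aa_file_perm() doing so on a read) faults. The fixed variant keeps the count balanced: the mapping's reference is only dropped when the mapping itself is torn down.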