Bug 372681 - ecryptfs kernel BUG (and segfault)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: kernel
Version: 8
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Eric Sandeen
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-09 08:02 EST by Jonathan Underwood
Modified: 2008-02-22 17:27 EST (History)
Fixed In Version: 2.6.24.2-10
Doc Type: Bug Fix
Last Closed: 2008-02-22 17:20:54 EST
Description Jonathan Underwood 2007-11-09 08:02:58 EST
Description of problem:
The following session was on Fedora 8 (kernel-2.6.23.1-42.fc8,
ecryptfs-utils-18-1.fc8):

[root@renton ~]# mkdir secret
[root@renton ~]# mount -t ecryptfs /root/secret /root/secret
Select key type to use for newly created files:
 1) openssl
 2) passphrase
Selection: 2
Passphrase:
Verify Passphrase:
Cipher
1) Triple-DES
2) AES-128
3) AES-192
4) AES-256
5) CAST6
6) Blowfish
7) CAST5
8) Twofish
Selection [AES-128]:
Enable plaintext passthrough (y/n): y
Attempting to mount with the following options:
 ecryptfs_passthrough
 ecryptfs_cipher=aes
 ecryptfs_key_bytes=16
 ecryptfs_sig=27aa52467bde3b5d
WARNING: Based on the contents of [/root/.ecryptfs/sig-cache.txt],
it looks like you have never mounted with this key
before. This could mean that you have typed your
passphrase wrong.

Would you like to proceed with the mount (yes/no)? yes
Would you like to append sig [27aa52467bde3b5d] to
[/root/.ecryptfs/sig-cache.txt]
in order to avoid this warning in the future (yes/no)? no
Not adding sig to user sig cache file; continuing with mount.
Mounted eCryptfs
[root@renton ~]# cd secret
[root@renton secret]# ls
[root@renton secret]# touch junk
[root@renton secret]# cat > junk
Segmentation fault
[root@renton secret]#
Message from syslogd@renton at Nov  9 00:31:23 ...
 kernel: ------------[ cut here ]------------

Message from syslogd@renton at Nov  9 00:31:23 ...
 kernel: invalid opcode: 0000 [1] SMP

[root@renton secret]# echo hello > junk
[jgu@renton ~]$                 <-- notice my root shell was killed!
Message from syslogd@renton at Nov  9 00:31:39 ...
 kernel: ------------[ cut here ]------------

Message from syslogd@renton at Nov  9 00:31:39 ...
 kernel: invalid opcode: 0000 [2] SMP

At this point, dmesg shows the following:

SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr
Error opening lower file for lower_dentry [0xffff81004e995270],
lower_mnt [0xffff810037fece00], and flags [0x8003]
ecryptfs_open: Error opening lower file
------------[ cut here ]------------
kernel BUG at include/linux/dcache.h:322!
invalid opcode: 0000 [1] SMP
CPU 1
Modules linked in: cbc aes ecryptfs i915 drm nf_conntrack_ipv4
ipt_REJECT iptable_filter ip_tables nf_conntrack_ipv6 xt_state
nf_conntrack nfnetlink ip6t_REJECT ip6table_filter ip6_tables x_tables
ipv6 cpufreq_ondemand acpi_cpufreq dm_mirror dm_multipath dm_mod arc4
ecb blkcipher snd_hda_intel snd_seq_dummy snd_seq_oss firewire_ohci
snd_seq_midi_event firewire_core snd_seq iwl3945 snd_seq_device
snd_pcm_oss sdhci b44 snd_mixer_oss mmc_core ssb mac80211 ac video
button battery iTCO_wdt crc_itu_t iTCO_vendor_support output i2c_i801
mii snd_pcm joydev i2c_core cfg80211 snd_timer snd_page_alloc
snd_hwdep snd soundcore sr_mod sg cdrom ata_generic ata_piix libata
sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 3445, comm: bash Not tainted 2.6.23.1-42.fc8 #1
RIP: 0010:[<ffffffff8836f1a4>]  [<ffffffff8836f1a4>]
:ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
RSP: 0018:ffff81004eb2bdd8  EFLAGS: 00010246
RAX: ffff81007d6afa98 RBX: ffff81004e995270 RCX: 0000000000000003
RDX: ffff810037fece00 RSI: ffff81004e995270 RDI: ffff81004eb2be28
RBP: ffff810037fece00 R08: ffff81004eb2bd88 R09: 0000000000000000
R10: ffff81004eb2bb78 R11: 00000000000c000c R12: ffff81004e4685b8
R13: ffff81004eb2be28 R14: ffff810037fece00 R15: ffff81004e9951a0
FS:  00002aaaaaac1f50(0000) GS:ffff810037cd8300(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000004873b0 CR3: 000000004eb88000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 3445, threadinfo ffff81004eb2a000, task ffff810078092810)
Stack:  ffff8100523dd500 ffff81004e468380 ffff8100523dd500 ffff81004e4685b8
 ffff81004e4686d8 ffffffff8836f545 ffff81004e468380 ffff810053b50e08
 ffff81004e995270 0000000000000000 0000000000000000 ffff8100523dd500
Call Trace:
 [<ffffffff8836f545>] :ecryptfs:ecryptfs_open+0x12a/0x28b
 [<ffffffff8836f41b>] :ecryptfs:ecryptfs_open+0x0/0x28b
 [<ffffffff8109a0e8>] __dentry_open+0xf4/0x1c5
 [<ffffffff8109a26d>] do_filp_open+0x2a/0x38
 [<ffffffff81099f40>] get_unused_fd_flags+0x72/0x11f
 [<ffffffff8109a2c1>] do_sys_open+0x46/0xc3
 [<ffffffff8100bd45>] tracesys+0xd5/0xda


Code: 0f 0b eb fe f0 ff 06 48 85 ed 74 07 f0 ff 85 c0 00 00 00 41
RIP  [<ffffffff8836f1a4>] :ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
 RSP <ffff81004eb2bdd8>
------------[ cut here ]------------
kernel BUG at include/linux/dcache.h:322!
invalid opcode: 0000 [2] SMP
CPU 1
Modules linked in: cbc aes ecryptfs i915 drm nf_conntrack_ipv4
ipt_REJECT iptable_filter ip_tables nf_conntrack_ipv6 xt_state
nf_conntrack nfnetlink ip6t_REJECT ip6table_filter ip6_tables x_tables
ipv6 cpufreq_ondemand acpi_cpufreq dm_mirror dm_multipath dm_mod arc4
ecb blkcipher snd_hda_intel snd_seq_dummy snd_seq_oss firewire_ohci
snd_seq_midi_event firewire_core snd_seq iwl3945 snd_seq_device
snd_pcm_oss sdhci b44 snd_mixer_oss mmc_core ssb mac80211 ac video
button battery iTCO_wdt crc_itu_t iTCO_vendor_support output i2c_i801
mii snd_pcm joydev i2c_core cfg80211 snd_timer snd_page_alloc
snd_hwdep snd soundcore sr_mod sg cdrom ata_generic ata_piix libata
sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 3322, comm: bash Tainted: G      D 2.6.23.1-42.fc8 #1
RIP: 0010:[<ffffffff8836f1a4>]  [<ffffffff8836f1a4>]
:ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
RSP: 0018:ffff8100502f7dd8  EFLAGS: 00010246
RAX: ffff81007d6afa98 RBX: ffff81004e995270 RCX: 0000000000000003
RDX: ffff810037fece00 RSI: ffff81004e995270 RDI: ffff8100502f7e28
RBP: ffff810037fece00 R08: ffff8100502f7d88 R09: 0000000000000000
R10: ffff8100502f7b78 R11: 00000000000c000c R12: ffff81004e4685b8
R13: ffff8100502f7e28 R14: ffff810037fece00 R15: ffff81004e9951a0
FS:  00002aaaaaac1f50(0000) GS:ffff810037cd8300(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000008d47c0 CR3: 000000004e8df000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 3322, threadinfo ffff8100502f6000, task ffff81005b0eb020)
Stack:  ffff81004fe24400 ffff81004e468380 ffff81004fe24400 ffff81004e4685b8
 ffff81004e4686d8 ffffffff8836f545 ffff81004e468380 ffff810053b50e08
 ffff81004e995270 0000000000000000 0000000000000000 ffff81004fe24400
Call Trace:
 [<ffffffff8836f545>] :ecryptfs:ecryptfs_open+0x12a/0x28b
 [<ffffffff8836f41b>] :ecryptfs:ecryptfs_open+0x0/0x28b
 [<ffffffff8109a0e8>] __dentry_open+0xf4/0x1c5
 [<ffffffff8109a26d>] do_filp_open+0x2a/0x38
 [<ffffffff81099f40>] get_unused_fd_flags+0x72/0x11f
 [<ffffffff8109a2c1>] do_sys_open+0x46/0xc3
 [<ffffffff8100bd45>] tracesys+0xd5/0xda


Code: 0f 0b eb fe f0 ff 06 48 85 ed 74 07 f0 ff 85 c0 00 00 00 41
RIP  [<ffffffff8836f1a4>] :ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
 RSP <ffff8100502f7dd8>



At this point, it's impossible to umount the ecryptfs stack mount:
[root@renton jgu]# umount /root/secret
umount: /root/secret: device is busy
umount: /root/secret: device is busy


Version-Release number of selected component (if applicable):
kernel-2.6.23.1-42.fc8 (x86_64)
ecryptfs-utils-18-1.fc8

How reproducible:
Every time

Steps to Reproduce:
1. mkdir /root/secret
2. mount -t ecryptfs /root/secret /root/secret
3. cd /root/secret
4. echo hello > junk
  
Actual results:
Segfault and general brokenness

Expected result:
Create a file on the encrypted fs.

Additional info:
Reported upstream as well:
http://sourceforge.net/mailarchive/forum.php?thread_name=645d17210711081640m6a31b8bar9ba5fed794835adc%40mail.gmail.com&forum_name=ecryptfs-devel
Comment 1 Eric Sandeen 2007-11-10 00:38:00 EST
Hmm:

[root@localhost ~]# mount -t ecryptfs secret secret
Select key type to use for newly created files:
 1) passphrase
 2) openssl
Selection: 1
Passphrase: 
Verify Passphrase: 
Cipher
1) AES-128
2) AES-192
3) AES-256
4) Triple-DES
5) Twofish
6) CAST5
7) CAST6
8) Blowfish
Selection [AES-128]: 
Enable plaintext passthrough (y/n): y
Attempting to mount with the following options:
  ecryptfs_passthrough
  ecryptfs_cipher=aes
  ecryptfs_key_bytes=16
  ecryptfs_sig=253ca7e88811d184
Mounted eCryptfs
[root@localhost ~]# cd secret
[root@localhost secret]# echo foo > junk
[root@localhost secret]# cat junk
foo

that was on 2.6.23.1-30.fc8 #1 SMP Mon Oct 22 18:46:28 EDT 2007 i686 i686 i386
GNU/Linux and ecryptfs-utils-18-1.fc8
....

-Eric
Comment 2 Jonathan Underwood 2007-11-10 06:34:11 EST
Hi Eric,

Your session in Comment #1 was on a 32 bit x86, right? The session I cut and
pasted was from an x86_64. Perhaps then it is 64 bit specific.
Comment 3 Michael Halcrow 2007-11-10 13:16:06 EST
This is a clue as to what went wrong:

---
Error opening lower file for lower_dentry [0xffff81004e995270],
lower_mnt [0xffff810037fece00], and flags [0x8003]
ecryptfs_open: Error opening lower file
---

The version of eCryptfs in 2.6.23 probably doesn't handle failures to open files
in the lower filesystem gracefully. The failure to open the file in the lower
filesystem may have been due to DAC permissions or a MAC (SELinux) denial.
Jonathan: you can verify this by making sure that you have write permission to
your lower directory; also, see if it bombs out when setenforce=0.

(Note that the mechanism for opening the lower file is completely different in
2.6.24-rc, so this bug may not even manifest in the latest release).

Mike
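
Added example, not part of the original thread or of eCryptfs: a Python triage helper that pairs the "Error opening lower file" message Mike points to with the kernel BUG that follows it in dmesg, and pulls out the fields used when comparing reports (flags, BUG site, faulting symbol, pid, taint). The input is a trimmed excerpt of the dmesg output in the description; the function names are this example's own.

```python
import re

# Trimmed excerpt of the dmesg output quoted in the bug description.
SAMPLE = """\
SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr
Error opening lower file for lower_dentry [0xffff81004e995270],
lower_mnt [0xffff810037fece00], and flags [0x8003]
ecryptfs_open: Error opening lower file
------------[ cut here ]------------
kernel BUG at include/linux/dcache.h:322!
invalid opcode: 0000 [1] SMP
Pid: 3445, comm: bash Not tainted 2.6.23.1-42.fc8 #1
RIP  [<ffffffff8836f1a4>] :ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
------------[ cut here ]------------
kernel BUG at include/linux/dcache.h:322!
invalid opcode: 0000 [2] SMP
Pid: 3322, comm: bash Tainted: G      D 2.6.23.1-42.fc8 #1
RIP  [<ffffffff8836f1a4>] :ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
"""

CUT = "------------[ cut here ]------------"
FLAGS_RE = re.compile(r"flags \[0x([0-9a-fA-F]+)\]")
BUG_RE = re.compile(r"kernel BUG at (\S+?):(\d+)!")
SEQ_RE = re.compile(r"invalid opcode: \d+ \[(\d+)\]")
PID_RE = re.compile(r"Pid: (\d+), comm: (\S+) (Not tainted|Tainted)")
RIP_RE = re.compile(r"RIP\s+\[<[0-9a-f]+>\]\s+:(\w+):(\w+)\+")

def decode_open_flags(flags):
    """Split open flags into access mode (low two bits) and the other bits (0x8000 is O_LARGEFILE in asm-generic)."""
    modes = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR", 3: "access mode 3"}
    return modes[flags & 3], flags & ~3

def parse_oopses(log):
    """Return one dict per 'cut here' block, with the eCryptfs open error logged just before it, if any."""
    segments = log.split(CUT)
    events = []
    for prev, body in zip(segments, segments[1:]):
        bug = BUG_RE.search(body)
        if not bug:
            continue  # a 'cut here' block that is a WARNING, not a BUG
        ev = {"bug_file": bug.group(1), "bug_line": int(bug.group(2))}
        seq, pid, rip = SEQ_RE.search(body), PID_RE.search(body), RIP_RE.search(body)
        ev["oops_seq"] = int(seq.group(1)) if seq else None
        ev["pid"] = int(pid.group(1)) if pid else None
        ev["comm"] = pid.group(2) if pid else None
        ev["tainted"] = bool(pid) and pid.group(3) == "Tainted"
        ev["module"], ev["symbol"] = rip.groups() if rip else (None, None)
        err = FLAGS_RE.search(prev) if "Error opening lower file" in prev else None
        ev["lower_open_flags"] = int(err.group(1), 16) if err else None
        events.append(ev)
    return events

if __name__ == "__main__":
    for ev in parse_oopses(SAMPLE):
        print(ev, decode_open_flags(ev["lower_open_flags"] or 0))
```

It expects plain dmesg text; the second oops here reports no open error because none was logged between the two BUG blocks.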
Comment 4 Eric Sandeen 2007-11-10 14:52:07 EST
I did have selinux off, but things still worked ok after re-enabling it. 
Jonathan, I need to get an x86_64 box set up with F8, then can test there.  Did
you have any other selinux-related messages in your failure case, or any other
clues to why the file open failed?

FWIW:
[root@localhost ~]# ls -Zd secret
drwxr-xr-x  root root root:object_r:sysadm_home_t:s0   secret

is the security context for the secret/ dir I tested with.

Creating a new dir when selinux was on, I got:

[root@localhost ~]# ls -Zd secret3
drwxr-xr-x  root root root:object_r:sysadm_home_dir_t:s0 secret3

but that worked fine too.
Comment 5 Jonathan Underwood 2007-11-10 18:34:09 EST
For sanity, I reproduced this just now at the first attempt, and verified the
SELinux permissions:

[root@renton ~]# ls -Zd secret/
drwxr-xr-x  root root system_u:object_r:sysadm_home_dir_t:s0 secret/
[root@renton ~]# mount -t ecryptfs /root/secret /root/secret
Select key type to use for newly created files:
 1) openssl
 2) passphrase
Selection: 2
Passphrase: 
Verify Passphrase: 
Cipher
1) Triple-DES
2) AES-128
3) AES-192
4) AES-256
5) CAST6
6) Blowfish
7) CAST5
8) Twofish
Selection [AES-128]: 
Enable plaintext passthrough (y/n): 
Attempting to mount with the following options:
  ecryptfs_cipher=aes
  ecryptfs_key_bytes=16
  ecryptfs_sig=27aa52467bde3b5d
Mounted eCryptfs
[root@renton ~]# cd secret
[root@renton secret]# touch junk
[root@renton secret]# echo foo > junk
[jgu@renton ~]$ 
Message from syslogd@renton at Nov 10 23:26:10 ...
 kernel: ------------[ cut here ]------------

Message from syslogd@renton at Nov 10 23:26:10 ...
 kernel: invalid opcode: 0000 [1] SMP 

Note how my root shell is killed. Everything related to this in dmesg:

SELinux: initialized (dev ecryptfs, type ecryptfs), uses xattr
Error opening lower file for lower_dentry [0xffff81004de03340], lower_mnt
[0xffff81007e58b500], and flags [0x8003]
ecryptfs_open: Error opening lower file
------------[ cut here ]------------
kernel BUG at include/linux/dcache.h:322!
invalid opcode: 0000 [1] SMP 
CPU 1 
Modules linked in: cbc aes ecryptfs i915 drm nf_conntrack_ipv4 ipt_REJECT
iptable_filter ip_tables nf_conntrack_ipv6 xt_state nf_conntrack nfnetlink
ip6t_REJECT ip6table_filter ip6_tables x_tables ipv6 cpufreq_ondemand
acpi_cpufreq dm_mirror dm_multipath dm_mod snd_hda_intel snd_seq_dummy
snd_seq_oss snd_seq_midi_event snd_seq arc4 snd_seq_device ecb snd_pcm_oss
blkcipher b44 snd_mixer_oss snd_pcm firewire_ohci firewire_core snd_timer ssb
snd_page_alloc snd_hwdep sdhci snd crc_itu_t mii iTCO_wdt soundcore
iTCO_vendor_support mmc_core iwl3945 battery i2c_i801 ac video output button
i2c_core mac80211 joydev cfg80211 sg sr_mod cdrom ata_generic ata_piix libata
sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd
Pid: 3722, comm: bash Not tainted 2.6.23.1-42.fc8 #1
RIP: 0010:[<ffffffff8836c1a4>]  [<ffffffff8836c1a4>]
:ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
RSP: 0018:ffff81004d7d3dd8  EFLAGS: 00010246
RAX: ffff81007d6b3b88 RBX: ffff81004de03340 RCX: 0000000000000003
RDX: ffff81007e58b500 RSI: ffff81004de03340 RDI: ffff81004d7d3e28
RBP: ffff81007e58b500 R08: ffff81004d7d3d88 R09: 0000000000000000
R10: ffff81004d7d3b78 R11: 0000000000100005 R12: ffff81004d7a85b8
R13: ffff81004d7d3e28 R14: ffff81007e58b500 R15: ffff81004de03750
FS:  00002aaaaaac4f50(0000) GS:ffff810037cd8300(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000008d7508 CR3: 000000004cd1d000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process bash (pid: 3722, threadinfo ffff81004d7d2000, task ffff81004c566810)
Stack:  ffff81005c656000 ffff81004d7a8380 ffff81005c656000 ffff81004d7a85b8
 ffff81004d7a86d8 ffffffff8836c545 ffff81004d7a8380 ffff81007e503c08
 ffff81004de03340 0000000000000000 0000000000000000 ffff81005c656000
Call Trace:
 [<ffffffff8836c545>] :ecryptfs:ecryptfs_open+0x12a/0x28b
 [<ffffffff8836c41b>] :ecryptfs:ecryptfs_open+0x0/0x28b
 [<ffffffff8109a0e8>] __dentry_open+0xf4/0x1c5
 [<ffffffff8109a26d>] do_filp_open+0x2a/0x38
 [<ffffffff81099f40>] get_unused_fd_flags+0x72/0x11f
 [<ffffffff8109a2c1>] do_sys_open+0x46/0xc3
 [<ffffffff8100bd45>] tracesys+0xd5/0xda


Code: 0f 0b eb fe f0 ff 06 48 85 ed 74 07 f0 ff 85 c0 00 00 00 41 
RIP  [<ffffffff8836c1a4>] :ecryptfs:ecryptfs_open_lower_file+0x1d/0x83
 RSP <ffff81004d7d3dd8>

i.e. no SELinux denial messages.

I then tried the same thing with selinux turned off:

[jgu@renton ~]$ su -
Password: 
[root@renton ~]# cd /root
[root@renton ~]# /usr/sbin/setenforce 0
[root@renton ~]# mkdir secret2
[root@renton ~]# ls -Zd secret/
drwxr-xr-x  root root system_u:object_r:sysadm_home_dir_t:s0 secret/
[root@renton ~]# mount -t ecryptfs /root/secret2 /root/secret2
Select key type to use for newly created files:
 1) openssl
 2) passphrase
Selection: 2
Passphrase: 
Verify Passphrase: 
Cipher
1) Triple-DES
2) AES-128
3) AES-192
4) AES-256
5) CAST6
6) Blowfish
7) CAST5
8) Twofish
Selection [AES-128]: 
Enable plaintext passthrough (y/n): 
Attempting to mount with the following options:
  ecryptfs_cipher=aes
  ecryptfs_key_bytes=16
  ecryptfs_sig=27aa52467bde3b5d
Mounted eCryptfs
[root@renton ~]# cd service2
-bash: cd: service2: No such file or directory
[root@renton ~]# cd secret2
[root@renton secret2]# touch junk
[root@renton secret2]# echo foo > junk
[root@renton secret2]# 

So, it very much does seem to be an SELinux issue causing ecryptfs to bomb out.

For reference:
[root@renton secret2]# ls -Z junk 
-rw-r--r--  root root system_u:object_r:sysadm_home_dir_t:s0 junk
[root@renton secret2]# 

My understanding of SELinux is rather... superficial, so I can't shed much light
on this.
Comment 6 Jonathan Underwood 2007-11-10 18:52:49 EST
Oh, also, just in case it's important: 

[root@renton ~]# rpm -qa | grep selinux
selinux-policy-3.0.8-44.fc8
libselinux-2.0.37-1.fc8
libselinux-python-2.0.37-1.fc8
libselinux-2.0.37-1.fc8
selinux-policy-targeted-3.0.8-44.fc8
Comment 7 Jonathan Underwood 2007-11-24 13:34:24 EST
Still occurs with 
kernel 2.6.23.8-62 and 
libselinux-python-2.0.43-1.fc8
libselinux-2.0.43-1.fc8
libselinux-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-56.fc8
selinux-policy-3.0.8-56.fc8
selinux-policy-devel-3.0.8-56.fc8
Comment 8 Jonathan Underwood 2007-11-24 13:36:37 EST
Added dwalsh, as I think this may be an SELinux problem, given that turning
SELinux off solves it.
Comment 9 Eric Sandeen 2007-12-18 14:22:06 EST
Any chance you can try this again on 2.6.24-rcFOO?

FWIW we've done a fair amount of testing on 2.6.24-rc3-ish, on x86 and x86_64,
with and without selinux, and haven't seen this problem.
Comment 10 Jonathan Underwood 2007-12-18 14:51:08 EST
I will try over the xmas break, but won't have time this week I am afraid. 
Comment 11 Christopher Brown 2008-02-03 19:05:37 EST
Hello,

I'm reviewing this bug as part of the kernel bug triage project, an attempt to
isolate current bugs in the Fedora kernel.

http://fedoraproject.org/wiki/KernelBugTriage

I am CC'ing myself to this bug and will try and assist you in resolving it if I can.

There hasn't been much activity on this bug for a while. Have you been able to
test against a 2.6.24-based kernel?

If the problem no longer exists then please close this bug or I'll do so in a
few days if there is no additional information lodged.
Comment 12 Jonathan Underwood 2008-02-03 20:06:42 EST
I am afraid I have been snowed under with other issues, but 2.6.24 kernels will
presumably hit F8 very soon, when I'll be able to test this once more.
Comment 13 Christopher Brown 2008-02-04 08:53:46 EST
(In reply to comment #12)
> I am afraid I have been snowed under with other issues, but 2.6.24 kernels will
> presumably hit F8 very soon, when I'll be able to test this once more.

Okay, thanks Jonathan. I'm setting this back to NEEDINFO so we know we're
waiting on some testing from you.
Comment 14 Daniel Walsh 2008-02-04 13:27:46 EST
I used this in Rawhide, and it seems to work correctly without any SELinux errors.
Comment 15 Jonathan Underwood 2008-02-22 17:20:54 EST
With kernel-2.6.24.2-10.fc8 I no longer see this problem - I'll close the bug.
Comment 16 Eric Sandeen 2008-02-22 17:27:26 EST
great, thanks for the update.
