freeing apparmor profiles causes irq stack overflow

Bug #1056078 reported by Chris J Arges
This bug affects 1 person
Affects          Status        Importance  Assigned to    Milestone
linux (Ubuntu)   Fix Released  Critical    John Johansen
  Lucid          Fix Released  Undecided   Tim Gardner
  Oneiric        Fix Released  Undecided   Tim Gardner
  Precise        Fix Released  Critical    Tim Gardner
  Quantal        Fix Released  Critical    John Johansen

Bug Description

In cases where a program has its profile replaced frequently over a longer period of time, when we free the aa profile it could cause a stack overflow such that another CPU's per_cpu area gets overwritten causing memory corruption.

Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1056078

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Chris J Arges (arges) wrote :

Attached is a reproducer script used to trigger this bug. You can increase the number of iterations if it doesn't crash your system.

tags: added: bot-stop-nagging
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Chris J Arges (arges)
Changed in linux (Ubuntu):
importance: Undecided → Critical
Joseph Salisbury (jsalisbury) wrote :

Can you also test the latest mainline kernel[0] to see if it also exhibits this bug?

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v3.6-rc7-quantal/

tags: added: oneiric precise quantal
tags: added: kernel-da-key
Chris J Arges (arges) wrote :

Yes, this bug is present on the latest kernel.

John Johansen (jjohansen) wrote :

The attached patch (done against natty) seems to address the issue. It specifically addresses the recursion of free_profile that is causing the stack corruption.

A test kernel with the patch applied can be found at
http://people.canonical.com/~jj/linux-image-2.6.38-16-server_2.6.38-16.67~lp1056078_amd64.deb
http://people.canonical.com/~jj/linux-headers-2.6.38-16-server_2.6.38-16.67~lp1056078_amd64.deb

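The recursion John describes, as an added C example that is not the kernel's or the AppArmor project's code: a constructed, simplified model in which each replaced profile keeps one reference to its successor, so dropping the last reference to the oldest profile releases the whole chain. `profile_put_recursive` nests one call per link (the pattern that overflows a small stack), while `profile_put_iterative` releases the same chain in a loop; `struct profile`, `replacedby` and `release_chain` are names assumed here.

```c
/* Constructed, simplified model of a profile replacement chain (not AppArmor's
 * code): each replaced profile holds one reference to its successor. */
#include <stdlib.h>
struct profile {
    int refcount;
    struct profile *replacedby; /* newer profile that superseded this one */
};
static int max_depth, freed; /* deepest free nesting seen; profiles released */
static struct profile *profile_new(void)
{
    struct profile *p = calloc(1, sizeof(*p));
    if (!p)
        abort();
    p->refcount = 1; /* the caller's reference */
    return p;
}

/* Buggy pattern: every link in the chain costs another stack frame, so a long
 * run of replacements can exhaust a small stack such as the IRQ stack. */
static void profile_put_recursive(struct profile *p, int depth)
{
    if (!p || --p->refcount > 0)
        return;
    if (depth > max_depth)
        max_depth = depth;
    struct profile *next = p->replacedby;
    free(p);
    freed++;
    profile_put_recursive(next, depth + 1); /* nested call per chain link */
}

/* Fixed pattern: walk the chain in a loop, so stack use stays constant. */
static void profile_put_iterative(struct profile *p)
{
    max_depth = 1;
    while (p && --p->refcount == 0) {
        struct profile *next = p->replacedby;
        free(p);
        freed++;
        p = next; /* move to the successor without a nested call */
    }
}

/* Build n profiles, each replaced by the next, release the oldest one and
 * return how deeply the free calls nested; freed counts the releases. */
static int release_chain(int n, int iterative)
{
    struct profile *oldest = profile_new(), *cur = oldest;
    for (int i = 1; i < n; i++) {
        cur->replacedby = profile_new(); /* its single ref is held by cur */
        cur = cur->replacedby;
    }
    freed = max_depth = 0;
    if (iterative)
        profile_put_iterative(oldest);
    else
        profile_put_recursive(oldest, 1);
    return max_depth;
}
```

With a chain of 1000 replacements the recursive release nests 1000 calls deep while the iterative one stays at depth 1, and both release all 1000 profiles.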
Chris J Arges (arges) wrote :

OK, I've tested the patch on Quantal and it does indeed fix the issue. I was able to even increase the number of iterations in the reproducer to 100000 and not incur a crash. In addition, I ran this multiple times.

Changed in linux (Ubuntu Oneiric):
status: New → Confirmed
Changed in linux (Ubuntu Precise):
status: New → Confirmed
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Lucid):
status: New → Confirmed
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Quantal):
status: Confirmed → Fix Committed
Changed in linux (Ubuntu Precise):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → In Progress
Chris J Arges (arges)
Changed in linux (Ubuntu Precise):
importance: Undecided → Critical
Chris J Arges (arges)
Changed in linux (Ubuntu Quantal):
assignee: nobody → Chris J Arges (christopherarges)
assignee: Chris J Arges (christopherarges) → John Johansen (jjohansen)
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Precise in -proposed solves the problem (3.2.0-32.51). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-16.24

---------------
linux (3.5.0-16.24) quantal-proposed; urgency=low

  [ Andy Whitcroft ]

  * SAUCE: ata_piix: add a disable_driver option
    - LP: #994870

  [ Christian König ]

  * (pre-stable) drm/radeon: make 64bit fences more robust v3 (3.5 stable)
    - LP: #1029582

  [ David Henningsson ]

  * SAUCE: ALSA: hda - use both input paths on Conexant auto parser
    - LP: #1037642
  * SAUCE: ALSA: hda - fix control names for multiple speaker out on
    IDT/STAC
    - LP: #1046734

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: ALSA: hda/via - don't report presence on HPs with no presence
    support
    - LP: #1052499
  * SAUCE: ext4: fix crash when accessing /proc/mounts concurrently
    - LP: #1053019
  * SAUCE: ALSA: hda/realtek - Fix detection of ALC271X codec
    - LP: #1006690

  [ Kyle Fazzari ]

  * SAUCE: input: Cypress PS/2 Trackpad fix disabling tap-to-click
    - LP: #1048816

  [ Leann Ogasawara ]

  * [Config] Disable CONFIG_DRM_AST
    - LP: #1053290

  [ Stefan Bader ]

  * [Config] Disable the Cirrus QEMU drm driver
    - LP: #1038055

  [ Upstream Kernel Changes ]

  * Revert "KVM: VMX: Fix KVM_SET_SREGS with big real mode segments"
    - LP: #1045027
  * x86, efi: Handover Protocol
  * drm/i915: HDMI - Clear Audio Enable bit for Hot Plug
    - LP: #1056729
  * UBUNTU SAUCE: apparmor: fix IRQ stack overflow
    - LP: #1056078
  * drm/nouveau: fix booting with plymouth + dumb support
    - LP: #1043518
  * ALSA: hda - Add DeviceID for Haswell HDA
    - LP: #1057698
  * ALSA: hda - add Haswell HDMI codec id
    - LP: #1057698
  * ALSA: hda - Fix driver type of Haswell controller to AZX_DRIVER_SCH
    - LP: #1057698
  * ALSA: hda_intel: Add Device IDs for Intel Lynx Point-LP PCH
    - LP: #1011438, #1057698

  [ Wang Xingchao ]

  * SAUCE: ALSA: hda - Add another pci id for Haswell board
    - LP: #1057698

  [ Wen-chien Jesse Sung ]

  * SAUCE: drm/i915: Explicitly disable RC6 for certain models
    - LP: #1002170, #1008867
 -- Leann Ogasawara <email address hidden> Thu, 27 Sep 2012 13:55:52 -0700

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Oneiric):
status: Confirmed → Fix Committed
assignee: nobody → Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Lucid):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → Fix Committed
Chris J Arges (arges) wrote :

I have verified this does fix the issue in Precise.

tags: added: verification-done-precise
removed: verification-needed-precise
Adam Conrad (adconrad) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-32.51

---------------
linux (3.2.0-32.51) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1056036

  [ Keng-Yu Lin ]

  * SAUCE: Intel xhci: Only switch the switchable ports
    - LP: #1034814

  [ Kyle Fazzari ]

  * SAUCE: input: Cypress PS/2 Trackpad fix disabling tap-to-click
    - LP: #1048816

  [ Seth Forshee ]

  * SAUCE: Input: synaptics - Adjust threshold for treating position values
    as negative
    - LP: #1046512

  [ Stefan Bader ]

  * Revert "SAUCE: Force xsave off on older Xen hypervisors"
    - LP: #1044550

  [ Upstream Kernel Changes ]

  * Revert "HID: wiimote: fix invalid power_supply_powers call"
    - LP: #1048605
  * Revert "drm/radeon: fix bo creation retry path"
    - LP: #1049899
  * HID: wiimote: fix invalid power_supply_powers call
    - LP: #1048605
  * HID: add ASUS AIO keyboard model AK1D
    - LP: #1027789, #1049899
  * nfs: tear down caches in nfs_init_writepagecache when allocation fails
    - LP: #1049899
  * NFS: Use kcalloc() when allocating arrays
    - LP: #1049899
  * NFSv4.1 fix page number calculation bug for filelayout decode buffers
    - LP: #1049899
  * fix page number calculation bug for block layout decode buffer
    - LP: #1049899
  * pnfs: defer release of pages in layoutget
    - LP: #1049899
  * ext4: avoid kmemcheck complaint from reading uninitialized memory
    - LP: #1049899
  * fuse: verify all ioctl retry iov elements
    - LP: #1049899
  * Bluetooth: Fix legacy pairing with some devices
    - LP: #1049899
  * xhci: Increase reset timeout for Renesas 720201 host.
    - LP: #1049899
  * xhci: Add Etron XHCI_TRUST_TX_LENGTH quirk.
    - LP: #1049899
  * USB: ftdi_sio: Add VID/PID for Kondo Serial USB
    - LP: #1049899
  * USB: option: Add Vodafone/Huawei K5005 support
    - LP: #1049899
  * USB: add USB_VENDOR_AND_INTERFACE_INFO() macro
    - LP: #1049899
  * USB: support the new interfaces of Huawei Data Card devices in option
    driver
    - LP: #1049899
  * usb: serial: mos7840: Fixup mos7840_chars_in_buffer()
    - LP: #1049899
  * usb: gadget: u_ether: fix kworker 100% CPU issue with still used
    interfaces in eth_stop
    - LP: #1049899
  * ARM: 7483/1: vfp: only advertise VFPv4 in hwcaps if CONFIG_VFPv3 is
    enabled
    - LP: #1049899
  * ARM: 7488/1: mm: use 5 bits for swapfile type encoding
    - LP: #1049899
  * ARM: 7489/1: errata: fix workaround for erratum #720789 on UP systems
    - LP: #1049899
  * drm/i915: ignore eDP bpc settings from vbt
    - LP: #1049899
  * ALSA: hda - fix Copyright debug message
    - LP: #1049899
  * sched: fix divide by zero at {thread_group,task}_times
    - LP: #1049899
  * ath9k: fix decrypt_error initialization in ath_rx_tasklet()
    - LP: #1049899
  * drm/nvd0/disp: mask off high 16 bit of negative cursor x-coordinate
    - LP: #1049899
  * drm/i915: reorder edp disabling to fix ivb MacBook Air
    - LP: #1049899
  * audit: don't free_chunk() after fsnotify_add_mark()
    - LP: #1049899
  * audit: fix refcounting in audit-tree
    - LP: #1049899
  * vfs: canonicalize create mode in build_open_flags()
    - LP: #1049899
  * PCI: EHCI: Fix crash d...

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Lucid in -proposed solves the problem (2.6.32-45.99). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lucid' to 'verification-done-lucid'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-lucid
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel for Oneiric in -proposed solves the problem (3.0.0-27.44). Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-oneiric' to 'verification-done-oneiric'.

If verification is not done by one week from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-oneiric
Tim Gardner (timg-tpi) wrote :

Marking verified in Lucid and Oneiric. This bug has been well tested by PES as well as upstream.

tags: added: verification-done-lucid verification-done-oneiric
removed: verification-needed-lucid verification-needed-oneiric
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-45.99

---------------
linux (2.6.32-45.99) lucid-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1067331

  [ Tim Gardner ]

  * SAUCE: omnibook: Expose PWD for standalone builds
    - LP: #505420

  [ Upstream Kernel Changes ]

  * Revert "xfs: Fix possible memory corruption in xfs_readlink,
    CVE-2011-4077"
    - LP: #1064480
  * UBUNTU SAUCE: apparmor: fix IRQ stack overflow
    - LP: #1056078
  * net/9p: fix virtio transport to correctly update status on connect
    - LP: #676823
  * 9p: Fix the kernel crash on a failed mount
    - LP: #676823
  * netxen: support for GbE port settings
    - LP: #1064480
  * Fix sparc build with newer tools.
    - LP: #1064480
  * powerpc/pmac: Fix SMP kernels on pre-core99 UP machines
    - LP: #1064480
  * Bluetooth: btusb: fix bInterval for high/super speed isochronous
    endpoints
    - LP: #1064480
  * fix pgd_lock deadlock
    - LP: #1064480
  * futex: Fix uninterruptible loop due to gate_area
    - LP: #1064480
  * time: Improve sanity checking of timekeeping inputs
    - LP: #1064480
  * time: Avoid making adjustments if we haven't accumulated anything
    - LP: #1064480
  * time: Move ktime_t overflow checking into timespec_valid_strict
    - LP: #1064480
  * drm/i915: Attempt to fix watermark setup on 85x (v2)
    - LP: #1064480
  * ioat2: kill pending flag
    - LP: #1064480
  * usb: Fix deadlock in hid_reset when Dell iDRAC is reset
    - LP: #1064480
  * oprofile: use KM_NMI slot for kmap_atomic
    - LP: #1064480
  * tty_audit: fix tty_audit_add_data live lock on audit disabled
    - LP: #1064480
  * bonding: 802.3ad - fix agg_device_up
    - LP: #1064480
  * usbnet: increase URB reference count before usb_unlink_urb
    - LP: #1064480
  * usbnet: don't clear urb->dev in tx_complete
    - LP: #1064480
  * sched: Fix signed unsigned comparison in check_preempt_tick()
    - LP: #1064480
  * x86/PCI: amd: factor out MMCONFIG discovery
    - LP: #1064480
  * PNP: fix "work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB"
    - LP: #1064480
  * KVM: x86: disallow multiple KVM_CREATE_IRQCHIP
    - LP: #1064480
  * KVM: ia64: fix build due to typo
    - LP: #1064480
  * xfs: Fix possible memory corruption in xfs_readlink
    - LP: #1064480
  * xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink()
    - LP: #1064480
  * dl2k: use standard #defines from mii.h.
    - LP: #1064480
  * tcp: Don't change unlocked socket state in tcp_v4_err().
    - LP: #1064480
  * x86: Derandom delay_tsc for 64 bit
    - LP: #1064480
  * ipsec: be careful of non existing mac headers
    - LP: #1064480
  * block, sx8: fix pointer math issue getting fw version
    - LP: #1064480
  * nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
    - LP: #1064480
  * USB: ftdi_sio: fix problem when the manufacture is a NULL string
    - LP: #1064480
  * ntp: Fix integer overflow when setting time
    - LP: #1064480
  * SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()
    - LP: #1064480
  * ext4: check for zero length extent
    - LP: #1064480
  * xfs: Fix oops on IO error during xlog_recover_pr...

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.0.0-27.44

---------------
linux (3.0.0-27.44) oneiric-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1067266

  [ James M Leddy ]

  * SAUCE: input: fix weird issue of synaptics psmouse sync lost after
    resume
    - LP: #717970

  [ Upstream Kernel Changes ]

  * UBUNTU SAUCE: apparmor: fix IRQ stack overflow
    - LP: #1056078
  * net_sched: gact: Fix potential panic in tcf_gact().
    - LP: #1060430
  * isdnloop: fix and simplify isdnloop_init()
    - LP: #1060430
  * net/core: Fix potential memory leak in dev_set_alias()
    - LP: #1060430
  * af_packet: remove BUG statement in tpacket_destruct_skb
    - LP: #1060430
  * ipv6: addrconf: Avoid calling netdevice notifiers with RCU read-side
    lock
    - LP: #1060430
  * atm: fix info leak in getsockopt(SO_ATMPVC)
    - LP: #1060430
  * atm: fix info leak via getsockname()
    - LP: #1060430
  * Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
    - LP: #1060430
  * Bluetooth: HCI - Fix info leak via getsockname()
    - LP: #1060430
  * Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
    - LP: #1060430
  * Bluetooth: RFCOMM - Fix info leak via getsockname()
    - LP: #1060430
  * Bluetooth: L2CAP - Fix info leak via getsockname()
    - LP: #1060430
  * llc: fix info leak via getsockname()
    - LP: #1060430
  * dccp: fix info leak via getsockopt(DCCP_SOCKOPT_CCID_TX_INFO)
    - LP: #1060430
  * ipvs: fix info leak in getsockopt(IP_VS_SO_GET_TIMEOUT)
    - LP: #1060430
  * net: fix info leak in compat dev_ifconf()
    - LP: #1060430
  * netlink: fix possible spoofing from non-root processes
    - LP: #1060430
  * l2tp: avoid to use synchronize_rcu in tunnel free function
    - LP: #1060430
  * net: ipv4: ipmr_expire_timer causes crash when removing net namespace
    - LP: #1060430
  * workqueue: reimplement work_on_cpu() using system_wq
    - LP: #1060430
  * cpufreq/powernow-k8: workqueue user shouldn't migrate the kworker to
    another CPU
    - LP: #1060430
  * cciss: fix handling of protocol error
    - LP: #1060430
  * vfs: make O_PATH file descriptors usable for 'fstat()'
    - LP: #1060430
  * vfs: dcache: use DCACHE_DENTRY_KILLED instead of DCACHE_DISCONNECTED in
    d_kill()
    - LP: #1060430
  * netconsole: remove a redundant netconsole_target_put()
    - LP: #1060430
  * target: Fix ->data_length re-assignment bug with SCSI overflow
    - LP: #1060430
  * ALSA: ice1724: Use linear scale for AK4396 volume control.
    - LP: #1060430
  * Staging: speakup: fix an improperly-declared variable.
    - LP: #1060430
  * staging: vt6656: [BUG] - Failed connection, incorrect endian.
    - LP: #1060430
  * staging: r8712u: fix bug in r8712_recv_indicatepkt()
    - LP: #1060430
  * staging: comedi: das08: Correct AO output for das08jr-16-ao
    - LP: #1060430
  * USB: option: replace ZTE K5006-Z entry with vendor class rule
    - LP: #1060430
  * perf_event: Switch to internal refcount, fix race with close()
    - LP: #1060430
  * mmc: mxs-mmc: fix deadlock in SDIO IRQ case
    - LP: #1060430
  * mmc: sdhci-esdhc: break out early if clock is 0
    - LP: #1060430
  * ahci: Add alternate ident...

Changed in linux (Ubuntu Oneiric):
status: Fix Committed → Fix Released