New variant of kernel bug appeared in both 4.18.0-17 (package manager)
and in 4.15.0-48 (provided by @kaihengfeng). System didn't crash
(compared to "buffer overflow in strcat" where cifs can't recover). Have
seen this one twice, both within 3-7 hours after reboot.


Apr 22 17:28:23  Linux version 4.15.0-48-generic (root@bionic) (gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)) #51~lp1824981 SMP Thu Apr 18 17:30:16 UTC 2019 (Ubuntu 4.15. .18)
[...]            
Apr 22 23:40:47  BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Apr 22 23:40:47  IP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47  PGD 0 P4D 0
Apr 22 23:40:47  Oops: 0000 [#1] SMP PTI
Apr 22 23:40:47  Modules linked in: [...]
Apr 22 23:40:47  CPU: 78 PID: 44260 Comm: kworker/78:1 Not tainted 4.15.0-48-generic #51~lp1824981
Apr 22 23:40:47  Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 1.3.7 02/08/2018
Apr 22 23:40:47  Workqueue: cifsoplockd cifs_oplock_break [cifs]
Apr 22 23:40:47  RIP: 0010:smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47  RSP: 0018:ffffa779e81f7de0 EFLAGS: 00010246
Apr 22 23:40:47  RAX: 0000000000000000 RBX: ffff9bddf145ab18 RCX: ffffdc6c8d3d0c00
Apr 22 23:40:47  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9baa0f430000
Apr 22 23:40:47  RBP: ffffa779e81f7e30 R08: 0000000000027f20 R09: ffffdc6c8d3d0c00
Apr 22 23:40:47  R10: 0000000000000002 R11: ffff9baa0f420000 R12: 0000000000000aaa
Apr 22 23:40:47  R13: ffff9bddf145ab18 R14: ffff9bddf145ab00 R15: ffff9bb9870e1e00
Apr 22 23:40:47  FS:  0000000000000000(0000) GS:ffff9bb6411c0000(0000) knlGS:0000000000000000
Apr 22 23:40:47  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 22 23:40:47  CR2: 0000000000000038 CR3: 0000004367a0a004 CR4: 00000000007606e0
Apr 22 23:40:47  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Apr 22 23:40:47  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Apr 22 23:40:47  PKRU: 55555554
Apr 22 23:40:47  Call Trace:
Apr 22 23:40:47   cifs_oplock_break+0x125/0x3f0 [cifs]
Apr 22 23:40:47   process_one_work+0x1de/0x410
Apr 22 23:40:47   worker_thread+0x32/0x410
Apr 22 23:40:47   kthread+0x121/0x140
Apr 22 23:40:47   ? process_one_work+0x410/0x410
Apr 22 23:40:47   ? kthread_create_worker_on_cpu+0x70/0x70
Apr 22 23:40:47   ret_from_fork+0x35/0x40
Apr 22 23:40:47  Code: [...]
Apr 22 23:40:47  RIP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs] RSP: ffffa779e81f7de0
Apr 22 23:40:47  CR2: 0000000000000038
Apr 22 23:40:47  ---[ end trace f5366d81972abce8 ]---
[full details see kernel.log attached]


# cat /proc/fs/cifs/Stats

Resources in use
CIFS Session: 1
Share (unique mount targets): 2
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0

0 session 0 share reconnects
Total vfs operations: 13063177 maximum at one time: 38

1) \\server\share
SMBs: 25616550
Negotiates: 0 sent 0 failed
SessionSetups: 0 sent 0 failed
Logoffs: 0 sent 0 failed
TreeConnects: 9916 sent 0 failed
TreeDisconnects: 0 sent 0 failed
Creates: 0 sent 151514 failed
Closes: 0 sent 2 failed
Flushes: 0 sent 0 failed
Reads: 0 sent 0 failed
Writes: 0 sent 0 failed
Locks: 0 sent 0 failed
IOCTLs: 0 sent 0 failed
Cancels: 0 sent 0 failed
Echos: 0 sent 0 failed
QueryDirectories: 0 sent 1768 failed
ChangeNotifies: 0 sent 0 failed
QueryInfos: 0 sent 1 failed
SetInfos: 0 sent 0 failed
OplockBreaks: 0 sent 2324 failed


** Attachment added: "4.15.0-48.51~lp1824981-generic_kernel.log"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+attachment/5258116/+files/4.15.0-48.51~lp1824981-generic_kernel.log

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824981

Title:
  cifs set_oplock buffer overflow in strcat

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04.2 LTS
  Linux SRV013 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

  DELL R740, 2 CPU (40 Cores, 80 Threads), 384 GiB RAM

  top - 12:39:53 up  3:41,  4 users,  load average: 66.19, 64.06, 76.90
  Tasks: 1076 total,   1 running, 675 sleeping,  12 stopped,   1 zombie
  %Cpu(s): 28.2 us,  0.3 sy,  0.0 ni, 71.5 id,  0.0 wa,  0.0 hi,  0.1 si,  0.0 st
  KiB Mem : 39483801+total, 24077185+free, 57428284 used, 96637872 buff/cache
  KiB Swap:   999420 total,   999420 free,        0 used. 33477683+avail Mem


  We've seen the following bug many times since we introduced new
  machines running Ubuntu 18. It wasn't an issue on older machines running
  Ubuntu 16. Three different machines are affected, so it's rather not a
  hardware issue.

  
  | detected buffer overflow in strcat
  | ------------[ cut here ]------------
  | kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
  | invalid opcode: 0000 [#1] SMP PTI
  | Modules linked in: [...]
  | Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
  | RIP: 0010:fortify_panic+0x13/0x22
  |  [...]
  | Call Trace:
  |  smb21_set_oplock_level+0x147/0x1a0 [cifs]
  |  smb3_set_oplock_level+0x22/0x90 [cifs]
  |  smb2_set_fid+0x76/0xb0 [cifs]
  |  cifs_new_fileinfo+0x259/0x390 [cifs]
  |  ? smb2_get_lease_key+0x40/0x40 [cifs]
  |  ? cifs_new_fileinfo+0x259/0x390 [cifs]
  |  cifs_open+0x3db/0x8d0 [cifs]
  |  [...]

  (Full dmesg output attached)

  After hitting this bug there are many cifs related dmesg entries,
  processes lock up and eventually the system freezes.

  
  The share is mounted using:
  //server/share  /mnt/server/ cifs defaults,auto,iocharset=utf8,noperm,file_mode=0777,dir_mode=0777,credentials=/root/passwords/share,domain=myDomain,uid=myUser,gid=10513,mfsymlinks

  Currently we're testing the cifs mount options "cache=none" as the bug
  seems to be oplock related.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+subscriptions
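The two traces in this report are of different kinds: a page fault at a small address (CR2 = 0x38) inside smb2_push_mandatory_locks, which the kernel handled as an Oops and the system survived, and a fortify_panic BUG() fired from smb21_set_oplock_level when FORTIFY_SOURCE caught the strcat overflow. When triaging a stream of kern.log files it helps to pull those facts out mechanically: the faulting symbol and its offset, the fault address (a small one is a NULL pointer plus a struct field offset, 0x38 here), the workqueue or task context, and the innermost frame in the module of interest. The script below is an added example for that triage; it is not code from the bug report, from Ubuntu or from the kernel tree. The sample traces are copied from this report with some lines omitted, and the 4 KiB "NULL page" threshold is an assumption.

```python
"""Triage helper for kernel Oops/BUG text (added example, not from the
bug report or the kernel tree).  Reads dmesg/kern.log style lines, strips
an optional syslog timestamp, and extracts the faulting RIP, fault
address, task/workqueue context and call trace, then classifies the
failure.  NULL_PAGE_LIMIT is an assumed threshold: faults below the first
4 KiB page are treated as NULL pointer + field offset."""
import re

NULL_PAGE_LIMIT = 0x1000  # assumption: x86-64 page size

# Kernel formats: "Mon DD HH:MM:SS  " syslog prefix, "sym+0xoff/0xsize [module]" frames.
SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]+\s+")
FRAME = re.compile(
    r"^(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x(?P<off>[0-9a-f]+)"
    r"/0x(?P<size>[0-9a-f]+)(?: \[(?P<mod>\w+)\])?$"
)
RIP = re.compile(r"\bRIP: (?:[0-9a-f]{4}:)?(.+)$")

# Sample input, copied from the report (some lines omitted).
OOPS_NULL = """\
Apr 22 23:40:47  BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Apr 22 23:40:47  IP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47  Oops: 0000 [#1] SMP PTI
Apr 22 23:40:47  CPU: 78 PID: 44260 Comm: kworker/78:1 Not tainted 4.15.0-48-generic #51~lp1824981
Apr 22 23:40:47  Workqueue: cifsoplockd cifs_oplock_break [cifs]
Apr 22 23:40:47  RIP: 0010:smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47  CR2: 0000000000000038 CR3: 0000004367a0a004 CR4: 00000000007606e0
Apr 22 23:40:47  Call Trace:
Apr 22 23:40:47   cifs_oplock_break+0x125/0x3f0 [cifs]
Apr 22 23:40:47   process_one_work+0x1de/0x410
Apr 22 23:40:47   worker_thread+0x32/0x410
Apr 22 23:40:47   ? process_one_work+0x410/0x410
Apr 22 23:40:47   ret_from_fork+0x35/0x40
Apr 22 23:40:47  ---[ end trace f5366d81972abce8 ]---
"""
OOPS_FORTIFY = """\
detected buffer overflow in strcat
------------[ cut here ]------------
kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x22
Call Trace:
 smb21_set_oplock_level+0x147/0x1a0 [cifs]
 smb3_set_oplock_level+0x22/0x90 [cifs]
 smb2_set_fid+0x76/0xb0 [cifs]
 cifs_new_fileinfo+0x259/0x390 [cifs]
 ? smb2_get_lease_key+0x40/0x40 [cifs]
 cifs_open+0x3db/0x8d0 [cifs]
"""


def parse_oops(text):
    """Return a dict describing one Oops/BUG block."""
    info = {"fault_addr": None, "rip": None, "bug_at": None, "fortify_fn": None,
            "comm": None, "workqueue": None, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = SYSLOG_PREFIX.sub("", raw).strip()
        if in_trace:
            m = FRAME.match(line)
            if m:  # (symbol, module, unreliable) -- "? " frames are stale stack slots
                info["trace"].append((m["sym"], m["mod"], m["unreliable"] is not None))
                continue
            in_trace = False  # first non-frame line ends the trace
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        m = re.search(r"NULL pointer dereference at ([0-9a-f]+)", line)
        if m:
            info["fault_addr"] = int(m.group(1), 16)
        m = re.search(r"\bCR2: ([0-9a-f]+)", line)
        if m and info["fault_addr"] is None:
            info["fault_addr"] = int(m.group(1), 16)
        m = re.search(r"kernel BUG at (\S+)!", line)
        if m:
            info["bug_at"] = m.group(1)
        m = re.search(r"detected buffer overflow in (\w+)", line)
        if m:
            info["fortify_fn"] = m.group(1)
        m = re.search(r"\bComm: (\S+)", line)
        if m:
            info["comm"] = m.group(1)
        m = re.search(r"\bWorkqueue: (\S+) (\S+)", line)
        if m:
            info["workqueue"] = (m.group(1), m.group(2))
        m = RIP.search(line)
        if m and info["rip"] is None:  # the trailing "RIP: ... RSP: ..." repeat is ignored
            f = FRAME.match(m.group(1).split(" RSP:")[0].strip())
            if f:
                info["rip"] = (f["sym"], f["mod"], int(f["off"], 16), int(f["size"], 16))
    return info


def classify(info):
    """fortify-overflow: FORTIFY_SOURCE BUG(); null-deref: fault inside the NULL page."""
    if info["fortify_fn"]:
        return "fortify-overflow"
    if info["fault_addr"] is not None and info["fault_addr"] < NULL_PAGE_LIMIT:
        return "null-deref"
    return "bug-on" if info["bug_at"] else "unknown"


def first_module_frame(info, module="cifs"):
    """Innermost reliable frame in `module`: the RIP if it is there, else the trace."""
    if info["rip"] and info["rip"][1] == module:
        return info["rip"][0]
    for sym, mod, unreliable in info["trace"]:
        if mod == module and not unreliable:
            return sym
    return None


if __name__ == "__main__":
    for text in (OOPS_NULL, OOPS_FORTIFY):
        i = parse_oops(text)
        print(classify(i), hex(i["fault_addr"] or 0), first_module_frame(i), i["workqueue"])
```

The NULL-page threshold is what distinguishes "a field of a NULL struct pointer" (offset 0x38 here) from a wild pointer into unmapped memory; the "? " marker on a frame means the unwinder found a stale return address on the stack, so it is skipped when picking the innermost cifs frame.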
