[Kernel-packages] [Bug 1856949] Re: cifs: kernel NULL pointer dereference, address: 0000000000000038

Juerg Haefliger Wed, 18 Dec 2019 23:12:15 -0800

** Description changed:

-     [598428.945633] BUG: kernel NULL pointer dereference, address: 
0000000000000038
-     ...
-     [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
-     [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
-     ...
-     [598428.945834] Call Trace:
-     [598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
-     [598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
-     [598428.945909]  process_one_work+0x1db/0x380
-     [598428.945914]  worker_thread+0x4d/0x400
-     [598428.945921]  kthread+0x104/0x140
-     [598428.945925]  ? process_one_work+0x380/0x380
-     [598428.945931]  ? kthread_park+0x80/0x80
-     [598428.945937]  ret_from_fork+0x35/0x40
+ [Impact]
+ 
+ Currently when the client creates a cifsFileInfo structure for
+ a newly opened file, it allocates a list of byte-range locks
+ with a pointer to the new cfile and attaches this list to the
+ inode's lock list. The latter happens before initializing all
+ other fields, e.g. cfile->tlink. Thus a partially initialized
+ cifsFileInfo structure becomes available to other threads that
+ walk through the inode's lock list. One example of such a thread
+ may be an oplock break worker thread that tries to push all
+ cached byte-range locks. This causes NULL-pointer dereference
+ in smb2_push_mandatory_locks() when accessing cfile->tlink:
+ 
+ [598428.945633] BUG: kernel NULL pointer dereference, address: 
0000000000000038
+ ...
+ [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
+ [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
+ ...
+ [598428.945834] Call Trace:
+ [598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
+ [598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
+ [598428.945909]  process_one_work+0x1db/0x380
+ [598428.945914]  worker_thread+0x4d/0x400
+ [598428.945921]  kthread+0x104/0x140
+ [598428.945925]  ? process_one_work+0x380/0x380
+ [598428.945931]  ? kthread_park+0x80/0x80
+ [598428.945937]  ret_from_fork+0x35/0x40
+ 
+ 
+ [Test Case]
+ 
+ TBD.
+ 
+ 
+ [Fix]
+ 
+ Backport commit 6f582b273ec23332074d970a7fb25bef835df71f ("CIFS: Fix
+ NULL-pointer dereference in smb2_push_mandatory_locks")
+ 
+ [Regression Potential]
+ 
+ Low. The patch is fairly simple and it's tagged for stable kernels. In
+ fact it is already in some of the released upstream stable kernels.


** No longer affects: linux (Ubuntu Focal)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1856949

Title:
  cifs: kernel NULL pointer dereference, address: 0000000000000038

Status in linux package in Ubuntu:
  Incomplete
Status in linux source package in Xenial:
  Incomplete
Status in linux source package in Bionic:
  Incomplete
Status in linux source package in Disco:
  Incomplete
Status in linux source package in Eoan:
  Incomplete

Bug description:
  [Impact]

  Currently when the client creates a cifsFileInfo structure for
  a newly opened file, it allocates a list of byte-range locks
  with a pointer to the new cfile and attaches this list to the
  inode's lock list. The latter happens before initializing all
  other fields, e.g. cfile->tlink. Thus a partially initialized
  cifsFileInfo structure becomes available to other threads that
  walk through the inode's lock list. One example of such a thread
  may be an oplock break worker thread that tries to push all
  cached byte-range locks. This causes NULL-pointer dereference
  in smb2_push_mandatory_locks() when accessing cfile->tlink:

  [598428.945633] BUG: kernel NULL pointer dereference, address: 
0000000000000038
  ...
  [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
  [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
  ...
  [598428.945834] Call Trace:
  [598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
  [598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
  [598428.945909]  process_one_work+0x1db/0x380
  [598428.945914]  worker_thread+0x4d/0x400
  [598428.945921]  kthread+0x104/0x140
  [598428.945925]  ? process_one_work+0x380/0x380
  [598428.945931]  ? kthread_park+0x80/0x80
  [598428.945937]  ret_from_fork+0x35/0x40

  
  [Test Case]

  TBD.

  
  [Fix]

  Backport commit 6f582b273ec23332074d970a7fb25bef835df71f ("CIFS: Fix
  NULL-pointer dereference in smb2_push_mandatory_locks")

  [Regression Potential]

  Low. The patch is fairly simple and it's tagged for stable kernels. In
  fact it is already in some of the released upstream stable kernels.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1856949/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

[Kernel-packages] [Bug 1856949] Re: cifs: kernel NULL pointer dereference, address: 0000000000000038

Reply via email to