[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
So far so good. No crashes since upgrade.

nuc:~$ uname -a
Linux nuc 5.0.0-25-generic #26~18.04.1-Ubuntu SMP Thu Aug 1 13:51:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nuc:~$ uptime
 11:40:24 up 22:12,  2 users,  load average: 6,64, 6,65, 6,48
pagraher@nuc:~$

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824981

Title:
  cifs set_oplock buffer overflow in strcat

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Cosmic:
  Won't Fix
Status in linux source package in Disco:
  Fix Released
Status in linux source package in Eoan:
  Fix Released

Bug description:
  [Impact]

  * We got reports of a kernel crash in the cifs module with the following
  signature:

  detected buffer overflow in strcat
  kernel BUG at <...>/lib/string.c:1052!
  invalid opcode: [#1] SMP PTI
  RIP: 0010:fortify_panic+0x13/0x1f
  Call Trace:
   smb21_set_oplock_level+0xde/0x190 [cifs]
   smb3_set_oplock_level+0x22/0x90 [cifs]
   smb2_set_fid+0x76/0xb0 [cifs]
   cifs_new_fileinfo+0x268/0x3c0 [cifs]
   ? smb2_get_lease_key+0x40/0x40 [cifs]
   ? cifs_new_fileinfo+0x268/0x3c0 [cifs]
   cifs_open+0x57c/0x8d0 [cifs]
   do_dentry_open+0x1fe/0x320
   [...]

  * By analyzing the code of smb21_set_oplock_level(), we've noticed the
  only way the fortify function strcat() would overflow was if the value of
  cinode->oplock got corrupted in another thread, leading to a buffer write
  bigger than the buffer size. In this function, the 'message' buffer writes
  are governed by cinode->oplock, so only a different thread clearing the
  oplock value would lead to a 'message' overflow.

  * At the same time we worked on this analysis, a fix was proposed upstream
  for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat
  buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the
  same reporter of this LP. The fix is simple and directly addresses this
  problem, so we hereby request its SRU into the Bionic kernel - it's
  already present in the linux stable branches.

  [Test case]

  * Unfortunately we cannot reproduce the issue. The patch proposed here was
  validated by us with xfstests (instructions followed from
  https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.

  * Using xfstests with the exclusions proposed in the link above we managed
  to get the same results as a non-patched kernel, i.e., the same tests
  failed in both kernels; we didn't get worse results with the patch. Fio
  also didn't show a noticeable performance regression with the patch.

  [Regression potential]

  * The patch was validated by the cifs filesystem maintainers and by the
  aforementioned tests; also, the scope is restricted to cifs only, so the
  likelihood of regressions is considered low. The commit introduces no
  functional changes and the only affected path was just refactored in a way
  that prevents the overflow and reduces the race potential.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
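The race the [Impact] analysis above describes, as an added illustration in C that is not the kernel's code and not part of this bug report: when the flags are accumulated in a shared oplock field and the final "no lease" decision re-reads that field, a concurrent clear turns a three-character message into "RHW" plus "None" and trips the fortified strcat; the hardened form builds the new value in a local and publishes it once. The lease/flag constants, struct and function names are constructed placeholders, a callback stands in for the second thread, and checked_strcat() models the FORTIFY check by returning -1 where the kernel would BUG().

```c
#include <stdio.h>
#include <string.h>

/* Lease bits from the server and cached-state flags kept per inode. The
 * values are constructed placeholders, not the kernel's fs/cifs definitions. */
#define LEASE_READ_CACHING   0x01
#define LEASE_HANDLE_CACHING 0x02
#define LEASE_WRITE_CACHING  0x04
#define CACHE_READ_FLG       0x1
#define CACHE_HANDLE_FLG     0x2
#define CACHE_WRITE_FLG      0x4

/* Stand-in for the per-inode structure: only the shared field matters. */
struct inode_info {
    unsigned int oplock;
};

/* Hook standing in for a second thread touching the same inode. */
typedef void (*interleave_fn)(struct inode_info *);

static const struct { unsigned int lease, flag; const char *tag; } lease_bits[] = {
    { LEASE_READ_CACHING,   CACHE_READ_FLG,   "R" },
    { LEASE_HANDLE_CACHING, CACHE_HANDLE_FLG, "H" },
    { LEASE_WRITE_CACHING,  CACHE_WRITE_FLG,  "W" },
};

/* Model of a FORTIFY_SOURCE-checked strcat: where the kernel would call
 * fortify_panic() and BUG(), this returns -1 and leaves dst untouched. */
static int checked_strcat(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    if (used + strlen(src) + 1 > dst_size)
        return -1;            /* "detected buffer overflow in strcat" */
    memcpy(dst + used, src, strlen(src) + 1);
    return 0;
}

/* Racy pattern: flags accumulate directly in the shared field and the final
 * "no lease" check re-reads it. If the other thread clears cinode->oplock in
 * between, message gets "RHW" and then "None": 7 chars + NUL in 5 bytes. */
static int set_oplock_racy(struct inode_info *cinode, unsigned int lease,
                           interleave_fn other_thread, char *out, size_t out_size)
{
    char message[5] = {0};
    cinode->oplock = 0;
    for (size_t i = 0; i < 3; i++) {
        if (!(lease & lease_bits[i].lease))
            continue;
        cinode->oplock |= lease_bits[i].flag;
        if (checked_strcat(message, sizeof message, lease_bits[i].tag))
            return -1;
    }
    if (other_thread)
        other_thread(cinode);   /* the interleaving the bug report describes */
    if (!cinode->oplock && checked_strcat(message, sizeof message, "None"))
        return -1;
    snprintf(out, out_size, "%s", message);
    return 0;
}

/* Hardened pattern: build the new value in a local, derive the log text from
 * that local only, and publish the shared field once at the end. The other
 * thread can still race the store, but it no longer decides what is written. */
static int set_oplock_fixed(struct inode_info *cinode, unsigned int lease,
                            interleave_fn other_thread, char *out, size_t out_size)
{
    char message[5] = {0};
    unsigned int new_oplock = 0;
    for (size_t i = 0; i < 3; i++) {
        if (!(lease & lease_bits[i].lease))
            continue;
        new_oplock |= lease_bits[i].flag;
        if (checked_strcat(message, sizeof message, lease_bits[i].tag))
            return -1;
    }
    if (other_thread)
        other_thread(cinode);   /* same interleaving, now harmless for message */
    if (!new_oplock)
        snprintf(message, sizeof message, "None");
    cinode->oplock = new_oplock;
    snprintf(out, out_size, "%s", message);
    return 0;
}

/* The concurrent clear from the bug report: another CPU drops the oplock. */
static void clear_oplock(struct inode_info *cinode)
{
    cinode->oplock = 0;
}

int main(void)
{
    struct inode_info ci = {0};
    unsigned int all = LEASE_READ_CACHING | LEASE_HANDLE_CACHING | LEASE_WRITE_CACHING;
    char msg[8];
    printf("racy,  with race: rc=%d\n", set_oplock_racy(&ci, all, clear_oplock, msg, sizeof msg));
    printf("fixed, with race: rc=%d message=%s\n",
           set_oplock_fixed(&ci, all, clear_oplock, msg, sizeof msg), msg);
    return 0;
}
```

Even a single granted flag is enough to overflow once the clear lands before the "None" check ("R" + "None" is six bytes), which is why the page's analysis points at the other thread rather than at any particular lease combination.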
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
This bug was fixed in the package linux - 5.0.0-25.26

---------------
linux (5.0.0-25.26) disco; urgency=medium

  * CVE-2019-1125
    - x86/cpufeatures: Carve out CQM features retrieval
    - x86/cpufeatures: Combine word 11 and 12 into a new scattered features word
    - x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
    - x86/speculation: Enable Spectre v1 swapgs mitigations
    - x86/entry/64: Use JMP instead of JMPQ
    - x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS

 -- Kleber Sacilotto de Souza  Thu, 01 Aug 2019 12:04:35 +0200

** Changed in: linux (Ubuntu Disco)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-1125
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Hi @granjerox, thanks for your report! Let us know how the test with
-proposed goes. And thanks Kleber for the comment/advice here!

@connork, I've filed a new LP with the bug I've found, thanks for the
attention: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1839849

Cheers,

Guilherme
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Thanks @Kleber. I've just done it. I'll report any issue.
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Hi @granjerox,

The fix for this bug is available in Bionic linux-hwe-18.04 version
5.0.0-25.26, which is currently in -proposed. This package is scheduled to
be published in -updates soon (during the next few days).

In the meantime, the fixed kernel can be installed by enabling the -proposed
pocket, as described in comment #24.
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
My server was pretty unstable until I installed the latest mainline kernel
5.2.8-050208-generic and now it seems to work fine. The problems started
when I changed from kernel linux-image-unsigned-4.18.12-041812-generic to
linux-image-generic-hwe-18.04 (5.0.0.23.80).
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
I've just faced this crash.

Up to date:

me@nuc:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.3 LTS
Release:        18.04
Codename:       bionic

Aug 10 16:14:47 nuc kernel: [12755.073641] detected buffer overflow in strcat
Aug 10 16:14:47 nuc kernel: [12755.073660] [ cut here ]
Aug 10 16:14:47 nuc kernel: [12755.073662] kernel BUG at /build/linux-hwe-zHO4ZF/linux-hwe-5.0.0/lib/string.c:1073!
Aug 10 16:14:47 nuc kernel: [12755.073669] invalid opcode: [#1] SMP PTI
Aug 10 16:14:47 nuc kernel: [12755.073673] CPU: 1 PID: 3135 Comm: deluged Not tainted 5.0.0-23-generic #24~18.04.1-Ubuntu
Aug 10 16:14:47 nuc kernel: [12755.073675] Hardware name: /D54250WYK, BIOS WYLPT10H.86A.0047.2018.0303.1725 03/03/2018
Aug 10 16:14:47 nuc kernel: [12755.073682] RIP: 0010:fortify_panic+0x13/0x22
Aug 10 16:14:47 nuc kernel: [12755.073685] Code: 4c 89 e2 e8 b1 98 00 00 42 c6 04 20 00 48 89 d8 5b 41 5c 5d c3 0f 0b 55 48 89 fe 48 c7 c7 20 38 fb 86 48 89 e5 e8 72 5c 6e ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 55 31 c9 48 89 fa 48
Aug 10 16:14:47 nuc kernel: [12755.073687] RSP: :b17381e779e0 EFLAGS: 00010282
Aug 10 16:14:47 nuc kernel: [12755.073690] RAX: 0022 RBX: RCX:
Aug 10 16:14:47 nuc kernel: [12755.073692] RDX: RSI: 973e5b896448 RDI: 973e5b896448
Aug 10 16:14:47 nuc kernel: [12755.073694] RBP: b17381e779e0 R08: 033e R09: 8776f698
Aug 10 16:14:47 nuc kernel: [12755.073696] R10: b17381e77a90 R11: b17381e77850 R12: 973dd6d15db0
Aug 10 16:14:47 nuc kernel: [12755.073698] R13: d33f5410 R14: R15: 973dd0dac200
Aug 10 16:14:47 nuc kernel: [12755.073701] FS: 7ff3b0fd1700() GS:973e5b88() knlGS:
Aug 10 16:14:47 nuc kernel: [12755.073703] CS: 0010 DS: ES: CR0: 80050033
Aug 10 16:14:47 nuc kernel: [12755.073705] CR2: 7ff3ad44f000 CR3: 00011abf0003 CR4: 001606e0
Aug 10 16:14:47 nuc kernel: [12755.073707] Call Trace:
Aug 10 16:14:47 nuc kernel: [12755.073746]  smb21_set_oplock_level+0x147/0x1a0 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073778]  smb3_set_oplock_level+0x22/0x90 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073807]  smb2_set_fid+0x76/0xb0 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073834]  cifs_new_fileinfo+0x259/0x390 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073862]  ? smb2_close_file+0x20/0x20 [cifs]
Aug 10 16:14:47 nuc kernel: [12755.073887]  ? cifs_new_fileinfo+0x259/0x390 [cifs]
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Hi Guilherme,

Apologies if I missed it, but could you elaborate on the issues you're
experiencing with the Disco kernel that are preventing you from verifying
this fix? I saw in an earlier comment you were waiting for 5.0.0-24 but that
kernel should be available in -updates now.

Thanks,
Connor
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
You're very welcome Christoph, thanks for the patch!

I've verified that with Bionic, but I'm facing some non-related issues with
the Disco kernel (5.x).

Cheers,

Guilherme
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Hi Guilherme,

I haven't been able to verify the patch as we modified our computing pipeline to remove load from the cifs share. I might be able to create a test setup but this will take some time.

Thank you for your support to get the patch into the Ubuntu kernels. I subscribed to #1795659 as you recommended.

Cheers,
Christoph
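The [Impact] analysis in the bug description says the 'message' buffer in smb21_set_oplock_level() is only written under control of cinode->oplock, so the strcat() overflow needs a second thread clearing that field between the writes and the final check. Below is an added userspace model of that race and of the fix's approach. It is not part of this thread, not the kernel code, and not the diff of commit 6a54b2e002c9: struct model_inode, the LEASE_*/CACHE_* constants, checked_strcat(), clear_oplock() and set_oplock_before()/set_oplock_after() are stand-ins invented for the model, and the "after" variant reconstructs what the commit title describes (the overflow fixed and the raciness reduced) rather than reproducing the upstream patch. checked_strcat() plays the role of the CONFIG_FORTIFY_SOURCE check that produced the "detected buffer overflow in strcat" BUG.

```c
/* Userspace model of the smb21_set_oplock_level() race in this bug. Added
 * illustration, not kernel code: struct, flags and names are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lease bits from the server / per-inode cache flags (model values only). */
#define LEASE_READ   0x01
#define LEASE_HANDLE 0x02
#define LEASE_WRITE  0x04
#define CACHE_READ   0x01
#define CACHE_HANDLE 0x02
#define CACHE_WRITE  0x04

struct model_inode {
    unsigned int oplock;   /* shared; other threads may clear it at any time */
};

/* Test hook standing in for "another thread clears cinode->oplock" at the
 * worst moment: between the flag writes and the !oplock check. */
typedef void (*interleave_fn)(struct model_inode *);
static void clear_oplock(struct model_inode *c) { c->oplock = 0; }

/* Bounded strcat: refuses an append that would overrun dst instead of
 * corrupting memory; the check behind the kernel's fortify_panic(). */
static bool checked_strcat(char *dst, size_t dstsz, const char *src)
{
    if (strlen(dst) + strlen(src) + 1 > dstsz)
        return false;
    strcat(dst, src);
    return true;
}

/* Before the fix: flags go into the shared field one at a time and the "None"
 * check re-reads it; a clear in between yields "RHW"+"None" (7+NUL) in 5 bytes. */
static bool set_oplock_before(struct model_inode *cinode, unsigned int oplock,
                              interleave_fn race, char *out, size_t outsz)
{
    char message[5] = {0};
    bool ok = true;
    cinode->oplock = 0;
    if (oplock & LEASE_READ) {
        cinode->oplock |= CACHE_READ;
        ok = checked_strcat(message, sizeof message, "R") && ok;
    }
    if (oplock & LEASE_HANDLE) {
        cinode->oplock |= CACHE_HANDLE;
        ok = checked_strcat(message, sizeof message, "H") && ok;
    }
    if (oplock & LEASE_WRITE) {
        cinode->oplock |= CACHE_WRITE;
        ok = checked_strcat(message, sizeof message, "W") && ok;
    }
    if (race)
        race(cinode);          /* another thread clears the oplock here */
    if (!cinode->oplock)       /* now true although R/H/W were appended */
        ok = checked_strcat(message, sizeof message, "None") && ok;
    snprintf(out, outsz, "%s", message);
    return ok;
}

/* After the fix (approach of commit 6a54b2e002c9, reconstructed): one local,
 * one store, "None" decided from the local and copied, never appended. */
static bool set_oplock_after(struct model_inode *cinode, unsigned int oplock,
                             interleave_fn race, char *out, size_t outsz)
{
    char message[5] = {0};
    unsigned int new_oplock = 0;
    bool ok = true;
    if (oplock & LEASE_READ) {
        new_oplock |= CACHE_READ;
        ok = checked_strcat(message, sizeof message, "R") && ok;
    }
    if (oplock & LEASE_HANDLE) {
        new_oplock |= CACHE_HANDLE;
        ok = checked_strcat(message, sizeof message, "H") && ok;
    }
    if (oplock & LEASE_WRITE) {
        new_oplock |= CACHE_WRITE;
        ok = checked_strcat(message, sizeof message, "W") && ok;
    }
    cinode->oplock = new_oplock;   /* one write instead of up to four */
    if (race)
        race(cinode);              /* harmless: message depends on new_oplock */
    if (!new_oplock)
        strncpy(message, "None", sizeof message);
    snprintf(out, outsz, "%s", message);
    return ok;
}

int main(void)
{
    struct model_inode ino = {0};
    char msg[8];
    bool ok = set_oplock_before(&ino, LEASE_READ | LEASE_HANDLE | LEASE_WRITE,
                                clear_oplock, msg, sizeof msg);
    printf("before, with race: %s\n", ok ? msg : "OVERFLOW (fortify_panic)");
    return 0;
}
```

Build with `cc -Wall model.c` and run. Without the injected clear, the "before" variant behaves correctly and logs "RHW"; only with the interleaved clear does it try to append "None" and trip the bounds check. That matches the description's point that the crash needs a concurrent writer, which is why the reporters could not reproduce it on demand and fell back to xfstests and fio to validate the patch.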
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.

Thank you!

** Tags added: verification-needed-xenial
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
I've validated the -proposed kernel for Bionic (4.15.0-56) using the xfstests suite mentioned in the description - couldn't validate Disco yet due to its respin (we need to wait until 5.0.0-24 in order to validate in Disco). The same amount of tests failed in both cases, and no significant performance impact was noticed.

Cheers,

Guilherme

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.

Thank you!

** Tags added: verification-needed-bionic
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'. If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.

Thank you!

** Tags added: verification-needed-disco
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
** Tags added: cscc
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
** Changed in: linux (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Disco)
   Status: In Progress => Fix Committed
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
SRU sent to kernel-team mailing list: https://lists.ubuntu.com/archives/kernel-team/2019-July/102357.html
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
** Description changed: [Impact] * We got reports of a kernel crash in cifs module with the following signature: detected buffer overflow in strcat kernel BUG at <...>/lib/string.c:1052! invalid opcode: [#1] SMP PTI RIP: 0010:fortify_panic+0x13/0x1f Call Trace: - smb21_set_oplock_level+0xde/0x190 [cifs] - smb3_set_oplock_level+0x22/0x90 [cifs] - smb2_set_fid+0x76/0xb0 [cifs] - cifs_new_fileinfo+0x268/0x3c0 [cifs] - ? smb2_get_lease_key+0x40/0x40 [cifs] - ? cifs_new_fileinfo+0x268/0x3c0 [cifs] - cifs_open+0x57c/0x8d0 [cifs] - do_dentry_open+0x1fe/0x320 + smb21_set_oplock_level+0xde/0x190 [cifs] + smb3_set_oplock_level+0x22/0x90 [cifs] + smb2_set_fid+0x76/0xb0 [cifs] + cifs_new_fileinfo+0x268/0x3c0 [cifs] + ? smb2_get_lease_key+0x40/0x40 [cifs] + ? cifs_new_fileinfo+0x268/0x3c0 [cifs] + cifs_open+0x57c/0x8d0 [cifs] + do_dentry_open+0x1fe/0x320 [...] * By analyzing the code of smb21_set_oplock_level(), we've noticed the only way fortify function strcat() would get overflow was if the value of cinode->oplock got corrupted in a another thread leading to a buffer write bigger then buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread cleaning the oplock value would lead to 'message' overflow. * By the same time we worked this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the same reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into Bionic kernel - it's - already present in Ubuntu kernel version 5.0 and newer, as well as linux - stable branches. + already present in linux stable branches and will soon be in Ubuntu + kernel version 5.0 (when it gets rebased with 5.0.19). [Test case] * Unfortunately we cannot reproduce the issue. 
The patch proposed here was - validated by us with xfstests (instructions followed from + validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio. * Using xfstest with the exclusions proposed in the link above we managed to get the same results as a non-patched kernel, i.e., the same tests failed in both kernels, we didn't get worse results with the patch. Fio also didn't show noticeable performance regression with the patch. [Regression potential] * The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. ** Description changed: [Impact] * We got reports of a kernel crash in cifs module with the following signature: detected buffer overflow in strcat kernel BUG at <...>/lib/string.c:1052! invalid opcode: [#1] SMP PTI RIP: 0010:fortify_panic+0x13/0x1f Call Trace: smb21_set_oplock_level+0xde/0x190 [cifs] smb3_set_oplock_level+0x22/0x90 [cifs] smb2_set_fid+0x76/0xb0 [cifs] cifs_new_fileinfo+0x268/0x3c0 [cifs] ? smb2_get_lease_key+0x40/0x40 [cifs] ? cifs_new_fileinfo+0x268/0x3c0 [cifs] cifs_open+0x57c/0x8d0 [cifs] do_dentry_open+0x1fe/0x320 [...] * By analyzing the code of smb21_set_oplock_level(), we've noticed the only way fortify function strcat() would get overflow was if the value of cinode->oplock got corrupted in a another thread leading to a buffer write bigger then buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread cleaning the oplock value would lead to 'message' overflow. 
* By the same time we worked this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the same reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into Bionic kernel - it's - already present in linux stable branches and will soon be in Ubuntu - kernel version 5.0 (when it gets rebased with 5.0.19). + already present in linux stable branches. [Test case] * Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio. * Using xfstest with the exclusions proposed in the link above we managed to get the same results as a non-patched kernel, i.e., the same tests failed in both kernels, we didn't get worse results with the patch. Fio also didn't show noticeable performance regression with the patch. [Regression potential] * The patch was val
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
** Description changed:

- Ubuntu 18.04.2 LTS
- Linux SRV013 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+ [Impact]
- DELL R740, 2 CPU (40 Cores, 80 Threads), 384 GiB RAM
+ * We got reports of a kernel crash in cifs module with the following
+ signature:
- top - 12:39:53 up 3:41, 4 users, load average: 66.19, 64.06, 76.90
- Tasks: 1076 total, 1 running, 675 sleeping, 12 stopped, 1 zombie
- %Cpu(s): 28.2 us, 0.3 sy, 0.0 ni, 71.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
- KiB Mem : 39483801+total, 24077185+free, 57428284 used, 96637872 buff/cache
- KiB Swap: 999420 total, 999420 free,0 used. 33477683+avail Mem
+ detected buffer overflow in strcat
+ kernel BUG at <...>/lib/string.c:1052!
+ invalid opcode: [#1] SMP PTI
+ RIP: 0010:fortify_panic+0x13/0x1f
+ Call Trace:
+ smb21_set_oplock_level+0xde/0x190 [cifs]
+ smb3_set_oplock_level+0x22/0x90 [cifs]
+ smb2_set_fid+0x76/0xb0 [cifs]
+ cifs_new_fileinfo+0x268/0x3c0 [cifs]
+ ? smb2_get_lease_key+0x40/0x40 [cifs]
+ ? cifs_new_fileinfo+0x268/0x3c0 [cifs]
+ cifs_open+0x57c/0x8d0 [cifs]
+ do_dentry_open+0x1fe/0x320
+ [...]
+ * By analyzing the code of smb21_set_oplock_level(), we've noticed the
+ only way fortify function strcat() would get overflow was if the value
+ of cinode->oplock got corrupted in a another thread leading to a buffer
+ write bigger then buffer size. In this function, the 'message' buffer
+ writes are governed by cinode->oplock, so only a different thread
+ cleaning the oplock value would lead to 'message' overflow.
- We've seen the following bug many times since we introduced new machines
- running Ubuntu 18. Wasn't an issue older machines running Ubuntu 16.
- Three different machines are affected, so it's rather not a hardware
- issue.
+ * By the same time we worked this analysis, a fix was proposed upstream
+ for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat
+ buffer overflow and reduce raciness in smb21_set_oplock_level()"), by
+ the same reporter of this LP. The fix is simple and directly addresses
+ this problem, so we hereby request its SRU into Bionic kernel - it's
+ already present in Ubuntu kernel version 5.0 and newer, as well as linux
+ stable branches.
+ [Test case]
- | detected buffer overflow in strcat
- | [ cut here ]
- | kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
- | invalid opcode: [#1] SMP PTI
- | Modules linked in: [...]
- | Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
- | RIP: 0010:fortify_panic+0x13/0x22
- | [...]
- | Call Trace:
- | smb21_set_oplock_level+0x147/0x1a0 [cifs]
- | smb3_set_oplock_level+0x22/0x90 [cifs]
- | smb2_set_fid+0x76/0xb0 [cifs]
- | cifs_new_fileinfo+0x259/0x390 [cifs]
- | ? smb2_get_lease_key+0x40/0x40 [cifs]
- | ? cifs_new_fileinfo+0x259/0x390 [cifs]
- | cifs_open+0x3db/0x8d0 [cifs]
- | [...]
+ * Unfortunately we cannot reproduce the issue. The patch proposed here was
+ validated by us with xfstests (instructions followed from
+ https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
- (Full dmesg output attached)
+ * Using xfstest with the exclusions proposed in the link above we
+ managed to get the same results as a non-patched kernel, i.e., the same
+ tests failed in both kernels, we didn't get worse results with the
+ patch. Fio also didn't show noticeable performance regression with the
+ patch.
- After hitting this bug there are many cifs related dmesg entries,
- processes lock up and eventually the systems freezes.
+ [Regression potential]
-
- The share is mounted using:
- //server/share /mnt/server/ cifs defaults,auto,iocharset=utf8,noperm,file_mode=0777,dir_mode=0777,credentials=/root/passwords/share,domain=myDomain,uid=myUser,gid=10513,mfsymlinks
-
- Currently we're testing the cifs mount options "cache=none" as the bug
- seems to be oplock related.
+ * The patch was validated by the cifs filesystem maintainers and by the
+ aforementioned tests; also, the scope is restricted to cifs only so the
+ likelihood of regressions is considered low. The commit introduces no
+ functional changes and the only affected path was just refactored in a
+ way to prevent overflow and reduce race potential.
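The race the [Impact] analysis describes, as an added user-space model (this is not cifs code; the struct, the flag names, `append()` and the `racer` callback are constructed stand-ins): a 5-byte message gets one letter per lease bit, and the final "None" decision re-reads the shared `oplock` field, so a concurrent clear turns "RHW" into "RHWNone". The second variant decides from a private copy and stores it once, which is one way to make the message length depend on the function's own input only.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the lease bits a server grants and the cached
 * oplock flags kept per inode; only the shape matters for this model. */
#define LEASE_READ    0x01u
#define LEASE_HANDLE  0x02u
#define LEASE_WRITE   0x04u
#define CACHE_READ    0x01u
#define CACHE_HANDLE  0x02u
#define CACHE_WRITE   0x04u
#define MSG_LEN 5 /* fits "RHW" or "None" plus NUL; the size the report implies */

struct inode_info {
    unsigned int oplock; /* shared with other threads, e.g. an oplock break */
};

/* Bounded stand-in for strcat: reports the overflow instead of performing
 * it. The kernel's fortified strcat detects the same condition and panics
 * ("detected buffer overflow in strcat" in the trace above). */
static bool append(char *dst, size_t cap, const char *src)
{
    if (strlen(dst) + strlen(src) + 1 > cap)
        return false;
    strcat(dst, src);
    return true;
}

typedef void (*racer_fn)(struct inode_info *);

/* Simulated interleaving: another thread clears the cached flags between
 * the per-bit appends and the final "no caching" check. */
static void clear_oplock(struct inode_info *ci) { ci->oplock = 0; }

/* Pattern the [Impact] analysis describes: flags are accumulated directly
 * in the shared field and the "None" decision re-reads that field. */
static bool set_oplock_racy(struct inode_info *ci, unsigned int lease,
                            racer_fn racer, char *msg, size_t cap)
{
    bool ok = true;
    msg[0] = '\0';
    if (lease & LEASE_READ)   { ci->oplock |= CACHE_READ;   ok = append(msg, cap, "R") && ok; }
    if (lease & LEASE_HANDLE) { ci->oplock |= CACHE_HANDLE; ok = append(msg, cap, "H") && ok; }
    if (lease & LEASE_WRITE)  { ci->oplock |= CACHE_WRITE;  ok = append(msg, cap, "W") && ok; }
    if (racer)
        racer(ci);
    if (!ci->oplock)                 /* re-read of shared state: now 0 */
        ok = append(msg, cap, "None") && ok;   /* "RHW" + "None" needs 8 bytes */
    return ok;
}

/* Hardened pattern: decide from a private copy and publish it once. The
 * message now depends only on `lease`, so no interleaving can lengthen it. */
static bool set_oplock_fixed(struct inode_info *ci, unsigned int lease,
                             racer_fn racer, char *msg, size_t cap)
{
    unsigned int new_oplock = 0;
    bool ok = true;
    msg[0] = '\0';
    if (lease & LEASE_READ)   { new_oplock |= CACHE_READ;   ok = append(msg, cap, "R") && ok; }
    if (lease & LEASE_HANDLE) { new_oplock |= CACHE_HANDLE; ok = append(msg, cap, "H") && ok; }
    if (lease & LEASE_WRITE)  { new_oplock |= CACHE_WRITE;  ok = append(msg, cap, "W") && ok; }
    if (racer)
        racer(ci);                   /* cannot influence the message any more */
    if (!new_oplock)
        ok = append(msg, cap, "None") && ok;
    ci->oplock = new_oplock;         /* single store of the new state */
    return ok;
}

/* Runs one scenario with a full RHW lease against either variant, with or
 * without the concurrent clear. Returns whether every append stayed in
 * bounds; the flags left in the inode are stored in *oplock_out. */
static bool run(bool fixed, bool race, unsigned int *oplock_out)
{
    struct inode_info ci = {0};
    char msg[MSG_LEN];
    unsigned int lease = LEASE_READ | LEASE_HANDLE | LEASE_WRITE;
    racer_fn racer = race ? clear_oplock : NULL;
    bool ok = fixed ? set_oplock_fixed(&ci, lease, racer, msg, sizeof msg)
                    : set_oplock_racy(&ci, lease, racer, msg, sizeof msg);
    *oplock_out = ci.oplock;
    return ok;
}

bool scenario_in_bounds(bool fixed, bool race) { unsigned int o; return run(fixed, race, &o); }
unsigned int scenario_oplock(bool fixed, bool race) { unsigned int o; run(fixed, race, &o); return o; }

int main(void)
{
    printf("racy,  no race : %s\n", scenario_in_bounds(false, false) ? "in bounds" : "OVERFLOW");
    printf("racy,  race    : %s\n", scenario_in_bounds(false, true) ? "in bounds" : "OVERFLOW");
    printf("fixed, race    : %s, oplock=%u\n",
           scenario_in_bounds(true, true) ? "in bounds" : "OVERFLOW", scenario_oplock(true, true));
    return 0;
}
```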
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
** Changed in: linux (Ubuntu Cosmic)
       Status: In Progress => Won't Fix
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Hi Christoph, thank you very much for your work in this LP! Both the debug part and finally your patch. I was looking at the same set of issues in parallel, with another user that reported the same crashes.

So, regarding your question in comment #15 ("are those gonna be backported to 4.x-generic?"), I've just nominated this LP for all series with kernels 4.15+, given we had no reports for previous series. That said, we're going to backport your patch as soon as some more validation tests are finished.

I'm planning to use this LP only for the strcat issue. There's another LP for the smb2_push_mandatory_locks() crash: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1795659

I suggest you add yourself to that bug, so we can follow up the discussion there regarding this 2nd crash. There's a candidate patch for the smb2_push_mandatory_locks() issue, you already mentioned it here: b98749cac4a ("CIFS: keep FileInfo handle live during oplock break").

It's unfortunate that you said testing v5.1-rc7 didn't fix that crash - I've discussed this smb2_push_mandatory_locks() crash with Steve and Pavel (from Microsoft) in a private thread and they suggested exactly this patch to me in order to fix the issue. Could you test the kernel https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.2-rc1/ (which includes your strcat patch) and see if it still reproduces the smb2_push_mandatory_locks() crash? It would be really helpful for us. You can comment on the testing in the other LP (#1795659), if possible.

Cheers,

Guilherme
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
** Also affects: linux (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Eoan)
   Importance: Undecided
     Assignee: Christoph Probst (christophprobst)
       Status: Fix Released

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Eoan)
       Status: Fix Released => Fix Committed

** Changed in: linux (Ubuntu Disco)
       Status: New => In Progress

** Changed in: linux (Ubuntu Cosmic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Guilherme G. Piccoli (gpiccoli)

** Changed in: linux (Ubuntu Cosmic)
     Assignee: (unassigned) => Guilherme G. Piccoli (gpiccoli)

** Changed in: linux (Ubuntu Disco)
     Assignee: (unassigned) => Guilherme G. Piccoli (gpiccoli)

** Changed in: linux (Ubuntu Eoan)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Disco)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Cosmic)
   Importance: Undecided => High
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
** Tags added: sts
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Yes, there are two issues that got mixed up in this single bug report.

1) strcat

Imho there are not many ways strcat could overflow in that single function. My patch (especially the strncpy()) should fix the buffer overflow and thereby my initial issue. Your solution still had that strcat overflow (see #15).

2) null pointer dereference (and everything else)

Pavel already wrote "The patch itself is fine but I think we have a bigger problem here". https://patchwork.kernel.org/patch/10931327/#22623923

Regarding your patch: You only used mutex_lock() in smb21_set_oplock_level(). What about other functions changing (or removing) that locked cinode? Does the kernel protect against this, or does mutex_lock() have to be used in any function operating on cinode?
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Sorry for not following up here, I've been quite busy recently.

So there are two bugs here - the first one, strcat overflow, is solved by my test kernel or by your patch. Though I am not sure it's totally correct, I'll raise my concern on the mailing list.

The second bug, null pointer dereference, requires more investigation.
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
From: Steve French
Date: Tue, 7 May 2019 11:13:34 -0500

merged into cifs-2.6.git for-next

** Changed in: linux (Ubuntu)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Christoph Probst (christophprobst)
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
There is now a kernel patch for cifs that is supposed to fix the buffer overflow in strcat. For details see https://patchwork.kernel.org/patch/10931327/

An alternative workaround is to downgrade the connection to SMB2 (mount option vers=2.0) as the bug only affects SMB2.1 and SMB3 code.

Regarding the second issue (BUG: unable to handle kernel NULL pointer dereference at 0038) it is likely that it is triggered by a race condition as well, which isn't yet fixed.

** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Committed
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
We installed the latest upstream kernel 5.1.0-050100rc7-generic (Ubuntu version from https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.1-rc7/) which still triggers a NULL pointer dereference from cifsoplockd. I was hoping "CIFS: keep FileInfo handle live during oplock break"[1] might fix our issue, but it didn't.

[1] https://git.samba.org/?p=sfrench/cifs-2.6.git;a=commit;h=b98749cac4a695f084a5ff076f4510b23e353ecd

May 1 14:50:47 kernel: [ 4248.964694] BUG: unable to handle kernel NULL pointer dereference at 0038
May 1 14:50:47 kernel: [ 4248.964758] #PF error: [normal kernel read fault]
May 1 14:50:47 kernel: [ 4248.964792] PGD 0 P4D 0
May 1 14:50:47 kernel: [ 4248.964815] Oops: [#1] SMP PTI
May 1 14:50:47 kernel: [ 4248.964844] CPU: 29 PID: 3884 Comm: kworker/29:2 Not tainted 5.1.0-050100rc7-generic #201904282131
May 1 14:50:47 kernel: [ 4248.964902] Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 1.3.7 02/08/2018
May 1 14:50:47 kernel: [ 4248.964999] Workqueue: cifsoplockd cifs_oplock_break [cifs]
May 1 14:50:47 kernel: [ 4248.965081] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x580 [cifs]
[...]
May 1 14:50:47 kernel: [ 4248.965772] Call Trace:
May 1 14:50:47 kernel: [ 4248.965843] cifs_oplock_break+0x131/0x430 [cifs]
May 1 14:50:47 kernel: [ 4248.965883] process_one_work+0x20f/0x410
May 1 14:50:47 kernel: [ 4248.965915] worker_thread+0x34/0x400
May 1 14:50:47 kernel: [ 4248.965944] kthread+0x120/0x140
May 1 14:50:47 kernel: [ 4248.965970] ? process_one_work+0x410/0x410
May 1 14:50:47 kernel: [ 4248.966002] ? __kthread_parkme+0x70/0x70
May 1 14:50:47 kernel: [ 4248.966034] ret_from_fork+0x35/0x40
[...]
May 1 14:50:47 kernel: [ 4248.966627] CR2: 0038
May 1 14:50:47 kernel: [ 4248.966654] ---[ end trace 506baa76d6a566b1 ]---
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
And now a crash with the special 4.15.0-48-generic #51~lp1824981 kernel. So the buffer overflow is NOT fixed with any 4.15 or 4.18 kernel currently available with Ubuntu. We started some IO-intense tasks lately that didn't run the last 2 weeks. That seems to be the trigger for the buffer overflow bug. We're considering switching to NFS or storing more data locally to work around that issue. Recommendations and alternatives welcome. I've seen that there are some cifs related patches for 5.1RC7 - are those going to be backported to 4.x-generic?

Apr 30 00:57:23 kernel: [106134.709084] detected buffer overflow in strcat
Apr 30 00:57:23 kernel: [106134.709123] [ cut here ]
Apr 30 00:57:23 kernel: [106134.709124] kernel BUG at /home/ubuntu/Sources/linux-lp1824981/lib/string.c:1052!
Apr 30 00:57:23 kernel: [106134.709149] invalid opcode: [#1] SMP PTI
Apr 30 00:57:23 kernel: [106134.709162] Modules linked in: cmac(E) arc4(E) md4(E) nls_utf8(E) cifs(E) ccm(E) fscache(E) ufs(E) qnx4(E) hfsplus(E) hfs(E) minix(E) ntfs(E) msdos(E) jfs(E) xfs(E) cpuid(E) mpt3sas raid_class scsi_transport_sas mptctl mptbase dell_rbu bonding nls_iso8859_1 intel_rapl skx_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass input_leds joydev dell_smbios dcdbas ipmi_ssif dell_wmi_descriptor intel_cstate intel_rapl_perf wmi_bmof ipmi_si ipmi_devintf mei_me shpchp mac_hid mei lpc_ich acpi_power_meter ipmi_msghandler sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear
Apr 30 00:57:23 kernel: [106134.709360] hid_generic crct10dif_pclmul mgag200 crc32_pclmul usbhid i2c_algo_bit ghash_clmulni_intel ttm pcbc drm_kms_helper hid uas syscopyarea bnx2x sysfillrect aesni_intel usb_storage sysimgblt aes_x86_64 ptp fb_sys_fops crypto_simd pps_core glue_helper mdio ahci megaraid_sas cryptd drm libcrc32c libahci wmi
Apr 30 00:57:23 kernel: [106134.709444] CPU: 36 PID: 23957 Comm: perl Tainted: G E 4.15.0-48-generic #51~lp1824981
Apr 30 00:57:23 kernel: [106134.709466] Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
Apr 30 00:57:23 kernel: [106134.709491] RIP: 0010:fortify_panic+0x13/0x22
Apr 30 00:57:23 kernel: [106134.709504] RSP: 0018:ac87f5ba7940 EFLAGS: 00010286
Apr 30 00:57:23 kernel: [106134.709519] RAX: 0022 RBX: 0004 RCX:
Apr 30 00:57:23 kernel: [106134.709537] RDX: RSI: 90fc00c96498 RDI: 90fc00c96498
Apr 30 00:57:23 kernel: [106134.709555] RBP: ac87f5ba7940 R08: R09: 06a5
Apr 30 00:57:23 kernel: [106134.709572] R10: ac87f5ba79f0 R11: R12: 9123571e6408
Apr 30 00:57:23 kernel: [106134.709591] R13: 0001 R14: 0003 R15: 90fbf676da00
Apr 30 00:57:23 kernel: [106134.709609] FS: 14abed58dfc0() GS:90fc00c8() knlGS:
Apr 30 00:57:23 kernel: [106134.709629] CS: 0010 DS: ES: CR0: 80050033
Apr 30 00:57:23 kernel: [106134.709643] CR2: 14abec7ed110 CR3: 002f1b022002 CR4: 007606e0
Apr 30 00:57:23 kernel: [106134.709661] DR0: DR1: DR2:
Apr 30 00:57:23 kernel: [106134.709679] DR3: DR6: fffe0ff0 DR7: 0400
Apr 30 00:57:23 kernel: [106134.709696] PKRU: 5554
Apr 30 00:57:23 kernel: [106134.710224] Call Trace:
Apr 30 00:57:23 kernel: [106134.710756] smb21_set_oplock_level+0x147/0x1a0 [cifs]
Apr 30 00:57:23 kernel: [106134.711262] smb3_set_oplock_level+0x22/0x90 [cifs]
Apr 30 00:57:23 kernel: [106134.711758] smb2_set_fid+0x76/0xb0 [cifs]
Apr 30 00:57:23 kernel: [106134.712260] cifs_new_fileinfo+0x259/0x390 [cifs]
Apr 30 00:57:23 kernel: [106134.712765] ? smb2_get_lease_key+0x40/0x40 [cifs]
Apr 30 00:57:23 kernel: [106134.713276] ? cifs_new_fileinfo+0x259/0x390 [cifs]
Apr 30 00:57:23 kernel: [106134.713790] cifs_open+0x3db/0x8d0 [cifs]
Apr 30 00:57:23 kernel: [106134.714308] do_dentry_open+0x1c2/0x310
Apr 30 00:57:23 kernel: [106134.714831] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
Apr 30 00:57:23 kernel: [106134.715364] ? do_dentry_open+0x1c2/0x310
Apr 30 00:57:23 kernel: [106134.715899] ? __inode_permission+0x5b/0x160
Apr 30 00:57:23 kernel: [106134.716451] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
Apr 30 00:57:23 kernel: [106134.717004] vfs_open+0x4f/0x80
Apr 30 00:57:23 kernel: [106134.717561] path_openat+0x66e/0x1770
Apr 30 00:57:23 kernel: [106134.718123] ? mem_cgroup_commit_charge+0x82/0x530
Apr 30 00:57:23 kernel: [106134.718693] do_filp_open+0x9b/0x110
Apr 30 00:57:23 kernel: [106134.719267] ? _cond_resched+0x19/0x40
Apr 30 00:57:23 kernel: [106134.719844] ? __kmalloc+0x19b/0x220
Apr 30 0
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Oh no. Had a strcat buffer overflow with 4.15.0-48-generic. Issue is NOT solved.

Apr 29 19:29:00 kernel: [78713.491646] detected buffer overflow in strcat
Apr 29 19:29:00 kernel: [78713.491685] [ cut here ]
Apr 29 19:29:00 kernel: [78713.491686] kernel BUG at /build/linux-fkZVDM/linux-4.15.0/lib/string.c:1052!
Apr 29 19:29:00 kernel: [78713.491709] invalid opcode: [#1] SMP PTI
Apr 29 19:29:00 kernel: [78713.491721] Modules linked in: ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs mpt3sas raid_class scsi_transport_sas mptctl mptbase cmac arc4 md4 nls_utf8 cifs ccm fscache dell_rbu bonding nls_iso8859_1 intel_rapl skx_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm joydev input_leds dell_smbios irqbypass dcdbas intel_cstate intel_rapl_perf ipmi_ssif wmi_bmof dell_wmi_descriptor shpchp mei_me lpc_ich ipmi_si ipmi_devintf ipmi_msghandler mei mac_hid acpi_power_meter sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear hid_generic crct10dif_pclmul mgag200 crc32_pclmul i2c_algo_bit
Apr 29 19:29:00 kernel: [78713.491911] ghash_clmulni_intel usbhid ttm pcbc drm_kms_helper aesni_intel syscopyarea hid sysfillrect aes_x86_64 bnx2x crypto_simd sysimgblt glue_helper ptp fb_sys_fops cryptd pps_core uas drm mdio ahci megaraid_sas usb_storage libcrc32c libahci wmi
Apr 29 19:29:00 kernel: [78713.491975] CPU: 24 PID: 2242 Comm: perl Not tainted 4.15.0-48-generic #51-Ubuntu
Apr 29 19:29:00 kernel: [78713.491993] Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
Apr 29 19:29:00 kernel: [78713.492014] RIP: 0010:fortify_panic+0x13/0x22
Apr 29 19:29:00 kernel: [78713.492027] RSP: 0018:bb8b35b07940 EFLAGS: 00010286
Apr 29 19:29:00 kernel: [78713.492041] RAX: 0022 RBX: 0004 RCX:
Apr 29 19:29:00 kernel: [78713.492058] RDX: RSI: 91acc0b16498 RDI: 91acc0b16498
Apr 29 19:29:00 kernel: [78713.492074] RBP: bb8b35b07940 R08: R09: 0681
Apr 29 19:29:00 kernel: [78713.492090] R10: bb8b35b079f0 R11: R12: 91a0d3461e50
Apr 29 19:29:00 kernel: [78713.492106] R13: 0001 R14: 0003 R15: 91c0acd1ac00
Apr 29 19:29:00 kernel: [78713.492123] FS: 14ed8f19ffc0() GS:91acc0b0() knlGS:
Apr 29 19:29:00 kernel: [78713.492141] CS: 0010 DS: ES: CR0: 80050033
Apr 29 19:29:00 kernel: [78713.492155] CR2: 14ed8e3ff110 CR3: 000423a5c001 CR4: 007606e0
Apr 29 19:29:00 kernel: [78713.492171] DR0: DR1: DR2:
Apr 29 19:29:00 kernel: [78713.492187] DR3: DR6: fffe0ff0 DR7: 0400
Apr 29 19:29:00 kernel: [78713.492203] PKRU: 5554
Apr 29 19:29:00 kernel: [78713.492210] Call Trace:
Apr 29 19:29:00 kernel: [78713.492241] smb21_set_oplock_level+0x147/0x1a0 [cifs]
Apr 29 19:29:00 kernel: [78713.492265] smb3_set_oplock_level+0x22/0x90 [cifs]
Apr 29 19:29:00 kernel: [78713.492285] smb2_set_fid+0x76/0xb0 [cifs]
Apr 29 19:29:00 kernel: [78713.492303] cifs_new_fileinfo+0x259/0x390 [cifs]
Apr 29 19:29:00 kernel: [78713.492321] ? smb2_get_lease_key+0x40/0x40 [cifs]
Apr 29 19:29:00 kernel: [78713.492338] ? cifs_new_fileinfo+0x259/0x390 [cifs]
Apr 29 19:29:00 kernel: [78713.492355] cifs_open+0x3db/0x8d0 [cifs]
Apr 29 19:29:00 kernel: [78713.492370] do_dentry_open+0x1c2/0x310
Apr 29 19:29:00 kernel: [78713.492384] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
Apr 29 19:29:00 kernel: [78713.492399] ? do_dentry_open+0x1c2/0x310
Apr 29 19:29:00 kernel: [78713.492411] ? __inode_permission+0x5b/0x160
Apr 29 19:29:00 kernel: [78713.492427] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
Apr 29 19:29:00 kernel: [78713.492441] vfs_open+0x4f/0x80
Apr 29 19:29:00 kernel: [78713.492451] path_openat+0x66e/0x1770
Apr 29 19:29:00 kernel: [78713.492464] ? mem_cgroup_commit_charge+0x82/0x530
Apr 29 19:29:00 kernel: [78713.492477] do_filp_open+0x9b/0x110
Apr 29 19:29:00 kernel: [78713.492489] ? _cond_resched+0x19/0x40
Apr 29 19:29:00 kernel: [78713.493055] ? __kmalloc+0x19b/0x220
Apr 29 19:29:00 kernel: [78713.493574] ? security_prepare_creds+0x9c/0xc0
Apr 29 19:29:00 kernel: [78713.494088] do_open_execat+0x7e/0x1e0
Apr 29 19:29:00 kernel: [78713.494595] ? prepare_creds+0xd5/0x110
Apr 29 19:29:00 kernel: [78713.495095] ? do_open_execat+0x7e/0x1e0
Apr 29 19:29:00 kernel: [78713.495590] do_execveat_common.isra.34+0x1c7/0x810
Apr 29 19:29:00 kernel: [78713.496074] SyS_execve+0x31/0x40
Apr 29 19:29:00 kernel: [78713.496542] do_syscall_64+0x73/0x130
Apr 29 19:29:00 kernel: [78713.496997] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Apr 29 19:29:00 kernel: [78713.
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
4.15.0-47-generic
kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
Crashes system (requires hard reboot or SysRQ+b)

4.18.0-17-generic
kernel BUG at /build/linux-hwe-4PejID/linux-hwe-4.18.0/lib/string.c:1052!
Crashes system (requires hard reboot or SysRQ+b)

4.15.0-48-generic #51~lp1824981
BUG: unable to handle kernel NULL pointer dereference at 0038
Crashes processes (State D) (solved by manual reboot)

4.15.0-48-generic #51-Ubuntu
BUG: unable to handle kernel NULL pointer dereference at 0038
Crashes processes (State D) (solved by manual reboot)

Initial issue seems to be solved by 4.15.0-48. Still having the NULL pointer dereference.

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824981

Title:
cifs set_oplock buffer overflow in strcat

Status in linux package in Ubuntu:
Confirmed

Bug description:
Ubuntu 18.04.2 LTS
Linux SRV013 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
DELL R740, 2 CPU (40 Cores, 80 Threads), 384 GiB RAM

top - 12:39:53 up 3:41, 4 users, load average: 66.19, 64.06, 76.90
Tasks: 1076 total, 1 running, 675 sleeping, 12 stopped, 1 zombie
%Cpu(s): 28.2 us, 0.3 sy, 0.0 ni, 71.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem : 39483801+total, 24077185+free, 57428284 used, 96637872 buff/cache
KiB Swap: 999420 total, 999420 free, 0 used. 33477683+avail Mem

We've seen the following bug many times since we introduced new machines running Ubuntu 18. Wasn't an issue on older machines running Ubuntu 16. Three different machines are affected, so it's rather not a hardware issue.

| detected buffer overflow in strcat
| [ cut here ]
| kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
| invalid opcode: [#1] SMP PTI
| Modules linked in: [...]
| Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
| RIP: 0010:fortify_panic+0x13/0x22
| [...]
| Call Trace:
| smb21_set_oplock_level+0x147/0x1a0 [cifs]
| smb3_set_oplock_level+0x22/0x90 [cifs]
| smb2_set_fid+0x76/0xb0 [cifs]
| cifs_new_fileinfo+0x259/0x390 [cifs]
| ? smb2_get_lease_key+0x40/0x40 [cifs]
| ? cifs_new_fileinfo+0x259/0x390 [cifs]
| cifs_open+0x3db/0x8d0 [cifs]
| [...]

(Full dmesg output attached)

After hitting this bug there are many cifs related dmesg entries, processes lock up and eventually the system freezes.

The share is mounted using:
//server/share /mnt/server/ cifs defaults,auto,iocharset=utf8,noperm,file_mode=0777,dir_mode=0777,credentials=/root/passwords/share,domain=myDomain,uid=myUser,gid=10513,mfsymlinks

Currently we're testing the cifs mount option "cache=none" as the bug seems to be oplock related.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+subscriptions

--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
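Every strcat trace in this thread ends in fortify_panic() called from smb21_set_oplock_level(), and the reporter's suspicion that the bug is oplock related matches that. What follows is an added userspace model of that failure pattern, written for this page; it is not code from the kernel, from the Ubuntu package or from the bug report. A small fixed-size message buffer is filled with strcat() according to the bits in a per-inode oplock word that other threads can write; if a concurrent writer clears the word between the bit-by-bit updates and the final "is anything cached?" check, the function appends both the cache-flag letters and the literal "None", which no longer fits. The buffer size (5 bytes), the flag values, the token strings and the `interleave_fn` hook are assumptions made for illustration; `checked_strcat()` returns -1 where the kernel's FORTIFY_SOURCE strcat() would print "detected buffer overflow in strcat" and call fortify_panic().

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed lease bit values; the kernel's own constants are not needed here. */
#define LEASE_READ   0x01u
#define LEASE_HANDLE 0x02u
#define LEASE_WRITE  0x04u

/* Room for "RHW" or "None" plus the terminator, but not for both. */
#define MSG_SIZE 5

/* Per-inode state shared between the open path and the oplock-break worker. */
struct cinode {
    unsigned int oplock;
};

/* Hook standing in for another thread that runs between the flag updates
 * and the final check (assumption: models the interleaving, not real threads). */
typedef void (*interleave_fn)(struct cinode *c);

/* Bounded strcat(): returns -1 where a FORTIFY_SOURCE strcat() would call
 * fortify_panic(). On failure dst is left untouched. */
static int checked_strcat(char *dst, size_t dst_size, const char *src)
{
    size_t dlen = strlen(dst);
    size_t slen = strlen(src);

    if (dlen + slen + 1 > dst_size)
        return -1;
    memcpy(dst + dlen, src, slen + 1);
    return 0;
}

/* Racy pattern: the shared word is updated bit by bit and re-read at the end,
 * so a concurrent clear turns "RHW" into "RHW" + "None" and overflows msg.
 * Returns 0 on success, -1 if an append would have overflowed. */
static int set_oplock_racy(struct cinode *c, unsigned int lease,
                           interleave_fn race, char msg[MSG_SIZE])
{
    int rc = 0;

    msg[0] = '\0';
    if (lease & LEASE_READ) {
        c->oplock |= LEASE_READ;
        rc |= checked_strcat(msg, MSG_SIZE, "R");
    }
    if (lease & LEASE_HANDLE) {
        c->oplock |= LEASE_HANDLE;
        rc |= checked_strcat(msg, MSG_SIZE, "H");
    }
    if (lease & LEASE_WRITE) {
        c->oplock |= LEASE_WRITE;
        rc |= checked_strcat(msg, MSG_SIZE, "W");
    }
    if (race)
        race(c);            /* another thread clears c->oplock here */
    if (!c->oplock)         /* re-reads shared state, which is now 0 */
        rc |= checked_strcat(msg, MSG_SIZE, "None");
    return rc;
}

/* Fixed pattern: build the new value in a local, decide the message from
 * that local only, and publish it to the shared word once at the end. */
static int set_oplock_fixed(struct cinode *c, unsigned int lease,
                            interleave_fn race, char msg[MSG_SIZE])
{
    unsigned int new_oplock = 0;
    int rc = 0;

    msg[0] = '\0';
    if (lease & LEASE_READ) {
        new_oplock |= LEASE_READ;
        rc |= checked_strcat(msg, MSG_SIZE, "R");
    }
    if (lease & LEASE_HANDLE) {
        new_oplock |= LEASE_HANDLE;
        rc |= checked_strcat(msg, MSG_SIZE, "H");
    }
    if (lease & LEASE_WRITE) {
        new_oplock |= LEASE_WRITE;
        rc |= checked_strcat(msg, MSG_SIZE, "W");
    }
    if (race)
        race(c);            /* same interleaving, but it cannot reach msg */
    if (!new_oplock)        /* decided from the local snapshot */
        rc |= checked_strcat(msg, MSG_SIZE, "None");
    c->oplock = new_oplock;
    return rc;
}

/* The concurrent writer this model assumes: an oplock break clearing every
 * cache flag on the inode. */
static void clear_oplock(struct cinode *c)
{
    c->oplock = 0;
}

int main(void)
{
    struct cinode c = { 0 };
    char msg[MSG_SIZE];
    unsigned int full = LEASE_READ | LEASE_HANDLE | LEASE_WRITE;

    printf("racy, no interleaving:   rc=%d msg=\"%s\"\n",
           set_oplock_racy(&c, full, NULL, msg), msg);
    printf("racy, clear in between:  rc=%d msg=\"%s\"\n",
           set_oplock_racy(&c, full, clear_oplock, msg), msg);
    printf("fixed, clear in between: rc=%d msg=\"%s\"\n",
           set_oplock_fixed(&c, full, clear_oplock, msg), msg);
    return 0;
}
```

The fixed variant removes the overflow by never deriving the message from state another thread can change under it; whether a concurrent clear may then be overwritten by the final store is a separate locking question that this model does not settle. The same "read a shared word once into a local, act on the local" rule is the check to apply whenever a fortify report points at a strcat() or sprintf() into a stack buffer whose length is controlled by flags.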
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Actually there is one waiting in state flush_work, one in call_rwsem_down_read_failed and 12 in call_rwsem_down_write_failed.

The "flush_work" task call trace:

genesplicer D0 53332 52566 0x
Call Trace:
__schedule+0x291/0x8a0
? __switch_to_asm+0x40/0x70
? get_work_pool+0x40/0x40
schedule+0x2c/0x80
schedule_timeout+0x1cf/0x350
? sched_clock+0x9/0x10
? sched_clock+0x9/0x10
? sched_clock_cpu+0x11/0xb0
? get_work_pool+0x40/0x40
wait_for_completion+0xba/0x140
? wake_up_q+0x80/0x80
flush_work+0x126/0x1e0
? worker_detach_from_pool+0xa0/0xa0
__cancel_work_timer+0x131/0x1b0
cancel_work_sync+0x10/0x20
cifsFileInfo_put+0x1ab/0x400 [cifs]
cifs_close+0x1e/0x40 [cifs]
? cifs_close+0x1e/0x40 [cifs]
__fput+0xea/0x220
fput+0xe/0x10
task_work_run+0x9d/0xc0
exit_to_usermode_loop+0xc0/0xd0
do_syscall_64+0x115/0x130
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x14f9e4ecf947
RSP: 002b:7ffe591c9898 EFLAGS: 0206 ORIG_RAX: 0003
RAX: RBX: 56367a99e260 RCX: 14f9e4ecf947
RDX: 14f9e51a6760 RSI: 0001 RDI: 000b
RBP: 14f9e51a72a0 R08: 14f9e53c14c0 R09:
R10: 14f9e4f5dcc0 R11: 0206 R12:
R13: 7ffe592be0a0 R14: R15:
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
The "NULL pointer dereference" bug creates state D processes waiting in call_rwsem_down_write_failed.

[ +0.000341] genesplicer D0 53349 52579 0x8000
[ +0.000362] Call Trace:
[ +0.000346] __schedule+0x291/0x8a0
[ +0.000348] ? mempool_free+0x2f/0x90
[ +0.000347] schedule+0x2c/0x80
[ +0.000356] rwsem_down_write_failed+0x169/0x360
[ +0.000344] ? is_size_safe_to_change+0x3c/0xd0 [cifs]
[ +0.000339] call_rwsem_down_write_failed+0x17/0x30
[ +0.000336] ? call_rwsem_down_write_failed+0x17/0x30
[ +0.000332] down_write+0x2d/0x40
[ +0.000331] cifs_new_fileinfo+0xc3/0x3a0 [cifs]
[ +0.000332] cifs_open+0x3db/0x8d0 [cifs]
[ +0.000329] do_dentry_open+0x1c2/0x310
[ +0.000360] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
[ +0.000340] ? do_dentry_open+0x1c2/0x310
[ +0.000337] ? __inode_permission+0x5b/0x160
[ +0.000342] ? cifs_uncached_writev_complete+0x3f0/0x3f0 [cifs]
[ +0.000353] vfs_open+0x4f/0x80
[ +0.000334] path_openat+0x66e/0x1770
[ +0.000335] do_filp_open+0x9b/0x110
[ +0.000331] ? __check_object_size+0xaf/0x1b0
[ +0.000332] do_sys_open+0x1bb/0x2c0
[ +0.000329] ? do_sys_open+0x1bb/0x2c0
[ +0.000327] SyS_openat+0x14/0x20
[ +0.000325] do_syscall_64+0x73/0x130
[ +0.000352] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ +0.000338] RIP: 0033:0x14620e613c8e
[ +0.000333] RSP: 002b:7ffcc83c3d30 EFLAGS: 0246 ORIG_RAX: 0101
[ +0.000344] RAX: ffda RBX: 55e697d33260 RCX: 14620e613c8e
[ +0.000356] RDX: RSI: 7ffcc83c41c0 RDI: ff9c
[ +0.000338] RBP: 55e6965d798b R08: R09:
[ +0.000338] R10: R11: 0246 R12: 0008
[ +0.000337] R13: 55e6965d798b R14: R15:
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Yes, it happened once with 4.18.0-17 (see kernel.log below) and once with 4.15.0-48. Haven't seen this one on 4.15.0-46-generic or 4.15.0-47-generic before.

Apr 17 18:51:53 Linux version 4.18.0-17-generic (buildd@lgw01-amd64-021) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #18~18.04.1-Ubuntu SMP Fri Mar 15 15:27:12 UTC 2019 (Ubuntu 4.18.0-17.18~18.04.1-generic 4.18.20)
Apr 17 18:51:53 Command line: BOOT_IMAGE=/boot/vmlinuz-4.18.0-17-generic root=UUID=7d58d6b0-bdf2-4a7b-bfde-d28a5ea498f6 ro
[...]
Apr 17 21:01:31 CIFS VFS: error -95 on ioctl to get interface list
[...]
Apr 17 21:43:48 perf: interrupt took too long (6290 > 6260), lowering kernel.perf_event_max_sample_rate to 31750
Apr 17 21:57:28 BUG: unable to handle kernel NULL pointer dereference at 0038
Apr 17 21:57:28 PGD 0 P4D 0
Apr 17 21:57:28 Oops: [#1] SMP PTI
Apr 17 21:57:28 CPU: 13 PID: 21224 Comm: kworker/13:2 Not tainted 4.18.0-17-generic #18~18.04.1-Ubuntu
Apr 17 21:57:28 Hardware name: Dell Inc. PowerEdge R900/0X947H, BIOS 1.2.0 11/11/2010
Apr 17 21:57:28 Workqueue: cifsoplockd cifs_oplock_break [cifs]
Apr 17 21:57:28 RIP: 0010:smb2_push_mandatory_locks+0xd5/0x5d0 [cifs]
Apr 17 21:57:28 Code: b0 49 39 c6 0f 84 2d 01 00 00 c7 45 c4 00 00 00 00 [...]
Apr 17 21:57:28 RSP: 0018:9f6d481d7de8 EFLAGS: 00010246
Apr 17 21:57:28 RAX: RBX: 94016f151798 RCX: e793bfc47c00
Apr 17 21:57:28 RDX: RSI: RDI: 9401711f
Apr 17 21:57:28 RBP: 9f6d481d7e38 R08: 00028160 R09: e793bfc47c00
Apr 17 21:57:28 R10: 0002 R11: 9401711e R12: 0aaa
Apr 17 21:57:28 R13: 94016f151798 R14: 94016f151780 R15: 94016e435e00
Apr 17 21:57:28 FS: () GS:94017f14() knlGS:
Apr 17 21:57:28 CS: 0010 DS: ES: CR0: 80050033
Apr 17 21:57:28 CR2: 0038 CR3: 000fdb406000 CR4: 06e0
Apr 17 21:57:28 Call Trace:
Apr 17 21:57:28 ? cifs_revalidate_mapping+0x45/0x90 [cifs]
Apr 17 21:57:28 cifs_oplock_break+0x124/0x410 [cifs]
Apr 17 21:57:28 process_one_work+0x1fd/0x3f0
Apr 17 21:57:28 worker_thread+0x34/0x410
Apr 17 21:57:28 kthread+0x121/0x140
Apr 17 21:57:28 ? process_one_work+0x3f0/0x3f0
Apr 17 21:57:28 ? kthread_create_worker_on_cpu+0x70/0x70
Apr 17 21:57:28 ret_from_fork+0x35/0x40
Apr 17 21:57:28 Modules linked in: ipmi_si mpt3sas raid_class mptctl mptbase arc4 md4 cmac nls_utf8 cifs ccm fscache nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c iptable_filter bpfilter dell_rbu binfmt_misc ipmi_ssif radeon ttm drm_kms_helper coretemp drm i2c_algo_bit fb_sys_fops syscopyarea sysfillrect gpio_ich kvm lpc_ich input_leds joydev sysimgblt ipmi_devintf irqbypass sch_fq_codel serio_raw dcdbas ipmi_msghandler mac_hid i7300_edac bonding lp parport ip_tables x_tables autofs4 ses enclosure scsi_transport_sas hid_generic usbhid hid psmouse bnx2 megaraid_sas pata_acpi [last unloaded: ipmi_si]
Apr 17 21:57:28 CR2: 0038
Apr 17 21:57:28 ---[ end trace 6742ba53428dc499 ]---
Apr 17 21:57:28 RIP: 0010:smb2_push_mandatory_locks+0xd5/0x5d0 [cifs]
Apr 17 21:57:28 Code: b0 49 39 c6 0f 84 2d 01 00 00 c7 45 c4 00 00 00 00 [...]
Apr 17 21:57:28 RSP: 0018:9f6d481d7de8 EFLAGS: 00010246
Apr 17 21:57:28 RAX: RBX: 94016f151798 RCX: e793bfc47c00
Apr 17 21:57:28 RDX: RSI: RDI: 9401711f
Apr 17 21:57:28 RBP: 9f6d481d7e38 R08: 00028160 R09: e793bfc47c00
Apr 17 21:57:28 R10: 0002 R11: 9401711e R12: 0aaa
Apr 17 21:57:28 R13: 94016f151798 R14: 94016f151780 R15: 94016e435e00
Apr 17 21:57:28 FS: () GS:94017f14() knlGS:
Apr 17 21:57:28 CS: 0010 DS: ES: CR0: 80050033
Apr 17 21:57:28 CR2: 0038 CR3: 000fdb406000 CR4: 06e0
Apr 17 21:58:55 perf: interrupt took too long (7881 > 7862), lowering kernel.perf_event_max_sample_rate to 25250
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Does this also happen on 4.18.0-17?

Apr 22 23:40:47 BUG: unable to handle kernel NULL pointer dereference at 0038
Apr 22 23:40:47 IP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
New variant of kernel bug appeared in both 4.18.0-17 (package manager) and in 4.15.0-48 (provided by @kaihengfeng). System didn't crash (compared to "buffer overflow in strcat" where cifs can't recover). Have seen this one twice, both within 3-7 hours after reboot.

Apr 22 17:28:23 Linux version 4.15.0-48-generic (root@bionic) (gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)) #51~lp1824981 SMP Thu Apr 18 17:30:16 UTC 2019 (Ubuntu 4.15. .18)
[...]
Apr 22 23:40:47 BUG: unable to handle kernel NULL pointer dereference at 0038
Apr 22 23:40:47 IP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47 PGD 0 P4D 0
Apr 22 23:40:47 Oops: [#1] SMP PTI
Apr 22 23:40:47 Modules linked in: [...]
Apr 22 23:40:47 CPU: 78 PID: 44260 Comm: kworker/78:1 Not tainted 4.15.0-48-generic #51~lp1824981
Apr 22 23:40:47 Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 1.3.7 02/08/2018
Apr 22 23:40:47 Workqueue: cifsoplockd cifs_oplock_break [cifs]
Apr 22 23:40:47 RIP: 0010:smb2_push_mandatory_locks+0x104/0x3b0 [cifs]
Apr 22 23:40:47 RSP: 0018:a779e81f7de0 EFLAGS: 00010246
Apr 22 23:40:47 RAX: RBX: 9bddf145ab18 RCX: dc6c8d3d0c00
Apr 22 23:40:47 RDX: RSI: RDI: 9baa0f43
Apr 22 23:40:47 RBP: a779e81f7e30 R08: 00027f20 R09: dc6c8d3d0c00
Apr 22 23:40:47 R10: 0002 R11: 9baa0f42 R12: 0aaa
Apr 22 23:40:47 R13: 9bddf145ab18 R14: 9bddf145ab00 R15: 9bb9870e1e00
Apr 22 23:40:47 FS: () GS:9bb6411c() knlGS:
Apr 22 23:40:47 CS: 0010 DS: ES: CR0: 80050033
Apr 22 23:40:47 CR2: 0038 CR3: 004367a0a004 CR4: 007606e0
Apr 22 23:40:47 DR0: DR1: DR2:
Apr 22 23:40:47 DR3: DR6: fffe0ff0 DR7: 0400
Apr 22 23:40:47 PKRU: 5554
Apr 22 23:40:47 Call Trace:
Apr 22 23:40:47 cifs_oplock_break+0x125/0x3f0 [cifs]
Apr 22 23:40:47 process_one_work+0x1de/0x410
Apr 22 23:40:47 worker_thread+0x32/0x410
Apr 22 23:40:47 kthread+0x121/0x140
Apr 22 23:40:47 ? process_one_work+0x410/0x410
Apr 22 23:40:47 ? kthread_create_worker_on_cpu+0x70/0x70
Apr 22 23:40:47 ret_from_fork+0x35/0x40
Apr 22 23:40:47 Code: [...]
Apr 22 23:40:47 RIP: smb2_push_mandatory_locks+0x104/0x3b0 [cifs] RSP: a779e81f7de0
Apr 22 23:40:47 CR2: 0038
Apr 22 23:40:47 ---[ end trace f5366d81972abce8 ]---

[full details see kernel.log attached]

# cat /proc/fs/cifs/Stats
Resources in use
CIFS Session: 1
Share (unique mount targets): 2
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0

0 session 0 share reconnects
Total vfs operations: 13063177 maximum at one time: 38

1) \\server\share
SMBs: 25616550
Negotiates: 0 sent 0 failed
SessionSetups: 0 sent 0 failed
Logoffs: 0 sent 0 failed
TreeConnects: 9916 sent 0 failed
TreeDisconnects: 0 sent 0 failed
Creates: 0 sent 151514 failed
Closes: 0 sent 2 failed
Flushes: 0 sent 0 failed
Reads: 0 sent 0 failed
Writes: 0 sent 0 failed
Locks: 0 sent 0 failed
IOCTLs: 0 sent 0 failed
Cancels: 0 sent 0 failed
Echos: 0 sent 0 failed
QueryDirectories: 0 sent 1768 failed
ChangeNotifies: 0 sent 0 failed
QueryInfos: 0 sent 1 failed
SetInfos: 0 sent 0 failed
OplockBreaks: 0 sent 2324 failed

** Attachment added: "4.15.0-48.51~lp1824981-generic_kernel.log"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+attachment/5258116/+files/4.15.0-48.51~lp1824981-generic_kernel.log
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Here are some details from proc on what is happening on our servers. Both running 4.15.0-47-generic.

server13 / uptime 2 days

# cat /proc/fs/cifs/Stats
Resources in use
CIFS Session: 1
Share (unique mount targets): 2
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0

7 session 14 share reconnects
Total vfs operations: 7223031 maximum at one time: 102

1) \\server\share
SMBs: 13497286
Negotiates: 0 sent 0 failed
SessionSetups: 0 sent 0 failed
Logoffs: 0 sent 0 failed
TreeConnects: 502 sent 0 failed
TreeDisconnects: 0 sent 0 failed
Creates: 0 sent 466291 failed
Closes: 0 sent 2 failed
Flushes: 0 sent 0 failed
Reads: 0 sent 19 failed
Writes: 0 sent 0 failed
Locks: 0 sent 0 failed
IOCTLs: 0 sent 0 failed
Cancels: 0 sent 0 failed
Echos: 0 sent 0 failed
QueryDirectories: 0 sent 14011 failed
ChangeNotifies: 0 sent 0 failed
QueryInfos: 0 sent 0 failed
SetInfos: 0 sent 0 failed
OplockBreaks: 0 sent 16 failed

server15 / uptime 5 days

# cat /proc/fs/cifs/Stats
Resources in use
CIFS Session: 1
Share (unique mount targets): 2
SMB Request/Response Buffer: 1 Pool size: 5
SMB Small Req/Resp Buffer: 1 Pool size: 30
Operations (MIDs): 0

1 session 2 share reconnects
Total vfs operations: 118861442 maximum at one time: 52

1) \\server\share
SMBs: 122017565
Negotiates: 0 sent 0 failed
SessionSetups: 0 sent 0 failed
Logoffs: 0 sent 0 failed
TreeConnects: 19970 sent 0 failed
TreeDisconnects: 0 sent 0 failed
Creates: 0 sent 738187 failed
Closes: 0 sent 0 failed
Flushes: 0 sent 0 failed
Reads: 0 sent 41 failed
Writes: 0 sent 0 failed
Locks: 0 sent 0 failed
IOCTLs: 0 sent 0 failed
Cancels: 0 sent 0 failed
Echos: 0 sent 0 failed
QueryDirectories: 0 sent 9776 failed
ChangeNotifies: 0 sent 0 failed
QueryInfos: 0 sent 0 failed
SetInfos: 0 sent 0 failed
OplockBreaks: 0 sent 3301 failed
https://bugs.launchpad.net/bugs/1824981

Title:
  cifs set_oplock buffer overflow in strcat

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04.2 LTS
  Linux SRV013 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
  DELL R740, 2 CPU (40 Cores, 80 Threads), 384 GiB RAM

  top - 12:39:53 up 3:41, 4 users, load average: 66.19, 64.06, 76.90
  Tasks: 1076 total, 1 running, 675 sleeping, 12 stopped, 1 zombie
  %Cpu(s): 28.2 us, 0.3 sy, 0.0 ni, 71.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
  KiB Mem : 39483801+total, 24077185+free, 57428284 used, 96637872 buff/cache
  KiB Swap: 999420 total, 999420 free, 0 used. 33477683+avail Mem

  We've seen the following bug many times since we introduced new machines running Ubuntu 18. Wasn't an issue on older machines running Ubuntu 16. Three different machines are affected, so it's rather not a hardware issue.

  | detected buffer overflow in strcat
  | [ cut here ]
  | kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
  | invalid opcode: [#1] SMP PTI
  | Modules linked in: [...]
  | Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
  | RIP: 0010:fortify_panic+0x13/0x22
  | [...]
  | Call Trace:
  |  smb21_set_oplock_level+0x147/0x1a0 [cifs]
  |  smb3_set_oplock_level+0x22/0x90 [cifs]
  |  smb2_set_fid+0x76/0xb0 [cifs]
  |  cifs_new_fileinfo+0x259/0x390 [cifs]
  |  ? smb2_get_lease_key+0x40/0x40 [cifs]
  |  ? cifs_new_fileinfo+0x259/0x390 [cifs]
  |  cifs_open+0x3db/0x8d0 [cifs]
  | [...]
  (Full dmesg output attached)

  After hitting this bug there are many cifs related dmesg entries, processes lock up and eventually the system freezes.

  The share is mounted using:
  //server/share /mnt/server/ cifs defaults,auto,iocharset=utf8,noperm,file_mode=0777,dir_mode=0777,credentials=/root/passwords/share,domain=myDomain,uid=myUser,gid=10513,mfsymlinks

  Currently we're testing the cifs mount option "cache=none" as the bug seems to be oplock related.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
I tried Ubuntu kernel "4.18.0-17-generic #18~18.04.1-Ubuntu". Crashed the same way on high load as the 4.15.0-47 does. Now testing 4.15.0-48 from Kai-Heng.

Still haven't found the trigger for that bug. Seems to be load related - we're having five servers each running many threads reading/writing gigabytes of data to the share. There might be even 100+ processes trying to set a lock on the same file at the same time. Seems to get better if we reduce the number of parallel threads.
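The trace in this report ends in fortify_panic() called from strcat() inside smb21_set_oplock_level(), reached from cifs_open() while many processes open and lock the same file. The C program below is an added example written for this page, not the cifs module's code: it models the shape behind such a crash, a small log-message buffer filled by strcat() under the control of a per-inode oplock word that another thread can clear part-way through, and puts the racy shape beside the hardened one that derives both the flags and the message from a local copy and publishes the result with one store. The constant names, the 5-byte buffer, the "R"/"H"/"W"/"None" tags and the clear_oplock() hook that stands in for the interfering thread are assumptions for the demonstration; fortified_strcat() plays the role of the FORTIFY_SOURCE check and returns false where the kernel would panic.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed lease bits, cached-state flags and log tags; the names are this example's. */
#define LEASE_READ_CACHING   0x01u
#define LEASE_HANDLE_CACHING 0x02u
#define LEASE_WRITE_CACHING  0x04u
#define LEASE_ALL (LEASE_READ_CACHING | LEASE_HANDLE_CACHING | LEASE_WRITE_CACHING)
#define CACHE_READ_FLG   0x1u
#define CACHE_HANDLE_FLG 0x2u
#define CACHE_WRITE_FLG  0x4u

static const struct { unsigned int lease, cache; const char *tag; } bits[] = {
    { LEASE_READ_CACHING,   CACHE_READ_FLG,   "R" },
    { LEASE_HANDLE_CACHING, CACHE_HANDLE_FLG, "H" },
    { LEASE_WRITE_CACHING,  CACHE_WRITE_FLG,  "W" },
};

struct inode_info { unsigned int oplock; };   /* shared; also written on oplock break */

typedef void (*interleave_fn)(struct inode_info *ci);   /* the interfering thread; NULL = none */
typedef bool (*variant_fn)(struct inode_info *, unsigned int, interleave_fn, char *, size_t);

/* Constructed stand-in for an oplock break on another CPU clearing the cached state. */
void clear_oplock(struct inode_info *ci) { ci->oplock = 0; }

/* strcat() with the bound FORTIFY_SOURCE enforces: where the kernel would call
 * fortify_panic(), this returns false and leaves dst unchanged. */
static bool fortified_strcat(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst), add = strlen(src);
    if (used + add + 1 > dst_size)
        return false;
    memcpy(dst + used, src, add + 1);
    return true;
}

/* Racy pattern: the shared field is updated bit by bit, then re-read to decide
 * whether to append "None". message[5] can hold "RHW\0" or "None\0", never both;
 * if the field is cleared before the final check, 8 bytes are requested. */
bool set_oplock_racy(struct inode_info *ci, unsigned int oplock,
                     interleave_fn hook, char *out, size_t out_size)
{
    char message[5] = {0};
    bool ok = true;
    ci->oplock = 0;
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (oplock & bits[i].lease) {
            ci->oplock |= bits[i].cache;          /* partial state visible to others */
            ok = fortified_strcat(message, sizeof message, bits[i].tag) && ok;
        }
    }
    if (hook)
        hook(ci);                                 /* the other thread runs here */
    if (!ci->oplock)                              /* re-read of shared state: the bug */
        ok = fortified_strcat(message, sizeof message, "None") && ok;
    snprintf(out, out_size, "%s", message);
    return ok;
}

/* Hardened pattern: flags and message come from a local copy and the result is
 * published with one store, so the interleaving cannot change the byte count. */
bool set_oplock_fixed(struct inode_info *ci, unsigned int oplock,
                      interleave_fn hook, char *out, size_t out_size)
{
    char message[5] = {0};
    unsigned int new_oplock = 0;
    bool ok = true;
    for (size_t i = 0; i < sizeof bits / sizeof bits[0]; i++) {
        if (oplock & bits[i].lease) {
            new_oplock |= bits[i].cache;
            ok = fortified_strcat(message, sizeof message, bits[i].tag) && ok;
        }
    }
    if (hook)
        hook(ci);                                 /* same interleaving, now harmless */
    if (!new_oplock)                              /* decided from the local copy */
        ok = fortified_strcat(message, sizeof message, "None") && ok;
    ci->oplock = new_oplock;                      /* single publication of the result */
    snprintf(out, out_size, "%s", message);
    return ok;
}

/* True when the variant hits no bound and produces exactly `expect`. */
bool scenario(variant_fn v, unsigned int oplock, interleave_fn hook, const char *expect)
{
    struct inode_info ci = {0};
    char msg[8];
    return v(&ci, oplock, hook, msg, sizeof msg) && strcmp(msg, expect) == 0;
}

int main(void)
{
    printf("racy, undisturbed:     %s\n", scenario(set_oplock_racy,  LEASE_ALL, NULL,         "RHW") ? "ok" : "bound hit");
    printf("racy, oplock cleared:  %s\n", scenario(set_oplock_racy,  LEASE_ALL, clear_oplock, "RHW") ? "ok" : "bound hit");
    printf("fixed, oplock cleared: %s\n", scenario(set_oplock_fixed, LEASE_ALL, clear_oplock, "RHW") ? "ok" : "bound hit");
    return 0;
}
```

Build with `cc -Wall -o oplock_race oplock_race.c` and run it; only the second line reports a bound hit, which is the userspace equivalent of the fortify_panic() in the trace. Note what the hardened shape does and does not buy: the buffer can no longer overflow, because its content is fixed by the local copy, but the final store still overwrites whatever the interfering thread wrote to the shared field. That narrows the race rather than serializing the writers; whether the field needs a lock is a separate decision.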
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Please test this kernel:
https://people.canonical.com/~khfeng/lp1824981/
[Kernel-packages] [Bug 1824981] Re: cifs set_oplock buffer overflow in strcat
Seems there is already a discussion thread on Linux-CIFS:
https://lore.kernel.org/linux-cifs/cadjhv_utw3yi1ujrvde_kkrf4gnjwnup1tuzuihcefzbo7h...@mail.gmail.com/T/