** Description changed: - [598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038 - ... - [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs] - [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs] - ... - [598428.945834] Call Trace: - [598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs] - [598428.945901] cifs_oplock_break+0x13d/0x450 [cifs] - [598428.945909] process_one_work+0x1db/0x380 - [598428.945914] worker_thread+0x4d/0x400 - [598428.945921] kthread+0x104/0x140 - [598428.945925] ? process_one_work+0x380/0x380 - [598428.945931] ? kthread_park+0x80/0x80 - [598428.945937] ret_from_fork+0x35/0x40 + [Impact] + + Currently when the client creates a cifsFileInfo structure for + a newly opened file, it allocates a list of byte-range locks + with a pointer to the new cfile and attaches this list to the + inode's lock list. The latter happens before initializing all + other fields, e.g. cfile->tlink. Thus a partially initialized + cifsFileInfo structure becomes available to other threads that + walk through the inode's lock list. One example of such a thread + may be an oplock break worker thread that tries to push all + cached byte-range locks. This causes NULL-pointer dereference + in smb2_push_mandatory_locks() when accessing cfile->tlink: + + [598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038 + ... + [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs] + [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs] + ... + [598428.945834] Call Trace: + [598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs] + [598428.945901] cifs_oplock_break+0x13d/0x450 [cifs] + [598428.945909] process_one_work+0x1db/0x380 + [598428.945914] worker_thread+0x4d/0x400 + [598428.945921] kthread+0x104/0x140 + [598428.945925] ? process_one_work+0x380/0x380 + [598428.945931] ? kthread_park+0x80/0x80 + [598428.945937] ret_from_fork+0x35/0x40 + + + [Test Case] + + TBD. + + + [Fix] + + Backport commit 6f582b273ec23332074d970a7fb25bef835df71f ("CIFS: Fix + NULL-pointer dereference in smb2_push_mandatory_locks") + + [Regression Potential] + + Low. The patch is fairly simple and it's tagged for stable kernels. In + fact it is already in some of the released upstream stable kernels.
** No longer affects: linux (Ubuntu Focal) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1856949 Title: cifs: kernel NULL pointer dereference, address: 0000000000000038 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1856949/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs