[Bug 1856949] Re: cifs: kernel NULL pointer dereference, address: 0000000000000038

Wed, 18 Dec 2019 23:11:47 -0800 

** Description changed:

-     [598428.945633] BUG: kernel NULL pointer dereference, address: 
0000000000000038
-     ...
-     [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
-     [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
-     ...
-     [598428.945834] Call Trace:
-     [598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
-     [598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
-     [598428.945909]  process_one_work+0x1db/0x380
-     [598428.945914]  worker_thread+0x4d/0x400
-     [598428.945921]  kthread+0x104/0x140
-     [598428.945925]  ? process_one_work+0x380/0x380
-     [598428.945931]  ? kthread_park+0x80/0x80
-     [598428.945937]  ret_from_fork+0x35/0x40
+ [Impact]
+ 
+ Currently when the client creates a cifsFileInfo structure for
+ a newly opened file, it allocates a list of byte-range locks
+ with a pointer to the new cfile and attaches this list to the
+ inode's lock list. The latter happens before initializing all
+ other fields, e.g. cfile->tlink. Thus a partially initialized
+ cifsFileInfo structure becomes available to other threads that
+ walk through the inode's lock list. One example of such a thread
+ may be an oplock break worker thread that tries to push all
+ cached byte-range locks. This causes NULL-pointer dereference
+ in smb2_push_mandatory_locks() when accessing cfile->tlink:
+ 
+ [598428.945633] BUG: kernel NULL pointer dereference, address: 
0000000000000038
+ ...
+ [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
+ [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
+ ...
+ [598428.945834] Call Trace:
+ [598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
+ [598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
+ [598428.945909]  process_one_work+0x1db/0x380
+ [598428.945914]  worker_thread+0x4d/0x400
+ [598428.945921]  kthread+0x104/0x140
+ [598428.945925]  ? process_one_work+0x380/0x380
+ [598428.945931]  ? kthread_park+0x80/0x80
+ [598428.945937]  ret_from_fork+0x35/0x40
+ 
+ 
+ [Test Case]
+ 
+ TBD.
+ 
+ 
+ [Fix]
+ 
+ Backport commit 6f582b273ec23332074d970a7fb25bef835df71f ("CIFS: Fix
+ NULL-pointer dereference in smb2_push_mandatory_locks")
+ 
+ [Regression Potential]
+ 
+ Low. The patch is fairly simple and it's tagged for stable kernels. In
+ fact it is already in some of the released upstream stable kernels.

** No longer affects: linux (Ubuntu Focal)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856949

Title:
  cifs: kernel NULL pointer dereference, address: 0000000000000038

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1856949/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to