** Description changed:
- [598428.945633] BUG: kernel NULL pointer dereference, address:
0000000000000038
- ...
- [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
- [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
- ...
- [598428.945834] Call Trace:
- [598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs]
- [598428.945901] cifs_oplock_break+0x13d/0x450 [cifs]
- [598428.945909] process_one_work+0x1db/0x380
- [598428.945914] worker_thread+0x4d/0x400
- [598428.945921] kthread+0x104/0x140
- [598428.945925] ? process_one_work+0x380/0x380
- [598428.945931] ? kthread_park+0x80/0x80
- [598428.945937] ret_from_fork+0x35/0x40
+ [Impact]
+
+ Currently when the client creates a cifsFileInfo structure for
+ a newly opened file, it allocates a list of byte-range locks
+ with a pointer to the new cfile and attaches this list to the
+ inode's lock list. The latter happens before initializing all
+ other fields, e.g. cfile->tlink. Thus a partially initialized
+ cifsFileInfo structure becomes available to other threads that
+ walk through the inode's lock list. One example of such a thread
+ may be an oplock break worker thread that tries to push all
+ cached byte-range locks. This causes NULL-pointer dereference
+ in smb2_push_mandatory_locks() when accessing cfile->tlink:
+
+ [598428.945633] BUG: kernel NULL pointer dereference, address:
0000000000000038
+ ...
+ [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
+ [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
+ ...
+ [598428.945834] Call Trace:
+ [598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs]
+ [598428.945901] cifs_oplock_break+0x13d/0x450 [cifs]
+ [598428.945909] process_one_work+0x1db/0x380
+ [598428.945914] worker_thread+0x4d/0x400
+ [598428.945921] kthread+0x104/0x140
+ [598428.945925] ? process_one_work+0x380/0x380
+ [598428.945931] ? kthread_park+0x80/0x80
+ [598428.945937] ret_from_fork+0x35/0x40
+
+
+ [Test Case]
+
+ TBD.
+
+
+ [Fix]
+
+ Backport commit 6f582b273ec23332074d970a7fb25bef835df71f ("CIFS: Fix
+ NULL-pointer dereference in smb2_push_mandatory_locks")
+
+ [Regression Potential]
+
+ Low. The patch is fairly simple and it's tagged for stable kernels. In
+ fact it is already in some of the released upstream stable kernels.
** No longer affects: linux (Ubuntu Focal)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1856949
Title:
cifs: kernel NULL pointer dereference, address: 0000000000000038
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1856949/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
