cifs: kernel NULL pointer dereference, address: 0000000000000038
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Committed | Undecided | Unassigned |
Xenial | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Disco | Won't Fix | Undecided | Unassigned |
Eoan | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Currently when the client creates a cifsFileInfo structure for
a newly opened file, it allocates a list of byte-range locks
with a pointer to the new cfile and attaches this list to the
inode's lock list. The latter happens before initializing all
other fields, e.g. cfile->tlink. Thus a partially initialized
cifsFileInfo structure becomes available to other threads that
walk through the inode's lock list. One example of such a thread
may be an oplock break worker thread that tries to push all
cached byte-range locks. This causes NULL-pointer dereference
in smb2_push_
[598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038
...
[598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
[598428.945793] RIP: 0010:smb2_
...
[598428.945834] Call Trace:
[598428.945870] ? cifs_revalidate
[598428.945901] cifs_oplock_
[598428.945909] process_
[598428.945914] worker_
[598428.945921] kthread+0x104/0x140
[598428.945925] ? process_
[598428.945931] ? kthread_
[598428.945937] ret_from_
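To make the ordering problem concrete, the following is a constructed, single-threaded C model added for this page; it is not the cifs code and not the backported patch. The names cfile, tlink, llist, inode_locks, push_locks_worker and the observe hook are simplified stand-ins for cifsFileInfo, its tlink pointer, the inode's lock list and the oplock-break worker. The hook stands in for the worker being scheduled in the window between the structure being linked into the shared list and its fields being filled in; where the real worker would dereference the NULL tlink, the model counts the hit instead.

```c
/*
 * Constructed model of the initialisation-order bug (not kernel code).
 * Buggy order: link the new file structure into the inode's lock list,
 * then fill in its fields.  Fixed order: fill in every field first, then
 * publish.  The "worker" counts NULL tlink pointers instead of crashing.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive doubly linked list, modelled on the kernel's list_head. */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct tcon { int id; };                 /* stand-in for the tree connection */

/* Stand-in for cifsFileInfo: reachable from the inode via llist. */
struct cfile {
    struct tcon      *tlink;             /* NULL until initialised */
    struct list_head  llist;             /* linked into inode_locks::llist */
};

/* Stand-in for the per-inode lock list. */
struct inode_locks { struct list_head llist; };

/* Constructed hook: called at the moment another thread could run. */
typedef void (*observer_fn)(struct inode_locks *, int *);

/* Stand-in for the oplock-break worker pushing cached byte-range locks:
 * walks every lock list on the inode and records a hit wherever the real
 * code would dereference a still-NULL tlink pointer. */
static void push_locks_worker(struct inode_locks *ino, int *null_hits)
{
    for (struct list_head *p = ino->llist.next; p != &ino->llist; p = p->next) {
        struct cfile *cf = container_of(p, struct cfile, llist);
        if (cf->tlink == NULL)
            (*null_hits)++;              /* real code: NULL pointer dereference */
    }
}

/* Buggy order: publish to the shared list first, set tlink afterwards. */
static struct cfile *new_fileinfo_buggy(struct inode_locks *ino, struct tcon *tc,
                                        observer_fn observe, int *hits)
{
    struct cfile *cf = calloc(1, sizeof(*cf));
    if (!cf) abort();
    list_add_tail(&cf->llist, &ino->llist);   /* visible to other threads here */
    observe(ino, hits);                        /* worker runs: tlink still NULL */
    cf->tlink = tc;
    return cf;
}

/* Fixed order: initialise every field, then publish.  Nothing reachable
 * from the inode ever points at a half-initialised structure. */
static struct cfile *new_fileinfo_fixed(struct inode_locks *ino, struct tcon *tc,
                                        observer_fn observe, int *hits)
{
    struct cfile *cf = calloc(1, sizeof(*cf));
    if (!cf) abort();
    cf->tlink = tc;
    observe(ino, hits);                        /* worker runs: cf not yet listed */
    list_add_tail(&cf->llist, &ino->llist);
    return cf;
}

/* Returns how many NULL tlink pointers the worker would have touched. */
static int run_scenario(int fixed)
{
    struct inode_locks ino;
    struct tcon tc = { .id = 1 };
    int hits = 0;
    struct cfile *cf;

    list_init(&ino.llist);
    cf = fixed ? new_fileinfo_fixed(&ino, &tc, push_locks_worker, &hits)
               : new_fileinfo_buggy(&ino, &tc, push_locks_worker, &hits);
    free(cf);
    return hits;
}

int main(void)
{
    printf("buggy order: worker saw %d NULL tlink(s)\n", run_scenario(0));
    printf("fixed order: worker saw %d NULL tlink(s)\n", run_scenario(1));
    return 0;
}
```

The model is deterministic on purpose: the hook replaces the scheduler so the window is always hit. In the real driver the same property must hold under genuine concurrency, so the publish step (the list insertion) is what has to come last, under whatever lock protects the inode's lock list.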
[Test Case]
TBD.
[Fix]
Backport commit 6f582b273ec2333
[Regression Potential]
Low. The patch is fairly simple and it's tagged for stable kernels. In fact it is already in some of the released upstream stable kernels.
CVE References
description: updated
no longer affects: linux (Ubuntu Focal)
Changed in linux (Ubuntu Xenial): status: Incomplete → In Progress
Changed in linux (Ubuntu Bionic): status: Incomplete → In Progress
Changed in linux (Ubuntu Disco): status: Incomplete → In Progress
Changed in linux (Ubuntu Eoan): status: Incomplete → In Progress
Changed in linux (Ubuntu Xenial): status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic): status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco): status: In Progress → Fix Committed
Changed in linux (Ubuntu Eoan): status: In Progress → Fix Committed
Changed in linux (Ubuntu): status: Incomplete → Fix Committed
tags: added: verification-done-xenial; removed: verification-needed-xenial
Changed in linux (Ubuntu Disco): status: Fix Committed → Won't Fix
Changed in linux (Ubuntu Bionic): status: Fix Committed → Fix Released
Changed in linux (Ubuntu Eoan): status: Fix Committed → Fix Released
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1856949
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.