| 2019-12-19 06:46:14 |
Juerg Haefliger |
bug |
|
|
added bug |
| 2019-12-19 06:48:09 |
Juerg Haefliger |
nominated for series |
|
Ubuntu Focal |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
bug task added |
|
linux (Ubuntu Focal) |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
bug task added |
|
linux (Ubuntu Bionic) |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
nominated for series |
|
Ubuntu Eoan |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
bug task added |
|
linux (Ubuntu Eoan) |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
nominated for series |
|
Ubuntu Xenial |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
bug task added |
|
linux (Ubuntu Xenial) |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
nominated for series |
|
Ubuntu Disco |
|
| 2019-12-19 06:48:09 |
Juerg Haefliger |
bug task added |
|
linux (Ubuntu Disco) |
|
| 2019-12-19 06:57:00 |
Juerg Haefliger |
description |
[598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038
...
[598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
[598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
...
[598428.945834] Call Trace:
[598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs]
[598428.945901] cifs_oplock_break+0x13d/0x450 [cifs]
[598428.945909] process_one_work+0x1db/0x380
[598428.945914] worker_thread+0x4d/0x400
[598428.945921] kthread+0x104/0x140
[598428.945925] ? process_one_work+0x380/0x380
[598428.945931] ? kthread_park+0x80/0x80
[598428.945937] ret_from_fork+0x35/0x40 |
[Impact]
Currently when the client creates a cifsFileInfo structure for
a newly opened file, it allocates a list of byte-range locks
with a pointer to the new cfile and attaches this list to the
inode's lock list. The latter happens before initializing all
other fields, e.g. cfile->tlink. Thus a partially initialized
cifsFileInfo structure becomes available to other threads that
walk through the inode's lock list. One example of such a thread
may be an oplock break worker thread that tries to push all
cached byte-range locks. This causes NULL-pointer dereference
in smb2_push_mandatory_locks() when accessing cfile->tlink:
[598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038
...
[598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
[598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
...
[598428.945834] Call Trace:
[598428.945870] ? cifs_revalidate_mapping+0x45/0x90 [cifs]
[598428.945901] cifs_oplock_break+0x13d/0x450 [cifs]
[598428.945909] process_one_work+0x1db/0x380
[598428.945914] worker_thread+0x4d/0x400
[598428.945921] kthread+0x104/0x140
[598428.945925] ? process_one_work+0x380/0x380
[598428.945931] ? kthread_park+0x80/0x80
[598428.945937] ret_from_fork+0x35/0x40
[Test Case]
TBD.
[Fix]
Backport commit 6f582b273ec23332074d970a7fb25bef835df71f ("CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks")
[Regression Potential]
Low. The patch is fairly simple and it's tagged for stable kernels. In fact it is already in some of the released upstream stable kernels. |
|
| 2019-12-19 06:59:20 |
Juerg Haefliger |
bug task deleted |
linux (Ubuntu Focal) |
|
|
| 2019-12-19 07:00:07 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Incomplete |
|
| 2019-12-19 07:00:09 |
Ubuntu Kernel Bot |
linux (Ubuntu Bionic): status |
New |
Incomplete |
|
| 2019-12-19 07:00:10 |
Ubuntu Kernel Bot |
linux (Ubuntu Disco): status |
New |
Incomplete |
|
| 2019-12-19 07:00:12 |
Ubuntu Kernel Bot |
linux (Ubuntu Eoan): status |
New |
Incomplete |
|
| 2019-12-19 07:00:14 |
Ubuntu Kernel Bot |
linux (Ubuntu Xenial): status |
New |
Incomplete |
|
| 2020-01-06 12:16:09 |
Marcelo Cerri |
linux (Ubuntu Xenial): status |
Incomplete |
In Progress |
|
| 2020-01-06 12:16:11 |
Marcelo Cerri |
linux (Ubuntu Bionic): status |
Incomplete |
In Progress |
|
| 2020-01-06 12:16:13 |
Marcelo Cerri |
linux (Ubuntu Disco): status |
Incomplete |
In Progress |
|
| 2020-01-06 12:16:14 |
Marcelo Cerri |
linux (Ubuntu Eoan): status |
Incomplete |
In Progress |
|
| 2020-01-06 12:32:20 |
Kleber Sacilotto de Souza |
linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
| 2020-01-06 12:36:33 |
Kleber Sacilotto de Souza |
linux (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
| 2020-01-06 12:36:36 |
Kleber Sacilotto de Souza |
linux (Ubuntu Disco): status |
In Progress |
Fix Committed |
|
| 2020-01-06 12:36:39 |
Kleber Sacilotto de Souza |
linux (Ubuntu Eoan): status |
In Progress |
Fix Committed |
|
| 2020-01-06 14:10:15 |
Marcelo Cerri |
linux (Ubuntu): status |
Incomplete |
Fix Committed |
|
| 2020-01-09 16:09:12 |
Ubuntu Kernel Bot |
tags |
|
verification-needed-xenial |
|
| 2020-01-23 16:52:30 |
Juerg Haefliger |
tags |
verification-needed-xenial |
verification-done-xenial |
|
| 2020-01-23 17:57:40 |
Joseph Salisbury |
bug |
|
|
added subscriber Joseph Salisbury |
| 2020-01-27 12:13:59 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
| 2020-01-27 12:13:59 |
Launchpad Janitor |
cve linked |
|
2019-14615 |
|
| 2020-01-27 12:13:59 |
Launchpad Janitor |
cve linked |
|
2019-18885 |
|
| 2020-01-27 12:13:59 |
Launchpad Janitor |
cve linked |
|
2019-19062 |
|
| 2020-01-27 12:13:59 |
Launchpad Janitor |
cve linked |
|
2019-19332 |
|
| 2020-01-30 14:24:15 |
Guilherme G. Piccoli |
bug |
|
|
added subscriber Guilherme G. Piccoli |
| 2020-07-02 19:58:26 |
Steve Langasek |
linux (Ubuntu Disco): status |
Fix Committed |
Won't Fix |
|
| 2020-07-03 06:49:52 |
Juerg Haefliger |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2020-07-03 06:50:21 |
Juerg Haefliger |
linux (Ubuntu Eoan): status |
Fix Committed |
Fix Released |
|
