Kernel panic due to BUG: unable to handle kernel NULL pointer dereference at smb2_push_mandatory_locks
Issue
- The system crashes with a kernel panic due to a NULL pointer dereference inside the cifs function "smb2_push_mandatory_locks()".
- Example stack trace seen in /var/crash/*/vmcore-dmesg.txt or in vmcore:
[42316.412512] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
[42316.412586] IP: [<ffffffffc06c3446>] smb2_push_mandatory_locks+0x116/0x3cd [cifs]
[42316.412673] PGD 8000001f4e7f2067 PUD 1f7fbb8067 PMD 0
[42316.412716] Oops: 0000 [#1] SMP
[42316.412745] Modules linked in: cmac arc4 md4 nls_utf8 cifs dns_resolver binfmt_misc vmw_vsock_vmci_transport vsock xfs libcrc32c sb_edac edac_core coretemp iosf_mbi crc32_pclmul ghash_clmulni_intel aesni_intel lrw ppdev gf128mul glue_helper vmw_balloon ablk_helper pcspkr cryptd joydev sg i2c_piix4 parport_pc parport shpchp vmw_vmci nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif crct10dif_generic ata_generic pata_acpi vmwgfx drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm ahci libahci ata_piix crct10dif_pclmul crct10dif_common crc32c_intel libata vmxnet3 serio_raw i2c_core vmw_pvscsi floppy dm_mirror dm_region_hash dm_log dm_mod
[42316.413369] CPU: 1 PID: 56936 Comm: kworker/1:2 Not tainted 3.10.0-693.17.1.el7.x86_64 #1
[42316.413630] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/17/2015
[42316.413889] Workqueue: cifsiod cifs_oplock_break [cifs]
[42316.414082] task: ffff881faf688fd0 ti: ffff881f42bb4000 task.ti: ffff881f42bb4000
[42316.414305] RIP: 0010:[<ffffffffc06c3446>] [<ffffffffc06c3446>] smb2_push_mandatory_locks+0x116/0x3cd [cifs]
[42316.414567] RSP: 0018:ffff881f42bb7d60 EFLAGS: 00010246
[42316.414757] RAX: 0000000000000000 RBX: ffff881fae727118 RCX: ffffea007cfae45c
[42316.414985] RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffff881f3eba0000
[42316.415215] RBP: ffff881f42bb7dc8 R08: ffffffff81919eff R09: ffffea007cfae800
[42316.415445] R10: ffffea007cfae440 R11: ffff881f3eb90000 R12: ffff881fae727118
[42316.415677] R13: 0000000000000aaa R14: ffff881fae727100 R15: ffff881f4ca30a00
[42316.415912] FS: 0000000000000000(0000) GS:ffff881fbe640000(0000) knlGS:0000000000000000
[42316.416158] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[42316.416367] CR2: 0000000000000038 CR3: 0000001fbc484000 CR4: 00000000000607e0
[42316.416659] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[42316.416961] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[42316.417215] Call Trace:
[42316.417400] [<ffffffffc06966b1>] cifs_oplock_break+0x111/0x390 [cifs]
[42316.417647] [<ffffffff810aa59a>] process_one_work+0x17a/0x440
[42316.417828] [<ffffffff810ab266>] worker_thread+0x126/0x3c0
[42316.417870] [<ffffffff810ab140>] ? manage_workers.isra.24+0x2a0/0x2a0
[42316.417917] [<ffffffff810b270f>] kthread+0xcf/0xe0
[42316.417954] [<ffffffff810b2640>] ? insert_kthread_work+0x40/0x40
[42316.418000] [<ffffffff816b8798>] ret_from_fork+0x58/0x90
[42316.418039] [<ffffffff810b2640>] ? insert_kthread_work+0x40/0x40
[42316.418080] Code: 65 48 8b 04 25 00 0e 01 00 4d 89 fb 48 89 45 b0 48 89 45 a0 90 4d 8b 7e 10 49 8b 5e 18 4d 8d 66 18 49 8b 87 90 00 00 00 4c 39 e3 <48> 8b 40 38 48 89 45 d0 0f 84 a8 00 00 00 4c 89 75 b8 4c 89 da
[42316.418337] RIP [<ffffffffc06c3446>] smb2_push_mandatory_locks+0x116/0x3cd [cifs]
[42316.418408] RSP <ffff881f42bb7d60>
[42316.418433] CR2: 0000000000000038
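To check whether a host's saved kdump output carries this particular oops, here is an added example (not Red Hat's own tooling) that parses a vmcore-dmesg.txt, pulls out the fault address, the faulting symbol and module, the kernel version and the workqueue, and flags the signature shown above. The symbol, module and workqueue names come from the trace above, as does the /var/crash/*/vmcore-dmesg.txt layout; the bracket-less "RIP: 0010:symbol+off/len" and "BUG: kernel NULL pointer dereference, address:" spellings it also accepts are assumptions about what newer (4.18+) kernels print. The embedded sample input is the trace above, trimmed to the lines the parser reads.

```python
"""Added example, not Red Hat tooling: parse a kernel oops from vmcore-dmesg.txt
and flag the cifs smb2_push_mandatory_locks NULL pointer dereference.

Names in SIGNATURE come from the article's trace; the newer-kernel line
spellings accepted by BUG_RE / RIP_RE / FRAME_RE are assumptions.
"""
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional, Tuple

PAGE_SIZE = 4096  # the NULL page is never mapped: a fault below it is NULL + field offset
SIGNATURE = ("smb2_push_mandatory_locks", "cifs")  # (function, module) from the article

# Constructed sample: the article's oops, trimmed to the lines the parser reads.
SAMPLE_DMESG = """\
[42316.412512] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
[42316.412586] IP: [<ffffffffc06c3446>] smb2_push_mandatory_locks+0x116/0x3cd [cifs]
[42316.412716] Oops: 0000 [#1] SMP
[42316.413369] CPU: 1 PID: 56936 Comm: kworker/1:2 Not tainted 3.10.0-693.17.1.el7.x86_64 #1
[42316.413889] Workqueue: cifsiod cifs_oplock_break [cifs]
[42316.414305] RIP: 0010:[<ffffffffc06c3446>]  [<ffffffffc06c3446>] smb2_push_mandatory_locks+0x116/0x3cd [cifs]
[42316.417215] Call Trace:
[42316.417400]  [<ffffffffc06966b1>] cifs_oplock_break+0x111/0x390 [cifs]
[42316.417647]  [<ffffffff810aa59a>] process_one_work+0x17a/0x440
[42316.417828]  [<ffffffff810ab266>] worker_thread+0x126/0x3c0
[42316.417870]  [<ffffffff810ab140>] ? manage_workers.isra.24+0x2a0/0x2a0
[42316.417917]  [<ffffffff810b270f>] kthread+0xcf/0xe0
[42316.418000]  [<ffffffff816b8798>] ret_from_fork+0x58/0x90
[42316.418433] CR2: 0000000000000038
"""

# Old (3.10) and assumed newer (4.18+) spellings of the same facts.
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
BUG_RE = re.compile(r"NULL pointer dereference(?: at|, address:) ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP: \d+:(?:\[<[0-9a-f]+>\]\s*)*([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?:\s+\[(\w+)\])?")
COMM_RE = re.compile(r"Comm: (\S+) (?:Not tainted|Tainted:.*?) (\d+\.\d+\.\d+\S*)")
WQ_RE = re.compile(r"Workqueue: (\S+) (\S+(?: \[\w+\])?)")
FRAME_RE = re.compile(r"^(?:\[<[0-9a-f]+>\]\s+)?(\?\s+)?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?)")


@dataclass
class Oops:
    fault_addr: Optional[int] = None   # address from the BUG line (CR2)
    function: Optional[str] = None     # symbol at RIP
    offset: Optional[int] = None       # instruction offset inside that symbol
    module: Optional[str] = None       # module owning RIP, if any
    comm: Optional[str] = None
    kernel: Optional[str] = None
    workqueue: Optional[str] = None
    worker: Optional[str] = None
    call_trace: List[str] = field(default_factory=list)  # reliable frames only


def parse_oops(text: str) -> Oops:
    """Extract the triage fields from one oops; first match of each line wins."""
    oops, in_trace = Oops(), False
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                if not m.group(1):          # drop '?' frames, they are unreliable guesses
                    oops.call_trace.append(m.group(2))
                continue
            in_trace = False                # first non-frame line ends the trace
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        m = BUG_RE.search(line)
        if m and oops.fault_addr is None:
            oops.fault_addr = int(m.group(1), 16)
        m = RIP_RE.search(line)
        if m and oops.function is None:
            oops.function, oops.offset, oops.module = m.group(1), int(m.group(2), 16), m.group(3)
        m = COMM_RE.search(line)
        if m and oops.kernel is None:
            oops.comm, oops.kernel = m.group(1), m.group(2)
        m = WQ_RE.search(line)
        if m and oops.workqueue is None:
            oops.workqueue, oops.worker = m.group(1), m.group(2)
    return oops


def matches_cifs_signature(oops: Oops) -> bool:
    """True for a fault inside the NULL page with RIP in the article's function."""
    return (oops.fault_addr is not None and oops.fault_addr < PAGE_SIZE
            and (oops.function, oops.module) == SIGNATURE)


def summarize(oops: Oops) -> str:
    """One-line triage summary; with a NULL base the fault address is the field offset."""
    addr = "?" if oops.fault_addr is None else hex(oops.fault_addr)
    off = "?" if oops.offset is None else hex(oops.offset)
    return (f"fault at {addr} in {oops.function}+{off} [{oops.module}] kernel={oops.kernel} "
            f"comm={oops.comm} workqueue={oops.workqueue} worker={oops.worker} "
            f"frames={len(oops.call_trace)}")


def scan_crash_dir(root: str = "/var/crash") -> List[Tuple[str, Oops]]:
    """Walk the kdump layout named in the article and return the matching dumps."""
    hits = []
    for dmesg in sorted(Path(root).glob("*/vmcore-dmesg.txt")):
        oops = parse_oops(dmesg.read_text(errors="replace"))
        if matches_cifs_signature(oops):
            hits.append((str(dmesg), oops))
    return hits


if __name__ == "__main__":
    sample = parse_oops(SAMPLE_DMESG)
    print("sample matches:", matches_cifs_signature(sample))
    print(summarize(sample))
    for path, hit in scan_crash_dir():
        print(path, "->", summarize(hit))
```

The check requires the fault address to lie inside the first page rather than to be exactly zero: a small value such as 0x38 is the offset of the struct member that was read through a NULL base pointer, which is exactly what the BUG line above reports. Running the script on a host scans /var/crash/*/vmcore-dmesg.txt and prints one summary line per dump that matches, so the kernel version and workqueue of each affected machine can be collected before deciding on an update.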
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Seen on 4.18.0-147.el8 + various cifs patches