Bug 1986138 - Lockd invalid cast to nlm_lockowner
Summary: Lockd invalid cast to nlm_lockowner
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: kernel
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: 8.5
Assignee: Benjamin Coddington
QA Contact: Zhi Li
Depends On:
Blocks: 1991327 2000899 2010820
TreeView+ depends on / blocked
Reported: 2021-07-26 18:10 UTC by Benjamin Coddington
Modified: 2021-11-10 06:19 UTC (History)
16 users (show)

Fixed In Version: kernel-4.18.0-341.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1991327 2000899 2010820 (view as bug list)
Last Closed: 2021-11-09 19:25:28 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Gitlab redhat/rhel/src/kernel rhel-8 merge_requests 1245 0 None None None 2021-08-26 13:21:21 UTC
Red Hat Knowledge Base (Solution) 6134051 0 None None None 2021-07-26 19:32:41 UTC
Red Hat Product Errata RHSA-2021:4356 0 None None None 2021-11-09 19:26:12 UTC

Description Benjamin Coddington 2021-07-26 18:10:37 UTC
A F_GETLK sent to lockd that returns a conflicting lock can cause a crash because the fl_owner is not guaranteed to be struct nlm_lockowner.  We need provisionally pending patch:


Here's a simple demonstration for a system that has exported /exports and mounted that export on a NFSv3 mount on /mnt/localhost:

#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <fcntl.h>

#define LOCALFILE    "/exports/foo"
#define NFSFILE    "/mnt/localhost/foo"

main(int argc, char **argv)
	int local_fd, nfs_fd, ret;

	struct flock lck_one = {
		.l_whence = SEEK_SET,
		.l_start  = 0,
		.l_len    = 4,

	struct flock lck_two = {
		.l_whence = SEEK_SET,
		.l_start  = 0,
		.l_len    = 4,

	local_fd = open(LOCALFILE, O_RDWR|O_CREAT, 0666);
	nfs_fd = open(NFSFILE, O_RDWR|O_CREAT, 0666);

	lck_one.l_type = F_WRLCK;
	ret = fcntl(local_fd, F_SETLKW, &lck_one);
	ret = fcntl(nfs_fd, F_GETLK, &lck_two);

Comment 29 Zhi Li 2021-09-14 01:36:27 UTC
Moving to VERIFIED according to Comment#26.

Comment 31 Dave Wysochanski 2021-09-14 14:43:21 UTC
This is a regression from 8.2.0 kernels (4.18.0-193*el8), with a simple fix, per Roberto's analysis of the commit in question:
Since 8.3 we got this commit :
    [fs] lockd: Show pid of lockd for remote locks
-       conflock->svid = lock->fl.fl_pid;
+       conflock->svid = ((struct nlm_lockowner *)lock->fl.fl_owner)->pid;  <<<---

Comment 38 errata-xmlrpc 2021-11-09 19:25:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.