cifsd-team / ksmbd

ksmbd kernel server(SMB/CIFS server)

General protection fault with 5.18.0-rc4 (Complete system freeze) #559

Open woutershep opened 2 years ago

woutershep commented 2 years ago

I'm not fully sure what triggers it; it seems to work for a while and then randomly the entire system freezes. To help diagnose, I did a kernel build with KASAN enabled:

[11920.875992] ==================================================================
[11920.876000] BUG: KASAN: slab-out-of-bounds in fill_ace_for_sid.constprop.0+0x430/0x4c0
[11920.876017] Write of size 4 at addr ffff8881e5b18dc0 by task kworker/7:0/15657

[11920.876028] CPU: 7 PID: 15657 Comm: kworker/7:0 Tainted: G                T 5.18.0-rc4 #41
[11920.876036] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./ROMED8-2T, BIOS P3.20 03/31/2021
[11920.876043] Workqueue: ksmbd-io handle_ksmbd_work
[11920.876054] Call Trace:
[11920.876058]  <TASK>
[11920.876062]  dump_stack_lvl+0x34/0x45
[11920.876072]  print_report.cold+0x45/0x5a7
[11920.876081]  ? ret_from_fork+0x22/0x30
[11920.876089]  ? get_acl.part.0+0xbb/0x1e0
[11920.876097]  ? fill_ace_for_sid.constprop.0+0x430/0x4c0
[11920.876105]  kasan_report+0xa8/0xd0
[11920.876113]  ? fill_ace_for_sid.constprop.0+0x430/0x4c0
[11920.876120]  fill_ace_for_sid.constprop.0+0x430/0x4c0
[11920.876127]  ? mode_to_access_flags.constprop.0+0x160/0x160
[11920.876134]  ? from_kuid+0x87/0xc0
[11920.876142]  ? map_id_up+0x280/0x280
[11920.876148]  set_posix_acl_entries_dacl+0x387/0x12a0
[11920.876157]  build_sec_desc+0xf63/0x1a70
[11920.876165]  ? parse_sec_desc+0x580/0x580
[11920.876171]  ? btrfs_get_acl+0xc7/0x100
[11920.876180]  ? ksmbd_acls_fattr+0x2f8/0x400
[11920.876187]  smb2_query_info+0xa3a/0x4970
[11920.876194]  ? smb_map_generic_desired_access+0x60/0x60
[11920.876202]  ? psi_group_change+0x854/0xc70
[11920.876209]  ? xas_load+0x20/0x250
[11920.876217]  ? sched_clock_cpu+0x15/0x160
[11920.876224]  ? smb2_query_dir+0x1440/0x1440
[11920.876231]  ? _raw_spin_lock+0x7a/0xd0
[11920.876238]  ? _raw_read_lock_irq+0x40/0x40
[11920.876244]  ? ksmbd_smb2_check_message+0x101d/0x21c0
[11920.876250]  handle_ksmbd_work+0x317/0xfb0
[11920.876258]  process_one_work+0x764/0x1240
[11920.876268]  worker_thread+0x568/0x11f0
[11920.876276]  ? __kthread_parkme+0x97/0x120
[11920.876282]  ? process_one_work+0x1240/0x1240
[11920.876290]  kthread+0x254/0x2e0
[11920.876296]  ? kthread_complete_and_exit+0x20/0x20
[11920.876302]  ret_from_fork+0x22/0x30
[11920.876310]  </TASK>

[11920.876315] Allocated by task 15657:
[11920.876320]  kasan_save_stack+0x1e/0x40
[11920.876326]  __kasan_kmalloc+0x80/0xa0
[11920.876331]  smb2_allocate_rsp_buf+0x194/0x300
[11920.876338]  handle_ksmbd_work+0xa8/0xfb0
[11920.876344]  process_one_work+0x764/0x1240
[11920.876351]  worker_thread+0x568/0x11f0
[11920.876357]  kthread+0x254/0x2e0
[11920.876362]  ret_from_fork+0x22/0x30

[11920.876370] The buggy address belongs to the object at ffff8881e5b18c00
                which belongs to the cache kmalloc-512 of size 512
[11920.876375] The buggy address is located 448 bytes inside of
                512-byte region [ffff8881e5b18c00, ffff8881e5b18e00)

[11920.876383] The buggy address belongs to the physical page:
[11920.876387] page:00000000ff8cf0b8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e5b18
[11920.876395] head:00000000ff8cf0b8 order:3 compound_mapcount:0 compound_pincount:0
[11920.876400] flags: 0x5fff80000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff)
[11920.876413] raw: 05fff80000010200 0000000000000000 dead000000000001 ffff888100042c80
[11920.876419] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[11920.876423] page dumped because: kasan: bad access detected

[11920.876428] Memory state around the buggy address:
[11920.876431]  ffff8881e5b18c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[11920.876436]  ffff8881e5b18d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[11920.876440] >ffff8881e5b18d80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[11920.876443]                                            ^
[11920.876447]  ffff8881e5b18e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11920.876451]  ffff8881e5b18e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11920.876454] ==================================================================
[11920.876457] Disabling lock debugging due to kernel taint
[11932.246515] general protection fault, probably for non-canonical address 0xf38e85e41096a643: 0000 [#1] SMP KASAN
[11932.246652] KASAN: maybe wild-memory-access in range [0x9c744f2084b53218-0x9c744f2084b5321f]
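
The report above already tells most of the triage story once the shadow bytes are decoded: generic KASAN keeps one shadow byte per 8-byte granule, where 00 means the granule is fully accessible and fc marks the kmalloc redzone past the end of what was actually requested. The script below is an added example for this thread, not ksmbd or kernel code. It embeds the relevant lines of the report as a constructed sample, parses the access, the allocation site and the shadow rows, and then works out where the 4-byte write sits relative to the buffer that smb2_allocate_rsp_buf handed out; the field names and helper functions are the example's own.

```python
import re

# Constructed sample: the relevant lines of the KASAN report quoted in this issue.
KASAN_REPORT = """\
[11920.876000] BUG: KASAN: slab-out-of-bounds in fill_ace_for_sid.constprop.0+0x430/0x4c0
[11920.876017] Write of size 4 at addr ffff8881e5b18dc0 by task kworker/7:0/15657

[11920.876315] Allocated by task 15657:
[11920.876320]  kasan_save_stack+0x1e/0x40
[11920.876326]  __kasan_kmalloc+0x80/0xa0
[11920.876331]  smb2_allocate_rsp_buf+0x194/0x300

[11920.876370] The buggy address belongs to the object at ffff8881e5b18c00
                which belongs to the cache kmalloc-512 of size 512

[11920.876428] Memory state around the buggy address:
[11920.876431]  ffff8881e5b18c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[11920.876436]  ffff8881e5b18d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[11920.876440] >ffff8881e5b18d80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[11920.876443]                                            ^
[11920.876447]  ffff8881e5b18e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

GRANULE = 8               # generic KASAN: one shadow byte per 8 bytes of memory
ROW_BYTES = 16 * GRANULE  # one "Memory state" row shows 16 shadow bytes = 128 bytes

# Shadow byte values of generic KASAN (mm/kasan/kasan.h); 1..7 = partial granule.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object",
                  0xfc: "kmalloc redzone (beyond the allocated size)",
                  0xfe: "page redzone", 0xff: "freed page"}


def shadow_meaning(b):
    if 1 <= b <= 7:
        return "partial granule, first %d bytes accessible" % b
    return SHADOW_MEANING.get(b, "poisoned 0x%02x" % b)


def parse_report(text):
    """Pull the fields needed for triage out of a KASAN slab report."""
    r = {}
    m = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    r["bug"], r["func"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
    m = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    r["obj_base"] = int(m.group(1), 16)
    m = re.search(r"cache (\S+) of size (\d+)", text)
    r["cache"], r["cache_size"] = m.group(1), int(m.group(2))
    # Allocation site = first frame of the "Allocated by" stack that is not KASAN itself.
    r["alloc_site"] = None
    m = re.search(r"Allocated by task \d+:\n((?:.+\n)+)", text)
    if m:
        for line in m.group(1).splitlines():
            frame = line.split("]", 1)[-1].strip()
            if frame and not frame.startswith(("kasan_", "__kasan_")):
                r["alloc_site"] = frame
                break
    # Shadow rows: "<address>: 16 shadow bytes"; a leading '>' marks the faulting row.
    r["shadow"] = {int(m.group(2), 16): [int(b, 16) for b in m.group(3).split()]
                   for m in re.finditer(r"(>?)([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})", text)}
    return r


def classify_access(r):
    """Locate the access relative to the allocation using the shadow bytes."""
    addr, size, base, shadow = r["addr"], r["size"], r["obj_base"], r["shadow"]
    row = addr & ~(ROW_BYTES - 1)
    sb = shadow[row][(addr - row) // GRANULE] if row in shadow else None
    # End of the accessible prefix: first granule at/after the object start that is
    # not fully accessible. Rows below the printed window are assumed accessible,
    # which holds for kmalloc objects (the accessible bytes form a prefix).
    usable_end = None
    for rbase in sorted(shadow):
        for i, b in enumerate(shadow[rbase]):
            a = rbase + i * GRANULE
            if a >= base and b != 0:
                usable_end = a + b if 1 <= b <= 7 else a
                break
        if usable_end is not None:
            break
    usable = None if usable_end is None else usable_end - base
    return {
        "offset": addr - base,                       # position inside the slab object
        "shadow_byte": sb,
        "meaning": "not in printed window" if sb is None else shadow_meaning(sb),
        "usable_size": usable,                       # bytes actually requested from kmalloc
        "bytes_past_end": None if usable is None else max(0, addr + size - usable_end),
        "slab_slack": None if usable is None else r["cache_size"] - usable,
    }


if __name__ == "__main__":
    rep = parse_report(KASAN_REPORT)
    acc = classify_access(rep)
    print("%s: %s of %d bytes in %s" % (rep["bug"], rep["access"], rep["size"], rep["func"]))
    print("object from %s at %s, %s (%d bytes)" % (rep["alloc_site"], hex(rep["obj_base"]),
                                                    rep["cache"], rep["cache_size"]))
    for k, v in acc.items():
        print("  %-15s %s" % (k, hex(v) if k == "shadow_byte" and v is not None else v))
```

Running it shows the write starting at offset 448, which is exactly where the accessible prefix of the object ends: the response buffer was requested at 448 bytes but lives in a 512-byte kmalloc-512 object, so the whole 4-byte write is past the allocation. Without KASAN that write would fall into the 64 unused bytes of the slab object and corrupt nothing visible on its own; only if the overrun continues does it reach the neighbouring object, which is the kind of delayed damage that surfaces as an unrelated fault later rather than at the faulty store.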

namjaejeon commented 2 years ago

Thanks for your report! Does this problem not occur in versions lower than 5.18-rc4?

namjaejeon commented 2 years ago

@woutershep Could you please share how to reproduce it? I was trying to reproduce it, but can't reproduce it until now.

namjaejeon commented 2 years ago

And I installed 5.18-rc1 on Ubuntu before, and it randomly froze regardless of ksmbd, so I downgraded to 5.17.

namjaejeon commented 2 years ago

Could you please share how to reproduce it? Did you change file permissions on a ksmbd share using a Windows client?