cifsd-team / ksmbd

ksmbd kernel server(SMB/CIFS server)

kernel NULL pointer dereference, address: 0000000000000030 #582

Closed zhanglei002 closed 4 months ago

zhanglei002 commented 1 year ago

Kernel: Linux 6.0.0-1-MANJARO
ksmbd-tools version: 3.4.5

10月 21 11:30:45 kernel: BUG: kernel NULL pointer dereference, address: 0000000000000030
10月 21 11:30:45 kernel: #PF: supervisor read access in kernel mode
10月 21 11:30:45 kernel: #PF: error_code(0x0000) - not-present page
10月 21 11:30:45 kernel: PGD 0 P4D 0
10月 21 11:30:45 kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
10月 21 11:30:45 kernel: CPU: 1 PID: 1317840 Comm: kworker/1:0 Tainted: P        W  OE      6.0.0-1-MANJARO #1 269ac7bff7d5258fbea04707f84b590847f6f2b8
10月 21 11:30:45 kernel: Hardware name: ASUSTeK COMPUTER INC. X550VL/X550VL, BIOS X550VL.205 02/28/2014
10月 21 11:30:45 kernel: Workqueue: ksmbd-io __smb2_oplock_break_noti [ksmbd]
10月 21 11:30:45 kernel: RIP: 0010:__smb2_oplock_break_noti+0x9b/0x1a0 [ksmbd]
10月 21 11:30:45 kernel: Code: 48 83 e7 f8 48 c7 40 04 00 00 00 00 48 c7 40 3e 00 00 00 00 29 f8 8d 48 46 31 c0 c1 e9 03 f3 48 ab bf 18 00 00 00 48 8b 45 00 <48> 8b 40 30 c7 42 04 fe 53 4d 42 66 89 72 10 89 c1 c7 42 14 01 00
10月 21 11:30:45 kernel: RSP: 0018:ffff9feaeb107e68 EFLAGS: 00010203
10月 21 11:30:45 kernel: RAX: 0000000000000000 RBX: ffff8b328b9c0890 RCX: 0000000000000000
10月 21 11:30:45 kernel: RDX: ffff8b308d4bb200 RSI: 0000000000000012 RDI: 0000000000000018
10月 21 11:30:45 kernel: RBP: ffff8b327b295400 R08: ffff9feaeb107e20 R09: 0000000000000200
10月 21 11:30:45 kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b328a4683c0
10月 21 11:30:45 kernel: R13: ffff8b328b9c0800 R14: ffff8b32a4501320 R15: ffff8b328b9c0898
10月 21 11:30:45 kernel: FS:  0000000000000000(0000) GS:ffff8b32a6e80000(0000) knlGS:0000000000000000
10月 21 11:30:45 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
10月 21 11:30:45 kernel: CR2: 0000000000000030 CR3: 00000001d841e002 CR4: 00000000001726e0
10月 21 11:30:45 kernel: Call Trace:
10月 21 11:30:45 kernel:  <TASK>
10月 21 11:30:45 kernel:  process_one_work+0x1c4/0x380
10月 21 11:30:45 kernel:  worker_thread+0x51/0x390
10月 21 11:30:45 kernel:  ? rescuer_thread+0x3b0/0x3b0
10月 21 11:30:45 kernel:  kthread+0xdb/0x110
10月 21 11:30:45 kernel:  ? kthread_complete_and_exit+0x20/0x20
10月 21 11:30:45 kernel:  ret_from_fork+0x1f/0x30
10月 21 11:30:45 kernel:  </TASK>
10月 21 11:30:45 kernel: Modules linked in: esp4 authenc echainiv esp6 ppp_deflate bsd_comp ppp_async ppp_generic slhc cmac nls_utf8 tcp_diag inet_diag ksmbd crc32_generic rdma_cm iw_cm ib_cm ib_core cifs_arc4 vhost_net vhost vhost_iot>
10月 21 11:30:45 kernel:  wmi_bmof intel_cstate nouveau intel_uncore r8168(OE) i2c_i801 pcspkr i915 psmouse i2c_smbus mxm_wmi drm_ttm_helper drm_buddy ttm mac_hid video asus_wireless wmi mei_me drm_display_helper mei cec lpc_ich intel_>
10月 21 11:30:45 kernel: Unloaded tainted modules: acpi_cpufreq():1 acpi_cpufreq():1 acpi_cpufreq():1 acpi_cpufreq():1 pcc_cpufreq():1 pcc_cpufreq():1 acpi_cpufreq():1 fjes():1 pcc_cpufreq():1 fjes():1 pcc_cpufreq():1 acpi_cpufreq():1 >
10月 21 11:30:45 kernel: CR2: 0000000000000030
10月 21 11:30:45 kernel: ---[ end trace 0000000000000000 ]---
10月 21 11:30:45 kernel: RIP: 0010:__smb2_oplock_break_noti+0x9b/0x1a0 [ksmbd]
10月 21 11:30:45 kernel: Code: 48 83 e7 f8 48 c7 40 04 00 00 00 00 48 c7 40 3e 00 00 00 00 29 f8 8d 48 46 31 c0 c1 e9 03 f3 48 ab bf 18 00 00 00 48 8b 45 00 <48> 8b 40 30 c7 42 04 fe 53 4d 42 66 89 72 10 89 c1 c7 42 14 01 00
10月 21 11:30:45 kernel: RSP: 0018:ffff9feaeb107e68 EFLAGS: 00010203
10月 21 11:30:45 kernel: RAX: 0000000000000000 RBX: ffff8b328b9c0890 RCX: 0000000000000000
10月 21 11:30:45 kernel: RDX: ffff8b308d4bb200 RSI: 0000000000000012 RDI: 0000000000000018
10月 21 11:30:45 kernel: RBP: ffff8b327b295400 R08: ffff9feaeb107e20 R09: 0000000000000200
10月 21 11:30:45 kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b328a4683c0
10月 21 11:30:45 kernel: R13: ffff8b328b9c0800 R14: ffff8b32a4501320 R15: ffff8b328b9c0898
10月 21 11:30:45 kernel: FS:  0000000000000000(0000) GS:ffff8b32a6e80000(0000) knlGS:0000000000000000
10月 21 11:30:45 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
10月 21 11:30:45 kernel: CR2: 0000000000000030 CR3: 00000001d841e002 CR4: 00000000001726e0
namjaejeon commented 1 year ago

@zhanglei002 Hm... Could you please help me reproduce this issue? I want to know what code line causes this issue in __smb2_oplock_break_noti(), or share the method to reproduce it with me..

sergey-senozhatsky commented 1 year ago

My guess is that it's a NULL rsp deref in rsp->StructureSize

      rsp = smb2_get_msg(work->response_buf);

      rsp->StructureSize = cpu_to_le16(24);
sergey-senozhatsky commented 1 year ago

@zhanglei002 If you compile your own kernel, then feeding the backtrace to ./scripts/decode_stacktrace.sh usually provides very detailed info on what exactly went wrong.

https://lwn.net/Articles/592724/

namjaejeon commented 1 year ago

My guess is that it's a NULL rsp deref in rsp->StructureSize

@sergey-senozhatsky Thanks for your help. However, rsp cannot be NULL... strange..

zhanglei002 commented 1 year ago

@zhanglei002 If you compile your own kernel, then feeding the backtrace to ./scripts/decode_stacktrace.sh usually provides very detailed info on what exactly went wrong.

https://lwn.net/Articles/592724/

Sorry, I didn't compile the kernel myself. Here is the disassembly of the code; I hope it helps.

    8a71:       48 83 e7 f8             and    $0xfffffffffffffff8,%rdi
    8a75:       48 c7 40 04 00 00 00    movq   $0x0,0x4(%rax)
    8a7c:       00
    8a7d:       48 c7 40 3e 00 00 00    movq   $0x0,0x3e(%rax)
    8a84:       00
    8a85:       29 f8                   sub    %edi,%eax
    8a87:       8d 48 46                lea    0x46(%rax),%ecx
    8a8a:       31 c0                   xor    %eax,%eax
    8a8c:       c1 e9 03                shr    $0x3,%ecx
    8a8f:       f3 48 ab                rep stos %rax,%es:(%rdi)
    8a92:       bf 18 00 00 00          mov    $0x18,%edi
    8a97:       48 8b 45 00             mov    0x0(%rbp),%rax
    8a9b:       48 8b 40 30             mov    0x30(%rax),%rax     <----- crashed here
    8a9f:       c7 42 04 fe 53 4d 42    movl   $0x424d53fe,0x4(%rdx)
    8aa6:       66 89 72 10             mov    %si,0x10(%rdx)
    8aaa:       89 c1                   mov    %eax,%ecx
    8aac:       c7 42 14 01 00 00 00    movl   $0x1,0x14(%rdx)
    8ab3:       0f c9                   bswap  %ecx
    8ab5:       89 0a                   mov    %ecx,(%rdx)
    8ab7:       b9 40 00 00 00          mov    $0x40,%ecx
    8abc:       66 89 4a 08             mov    %cx,0x8(%rdx)
    8ac0:       31 c9                   xor    %ecx,%ecx
sergey-senozhatsky commented 1 year ago

Oh, ok.

movl   $0x424d53fe,0x4(%rdx)

is rsp_hdr->ProtocolId = SMB2_PROTO_NUMBER; so the 0x30 offset is ->header_size in cpu_to_be32(conn->vals->header_size); in other words, we had a NULL conn->vals.

namjaejeon commented 1 year ago

in other words we had NULL conn->vals.

@sergey-senozhatsky Thank you so much for pointing me to the exact code line of the problem.

@zhanglei002 Okay, I checked, but there is no code that sets conn->vals to NULL. And even freeing conn is protected by r_count until requests complete. Could you please reproduce this again? If yes, let me know how, so I can find the root cause..

nitroxis commented 1 year ago

I'm having the same issue:

BUG: kernel NULL pointer dereference, address: 0000000000000030
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 296343 Comm: kworker/0:80 Tainted: G        W          6.1.2-arch1-1-custom #1 fa4fa69c5531771b9ea460fbd6f0abc25d5c1495
Hardware name: ASUSTeK COMPUTER INC. P10S WS/P10S WS, BIOS 3801 11/19/2019
Workqueue: ksmbd-io __smb2_oplock_break_noti [ksmbd]
RIP: 0010:__smb2_oplock_break_noti+0xbe/0x1b0 [ksmbd]
Code: c7 40 2c 00 00 00 00 48 c7 40 34 00 00 00 00 48 c7 40 3c 00 00 00 00 b9 40 00 00 00 be 12 00 00 00 48 8b 55 00 bf 18 00 00 00 <48> 8b 52 30 66 89 48 08 0f 38 f1 10 c7 40 04 fe 53 4d 42 66 89 70
RSP: 0018:ffff9dddce677e68 EFLAGS: 00010246
RAX: ffff9252c9def000 RBX: ffff9252394c7690 RCX: 0000000000000040
RDX: 0000000000000000 RSI: 0000000000000012 RDI: 0000000000000018
RBP: ffff92529c0c7400 R08: 0000000000000200 R09: ffff9252c9def000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff9252394c7600
R13: ffff925226bf2cc0 R14: ffff9252d5bb1400 R15: ffff9252394c7698
FS:  0000000000000000(0000) GS:ffff92594ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000030 CR3: 000000002c810006 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 process_one_work+0x1c4/0x380
 worker_thread+0x51/0x3a0
 ? rescuer_thread+0x3a0/0x3a0
 kthread+0xdb/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x1f/0x30
 </TASK>
Modules linked in: tcp_diag udp_diag inet_diag cmac nls_utf8 ksmbd cifs_arc4 f2fs crc32_generic lz4hc_compress uas usb_storage xt_connmark xt_comment iptable_raw xt_mark xt_nat veth nf_conntrack_netlink nfnetlink br_netfilter wireguard curve25519_x86_64 libchacha20poly1305 chacha_x86_64 poly1305_x86_64 libcurve25519_generic libchacha ip6_udp_tunnel udp_tunnel bridge stp llc ip6table_filter ip6_tables xt_MASQUERADE xt_addrtype iptable_nat nf_nat xt_TCPMSS iptable_mangle xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_pkttype iptable_filter ext4 crc16 mbcache jbd2 rpcrdma sunrpc rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm nls_iso8859_1 vfat fat snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic intel_rapl_msr intel_rapl_common snd_hda_intel snd_intel_dspcfg essiv snd_intel_sdw_acpi authenc snd_hda_codec snd_hda_core snd_hwdep intel_tcc_cooling mei_pxp iTCO_wdt snd_pcm mei_hdcp x86_pkg_temp_thermal
 intel_pmc_bxt ee1004 iTCO_vendor_support eeepc_wmi intel_powerclamp asus_wmi snd_timer coretemp rapl ledtrig_audio intel_cstate snd mei_me sparse_keymap i2c_i801 intel_uncore platform_profile wmi_bmof soundcore mxm_wmi i2c_smbus mei mlx4_ib ib_uverbs ib_core acpi_pad mac_hid nct6775 nct6775_core hwmon_vid dm_multipath crypto_user fuse bpf_preload ip_tables x_tables btrfs blake2b_generic libcrc32c crc32c_generic xor raid6_pq dm_crypt cbc encrypted_keys trusted asn1_encoder tee dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic gf128mul bcache ghash_clmulni_intel sha512_ssse3 aesni_intel crypto_simd nvme cryptd igb mpt3sas nvme_core dca nvme_common raid_class xhci_pci xhci_pci_renesas scsi_transport_sas pcspkr i915 drm_buddy intel_gtt video wmi drm_display_helper cec ttm iwlmvm iwlwifi mac80211 libarc4 cfg80211 rfkill mlx4_en mlx4_core
CR2: 0000000000000030
---[ end trace 0000000000000000 ]---
RIP: 0010:__smb2_oplock_break_noti+0xbe/0x1b0 [ksmbd]
Code: c7 40 2c 00 00 00 00 48 c7 40 34 00 00 00 00 48 c7 40 3c 00 00 00 00 b9 40 00 00 00 be 12 00 00 00 48 8b 55 00 bf 18 00 00 00 <48> 8b 52 30 66 89 48 08 0f 38 f1 10 c7 40 04 fe 53 4d 42 66 89 70
RSP: 0018:ffff9dddce677e68 EFLAGS: 00010246
RAX: ffff9252c9def000 RBX: ffff9252394c7690 RCX: 0000000000000040
RDX: 0000000000000000 RSI: 0000000000000012 RDI: 0000000000000018
RBP: ffff92529c0c7400 R08: 0000000000000200 R09: ffff9252c9def000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff9252394c7600
R13: ffff925226bf2cc0 R14: ffff9252d5bb1400 R15: ffff9252394c7698
FS:  0000000000000000(0000) GS:ffff92594ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000030 CR3: 000000002c810006 CR4: 00000000003706f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Disassembly:

   0:   c7 40 2c 00 00 00 00    movl   $0x0,0x2c(%rax)
   7:   48 c7 40 34 00 00 00    movq   $0x0,0x34(%rax)
   e:   00
   f:   48 c7 40 3c 00 00 00    movq   $0x0,0x3c(%rax)
  16:   00
  17:   b9 40 00 00 00          mov    $0x40,%ecx
  1c:   be 12 00 00 00          mov    $0x12,%esi
  21:   48 8b 55 00             mov    0x0(%rbp),%rdx
  25:   bf 18 00 00 00          mov    $0x18,%edi
  2a:*  48 8b 52 30             mov    0x30(%rdx),%rdx          <-- trapping instruction
  2e:   66 89 48 08             mov    %cx,0x8(%rax)
  32:   0f 38 f1 10             movbe  %edx,(%rax)
  36:   c7 40 04 fe 53 4d 42    movl   $0x424d53fe,0x4(%rax)
  3d:   66                      data16
  3e:   89                      .byte 0x89
  3f:   70                      .byte 0x70
namjaejeon commented 1 year ago

@nitroxis Hm.. I am checking it, but I have not found any clue yet. Is there any error log from ksmbd? Or it would be good if you know how to reproduce it...

nitroxis commented 1 year ago

I believe the last thing I did was to enable multi-channel in ksmbd and then restart it. My goal was to get RDMA to work, but I did not get that far as the crash happened first.

Here are the relevant log lines before the crash happened:

ksmbd: kill command received                                                       
ksmbd: sock_read failed: -108                                                      
ksmbd: Failed to bind socket: -98                                                  
ksmbd: Failed to shutdown socket: -107                                             
ksmbd: Failed to bind socket: -98                                                  
ksmbd: Failed to shutdown socket: -107                                             
ksmbd: Failed to bind socket: -98                                                  
ksmbd: Failed to shutdown socket: -107                                             
ksmbd: smb_direct: ib device added: name rocep1s0                                  
ksmbd: smb_direct: init RDMA listener. cm_id=000000002d4e7708
ksmbd: sock_read failed: -108
mlx4_en: enp1s0: Link Down
mlx4_en: enp1s0: Link Up
mlx4_en: enp1s0: Link Down
mlx4_en: enp1s0: Link Up
mlx4_en: enp1s0: Link Down
mlx4_en: enp1s0: Link Up
mlx4_en: enp1s0: Link Down
mlx4_en: enp1s0: Link Up                                                           
BUG: kernel NULL pointer dereference, address: 0000000000000030
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page

The link down/up happened because I changed network settings on the other machine. They did not coincide with the crash, though. But maybe it is related.

namjaejeon commented 1 year ago

I think you gave me a pretty important hint. I will try to reproduce it in a similar way. Thanks. One more thing: what version did this problem occur on? If you used the in-kernel ksmbd rather than GitHub's ksmbd, please tell us the kernel version.

nitroxis commented 1 year ago

I was using the module that comes with kernel version 6.1.2 in Arch Linux.

perforlin commented 1 year ago

I have encountered a similar issue. It happens when SMB2 connections are disconnected and reconnected. The "old" connection is freed but is still being used. Here follows a log with KASAN.

[ 197.025720][ T240] ==================================================================
[ 197.034303][ T240] BUG: KASAN: use-after-free in oplock_break+0x854/0x1160 [ksmbd]
[ 197.042306][ T240] Write of size 4 at addr ffffff8016af30cc by task kworker/2:8/240
[ 197.050229][ T240]
[ 197.052604][ T240] CPU: 2 PID: 240 Comm: kworker/2:8 Kdump: loaded Tainted: G O 5.10.52-axis9-devel #1
[ 197.063614][ T240] Hardware name: AXIS S3008 Recorder (DT)
[ 197.069758][ T240] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[ 197.076062][ T240] Call trace:
[ 197.079527][ T240]  dump_backtrace+0x0/0x360
[ 197.084067][ T240]  show_stack+0x24/0x30
[ 197.088263][ T240]  dump_stack+0x158/0x1a8
[ 197.092724][ T240]  print_address_description.constprop.0+0x2c/0x560
[ 197.099321][ T240]  kasan_report+0x11c/0x1b0
[ 197.103946][ T240]  check_memory_region+0xfc/0x1a4
[ 197.108990][ T240]  __kasan_check_write+0x3c/0x50
[ 197.114107][ T240]  oplock_break+0x854/0x1160 [ksmbd]
[ 197.119447][ T240]  smb_grant_oplock+0x15c0/0x2ab4 [ksmbd]
[ 197.125214][ T240]  smb2_open+0x3298/0x790c [ksmbd]
[ 197.130374][ T240]  handle_ksmbd_work+0x318/0xd9c [ksmbd]
[ 197.136004][ T240]  process_one_work+0x5cc/0x12b4
[ 197.141038][ T240]  worker_thread+0x460/0xe5c
[ 197.145632][ T240]  kthread+0x394/0x43c
[ 197.149809][ T240]  ret_from_fork+0x10/0x38
[ 197.154223][ T240]
[ 197.156551][ T240] Allocated by task 940:
[ 197.160799][ T240]  kasan_save_stack+0x28/0x60
[ 197.165476][ T240]  kasan_kmalloc.constprop.0+0xe4/0xf0
[ 197.171110][ T240]  kasan_kmalloc+0x10/0x20
[ 197.175633][ T240]  kmem_cache_alloc_trace+0x25c/0x4d0
[ 197.181074][ T240]  ksmbd_conn_alloc+0x4c/0x590 [ksmbd]
[ 197.186688][ T240]  ksmbd_kthread_fn+0x1c8/0x5b0 [ksmbd]
[ 197.192236][ T240]  kthread+0x394/0x43c
[ 197.196413][ T240]  ret_from_fork+0x10/0x38
[ 197.200818][ T240]
[ 197.203140][ T240] Freed by task 1048:
[ 197.207119][ T240]  kasan_save_stack+0x28/0x60
[ 197.211896][ T240]  kasan_set_track+0x28/0x40
[ 197.216482][ T240]  kasan_set_free_info+0x24/0x50
[ 197.221531][ T240]  kasan_slab_free+0x180/0x220
[ 197.226472][ T240]  kasan_slab_free+0x14/0x20
[ 197.231057][ T240]  kfree+0x160/0x520
[ 197.235130][ T240]  ksmbd_conn_free+0x158/0x1c4 [ksmbd]
[ 197.240641][ T240]  ksmbd_tcp_disconnect+0x94/0x190 [ksmbd]
[ 197.246602][ T240]  ksmbd_conn_handler_loop+0x430/0x730 [ksmbd]
[ 197.252754][ T240]  kthread+0x394/0x43c
[ 197.256927][ T240]  ret_from_fork+0x10/0x38
[ 197.261342][ T240]
[ 197.263671][ T240] The buggy address belongs to the object at ffffff8016af3000
[ 197.263671][ T240]  which belongs to the cache kmalloc-1k of size 1024
[ 197.277838][ T240] The buggy address is located 204 bytes inside of
[ 197.277838][ T240]  1024-byte region [ffffff8016af3000, ffffff8016af3400)
[ 197.291415][ T240] The buggy address belongs to the page:
[ 197.297054][ T240] page:ffffff803e5abc00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x96af0
[ 197.307310][ T240] head:ffffff803e5abc00 order:3 compound_mapcount:0 compound_pincount:0
[ 197.315746][ T240] flags: 0x800000010200(slab|head)
[ 197.320858][ T240] raw: 0000800000010200 0000000000000000 0000000f00000001 ffffff8000103800
[ 197.329554][ T240] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 197.338190][ T240] page dumped because: kasan: bad access detected
[ 197.344657][ T240]
[ 197.346974][ T240] Memory state around the buggy address:
[ 197.352601][ T240]  ffffff8016af2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 197.360770][ T240]  ffffff8016af3000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 197.368944][ T240] >ffffff8016af3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 197.377002][ T240]                                               ^
[ 197.383516][ T240]  ffffff8016af3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 197.391684][ T240]  ffffff8016af3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 197.399739][ T240] ==================================================================

The "previous" connection used by the oplock_break function is freed at disconnect. The smb_grant_oplock function must make sure the "previous" connection is still valid. I have a setup where I can reproduce "my version" of the issue (hopefully the same root cause as in this ticket) and I'm working on a fix.
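
The lifetime rule perforlin describes above (the connection an oplock was granted on must still be valid when the break is sent) and sergey-senozhatsky's earlier decoding of the crash as a read of conn->vals->header_size through a connection that is no longer live can both be modelled with one pattern: the oplock holds its own strong reference on the connection, and the break path checks the connection's state before using it. The C program below is an added example written for this thread; it is not ksmbd's code and not the fix referenced in this issue. The types conn, opinfo and smb_vals, every function name, and the live-object counter are constructed stand-ins, and the scenario it replays (disconnect while a break is outstanding) is constructed from the description in the comments above.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an SMB connection's lifetime around an oplock break.
 * None of these types or functions are ksmbd's; conn, opinfo and smb_vals are
 * hypothetical names chosen to mirror the discussion in the thread. */

struct smb_vals {
    unsigned int header_size;    /* the field the crashing code read via conn->vals */
};

struct conn {
    atomic_int refcount;         /* one ref for the transport thread, one per oplock */
    atomic_bool disconnected;    /* set by the transport when the socket goes away */
    const struct smb_vals *vals; /* dialect-specific values, SMB2 here */
};

struct opinfo {
    struct conn *conn;           /* connection the oplock was granted on */
    int level;
};

/* Constructed SMB2 values; 64 is the SMB2 header length. */
static const struct smb_vals smb2_vals = { .header_size = 64 };

/* Number of live connection objects, so deferred freeing can be observed. */
static int live_conns;

int conn_live_count(void) { return live_conns; }

struct conn *conn_alloc(void)
{
    struct conn *c = calloc(1, sizeof(*c));
    if (!c)
        return NULL;
    atomic_init(&c->refcount, 1);        /* the transport thread's reference */
    atomic_init(&c->disconnected, false);
    c->vals = &smb2_vals;
    live_conns++;
    return c;
}

static void conn_get(struct conn *c) { atomic_fetch_add(&c->refcount, 1); }

static void conn_put(struct conn *c)
{
    /* Memory goes away only when the last holder drops its reference. */
    if (atomic_fetch_sub(&c->refcount, 1) == 1) {
        live_conns--;
        free(c);
    }
}

/* Transport teardown: flag the connection, then drop the transport's reference.
 * An outstanding oplock keeps the object alive until that oplock is released. */
void conn_disconnect(struct conn *c)
{
    atomic_store(&c->disconnected, true);
    conn_put(c);
}

/* Granting an oplock pins the connection it was granted on. */
struct opinfo *opinfo_grant(struct conn *c, int level)
{
    struct opinfo *op = calloc(1, sizeof(*op));
    if (!op)
        return NULL;
    conn_get(c);
    op->conn = c;
    op->level = level;
    return op;
}

void opinfo_release(struct opinfo *op)
{
    conn_put(op->conn);
    free(op);
}

/* Break notification. Returns the header size that would be written into the
 * SMB2 header, or -1 when the owning connection is gone and there is no client
 * left to notify. op->conn is always a valid pointer here because the opinfo
 * holds its own reference; the disconnected flag decides whether to use it. */
int oplock_break_noti(const struct opinfo *op)
{
    struct conn *c = op->conn;
    if (atomic_load(&c->disconnected))
        return -1;
    return (int)c->vals->header_size;
}

/* Replays the race from the thread: the peer disconnects while an oplock it
 * was granted still has a break pending. Returns 1 if every step behaved. */
int reconnect_scenario(void)
{
    struct conn *old = conn_alloc();
    if (!old)
        return 0;
    struct opinfo *op = opinfo_grant(old, 2);
    if (!op) {
        conn_put(old);
        return 0;
    }
    int ok = oplock_break_noti(op) == 64;   /* live connection: notify normally */
    conn_disconnect(old);                   /* socket dies, transport ref dropped */
    ok = ok && conn_live_count() == 1;      /* object still pinned by the oplock */
    ok = ok && oplock_break_noti(op) == -1; /* break on a dead connection is skipped */
    opinfo_release(op);                     /* last reference: freed only now */
    return ok && conn_live_count() == 0;
}

int main(void)
{
    printf("reconnect scenario %s\n", reconnect_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The point of the model is ordering: in the KASAN trace above the connection is kfree'd from the disconnect path while oplock_break still holds a raw pointer to it. Here the disconnect path can only mark the connection and drop its own reference, so the memory survives for as long as an opinfo points at it, and the break path degrades to "nobody to notify" instead of a use-after-free.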

perforlin commented 1 year ago

I have tested a fix from Namjae that resolves this issue. Thanks a lot for the effort! The patch I'm referring to is https://github.com/cifsd-team/ksmbd/commit/11aa06fbc7307b3ff68ebbdb96d42484d9b5ae6a