namjaejeon / ksmbd

ksmbd kernel server(SMB/CIFS server)
https://github.com/cifsd-team/ksmbd

kernel panic __put_cred() #486

Open djdisodo opened 3 months ago

djdisodo commented 3 months ago
[  934.138815] ksmbd: kill command received
[  971.046438] Kernel BUG [#1]
[  971.049335] Modules linked in: ksmbd(FO) aes_generic(F) sha512_generic(F) sd_mod(F) sg(F) uas(F) aic8800_fdrv(F) usb_storage(F) scsi_mod(F) cfg80211(F) cvitek_remoteproc(F) aic8800_bsp(F) rtc_cvitek(F) adc_cvitek(F) pwm_cvitek(F) cvitek_mailbox(F) crc32_generic(F) libdes(F) [last unloaded: ksmbd]
[  971.076502] CPU: 0 PID: 1252 Comm: kworker/0:0 Tainted: GF          O      5.10.4-20240527-2+ #1
[  971.085671] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[  971.091254] epc: ffffffe00024150e ra : ffffffdf80dad208 sp : ffffffe00708fca0
[  971.098622]  gp : ffffffe000ae9858 tp : ffffffe007efab00 t0 : ffffffe00708fd38
[  971.106079]  t1 : ffffffdf80da8316 t2 : 000001ffffffffff s0 : ffffffe003709180
[  971.113536]  s1 : ffffffe0051ec780 a0 : ffffffe003709180 a1 : ffffffe0051ecdc0
[  971.120993]  a2 : 0000000200000022 a3 : ffffffe003709180 a4 : 0000000000000000
[  971.128450]  a5 : ffffffe003709180 a6 : 0000000000000001 a7 : ffffffe007047e08
[  971.135907]  s2 : ffffffe0051ec780 s3 : 0000000000000000 s4 : ffffffe000aeb088
[  971.143363]  s5 : ffffffe007047e00 s6 : ffffffe0045eaae0 s7 : 0000000000000000
[  971.150820]  s8 : ffffffe00708fcd8 s9 : 000000000000ff50 s10: 0000000000000000
[  971.158277]  s11: 0000000000000000 t3 : 000001ffffffffff t4 : 000001ffffffffff
[  971.165733]  t5 : 0000000000000000 t6 : ffffffe007cb5820
[  971.171218] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003
[  971.179391] Call Trace:
[  971.181936] [<ffffffe00024150e>] __put_cred+0x6/0x30
[  971.187150] [<ffffffdf80db7702>] smb2_query_dir+0x3fa/0x4f6 [ksmbd]
[  971.193718] [<ffffffdf80da5328>] handle_ksmbd_work+0x1a8/0x2ea [ksmbd]
[  971.200474] [<ffffffe00023cc04>] process_one_work+0xfc/0x18c
[  971.206321] [<ffffffe00023cf7a>] worker_thread+0x12c/0x1e0
[  971.211992] [<ffffffe000240466>] kthread_create_worker_on_cpu+0x38/0x3c
[  971.218825] [<ffffffe00023ce4a>] rescuer_thread+0x18c/0x190
[  971.224581] [<ffffffe000240518>] kthread+0xae/0xb4
[  971.229532] [<ffffffe000240466>] kthread_create_worker_on_cpu+0x38/0x3c
[  971.236370] [<ffffffe00022b068>] ret_from_syscall_rejected+0x8/0xc
[  971.242986] ---[ end trace 14a0ad77e6974c64 ]---
[  994.429514] cmd timed-out
[  994.432301] tkn[71]  flags:0032  result: -4  cmd:4096-SCANU_START_REQ          - reqcfm(4105-SCANU_START_CFM_ADDTIONAL)

This occurred when I tried to open a share.

Removing this line allowed me to browse (not an actual fix).

Using an image including the kernel from here: https://github.com/Fishwaldo/sophgo-sg200x-debian

Module built out of tree.

namjaejeon commented 3 months ago

Hm... What ksmbd source are you using?

djdisodo commented 3 months ago

@namjaejeon From this repo: c7019fc3e166b1f33a2dea918786bb973cea2501

namjaejeon commented 3 months ago

ksmbd_override_fsids() and ksmbd_revert_fsids() should be called in pairs. Can you make sure that ksmbd_revert_fsids() is called without calling ksmbd_override_fsids()? If you check smb2_query_dir() in smb2pdu.c, you will understand what I said.

djdisodo commented 3 months ago

@namjaejeon It seems like ksmbd_override_fsids will always be called once ksmbd_override_fsids is called. The ksmbd_revert_fsids call appears twice in the function, and it's always followed by return 0, so I have no idea.

djdisodo commented 3 months ago

Sorry, I sent the wrong binary.

Here's the compiled binary: ksmbd.ko.gz

namjaejeon commented 3 months ago

@djdisodo

> ksmbd_revert_fsids call appears twice in function

If ksmbd_revert_fsids() is called twice, this problem can happen. Can you explain how ksmbd_revert_fsids() will be called twice? When I checked the code, I did not find that point.

The *.ko file is not helpful. You can find the clue in your test setup because you can reproduce it.
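
One way to check the pairing invariant namjaejeon describes in this comment and the earlier one, as an added example that is not ksmbd or kernel code: the guard, the handler model and its outcomes are hypothetical stand-ins for ksmbd's saved-credential bookkeeping and smb2_query_dir(). It shows the single-exit structure under which every path after an override performs exactly one revert, and how an unbalanced second revert is caught.

```c
#include <errno.h>

/* Pairing guard: a hypothetical stand-in for the saved-credential bookkeeping
 * in ksmbd, used here only to check that override and revert stay balanced. */
struct fsids_guard {
    int depth;        /* 1 while an override is active, otherwise 0 */
    int violations;   /* reverts without an override, or nested overrides */
};

static int override_fsids(struct fsids_guard *g)
{
    if (g->depth != 0) { g->violations++; return -EBUSY; }   /* nested override */
    g->depth = 1;
    return 0;
}

static int revert_fsids(struct fsids_guard *g)
{
    /* Nothing to revert: this is the unbalanced revert the thread suspects. */
    if (g->depth != 1) { g->violations++; return -EINVAL; }
    g->depth = 0;
    return 0;
}

enum outcome { OUT_OK, OUT_BAD_REQUEST, OUT_IO_ERROR };

/* Handler model with several exits. Every path after override_fsids()
 * leaves through the single "out:" label, so exactly one revert runs. */
static int query_dir_model(struct fsids_guard *g, enum outcome o)
{
    int rc;

    if (o == OUT_BAD_REQUEST)
        return -EINVAL;              /* fails before the override: no revert owed */
    rc = override_fsids(g);
    if (rc)
        return rc;
    if (o == OUT_IO_ERROR) {
        rc = -EIO;
        goto out;                    /* error after the override: still reverts */
    }
    rc = 0;
out:
    revert_fsids(g);
    return rc;
}
```

Wrapping the real calls with a counter like this, and warning on the first violation, points at the call site that runs the revert without its override.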

djdisodo commented 3 months ago

I meant that it just appears in the code twice, but not in a way that will be called twice, because it was followed by return 0.

I'll check my setup.