
Crash with oplocks = no #202

Open
romanrm opened this issue Nov 1, 2024 · 3 comments

Comments


romanrm commented Nov 1, 2024

Hello,

As a workaround to a prior issue #193, I had "oplocks = no" set for a share. Returning to try out ksmbd again, now with a newer kernel 6.1.94, I instantly got a different crash than before:

[Fri Nov  1 23:22:30 2024] 8<--- cut here ---
[Fri Nov  1 23:22:30 2024] Unable to handle kernel NULL pointer dereference at virtual address 00000032
[Fri Nov  1 23:22:30 2024] [00000032] *pgd=80000040204003, *pmd=00000000
[Fri Nov  1 23:22:30 2024] Internal error: Oops: 206 [#1] SMP ARM
[Fri Nov  1 23:22:30 2024] Modules linked in: cmac sha512_generic sha512_arm nls_utf8 hid_generic usbhid hid vhci_hcd usbip_core ksmbd crc32_generic cifs_arc4 sit tunnel4 ip_tunnel xt_comment xt_multiport xt_limit xt_length xt_tcpudp xt_CT ip6table_nat ip6table_raw ip6table_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_raw iptable_mangle ip6table_filter ip6_tables iptable_filter ip_tables x_tables cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative nbd tcp_bbr dm_crypt dm_mod ecb des_generic evdev aes_arm_bs crypto_simd cryptd axp20x_adc axp20x_pek industrialio sun4i_backend lima gpu_sched drm_shmem_helper r8188eu(C) sun4i_ts nvmem_sunxi_sid sunxi_wdt sunxi_cir sunxi_cedrus(C) rc_core libarc4 sg v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common sun4i_ss libdes videodev mc leds_gpio cpufreq_dt ext4 crc16 mbcache jbd2 btrfs blake2b_neon blake2b_generic xor xor_neon raid6_pq zstd_compress libcrc32c crc32c_generic sd_mod
[Fri Nov  1 23:22:30 2024]  t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_common axp20x_regulator dwmac_sunxi stmmac_platform stmmac pcs_xpcs phylink ahci_sunxi of_mdio libahci_platform libahci fixed_phy fwnode_mdio sun4i_frontend libphy drm_dma_helper libata sun4i_tcon sun8i_tcon_top i2c_mv64xxx ohci_platform ohci_hcd ehci_platform scsi_mod drm_kms_helper ehci_hcd usbcore drm phy_sun4i_usb scsi_common sunxi_mmc
[Fri Nov  1 23:22:31 2024] CPU: 1 PID: 122 Comm: kworker/1:4 Tainted: G         C         6.1.0-0.deb11.22-armmp-lpae #1  Debian 6.1.94-1~bpo11+1
[Fri Nov  1 23:22:31 2024] Hardware name: Allwinner sun7i (A20) Family
[Fri Nov  1 23:22:31 2024] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[Fri Nov  1 23:22:31 2024] PC is at close_id_del_oplock+0x168/0x1d0 [ksmbd]
[Fri Nov  1 23:22:31 2024] LR is at __ksmbd_close_fd+0xf0/0x314 [ksmbd]
[Fri Nov  1 23:22:31 2024] pc : [<bf7d4d5c>]    lr : [<bf7d0318>]    psr: 20070013
[Fri Nov  1 23:22:31 2024] sp : f0925e68  ip : 00000000  fp : 00000001
[Fri Nov  1 23:22:31 2024] r10: c2632500  r9 : bf7fae00  r8 : 00000005
[Fri Nov  1 23:22:31 2024] r7 : c44a91e4  r6 : c2632500  r5 : c2632500  r4 : c44a91e4
[Fri Nov  1 23:22:31 2024] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : c2632500
[Fri Nov  1 23:22:31 2024] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[Fri Nov  1 23:22:31 2024] Control: 30c5387d  Table: 44152400  DAC: 6de2b52f
[Fri Nov  1 23:22:31 2024] Register r0 information: slab maple_node start c2632500 pointer offset 0
[Fri Nov  1 23:22:31 2024] Register r1 information: NULL pointer
[Fri Nov  1 23:22:31 2024] Register r2 information: NULL pointer
[Fri Nov  1 23:22:31 2024] Register r3 information: NULL pointer
[Fri Nov  1 23:22:31 2024] Register r4 information: slab kmalloc-256 start c44a9100 pointer offset 228 size 256
[Fri Nov  1 23:22:31 2024] Register r5 information: slab maple_node start c2632500 pointer offset 0
[Fri Nov  1 23:22:31 2024] Register r6 information: slab maple_node start c2632500 pointer offset 0
[Fri Nov  1 23:22:31 2024] Register r7 information: slab kmalloc-256 start c44a9100 pointer offset 228 size 256
[Fri Nov  1 23:22:31 2024] Register r8 information: non-paged memory
[Fri Nov  1 23:22:31 2024] Register r9 information: 55-page vmalloc region starting at 0xbf7ca000 allocated at load_module+0xa30/0x20e4
[Fri Nov  1 23:22:31 2024] Register r10 information: slab maple_node start c2632500 pointer offset 0
[Fri Nov  1 23:22:31 2024] Register r11 information: non-paged memory
[Fri Nov  1 23:22:31 2024] Register r12 information: NULL pointer
[Fri Nov  1 23:22:31 2024] Process kworker/1:4 (pid: 122, stack limit = 0x4c01db5a)
[Fri Nov  1 23:22:31 2024] Stack: (0xf0925e68 to 0xf0926000)
[Fri Nov  1 23:22:31 2024] 5e60:                   c44a91e4 00000000 c2632500 c44a91e4 00000005 bf7fae00
[Fri Nov  1 23:22:31 2024] 5e80: c2632500 bf7d0318 c2632530 c2632500 c24833c0 00000000 c44a91e4 00000005
[Fri Nov  1 23:22:31 2024] 5ea0: 00000000 c2632500 00000001 bf7d0a18 c401e404 00000000 c24833c0 c8bd4858
[Fri Nov  1 23:22:31 2024] 5ec0: 00000005 bf7e9d34 c44a91f0 c44a9100 00000001 c9c53000 c2483434 00000006
[Fri Nov  1 23:22:31 2024] 5ee0: bf7fae14 bf7fa994 bf7f279c c24833c0 00000018 bf7d17ec c2729984 bf7f2770
[Fri Nov  1 23:22:31 2024] 5f00: 2e176000 c2483434 c2741400 ef6acd80 ff7fd200 00000000 00000040 c26aee00
[Fri Nov  1 23:22:31 2024] 5f20: ff7fd205 c0467bc4 c26aee00 c26aee00 ef6acd80 ef6acd80 ef6acd9c c2741400
[Fri Nov  1 23:22:31 2024] 5f40: ef6acd80 c2741418 ef6acd9c c1604d40 00000008 c26aee00 ef6acd80 c0468304
[Fri Nov  1 23:22:31 2024] 5f60: c2741400 c178b6b1 f092decc c26b8880 c26aee00 c04682a8 c2741400 c26b8240
[Fri Nov  1 23:22:31 2024] 5f80: f092decc 00000000 00000000 c046fd30 c26b8880 c046fc58 00000000 00000000
[Fri Nov  1 23:22:31 2024] 5fa0: 00000000 00000000 00000000 c0400164 00000000 00000000 00000000 00000000
[Fri Nov  1 23:22:31 2024] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[Fri Nov  1 23:22:31 2024] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[Fri Nov  1 23:22:31 2024]  close_id_del_oplock [ksmbd] from __ksmbd_close_fd+0xf0/0x314 [ksmbd]
[Fri Nov  1 23:22:31 2024]  __ksmbd_close_fd [ksmbd] from ksmbd_close_fd+0x8c/0xf4 [ksmbd]
[Fri Nov  1 23:22:31 2024]  ksmbd_close_fd [ksmbd] from smb2_close+0x244/0x494 [ksmbd]
[Fri Nov  1 23:22:31 2024]  smb2_close [ksmbd] from handle_ksmbd_work+0x1ac/0x4c0 [ksmbd]
[Fri Nov  1 23:22:31 2024]  handle_ksmbd_work [ksmbd] from process_one_work+0x1f4/0x4bc
[Fri Nov  1 23:22:31 2024]  process_one_work from worker_thread+0x5c/0x50c
[Fri Nov  1 23:22:31 2024]  worker_thread from kthread+0xd8/0xf4
[Fri Nov  1 23:22:31 2024]  kthread from ret_from_fork+0x14/0x30
[Fri Nov  1 23:22:31 2024] Exception stack(0xf0925fb0 to 0xf0925ff8)
[Fri Nov  1 23:22:31 2024] 5fa0:                                     00000000 00000000 00000000 00000000
[Fri Nov  1 23:22:31 2024] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[Fri Nov  1 23:22:31 2024] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[Fri Nov  1 23:22:31 2024] Code: e3300000 1afffffa eaffffe2 e5903024 (e5d32032) 
[Fri Nov  1 23:22:31 2024] ---[ end trace 0000000000000000 ]---

This happens when starting Windows Backup onto the share.

Removing "oplocks = no" from the config solves the issue (and the prior issue #193, which required this workaround, did not reappear).
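The trace above already contains enough to narrow down the maintainer's later question of which access faults. The following script is an added example (not code from the issue or from the ksmbd project) that parses an ARM oops in the format shown, collects the fault address, the faulting symbol, the register dump and the call trace, and decodes the parenthesised word from the `Code:` line when it is an ARM single-data-transfer instruction with an immediate offset (LDR/STR/LDRB/STRB). It then checks whether the base register of that instruction holds NULL and base + offset equals the reported fault address, which is the signature of a struct field read through a NULL pointer. The regular expressions and the `Oops` data class are assumptions of this example, written against the log lines in this report; the sample input is excerpted verbatim from the oops above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: lines excerpted verbatim from the oops in the report above.
SAMPLE_OOPS = """\
[Fri Nov  1 23:22:30 2024] Unable to handle kernel NULL pointer dereference at virtual address 00000032
[Fri Nov  1 23:22:30 2024] Internal error: Oops: 206 [#1] SMP ARM
[Fri Nov  1 23:22:31 2024] Workqueue: ksmbd-io handle_ksmbd_work [ksmbd]
[Fri Nov  1 23:22:31 2024] PC is at close_id_del_oplock+0x168/0x1d0 [ksmbd]
[Fri Nov  1 23:22:31 2024] LR is at __ksmbd_close_fd+0xf0/0x314 [ksmbd]
[Fri Nov  1 23:22:31 2024] r10: c2632500  r9 : bf7fae00  r8 : 00000005
[Fri Nov  1 23:22:31 2024] r7 : c44a91e4  r6 : c2632500  r5 : c2632500  r4 : c44a91e4
[Fri Nov  1 23:22:31 2024] r3 : 00000000  r2 : 00000000  r1 : 00000000  r0 : c2632500
[Fri Nov  1 23:22:31 2024] Register r0 information: slab maple_node start c2632500 pointer offset 0
[Fri Nov  1 23:22:31 2024] Register r3 information: NULL pointer
[Fri Nov  1 23:22:31 2024]  close_id_del_oplock [ksmbd] from __ksmbd_close_fd+0xf0/0x314 [ksmbd]
[Fri Nov  1 23:22:31 2024]  __ksmbd_close_fd [ksmbd] from ksmbd_close_fd+0x8c/0xf4 [ksmbd]
[Fri Nov  1 23:22:31 2024]  ksmbd_close_fd [ksmbd] from smb2_close+0x244/0x494 [ksmbd]
[Fri Nov  1 23:22:31 2024]  smb2_close [ksmbd] from handle_ksmbd_work+0x1ac/0x4c0 [ksmbd]
[Fri Nov  1 23:22:31 2024]  handle_ksmbd_work [ksmbd] from process_one_work+0x1f4/0x4bc
[Fri Nov  1 23:22:31 2024] Code: e3300000 1afffffa eaffffe2 e5903024 (e5d32032)
"""

# Patterns for the dmesg/oops line shapes seen above (assumptions of this example).
TIMESTAMP = re.compile(r"^\[[^\]]*\]\s?")
FAULT = re.compile(r"NULL pointer dereference at virtual address ([0-9a-f]+)")
PC = re.compile(r"PC is at (\S+)\+0x([0-9a-f]+)/0x([0-9a-f]+)(?: \[(\w+)\])?")
REG = re.compile(r"\br(\d+)\s*:\s*([0-9a-f]{8})")
FRAME = re.compile(r"^\s*(\S+)(?: \[\w+\])? from (\S+)\+0x")
CODE = re.compile(r"Code: .*\(([0-9a-f]{8})\)")


def decode_arm_single_transfer(word: int) -> Optional[Tuple[str, int, int, int]]:
    """Decode an ARM single data transfer with 12-bit immediate offset
    (encoding bits[27:25] == 0b010). Returns (mnemonic, rt, rn, offset) or
    None for any other instruction class."""
    if (word >> 25) & 0b111 != 0b010:
        return None
    up = (word >> 23) & 1       # U: add (1) or subtract (0) the offset
    byte = (word >> 22) & 1     # B: byte (1) or word (0) access
    load = (word >> 20) & 1     # L: load (1) or store (0)
    rn = (word >> 16) & 0xF     # base register
    rt = (word >> 12) & 0xF     # transfer register
    imm = word & 0xFFF
    mnemonic = ("ldr" if load else "str") + ("b" if byte else "")
    return mnemonic, rt, rn, imm if up else -imm


@dataclass
class Oops:
    fault_addr: Optional[int] = None
    pc_symbol: Optional[str] = None
    pc_module: Optional[str] = None
    registers: Dict[int, int] = field(default_factory=dict)
    call_trace: List[str] = field(default_factory=list)
    faulting_word: Optional[int] = None

    def faulting_insn(self) -> Optional[Tuple[str, int, int, int]]:
        if self.faulting_word is None:
            return None
        return decode_arm_single_transfer(self.faulting_word)

    def null_base_explains_fault(self) -> bool:
        """True when the faulting load/store uses a base register that holds 0
        and base + offset equals the fault address: a field of a NULL struct."""
        insn = self.faulting_insn()
        if insn is None or self.fault_addr is None:
            return False
        _, _, rn, off = insn
        base = self.registers.get(rn)
        return base == 0 and (base + off) & 0xFFFFFFFF == self.fault_addr


def parse_oops(text: str) -> Oops:
    oops = Oops()
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if m := FAULT.search(line):
            oops.fault_addr = int(m.group(1), 16)
        elif m := PC.search(line):
            oops.pc_symbol, oops.pc_module = m.group(1), m.group(4)
        elif m := CODE.search(line):
            oops.faulting_word = int(m.group(1), 16)
        elif m := FRAME.match(line):
            if not oops.call_trace:          # innermost frame comes first
                oops.call_trace.append(m.group(1))
            oops.call_trace.append(m.group(2))
        for r in REG.finditer(line):         # "r3 : 00000000" style entries
            oops.registers[int(r.group(1))] = int(r.group(2), 16)
    return oops


if __name__ == "__main__":
    o = parse_oops(SAMPLE_OOPS)
    print(f"fault at 0x{o.fault_addr:x} in {o.pc_symbol} [{o.pc_module}]")
    insn = o.faulting_insn()
    if insn:
        m, rt, rn, off = insn
        print(f"faulting insn: {m} r{rt}, [r{rn}, #0x{off:x}]  (r{rn} = 0x{o.registers.get(rn, 0):08x})")
    print("NULL struct field dereference:", o.null_base_explains_fault())
    print("call trace:", " <- ".join(o.call_trace))
```

Run against the excerpt, the script reports that the faulting word `e5d32032` is `ldrb r2, [r3, #0x32]` with r3 equal to zero, which matches the reported fault address 0x32, and that the preceding word `e5903024` is `ldr r3, [r0, #0x24]`: the byte is read from a pointer that was itself loaded from offset 0x24 of the object in r0, which the register dump identifies as a `maple_node` slab object. Mapping those offsets to struct fields needs the matching vmlinux/ksmbd.ko and `objdump`/`gdb`, which this script does not replace.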

@namjaejeon (Owner)

@romanrm Thanks for your check, I will check it and share the fix with you.

@namjaejeon (Owner)

@romanrm It's quite difficult to reproduce. Can you find which line makes the null pointer dereference in close_id_del_oplock()?

@namjaejeon (Owner)

@romanrm I have found there was a problem in linux-6.1.96, but it is fixed in the latest Linux version.

Please check the following patch.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/smb/server?h=v6.12-rc7&id=5fb282ba4fef8985a5acf2b32681f2ec07732561

Thanks.
