Crashes with a Windows 10 client #193

Open
romanrm opened this issue Apr 12, 2023 · 3 comments

romanrm commented Apr 12, 2023

Hello,

I upgraded my Windows client from Windows 7 to Windows 10, trying to run the same task as before (Windows Backup to the network share), but the ksmbd server now crashes:

[Wed Jan  7 18:20:44 1970] ksmbd: sock_read failed: -11
[Wed Jan  7 18:20:44 1970] 8<--- cut here ---
[Wed Jan  7 18:20:44 1970] Unable to handle kernel NULL pointer dereference at virtual address 00000010
[Wed Jan  7 18:20:44 1970] [00000010] *pgd=80000040204003, *pmd=00000000
[Wed Jan  7 18:20:44 1970] Internal error: Oops: 206 [#1] SMP ARM
[Wed Jan  7 18:20:44 1970] Modules linked in: cmac sha512_generic sha512_arm nls_utf8 ksmbd crc32_generic cifs_arc4 sit tunnel4 ip_tunnel xt_comment xt_multiport xt_limit xt_length xt_tcpudp xt_CT ip6t_rpfilter ipt_rpfilter ip6table_nat ip6table_raw ip6table_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_raw iptable_mangle nf_tables nfnetlink ip6table_filter ip6_tables iptable_filter ip_tables x_tables cpufreq_userspace cpufreq_powersave cpufreq_ondemand cpufreq_conservative tcp_bbr dm_crypt dm_mod ecb des_generic evdev aes_arm_bs crypto_simd cryptd axp20x_adc axp20x_pek industrialio sun4i_backend lima gpu_sched drm_shmem_helper r8188eu(C) sunxi_cir nvmem_sunxi_sid sunxi_wdt rc_core sun4i_ts libarc4 sunxi_cedrus(C) v4l2_mem2mem videobuf2_dma_contig sg videobuf2_memops videobuf2_v4l2 sun4i_ss videobuf2_common videodev libdes mc leds_gpio cpufreq_dt ext4 crc16 mbcache jbd2 btrfs blake2b_neon blake2b_generic xor xor_neon raid6_pq zstd_compress libcrc32c crc32c_generic sd_mod
[Wed Jan  7 18:20:44 1970]  t10_pi crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_common axp20x_regulator ahci_sunxi libahci_platform dwmac_sunxi libahci stmmac_platform stmmac pcs_xpcs phylink of_mdio fixed_phy fwnode_mdio libata libphy sun4i_frontend drm_dma_helper ptp sun4i_tcon sun8i_tcon_top pps_core i2c_mv64xxx ohci_platform ehci_platform ohci_hcd scsi_mod ehci_hcd drm_kms_helper usbcore scsi_common drm sunxi_mmc phy_sun4i_usb
[Wed Jan  7 18:20:44 1970] CPU: 1 PID: 120 Comm: kworker/1:2 Tainted: G         C         6.1.0-0.deb11.6-armmp-lpae #1  Debian 6.1.15-1~bpo11+1
[Wed Jan  7 18:20:44 1970] Hardware name: Allwinner sun7i (A20) Family
[Wed Jan  7 18:20:44 1970] Workqueue: ksmbd-io __smb2_oplock_break_noti [ksmbd]
[Wed Jan  7 18:20:44 1970] PC is at apparmor_socket_sendmsg+0x18/0x20
[Wed Jan  7 18:20:44 1970] LR is at security_socket_sendmsg+0x40/0x5c
[Wed Jan  7 18:20:44 1970] pc : [<c080410c>]    lr : [<c07b69ac>]    psr: a0070013
[Wed Jan  7 18:20:44 1970] sp : f08f1e20  ip : 0000005c  fp : ff7f3005
[Wed Jan  7 18:20:44 1970] r10: c2698000  r9 : d077a100  r8 : 00000001
[Wed Jan  7 18:20:44 1970] r7 : 00000000  r6 : f08f1e50  r5 : 0000005c  r4 : c1300160
[Wed Jan  7 18:20:44 1970] r3 : 00000000  r2 : 0000005c  r1 : 00000002  r0 : c12e9234
[Wed Jan  7 18:20:44 1970] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[Wed Jan  7 18:20:44 1970] Control: 30c5387d  Table: 5148d080  DAC: fed4d90d
[Wed Jan  7 18:20:44 1970] Register r0 information: non-slab/vmalloc memory
[Wed Jan  7 18:20:44 1970] Register r1 information: non-paged memory
[Wed Jan  7 18:20:44 1970] Register r2 information: non-paged memory
[Wed Jan  7 18:20:44 1970] Register r3 information: NULL pointer
[Wed Jan  7 18:20:44 1970] Register r4 information: non-slab/vmalloc memory
[Wed Jan  7 18:20:44 1970] Register r5 information: non-paged memory
[Wed Jan  7 18:20:44 1970] Register r6 information: 2-page vmalloc region starting at 0xf08f0000 allocated at kernel_clone+0x9c/0x374
[Wed Jan  7 18:20:44 1970] Register r7 information: NULL pointer
[Wed Jan  7 18:20:44 1970] Register r8 information: non-paged memory
[Wed Jan  7 18:20:44 1970] Register r9 information: slab kmalloc-64 start d077a100 pointer offset 0 size 64
[Wed Jan  7 18:20:44 1970] Register r10 information: slab task_struct start c2698000 pointer offset 0
[Wed Jan  7 18:20:44 1970] Register r11 information: 0-page vmalloc region starting at 0xff7dc000 allocated at pcpu_get_vm_areas+0x0/0x1168
[Wed Jan  7 18:20:44 1970] Register r12 information: non-paged memory
[Wed Jan  7 18:20:44 1970] Process kworker/1:2 (pid: 120, stack limit = 0xb18a409d)
[Wed Jan  7 18:20:44 1970] Stack: (0xf08f1e20 to 0xf08f2000)
[Wed Jan  7 18:20:44 1970] 1e20: f08f1e50 00000000 d1efb480 0000005c 00000001 c0bd73a4 f08f1ec4 00000001
[Wed Jan  7 18:20:44 1970] 1e40: d1efb480 bf816060 0000005c ef6ac500 00000000 00000000 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1e60: 00010001 00000000 0000005c f08f1ec4 00000001 00000000 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1e80: 00004000 00000000 00000000 00000000 00000000 00000000 c2698000 d5739a39
[Wed Jan  7 18:20:44 1970] 1ea0: c3c52210 bf816000 0000005c c3c52200 c3c52210 bf81264c 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1ec0: bf80fbb0 c3a66000 0000005c bf834d44 0000003a c24958a4 c3c52200 d5739a39
[Wed Jan  7 18:20:44 1970] 1ee0: c3a66000 c3c52200 d0fbe200 c24958a4 c2495840 bf80fc9c d0d6b604 d0a38200
[Wed Jan  7 18:20:44 1970] 1f00: 2e17e000 c152e4c0 00000000 c24958a4 c279ac80 ef6ac180 ff7f3000 00000000
[Wed Jan  7 18:20:44 1970] 1f20: 00000040 c0467798 c2698000 c2698000 ef6ac180 ef6ac180 ef6ac19c c279ac80
[Wed Jan  7 18:20:44 1970] 1f40: ef6ac180 c279ac98 ef6ac19c c1604d40 00000008 c2698000 ef6ac180 c0467ed8
[Wed Jan  7 18:20:44 1970] 1f60: c279ac80 c1789825 f0871ecc c27fa8c0 c2698000 c0467e7c c279ac80 c3824cc0
[Wed Jan  7 18:20:44 1970] 1f80: f0871ecc 00000000 00000000 c046f90c c27fa8c0 c046f834 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1fa0: 00000000 00000000 00000000 c0400160 00000000 00000000 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
[Wed Jan  7 18:20:44 1970]  apparmor_socket_sendmsg from security_socket_sendmsg+0x40/0x5c
[Wed Jan  7 18:20:44 1970]  security_socket_sendmsg from sock_sendmsg+0x1c/0x4c
[Wed Jan  7 18:20:44 1970]  sock_sendmsg from ksmbd_tcp_writev+0x60/0x88 [ksmbd]
[Wed Jan  7 18:20:44 1970]  ksmbd_tcp_writev [ksmbd] from ksmbd_conn_write+0xb8/0x19c [ksmbd]
[Wed Jan  7 18:20:44 1970]  ksmbd_conn_write [ksmbd] from __smb2_oplock_break_noti+0x138/0x1ec [ksmbd]
[Wed Jan  7 18:20:44 1970]  __smb2_oplock_break_noti [ksmbd] from process_one_work+0x1f4/0x4bc
[Wed Jan  7 18:20:44 1970]  process_one_work from worker_thread+0x5c/0x50c
[Wed Jan  7 18:20:44 1970]  worker_thread from kthread+0xd8/0xf4
[Wed Jan  7 18:20:44 1970]  kthread from ret_from_fork+0x14/0x34
[Wed Jan  7 18:20:44 1970] Exception stack(0xf08f1fb0 to 0xf08f1ff8)
[Wed Jan  7 18:20:44 1970] 1fa0:                                     00000000 00000000 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[Wed Jan  7 18:20:44 1970] 1fe0: 00000000 00000000 00000000 00000000 00000013 00000000
[Wed Jan  7 18:20:44 1970] Code: e1a03000 e3a01002 e3090234 e34c012e (e5932010) 
[Wed Jan  7 18:20:44 1970] ---[ end trace 0000000000000000 ]---

romanrm commented Apr 12, 2023

Setting "oplocks = no" for the share seems to solve it.

namjaejeon (Owner) commented

Can you reproduce this issue again? Because the kernel oops does not happen in the ksmbd module.

[Wed Jan 7 18:20:44 1970] PC is at apparmor_socket_sendmsg+0x18/0x20
[Wed Jan 7 18:20:44 1970] LR is at security_socket_sendmsg+0x40/0x5c

romanrm commented Apr 13, 2023

Yes, I tried the same after a reboot, and got the same result. For the 3rd attempt I disabled oplocks as above, and did not get the error that time.
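
Triage of the oops posted in this thread, as an added example (not code from the ksmbd project or from either participant): it reads the faulting symbol and call trace to see which frames belong to a module, and decodes the bracketed word on the `Code:` line as an ARM A32 load to check it against the reported fault address. The names `triage` and `decode_ldr_imm` are made up for this example; the log lines are copied from the report above.

```python
import re

# Lines copied from the oops in this issue (timestamps and most of the dump trimmed).
OOPS = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000010
PC is at apparmor_socket_sendmsg+0x18/0x20
r3 : 00000000  r2 : 0000005c  r1 : 00000002  r0 : c12e9234
 apparmor_socket_sendmsg from security_socket_sendmsg+0x40/0x5c
 security_socket_sendmsg from sock_sendmsg+0x1c/0x4c
 sock_sendmsg from ksmbd_tcp_writev+0x60/0x88 [ksmbd]
 ksmbd_tcp_writev [ksmbd] from ksmbd_conn_write+0xb8/0x19c [ksmbd]
 ksmbd_conn_write [ksmbd] from __smb2_oplock_break_noti+0x138/0x1ec [ksmbd]
Code: e1a03000 e3a01002 e3090234 e34c012e (e5932010)
"""

def decode_ldr_imm(word):
    """Decode an A32 'LDR Rd, [Rn, #imm]' (offset addressing); None if not that form."""
    is_ldst_imm = (word >> 25) & 0b111 == 0b010      # bits 27:25
    p, u, b, w, l = [(word >> n) & 1 for n in (24, 23, 22, 21, 20)]
    if not (is_ldst_imm and p and not w and not b and l):
        return None
    imm = word & 0xFFF
    return {"rd": (word >> 12) & 0xF, "rn": (word >> 16) & 0xF, "offset": imm if u else -imm}

def triage(text):
    # Drop dmesg "[timestamp] " prefixes so raw logs can be pasted in unchanged.
    lines = [re.sub(r"^\[[^\]]*\] ?", "", ln) for ln in text.splitlines()]
    body = "\n".join(lines)
    fault = int(re.search(r"at virtual address ([0-9a-f]+)", body).group(1), 16)
    pc_sym = re.search(r"PC is at (\w+)\+", body).group(1)
    regs = {n: int(v, 16) for n, v in re.findall(r"\b(r\d+)\s*: ([0-9a-f]{8})\b", body)}
    frames = re.findall(r"^\s*(\w+)(?: \[(\w+)\])? from \w+\+0x", body, re.M)
    insn = decode_ldr_imm(int(re.search(r"Code: .*\(([0-9a-f]{8})\)", body).group(1), 16))
    base = f"r{insn['rn']}" if insn else None
    return {
        "pc_symbol": pc_sym,
        "pc_module": dict(frames).get(pc_sym) or "core kernel",
        "first_module_frame": next(((f, m) for f, m in frames if m), None),
        "faulting_load": insn,
        "base_register": base,
        # The oops is explained if base register + offset equals the reported address.
        "load_explains_fault": bool(insn) and regs.get(base, -1) + insn["offset"] == fault,
    }

if __name__ == "__main__":
    for key, value in triage(OOPS).items():
        print(f"{key}: {value}")
```

On this log the faulting word decodes to a load from `[r3, #16]` with `r3` equal to zero, which matches the reported address `00000010` and the `Register r3 information: NULL pointer` line.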
