
Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038



Package: src:linux
Version: 6.1.27-1
Severity: normal

Dear Maintainer,

I got the following BUG on my router while working on my nftables
ruleset. After this happened, network connectivity was broken quite severely,
so some internal state might have gotten messed up too. An attempted reboot
never completed and a hard power cut was necessary.

    kernel: BUG: kernel NULL pointer dereference, address: 0000000000000038
    kernel: #PF: supervisor read access in kernel mode
    kernel: #PF: error_code(0x0000) - not-present page
    kernel: PGD 0 P4D 0 
    kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
    kernel: CPU: 2 PID: 902522 Comm: kworker/2:3 Tainted: G        W          6.1.0-9-amd64 #1  Debian 6.1.27-1
    kernel: Hardware name: PC Engines apu3/apu3, BIOS v4.11.0.3 01/29/2020
    kernel: Workqueue: events nf_tables_trans_destroy_work [nf_tables]
    kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
    kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42 38 48 85 c0 75 c5>
    kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
    kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
    kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
    kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
    kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
    kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
    kernel: FS:  0000000000000000(0000) GS:ffff9407b5f00000(0000) knlGS:0000000000000000
    kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
    kernel: Call Trace:
    kernel:  <TASK>
    kernel:  nft_set_elem_destroy+0xe5/0x100 [nf_tables]
    kernel:  nft_set_pipapo_match_destroy+0x65/0x80 [nf_tables]
    kernel:  nft_pipapo_destroy+0x2e/0x1b0 [nf_tables]
    kernel:  nft_set_destroy+0x95/0x120 [nf_tables]
    kernel:  nf_tables_trans_destroy_work+0x303/0x330 [nf_tables]
    kernel:  process_one_work+0x1c7/0x380
    kernel:  worker_thread+0x4d/0x380
    kernel:  ? _raw_spin_lock_irqsave+0x23/0x50
    kernel:  ? rescuer_thread+0x3a0/0x3a0
    kernel:  kthread+0xe9/0x110
    kernel:  ? kthread_complete_and_exit+0x20/0x20
    kernel:  ret_from_fork+0x22/0x30
    kernel:  </TASK>
    kernel: Modules linked in: mptcp_diag sctp_diag raw_diag unix_diag af_packet_diag netlink_diag nf_conntrack_netlink sctp udp_diag tcp_diag inet_diag ip_set_hash_ip ip_s>
    kernel:  zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath cdc_ether l>
    kernel: CR2: 0000000000000038
    kernel: ---[ end trace 0000000000000000 ]---
    kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
    kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42 38 48 85 c0 75 c5>
    kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
    kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
    kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
    kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
    kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
    kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
    kernel: FS:  0000000000000000(0000) GS:ffff9407b5f00000(0000) knlGS:0000000000000000
    kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
    kernel: note: kworker/2:3[902522] exited with irqs disabled

Thanks,
--Daniel

-- System Information:
Debian Release: 12.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-9-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

