Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038

To: Daniel Gröber <dxld@darkboxed.org>, 1041363@bugs.debian.org
Subject: Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 22 Jul 2023 22:07:39 +0200
Message-id: <[🔎] ZLw3C7+HkOJ+vBc0@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1041363@bugs.debian.org
In-reply-to: <[🔎] 20230718003525.gi5ugprtw5drd2cr@House.clients.dxld.at>
References: <[🔎] 20230718003525.gi5ugprtw5drd2cr@House.clients.dxld.at> <[🔎] 20230718003525.gi5ugprtw5drd2cr@House.clients.dxld.at>

Control: tags -1 + moreinfo

Hi Daniel,

On Tue, Jul 18, 2023 at 02:35:25AM +0200, Daniel Gröber wrote:
> Package: src:linux
> Version: 6.1.27-1
> Severity: normal
> 
> Dear Maintainer,
> 
> I got the following BUG on my router while working on my nftables
> ruleset. After this happened network connectivity was broken quite severely
> so some internal state might have gotten messed up too. An attempted reboot
> never completed and a hard power cut was necessary.
> 
>     kernel: BUG: kernel NULL pointer dereference, address: 0000000000000038
>     kernel: #PF: supervisor read access in kernel mode
>     kernel: #PF: error_code(0x0000) - not-present page
>     kernel: PGD 0 P4D 0 
>     kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
>     kernel: CPU: 2 PID: 902522 Comm: kworker/2:3 Tainted: G        W          6.1.0-9-amd64 #1  Debian 6.1.27-1
>     kernel: Hardware name: PC Engines apu3/apu3, BIOS v4.11.0.3 01/29/2020
>     kernel: Workqueue: events nf_tables_trans_destroy_work [nf_tables]
>     kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
>     kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42 38 48 85 c0 75 c5>
>     kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
>     kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
>     kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
>     kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
>     kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
>     kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
>     kernel: FS:  0000000000000000(0000) GS:ffff9407b5f00000(0000) knlGS:0000000000000000
>     kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>     kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
>     kernel: Call Trace:
>     kernel:  <TASK>
>     kernel:  nft_set_elem_destroy+0xe5/0x100 [nf_tables]
>     kernel:  nft_set_pipapo_match_destroy+0x65/0x80 [nf_tables]
>     kernel:  nft_pipapo_destroy+0x2e/0x1b0 [nf_tables]
>     kernel:  nft_set_destroy+0x95/0x120 [nf_tables]
>     kernel:  nf_tables_trans_destroy_work+0x303/0x330 [nf_tables]
>     kernel:  process_one_work+0x1c7/0x380
>     kernel:  worker_thread+0x4d/0x380
>     kernel:  ? _raw_spin_lock_irqsave+0x23/0x50
>     kernel:  ? rescuer_thread+0x3a0/0x3a0
>     kernel:  kthread+0xe9/0x110
>     kernel:  ? kthread_complete_and_exit+0x20/0x20
>     kernel:  ret_from_fork+0x22/0x30
>     kernel:  </TASK>
>     kernel: Modules linked in: mptcp_diag sctp_diag raw_diag unix_diag af_packet_diag netlink_diag nf_conntrack_netlink sctp udp_diag tcp_diag inet_diag ip_set_hash_ip ip_s>
>     kernel:  zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath cdc_ether l>
>     kernel: CR2: 0000000000000038
>     kernel: ---[ end trace 0000000000000000 ]---
>     kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
>     kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42 38 48 85 c0 75 c5>
>     kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
>     kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
>     kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
>     kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
>     kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
>     kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
>     kernel: FS:  0000000000000000(0000) GS:ffff9407b5f00000(0000) knlGS:0000000000000000
>     kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>     kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
>     kernel: note: kworker/2:3[902522] exited with irqs disabled

As this is not the newest kernel in bookworm, please test with
6.1.38-1. 

Are you able to reliably reproduce the issue and can share the poc?

Regards,
Salvatore

Reply to:

Follow-Ups:
- Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038
  - From: Daniel Gröber <dxld@darkboxed.org>

References:
- Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038
  - From: Daniel Gröber <dxld@darkboxed.org>

Prev by Date: linux-signed-i386_5.10.179+2_source.changes ACCEPTED into oldstable-proposed-updates
Next by Date: Processed: Re: Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038
Previous by thread: Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038
Next by thread: Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038
Index(es):
- Date
- Thread