Bug#1041363: nft BUG: kernel NULL pointer dereference, address: 0000000000000038
Control: tags -1 + moreinfo
Hi Daniel,
On Tue, Jul 18, 2023 at 02:35:25AM +0200, Daniel Gröber wrote:
> Package: src:linux
> Version: 6.1.27-1
> Severity: normal
>
> Dear Maintainer,
>
> I got the following BUG on my router while working on my nftables
> ruleset. After this happened network connectivity was broken quite severely
> so some internal state might have gotten messed up too. An attempted reboot
> never completed and a hard power cut was necessary.
>
> kernel: BUG: kernel NULL pointer dereference, address: 0000000000000038
> kernel: #PF: supervisor read access in kernel mode
> kernel: #PF: error_code(0x0000) - not-present page
> kernel: PGD 0 P4D 0
> kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
> kernel: CPU: 2 PID: 902522 Comm: kworker/2:3 Tainted: G W 6.1.0-9-amd64 #1 Debian 6.1.27-1
> kernel: Hardware name: PC Engines apu3/apu3, BIOS v4.11.0.3 01/29/2020
> kernel: Workqueue: events nf_tables_trans_destroy_work [nf_tables]
> kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
> kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42 38 48 85 c0 75 c5>
> kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
> kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
> kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
> kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
> kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
> kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
> kernel: FS: 0000000000000000(0000) GS:ffff9407b5f00000(0000) knlGS:0000000000000000
> kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
> kernel: Call Trace:
> kernel: <TASK>
> kernel: nft_set_elem_destroy+0xe5/0x100 [nf_tables]
> kernel: nft_set_pipapo_match_destroy+0x65/0x80 [nf_tables]
> kernel: nft_pipapo_destroy+0x2e/0x1b0 [nf_tables]
> kernel: nft_set_destroy+0x95/0x120 [nf_tables]
> kernel: nf_tables_trans_destroy_work+0x303/0x330 [nf_tables]
> kernel: process_one_work+0x1c7/0x380
> kernel: worker_thread+0x4d/0x380
> kernel: ? _raw_spin_lock_irqsave+0x23/0x50
> kernel: ? rescuer_thread+0x3a0/0x3a0
> kernel: kthread+0xe9/0x110
> kernel: ? kthread_complete_and_exit+0x20/0x20
> kernel: ret_from_fork+0x22/0x30
> kernel: </TASK>
> kernel: Modules linked in: mptcp_diag sctp_diag raw_diag unix_diag af_packet_diag netlink_diag nf_conntrack_netlink sctp udp_diag tcp_diag inet_diag ip_set_hash_ip ip_s>
> kernel: zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath cdc_ether l>
> kernel: CR2: 0000000000000038
> kernel: ---[ end trace 0000000000000000 ]---
> kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
> kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42 38 48 85 c0 75 c5>
> kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
> kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
> kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
> kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
> kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
> kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
> kernel: FS: 0000000000000000(0000) GS:ffff9407b5f00000(0000) knlGS:0000000000000000
> kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
> kernel: note: kworker/2:3[902522] exited with irqs disabled
As this is not the newest kernel in bookworm, please test with
6.1.38-1.
Are you able to reliably reproduce the issue and can share the poc?
Regards,
Salvatore