Control: tags -1 + moreinfo

Hi Daniel,

On Tue, Jul 18, 2023 at 02:35:25AM +0200, Daniel Gröber wrote:
> Package: src:linux
> Version: 6.1.27-1
> Severity: normal
>
> Dear Maintainer,
>
> I got the following BUG on my router while working on my nftables
> ruleset. After this happened network connectivity was broken quite severely
> so some internal state might have gotten messed up too. An attempted reboot
> never completed and a hard power cut was necessary.
>
> kernel: BUG: kernel NULL pointer dereference, address: 0000000000000038
> kernel: #PF: supervisor read access in kernel mode
> kernel: #PF: error_code(0x0000) - not-present page
> kernel: PGD 0 P4D 0
> kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
> kernel: CPU: 2 PID: 902522 Comm: kworker/2:3 Tainted: G W
> 6.1.0-9-amd64 #1 Debian 6.1.27-1
> kernel: Hardware name: PC Engines apu3/apu3, BIOS v4.11.0.3 01/29/2020
> kernel: Workqueue: events nf_tables_trans_destroy_work [nf_tables]
> kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
> kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48
> 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42
> 38 48 85 c0 75 c5>
> kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
> kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
> kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
> kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
> kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
> kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
> kernel: FS: 0000000000000000(0000) GS:ffff9407b5f00000(0000)
> knlGS:0000000000000000
> kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
> kernel: Call Trace:
> kernel: <TASK>
> kernel: nft_set_elem_destroy+0xe5/0x100 [nf_tables]
> kernel: nft_set_pipapo_match_destroy+0x65/0x80 [nf_tables]
> kernel: nft_pipapo_destroy+0x2e/0x1b0 [nf_tables]
> kernel: nft_set_destroy+0x95/0x120 [nf_tables]
> kernel: nf_tables_trans_destroy_work+0x303/0x330 [nf_tables]
> kernel: process_one_work+0x1c7/0x380
> kernel: worker_thread+0x4d/0x380
> kernel: ? _raw_spin_lock_irqsave+0x23/0x50
> kernel: ? rescuer_thread+0x3a0/0x3a0
> kernel: kthread+0xe9/0x110
> kernel: ? kthread_complete_and_exit+0x20/0x20
> kernel: ret_from_fork+0x22/0x30
> kernel: </TASK>
> kernel: Modules linked in: mptcp_diag sctp_diag raw_diag unix_diag
> af_packet_diag netlink_diag nf_conntrack_netlink sctp udp_diag tcp_diag
> inet_diag ip_set_hash_ip ip_s>
> kernel: zstd_compress raid10 raid456 async_raid6_recov async_memcpy
> async_pq async_xor async_tx xor raid6_pq libcrc32c crc32c_generic raid1 raid0
> multipath cdc_ether l>
> kernel: CR2: 0000000000000038
> kernel: ---[ end trace 0000000000000000 ]---
> kernel: RIP: 0010:nft_set_elem_expr_destroy+0x56/0xa0 [nf_tables]
> kernel: Code: 6b 20 d9 48 8b 03 48 8b 40 78 48 8b 78 30 e8 f1 6e 54 d8 48
> 8b 03 8b 40 10 01 c5 48 01 c3 41 0f b6 04 24 39 c5 73 2f 48 8b 13 <48> 8b 42
> 38 48 85 c0 75 c5>
> kernel: RSP: 0018:ffffb4e1484cfd28 EFLAGS: 00010246
> kernel: RAX: 0000000000000000 RBX: ffff940746193d08 RCX: ffff940764e89200
> kernel: RDX: 0000000000000000 RSI: ffff940746193d00 RDI: ffffb4e1484cfd58
> kernel: RBP: 0000000000000000 R08: 0000000000000003 R09: 000000008020001d
> kernel: R10: 0000000000000000 R11: 0000000000000000 R12: ffff940746193d00
> kernel: R13: ffffb4e1484cfd58 R14: dead000000000122 R15: ffff940746c23e80
> kernel: FS: 0000000000000000(0000) GS:ffff9407b5f00000(0000)
> knlGS:0000000000000000
> kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> kernel: CR2: 0000000000000038 CR3: 000000006eac2000 CR4: 00000000000406e0
> kernel: note: kworker/2:3[902522] exited with irqs disabled

As this is not the newest kernel in bookworm, please test with 6.1.38-1.

Are you able to reliably reproduce the issue and can you share the PoC?

Regards,
Salvatore