** Changed in: linux-hwe-6.14 (Ubuntu Noble)
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/2113992

Title:
  Creating a VXLAN interface with a Fan mapping causes a NULL pointer
  dereference caught by ubuntu_fan_smoke_test:sut-scan

Status in linux package in Ubuntu:
  Invalid
Status in linux-gcp package in Ubuntu:
  Invalid
Status in linux-hwe-6.14 package in Ubuntu:
  New
Status in linux source package in Noble:
  Invalid
Status in linux-gcp source package in Noble:
  Invalid
Status in linux-hwe-6.14 source package in Noble:
  Fix Committed
Status in linux source package in Plucky:
  In Progress
Status in linux-gcp source package in Plucky:
  New
Status in linux-hwe-6.14 source package in Plucky:
  Invalid

Bug description:
  SRU Justification:

  [Impact]

  Creating a VXLAN link with a Fan map reliably results in a kernel NULL
  pointer dereference.

  [ 1035.676861] BUG: kernel NULL pointer dereference, address: 0000000000000000
  [ 1035.678459] #PF: supervisor read access in kernel mode
  [ 1035.679321] #PF: error_code(0x0000) - not-present page
  [ 1035.680092] PGD 0 P4D 0 
  [ 1035.680509] Oops: Oops: 0000 [#1] PREEMPT SMP PTI
  [ 1035.681179] CPU: 1 UID: 0 PID: 8470 Comm: ip Not tainted 6.14.0-15-generic #15-Ubuntu
  [ 1035.682291] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
  ...

  This affects 6.14 kernels only.

  [Fix]

  Author: Jacob Martin <jacob.mar...@canonical.com>
  Date:   Fri Jun 13 10:33:42 2025 -0500

      UBUNTU: SAUCE: fan: vxlan: parse fan-map from IFLA_VXLAN_FAN_MAP attribute ID
      
      BugLink: https://bugs.launchpad.net/bugs/2113992
      
      Before 6c11379b104e ("vxlan: Add an attribute to make VXLAN header
      validation configurable"), IFLA_IPTUN_FAN_MAP and IFLA_VXLAN_FAN_MAP
      shared the same integer value, allowing them to be used interchangeably
      without issue, even though they represented attributes for different
      link types. The introduction of IFLA_VXLAN_RESERVED_BITS led to
      IFLA_VXLAN_FAN_MAP's integer value being incremented by 1 (33 to 34).
      Thus the presence of attribute IFLA_VXLAN_FAN_MAP is checked but parsing
      of the fan-map is attempted by accessing IFLA_IPTUN_FAN_MAP, causing a
      NULL pointer dereference when creating a VXLAN device with a Fan
      mapping.
      
      This is resolved by adjusting the vxlan_parse_fan_map() function to
      access the correct IFLA_VXLAN_FAN_MAP attribute instead of
      IFLA_IPTUN_FAN_MAP.
      
      Fixes: 9ce64bb8afd8 ("UBUNTU: SAUCE: fan: add VXLAN implementation")
      Signed-off-by: Jacob Martin <jacob.mar...@canonical.com>

  [Test Plan]

  The NULL pointer dereference can be reproduced 100% of the time with the
  following:
  # ip link add vxlan0 type vxlan dstport 0 local 192.168.0.1 id 16384000 fan-map 240.0.0.0/8:192.168.0.0/16

  Thus, this can be used to easily verify the issue was resolved.

  I also ran the ubuntu_fan_smoke_test autotest test after patching the
  kernel, and verified that it now passes.

  [Where problems could occur]

  This change affects the vxlan driver, specifically the code that parses
  an optional Ubuntu Fan configuration. Issues could manifest as
  misbehavior of the vxlan driver.

  -------------- above SRU justification added by ~jacobmartin --------------

  SRU cycle 2025.05.19 regression test results showed a kernel panic
  caused by test ubuntu_fan_smoke_test:sut-scan for plucky:linux-gcp
  6.14.0-1008.8

  The failure was subsequently determined to affect the generic kernel
  as well.

  [ 1012.062312] BUG: kernel NULL pointer dereference, address: 0000000000000000
  [ 1012.069603] #PF: supervisor read access in kernel mode
  [ 1012.074864] #PF: error_code(0x0000) - not-present page
  [ 1012.080097] PGD 0 P4D 0
  [ 1012.082728] Oops: Oops: 0000 [#1] SMP NOPTI
  [ 1012.087010] CPU: 2 UID: 0 PID: 4687 Comm: ip Not tainted 6.14.0-1008-gcp #8-Ubuntu
  [ 1012.094688] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/29/2025
  [ 1012.104000] RIP: 0010:vxlan_nl2conf+0xa5/0xff0 [vxlan]
  [ 1012.109256] Code: 48 85 c0 0f 84 4c 06 00 00 8b 40 04 89 43 04 b8 02 00 00 00 66 89 03 49 83 bc 24 10 01 00 00 00 74 6d 49 8b 84 24 08 01 00 00 <0f> b7 38 8d 57 fc 0f b7 d2 83 fa 03 7e 57 49 81 c2 80 0a 00 00 48
  [ 1012.128119] RSP: 0018:ffffa1f802c63380 EFLAGS: 00010286
  [ 1012.133439] RAX: 0000000000000000 RBX: ffffa1f802c63418 RCX: 0000000000000000
  [ 1012.140668] RDX: ffff95bcce0d2000 RSI: 0000000000000000 RDI: ffffa1f802c63490
  [ 1012.147898] RBP: ffffa1f802c63400 R08: 0000000000000000 R09: ffffa1f802c63760
  [ 1012.155128] R10: ffff95bcce0d2000 R11: 0000000000000000 R12: ffff95bd2f144a48
  [ 1012.162356] R13: ffffa1f802c63760 R14: 00ffffff00000008 R15: 0000000000000000
  [ 1012.169588] FS:  00007eb23310c840(0000) GS:ffff95cbbf700000(0000) knlGS:0000000000000000
  [ 1012.177777] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 1012.183618] CR2: 0000000000000000 CR3: 000000015b6a3002 CR4: 0000000000370ef0
  [ 1012.190850] Call Trace:
  [ 1012.193393]  <TASK>
  [ 1012.195589]  ? alloc_netdev_mqs+0x3bc/0x560
  [ 1012.199869]  ? __kvmalloc_node_noprof+0x5f/0x100
  [ 1012.204584]  vxlan_newlink+0x58/0xb0 [vxlan]
  [ 1012.208971]  ? vxlan_newlink+0x58/0xb0 [vxlan]
  [ 1012.213515]  rtnl_newlink_create+0x118/0x2a0
  [ 1012.217884]  __rtnl_newlink+0xc4/0x3f0
  [ 1012.221730]  rtnl_newlink+0x4df/0x960
  [ 1012.225513]  rtnetlink_rcv_msg+0x22f/0x440
  [ 1012.229705]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.234590]  ? update_io_ticks+0x79/0x80
  [ 1012.238620]  ? __pfx_rtnetlink_rcv_msg+0x10/0x10
  [ 1012.243334]  netlink_rcv_skb+0x55/0x100
  [ 1012.247270]  rtnetlink_rcv+0x15/0x30
  [ 1012.250940]  netlink_unicast+0x229/0x350
  [ 1012.254957]  netlink_sendmsg+0x214/0x460
  [ 1012.258974]  ____sys_sendmsg+0x3b4/0x3f0
  [ 1012.262994]  ___sys_sendmsg+0x9a/0xf0
  [ 1012.266754]  __sys_sendmsg+0x8d/0xf0
  [ 1012.270426]  __x64_sys_sendmsg+0x1d/0x30
  [ 1012.274441]  x64_sys_call+0x6f9/0x2310
  [ 1012.278285]  do_syscall_64+0x7e/0x170
  [ 1012.282045]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.286929]  ? filemap_map_pages+0x523/0x5d0
  [ 1012.291293]  ? __lruvec_stat_mod_folio+0x79/0xd0
  [ 1012.296006]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.300891]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.305778]  ? do_read_fault+0xee/0x1e0
  [ 1012.309711]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.314596]  ? do_fault+0x151/0x210
  [ 1012.318180]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.323065]  ? handle_pte_fault+0x97/0x1f0
  [ 1012.327260]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.332406]  ? __handle_mm_fault+0x3d2/0x7a0
  [ 1012.336773]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.341657]  ? rseq_get_rseq_cs+0x22/0x240
  [ 1012.345853]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.350737]  ? rseq_ip_fixup+0x8d/0x1a0
  [ 1012.354683]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.359568]  ? arch_exit_to_user_mode_prepare.isra.0+0xc8/0xd0
  [ 1012.365495]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.370380]  ? irqentry_exit_to_user_mode+0x2d/0x1d0
  [ 1012.375441]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.380325]  ? irqentry_exit+0x21/0x40
  [ 1012.384171]  ? srso_alias_return_thunk+0x5/0xfbef5
  [ 1012.389055]  ? exc_page_fault+0x96/0x1a0
  [ 1012.393084]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
  [ 1012.398230] RIP: 0033:0x7eb23329f2a6
  [ 1012.401906] Code: 00 00 48 8b 15 53 1b 17 00 64 89 02 48 c7 c2 ff ff ff ff 48 8b 5d f8 c9 48 89 d0 c3 0f 1f 84 00 00 00 00 00 48 8b 45 10 0f 05 <48> 63 d0 3d 00 f0 ff ff 77 10 48 8b 5d f8 48 89 d0 c9 c3 0f 1f 80
  [ 1012.421218] RSP: 002b:00007ffe067eedb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
  [ 1012.428886] RAX: ffffffffffffffda RBX: 00007eb23310c840 RCX: 00007eb23329f2a6
  [ 1012.436223] RDX: 0000000000000000 RSI: 00007ffe067eee40 RDI: 0000000000000003
  [ 1012.443452] RBP: 00007ffe067eedc0 R08: 0000000000000000 R09: 0000000000000000
  [ 1012.450680] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000048
  [ 1012.457908] R13: 00005c51e00c1040 R14: 000000000000002c R15: 00007ffe067ef4c8
  [ 1012.465141]  </TASK>
  [ 1012.467419] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat bridge xfrm_user xfrm_algo xt_addrtype nft_compat nf_tables overlay binfmt_misc 8021q garp mrp stp llc nls_iso8859_1 input_leds sch_fq_codel nvme_fabrics efi_pstore dm_multipath vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock vmw_vmci dmi_sysfs ip_tables x_tables autofs4 btrfs blake2b_generic raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 linear polyval_clmulni polyval_generic ghash_clmulni_intel psmouse sha256_ssse3 sha1_ssse3 gve serio_raw virtio_rng aesni_intel crypto_simd cryptd
  [ 1012.527936] CR2: 0000000000000000
  [ 1012.531362] ---[ end trace 0000000000000000 ]---
  [ 1012.556588] RIP: 0010:vxlan_nl2conf+0xa5/0xff0 [vxlan]
  [ 1012.561837] Code: 48 85 c0 0f 84 4c 06 00 00 8b 40 04 89 43 04 b8 02 00 00 00 66 89 03 49 83 bc 24 10 01 00 00 00 74 6d 49 8b 84 24 08 01 00 00 <0f> b7 38 8d 57 fc 0f b7 d2 83 fa 03 7e 57 49 81 c2 80 0a 00 00 48
  [ 1012.580702] RSP: 0018:ffffa1f802c63380 EFLAGS: 00010286
  [ 1012.586044] RAX: 0000000000000000 RBX: ffffa1f802c63418 RCX: 0000000000000000
  [ 1012.593273] RDX: ffff95bcce0d2000 RSI: 0000000000000000 RDI: ffffa1f802c63490
  [ 1012.600501] RBP: ffffa1f802c63400 R08: 0000000000000000 R09: ffffa1f802c63760
  [ 1012.607728] R10: ffff95bcce0d2000 R11: 0000000000000000 R12: ffff95bd2f144a48
  [ 1012.614960] R13: ffffa1f802c63760 R14: 00ffffff00000008 R15: 0000000000000000
  [ 1012.622190] FS:  00007eb23310c840(0000) GS:ffff95cbbf700000(0000) knlGS:0000000000000000
  [ 1012.630374] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 1012.636213] CR2: 0000000000000000 CR3: 000000015b6a3002 CR4: 0000000000370ef0
  [ 1012.643445] Kernel panic - not syncing: Fatal exception
  [ 1012.649071] Kernel Offset: 0x1d000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
  [ 1012.686314] Rebooting in 10 seconds..
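
The following is an added example, not code from this bug report, the commit above, or the Ubuntu kernel tree. It models in plain C the attribute-table lookup that the commit message describes: rtnetlink hands the driver an array indexed by attribute ID, the driver tests one slot for presence and then reads another, and once the two IDs stop being equal the read slot is NULL. The enum names, struct names and function names below are constructed for illustration; only the values 33 and 34 are taken from the commit message, and the fan-map payload bytes are a constructed stand-in for the `240.0.0.0/8:192.168.0.0/16` mapping in the test plan. Note that this path is reached through RTM_NEWLINK by any caller holding CAP_NET_ADMIN in its network namespace, so a deterministic oops here is a crash trigger and not only a test-suite failure.

```c
/* Added example (not from the bug report or the Ubuntu kernel source).
 * Models how a netlink attribute-ID shift turns a presence check on one
 * ID into a NULL dereference through another. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ID for the ip-tunnel link type's fan-map attribute; it is
 * not affected by the vxlan enum change, so it stays at 33. */
enum { IPTUN_FAN_MAP = 33 };

/* Hypothetical vxlan IDs. In the old layout FAN_MAP is 33; in the new
 * layout RESERVED_BITS takes 33 and FAN_MAP moves to 34 (numbers from the
 * commit message, names constructed here). */
enum { VXLAN_OLD_FAN_MAP = 33, VXLAN_NEW_RESERVED_BITS = 33, VXLAN_NEW_FAN_MAP = 34 };

#define ATTR_MAX 64

/* Stand-in for struct nlattr: a length and a payload pointer. */
struct attr { uint16_t len; const void *payload; };

/* Stand-in for the nlattr *data[] table rtnetlink passes to the driver:
 * slot i is non-NULL only if attribute i was present in the request. */
struct attr_table { const struct attr *slot[ATTR_MAX]; };

/* Build a request carrying a fan-map under the given attribute ID
 * (constructed input standing in for `ip link add ... fan-map ...`). */
static void build_request(struct attr_table *t, int fan_map_id, const struct attr *fan_map)
{
    memset(t, 0, sizeof(*t));
    t->slot[fan_map_id] = fan_map;
}

/* The pattern the commit describes: presence is checked under the vxlan
 * ID, but the payload is fetched through the iptun ID. Returns the
 * attribute the driver would go on to dereference; NULL is the oops. */
static const struct attr *fan_map_attr_buggy(const struct attr_table *t, int vxlan_fan_map_id)
{
    if (!t->slot[vxlan_fan_map_id])
        return NULL;                  /* no fan-map in request: nothing to parse */
    return t->slot[IPTUN_FAN_MAP];    /* wrong link type's ID */
}

/* The fixed pattern: check and fetch through the same vxlan ID. */
static const struct attr *fan_map_attr_fixed(const struct attr_table *t, int vxlan_fan_map_id)
{
    if (!t->slot[vxlan_fan_map_id])
        return NULL;
    return t->slot[vxlan_fan_map_id];
}

/* Returns 1 if the lookup would crash (presence check passed, but the
 * pointer handed to the parser is NULL), 0 otherwise. */
static int would_oops(const struct attr *(*lookup)(const struct attr_table *, int),
                      int layout_fan_map_id)
{
    /* Constructed payload: overlay 240.0.0.0/8 -> underlay 192.168.0.0/16 */
    static const uint8_t payload[] = { 240, 0, 0, 0, 8, 192, 168, 0, 0, 16 };
    const struct attr fan_map = { (uint16_t)sizeof payload, payload };
    struct attr_table t;

    build_request(&t, layout_fan_map_id, &fan_map);
    return t.slot[layout_fan_map_id] != NULL && lookup(&t, layout_fan_map_id) == NULL;
}

int main(void)
{
    printf("old layout (FAN_MAP=33), buggy lookup: %s\n",
           would_oops(fan_map_attr_buggy, VXLAN_OLD_FAN_MAP) ? "oops" : "ok");
    printf("new layout (FAN_MAP=34), buggy lookup: %s\n",
           would_oops(fan_map_attr_buggy, VXLAN_NEW_FAN_MAP) ? "oops" : "ok");
    printf("new layout (FAN_MAP=34), fixed lookup: %s\n",
           would_oops(fan_map_attr_fixed, VXLAN_NEW_FAN_MAP) ? "oops" : "ok");
    return 0;
}
```

The buggy lookup is harmless as long as both IDs are 33, which is why the out-of-tree fan code survived until upstream inserted a value ahead of it; the general lesson for reviewing out-of-tree netlink attributes is that a presence check and the subsequent read must name the same enumerator, since the compiler cannot tell two equal integers from two different attributes.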

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2113992/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
