Date:   Tue, 7 Jan 2020 08:09:02 +0000
From:   Tony Chuang <yhchuang@...ltek.com>
To:     Mikhail Gavrilov <mikhail.v.gavrilov@...il.com>,
        Linux List Kernel Mailing <linux-kernel@...r.kernel.org>,
        Linux List Kernel Mailing <linux-wireless@...r.kernel.org>
CC:     Ришат Римович Терегулов 
        <rtereguloff@...il.com>
Subject: RE: kernel NULL pointer dereference, address: 0000000000000070

> Subject: BUG: kernel NULL pointer dereference, address: 0000000000000070
> 
> Hi folks.
> My friend launched stress-ng multiple times today and he could twice
> reproduce the odd bug, which looks like a bug in the wifi driver.
> 
> lspci detects this device as:
> Network controller: Realtek Semiconductor Co., Ltd. RTL8822BE
> 802.11a/b/g/n/ac WiFi adapter
> 
> I decided to report here because every time after this bug happens the
> system becomes fully unresponsive, which is really very annoying.
> 
> stress-ng-iomix (147381): drop_caches: 3
> stress-ng-iomix (147417): drop_caches: 3
> stress-ng-iomix (147415): drop_caches: 3
> rtw_pci 0000:04:00.0: stop vif ea:01:4e:ce:99:c5 on port 0
> rtw_pci 0000:04:00.0: start vif 06:72:1e:97:fc:83 on port 0
> BUG: kernel NULL pointer dereference, address: 0000000000000070
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] SMP NOPTI
> CPU: 1 PID: 819 Comm: irq/76-rtwpci Not tainted
> 5.5.0-0.rc4.git0.1.fc32.x86_64 #1
> Hardware name: System manufacturer System Product Name/ROG STRIX
> X470-I GAMING, BIOS 3004 12/16/2019
> RIP: 0010:rtw_pci_tx_isr+0x96/0x230 [rtwpci]
> Code: 0e 01 00 00 48 8b 44 24 08 44 0f b6 64 24 13 48 c1 e0 06 49 83
> c4 01 48 89 04 24 49 c1 e4 06 49 01 dc 4c 89 e7 e8 8a d1 96 ce <8b> 50
> 70 48 8b 70 48 49 89 c6 48 8b 03 48 8d b8 b0 00 00 00 48 8b
> RSP: 0018:ffffad9f00d6fe08 EFLAGS: 00010086
> RAX: 0000000000000000 RBX: ffff9b66766e5d68 RCX: 0000000000000000
> RDX: 0000000000000001 RSI: 0000000000000086 RDI: 0000000000000086
> RBP: 000000000000006a R08: 0000000000000000 R09: 0000000000000059
> R10: 0000000000000000 R11: ffff9b667da6ae38 R12: ffff9b66766e5ee8
> R13: ffff9b66766e1e80 R14: 0000000000000005 R15: ffff9b66766e07c0
> FS:  0000000000000000(0000) GS:ffff9b667da40000(0000)
> knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000070 CR3: 0000000333690000 CR4: 00000000003406e0
> Call Trace:
>  rtw_pci_interrupt_threadfn+0x15b/0x210 [rtwpci]
>  ? irq_finalize_oneshot.part.0+0xf0/0xf0
>  irq_thread_fn+0x20/0x60
>  irq_thread+0xdc/0x170
>  ? irq_forced_thread_fn+0x80/0x80
>  kthread+0xf9/0x130
>  ? irq_thread_check_affinity+0xf0/0xf0
>  ? kthread_park+0x90/0x90
>  ret_from_fork+0x22/0x40
> Modules linked in: salsa20_generic camellia_generic
> camellia_aesni_avx2 camellia_aesni_avx_x86_64 camellia_x86_64
> cast6_avx_x86_64 cast6_generic cast_common serpent_avx2
> serpent_avx_x86_64 serpent_sse2_x86_64 serpent_generic twofish_generic
> twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64
> twofish_common
> ofb tgr192 wp512 rmd320 rmd256 rmd160 rmd128 md4 uinput rfcomm
> xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_nat_tftp
> nf_conntrack_tftp tun bridge stp llc nft_objref
> nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet
> nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4
> nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat nf_tables
> ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw
> ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6
> nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security
> ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables
> iptable_filter cmac bnep sunrpc
>  snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio rtwpci
> snd_hda_codec_hdmi rtw88 snd_hda_intel snd_intel_dspcfg edac_mce_amd
> snd_usb_audio uvcvideo videobuf2_vmalloc videobuf2_memops
> snd_hda_codec snd_usbmidi_lib videobuf2_v4l2 snd_hda_core
> videobuf2_common mac80211 btusb snd_rawmidi kvm snd_hwdep btrtl
> videodev snd_seq btbcm btintel snd_seq_device irqbypass bluetooth
> cfg80211 snd_pcm eeepc_wmi mc joydev crct10dif_pclmul snd_timer
> crc32_pclmul asus_wmi ecdh_generic snd sparse_keymap rfkill sp5100_tco
> ccp ecc video soundcore libarc4 wmi_bmof pcspkr i2c_piix4
> ghash_clmulni_intel k10temp gpio_amdpt gpio_generic acpi_cpufreq
> binfmt_misc ip_tables amdgpu amd_iommu_v2 gpu_sched ttm
> drm_kms_helper
> drm igb crc32c_intel uas dca i2c_algo_bit usb_storage wmi pinctrl_amd
> fuse
> CR2: 0000000000000070
> ---[ end trace 5e058b15ff4e55d6 ]---
> 
> 
> # /usr/src/kernels/`uname -r`/scripts/faddr2line /lib/debug/lib/modules/`uname -r`/kernel/drivers/net/wireless/realtek/rtw88/rtwpci.ko.debug rtw_pci_tx_isr+0x96
> rtw_pci_tx_isr+0x96/0x230:
> rtw_pci_tx_isr at /usr/src/debug/kernel-5.4.fc32/linux-5.5.0-0.rc4.git0.1.fc32.x86_64/drivers/net/wireless/realtek/rtw88/pci.c:836
> 
> # eu-addr2line -e /lib/debug/lib/modules/`uname -r`/kernel/drivers/net/wireless/realtek/rtw88/rtwpci.ko.debug rtw_pci_tx_isr+0x96
> drivers/net/wireless/realtek/rtw88/pci.c:836:3
> 
> $ uname -r
> 5.5.0-0.rc4.git0.1.fc32.x86_64
> 
> --
> Best Regards,
> Mike Gavrilov.
> 

I think the driver is dereferencing a NULL skb.
And I've sent a patch for it.
https://patchwork.kernel.org/patch/11320567/

Yan-Hsuan
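
Editor's note with an added example (not part of the thread, and not code from the rtw88 driver or from either poster): the oops quoted above is enough to cross-check the NULL-skb reading even without the debug module that faddr2line needed. The bytes the kernel marked, `<8b> 50 70`, decode to `mov edx, dword ptr [rax+0x70]`; the register dump has RAX = 0 and CR2 = 0x70, so the fault is a read of a field at offset 0x70 through a NULL struct pointer. The five bytes just before the marker, `e8 8a d1 96 ce`, are a `call rel32`, so RAX is the return value of the function called immediately before the load, which is consistent with a lookup that returned a NULL skb. The script below performs exactly that check on the register dump and Code: line copied from the report (the Code: line is rejoined, since the mail client wrapped it). Its x86-64 decoder is deliberately minimal: it handles only `mov r, [base+disp]` with an optional REX prefix, no SIB or RIP-relative forms, which is an assumption that holds for this oops but not for arbitrary ones.

```python
"""Triage helper for an x86-64 NULL-pointer oops: decode the faulting load
marked <..> in the Code: dump and check it against the register dump and CR2.
Added example; not code from the rtw88 driver or from anyone in this thread."""
import re

# Register dump and Code: bytes copied from the report above (the kernel
# prints Code: on one line; the mail client wrapped it across three).
OOPS = """\
RIP: 0010:rtw_pci_tx_isr+0x96/0x230 [rtwpci]
Code: 0e 01 00 00 48 8b 44 24 08 44 0f b6 64 24 13 48 c1 e0 06 49 83 c4 01 48 89 04 24 49 c1 e4 06 49 01 dc 4c 89 e7 e8 8a d1 96 ce <8b> 50 70 48 8b 70 48 49 89 c6 48 8b 03 48 8d b8 b0 00 00 00 48 8b
RSP: 0018:ffffad9f00d6fe08 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff9b66766e5d68 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000086 RDI: 0000000000000086
RBP: 000000000000006a R08: 0000000000000000 R09: 0000000000000059
R10: 0000000000000000 R11: ffff9b667da6ae38 R12: ffff9b66766e5ee8
R13: ffff9b66766e1e80 R14: 0000000000000005 R15: ffff9b66766e07c0
CR2: 0000000000000070 CR3: 0000000333690000 CR4: 00000000003406e0
"""

REG_RE = re.compile(r"\b(R[A-D]X|R[SD]I|R[BS]P|R(?:0[89]|1[0-5])|CR2): ([0-9a-f]{16})\b")
CODE_RE = re.compile(r"^Code: (.*)$", re.M)
GPR64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def parse_registers(oops):
    """Map register names as the decoder spells them (rax .. r15, cr2) to values."""
    regs = {}
    for name, val in REG_RE.findall(oops):
        key = name.lower()
        if key[:2] == "r0":          # the dump prints R08/R09
            key = "r" + key[2]
        regs[key] = int(val, 16)
    return regs


def split_code(oops):
    """Return (bytes before the <..> marker, bytes from the marker onward)."""
    m = CODE_RE.search(oops)
    if m is None:
        raise ValueError("no Code: line in oops")
    toks = m.group(1).split()
    marks = [i for i, t in enumerate(toks) if t.startswith("<")]
    if len(marks) != 1:
        raise ValueError("expected exactly one <..> marker")
    raw = bytes(int(t.strip("<>"), 16) for t in toks)
    return raw[:marks[0]], raw[marks[0]:]


def reg_name(idx, width):
    """64-bit name, or the 32-bit alias (eax.., r8d..) for a 4-byte load."""
    n = GPR64[idx]
    return n if width == 8 else (("e" + n[1:]) if idx < 8 else n + "d")


def decode_load(code):
    """Decode `mov reg, [base + disp]` (opcode 0x8b, optional REX prefix).
    Only the forms needed for a faulting load are handled: no SIB (rm != 4),
    no RIP-relative (mod == 0, rm == 5) and no register-direct (mod == 3)."""
    i, rex = 0, 0
    if 0x40 <= code[0] <= 0x4F:
        rex, i = code[0], 1
    if code[i] != 0x8B:
        raise ValueError(f"opcode {code[i]:#04x} is not mov r, r/m")
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if rm == 4 or mod == 3 or (mod == 0 and rm == 5):
        raise ValueError("SIB, RIP-relative or register operand not handled")
    width = 8 if rex & 8 else 4                     # REX.W selects 64-bit
    base = GPR64[rm | ((rex & 1) << 3)]             # REX.B extends rm
    dest = reg_name(reg | ((rex & 4) << 1), width)  # REX.R extends reg
    disp_len = {0: 0, 1: 1, 2: 4}[mod]
    disp = int.from_bytes(code[i + 2:i + 2 + disp_len], "little", signed=True)
    return {"dest": dest, "base": base, "disp": disp, "width": width}


def format_load(insn):
    size = "qword" if insn["width"] == 8 else "dword"
    mem = insn["base"] if insn["disp"] == 0 else f"{insn['base']}{insn['disp']:+#x}"
    return f"mov {insn['dest']}, {size} ptr [{mem}]"


def preceded_by_call(oops):
    """True if the 5 bytes before the faulting instruction are `call rel32`,
    i.e. the base register plausibly holds that call's return value (SysV: rax)."""
    before, _ = split_code(oops)
    return len(before) >= 5 and before[-5] == 0xE8


def explain_fault(oops):
    """Cross-check the decoded load against the register dump and CR2."""
    regs = parse_registers(oops)
    _, at_fault = split_code(oops)
    insn = decode_load(at_fault)
    base_val = regs[insn["base"]]
    addr = (base_val + insn["disp"]) & 0xFFFFFFFFFFFFFFFF
    return {
        "insn": format_load(insn),
        "base": insn["base"],
        "base_value": base_val,
        "offset": insn["disp"],
        "fault_addr": addr,
        "cr2": regs["cr2"],
        "consistent": addr == regs["cr2"],   # the decoded load explains CR2
        "null_deref": base_val == 0,         # a field read through NULL
        "after_call": preceded_by_call(oops),
    }


if __name__ == "__main__":
    for k, v in explain_fault(OOPS).items():
        print(f"{k:>11}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:>11}: {v}")
```

Run stand-alone it reports the load as `mov edx, dword ptr [rax+0x70]`, base value 0, computed fault address 0x70 equal to CR2, and that the load follows a call. That gives the struct offset (0x70) and the fact that the pointer came straight from a function return; pairing it with the pci.c:836 line that faddr2line produced above is what pins down which lookup returned NULL.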
