Open Source and information security mailing list archives
 
Message-ID: <CALkECRiG71myv7Y3yGgo=tYFak8SWJ0_BfEM-OKnQoq4Bbr3Sg@mail.gmail.com>
Date: Sun, 6 Apr 2025 16:54:53 +0800
From: Abagail ren <renzezhongucas@...il.com>
To: netdev@...r.kernel.org
Cc: syzkaller@...glegroups.com
Subject: [BUG] General protection fault in percpu_counter_add_batch() during
 netns cleanup

Hi maintainers,

During fuzzing of the Linux kernel, we encountered a general protection
fault in `percpu_counter_add_batch()` during the `cleanup_net` workqueue
execution on kernel `v6.12-rc6`.

The crash happens while cleaning up a WireGuard interface,
triggered by `wg_socket_clear_peer_endpoint_src()`.

## Crash Details

Oops: general protection fault, probably for non-canonical address 0xfc3ffbf11006d3ec: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe1ffff8880369f60-0xe1ffff8880369f67]

CPU: 0 PID: 10492 Comm: kworker/u8:4 Not tainted 6.12.0-rc6 #2
Hardware: QEMU Standard PC (i440FX + PIIX, 1996)

RIP: 0010:percpu_counter_add_batch+0x36/0x1f0 lib/percpu_counter.c:98
→ Faulting instruction: `cmpb $0x0,(%rdx,%rax,1)`

Call Trace:
 <TASK>
 dst_entries_add include/net/dst_ops.h:59 [inline]
 dst_count_dec net/core/dst.c:162 [inline]
 dst_count_dec net/core/dst.c:159 [inline]
 dst_release net/core/dst.c:168 [inline]
 dst_release+0x23b/0x260 net/core/dst.c:165
 dst_cache_reset_now net/core/dst_cache.c:183 [inline]
 dst_cache_reset_now+0x197/0x2c0 net/core/dst_cache.c:169
 wg_socket_clear_peer_endpoint_src+0x3c/0x50 drivers/net/wireguard/socket.c:312
 wg_netns_pre_exit+0x13f/0x220 drivers/net/wireguard/device.c:423
 ops_pre_exit_list net/core/net_namespace.c:163 [inline]
 cleanup_net+0x48d/0xba0 net/core/net_namespace.c:606
 process_one_work+0x99c/0x1b80 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x677/0xe90 kernel/workqueue.c:3391
 kthread+0x2c7/0x3b0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

## Reproducer Notes
- Triggered during `netns` destruction with WireGuard active.
- May be related to invalid or freed `percpu_counter`
  being used after peer/device destruction.

## Environment
- Kernel: `6.12.0-rc6`
- Platform: QEMU (x86_64)
- Repro: Detaching network interfaces and destroying netns containing
WireGuard devices.

I checked the mailing list. I am not sure if the patch already repaired
this:
https://lore.kernel.org/all/20250326173634.31096-1-atenart@kernel.org/

If it's already fixed, sorry for the interruption.
Please let me know if more traces are helpful.

Best Regards
Zezhong Ren


View attachment "crash_report_net_core.txt" of type "text/plain" (4571 bytes)

Download attachment "config_0612_c6" of type "application/octet-stream" (273871 bytes)
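Added triage example, not part of the original report or of kernel code: it maps the faulting address on the Oops line back to the 8-byte range KASAN prints, showing that the fault was taken on the KASAN shadow byte of a wild pointer rather than on the pointer itself. It assumes x86_64 generic KASAN with the 4-level-paging shadow offset `0xdffffc0000000000` (the attached config is not visible on this page); the function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: x86_64 generic KASAN, 4-level paging (config not shown on the page). */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3   /* one shadow byte covers 8 bytes of memory */

/* Shadow byte address that instrumented code reads before dereferencing ptr. */
static uint64_t mem_to_shadow(uint64_t ptr)
{
    return (ptr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse mapping: first byte of the 8-byte granule a shadow address covers. */
static uint64_t shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* Canonical for 48-bit virtual addressing: bits 63..47 are all 0 or all 1. */
static bool is_canonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

int main(void)
{
    /* Faulting address copied from the Oops line in the report. */
    const uint64_t fault = 0xfc3ffbf11006d3ecULL;
    uint64_t lo = shadow_to_mem(fault);
    uint64_t hi = lo + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;

    printf("shadow access  : 0x%016llx (canonical: %s)\n",
           (unsigned long long)fault, is_canonical48(fault) ? "yes" : "no");
    printf("checked pointer: [0x%016llx-0x%016llx] (canonical: %s)\n",
           (unsigned long long)lo, (unsigned long long)hi,
           is_canonical48(lo) ? "yes" : "no");
    return 0;
}
```

The computed range matches the `KASAN: maybe wild-memory-access` line, so the pointer passed down from `dst_entries_add()` was already non-canonical before `percpu_counter_add_batch()` touched it.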
