Message-ID: <CALkECRjxuNBBYrTwa8-pOX6BTCXM7YBWZX-O-FOjrsbqdXXqzw@mail.gmail.com>
Date: Tue, 8 Apr 2025 15:14:06 +0800
From: Abagail ren <renzezhongucas@...il.com>
To: netdev@...r.kernel.org
Cc: syzkaller@...glegroups.com
Subject: [BUG] General protection fault in percpu_counter_add_batch() during
 netns cleanup

Hi maintainers,

In case the previous message was rejected due to attachments, I am
resending this report in plain text format.

During fuzzing of the Linux kernel, we encountered a general protection
fault in `percpu_counter_add_batch()` during execution of the
`cleanup_net` workqueue. The crash was triggered during destruction of a
network namespace containing a WireGuard interface. This was reproduced
on kernel version v6.12-rc6.

Crash Details:

Oops: general protection fault, probably for non-canonical address
0xfc3ffbf11006d3ec: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xe1ffff8880369f60-0xe1ffff8880369f67]

CPU: 0 PID: 10492 Comm: kworker/u8:4 Not tainted 6.12.0-rc6 #2
Hardware: QEMU Standard PC (i440FX + PIIX, 1996)

RIP: 0010:percpu_counter_add_batch+0x36/0x1f0 lib/percpu_counter.c:98
Faulting instruction:
    cmpb $0x0,(%rdx,%rax,1)

Call Trace:
 dst_entries_add                    include/net/dst_ops.h:59
 dst_count_dec                      net/core/dst.c:159
 dst_release                        net/core/dst.c:165
 dst_cache_reset_now                net/core/dst_cache.c:169
 wg_socket_clear_peer_endpoint_src drivers/net/wireguard/socket.c:312
 wg_netns_pre_exit                  drivers/net/wireguard/device.c:423
 ops_pre_exit_list                  net/core/net_namespace.c:163
 cleanup_net                        net/core/net_namespace.c:606
 process_one_work                   kernel/workqueue.c:3229
 worker_thread                      kernel/workqueue.c:3391
 kthread                            kernel/kthread.c:389
 ret_from_fork                      arch/x86/kernel/process.c:147

Reproducer Notes:

The issue was triggered during `netns` teardown while a WireGuard device
was active. It appears to involve use-after-free of a `percpu_counter`
structure, likely after its owning peer or device was destroyed.

Environment:

 - Kernel: 6.12.0-rc6
 - Platform: QEMU (x86_64)
 - Trigger: `netns` teardown with WireGuard devices present

Related discussion (possible fix?):

https://lore.kernel.org/all/20250326173634.31096-1-atenart@kernel.org/

If this has already been resolved, apologies for the noise. Please let
me know if more trace or repro information would be useful.

Best regards,
Zezhong Ren
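
Added triage example (not part of the original message and not kernel source): the C below inverts the x86_64 KASAN shadow mapping to show how the faulting address 0xfc3ffbf11006d3ec on the oops line maps to the reported range starting at 0xe1ffff8880369f60. The shadow offset 0xdffffc0000000000, the 3-bit scale and the 4-level-paging user limit are assumed defaults for this configuration, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed: x86_64 generic KASAN defaults with 4-level paging. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3
#define PAGE_SZ                  4096ULL
#define USER_TOP                 0x00007ffffffff000ULL /* TASK_SIZE_MAX */

enum access_kind { NULL_DEREF, USER_ACCESS, WILD_ACCESS };

/* Canonical 48-bit address: bits 63..47 are all zero or all one. */
static int is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* Invert shadow = (mem >> 3) + KASAN_SHADOW_OFFSET; wraps modulo 2^64. */
static uint64_t shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* One shadow byte covers 8 bytes, so the report prints an 8-byte range. */
static uint64_t range_end(uint64_t mem)
{
    return mem + (1ULL << KASAN_SHADOW_SCALE_SHIFT) - 1;
}

/* The three buckets used by the KASAN hint line in the report. */
static enum access_kind classify(uint64_t mem)
{
    if (mem < PAGE_SZ)  return NULL_DEREF;
    if (mem < USER_TOP) return USER_ACCESS;
    return WILD_ACCESS;
}

int main(void)
{
    static const char *names[] = { "null-ptr-deref",
        "probably user-memory-access", "maybe wild-memory-access" };
    uint64_t fault = 0xfc3ffbf11006d3ecULL; /* address from the oops line */
    uint64_t mem = shadow_to_mem(fault);

    printf("shadow address canonical: %d\n", is_canonical(fault));
    printf("KASAN: %s in range [0x%016llx-0x%016llx]\n", names[classify(mem)],
           (unsigned long long)mem, (unsigned long long)range_end(mem));
    return 0;
}
```

The recovered pointer 0xe1ffff8880369f60 is itself non-canonical, which is consistent with the fault being raised by the shadow-byte load (`cmpb $0x0,(%rdx,%rax,1)`) rather than by the counter access itself.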
