* BUG: kernel NULL pointer dereference, address: 0000000000000070
@ 2020-01-03 20:14 Mikhail Gavrilov
  2020-01-07  8:09 ` Tony Chuang
  0 siblings, 1 reply; 2+ messages in thread
From: Mikhail Gavrilov @ 2020-01-03 20:14 UTC (permalink / raw)
  To: Linux List Kernel Mailing, Linux List Kernel Mailing
  Cc: Ришат Римович Терегулов

Hi folks.
My friend launched stress-ng multiple times today and twice he could
reproduce an odd bug, which looks like a bug in the wifi driver.

lspci detects this device as:
Network controller: Realtek Semiconductor Co., Ltd. RTL8822BE
802.11a/b/g/n/ac WiFi adapter

I decided to report it here because every time this bug happens the
system becomes fully unresponsive, which is really very annoying.

stress-ng-iomix (147381): drop_caches: 3
stress-ng-iomix (147417): drop_caches: 3
stress-ng-iomix (147415): drop_caches: 3
rtw_pci 0000:04:00.0: stop vif ea:01:4e:ce:99:c5 on port 0
rtw_pci 0000:04:00.0: start vif 06:72:1e:97:fc:83 on port 0
BUG: kernel NULL pointer dereference, address: 0000000000000070
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP NOPTI
CPU: 1 PID: 819 Comm: irq/76-rtwpci Not tainted 5.5.0-0.rc4.git0.1.fc32.x86_64 #1
Hardware name: System manufacturer System Product Name/ROG STRIX X470-I GAMING, BIOS 3004 12/16/2019
RIP: 0010:rtw_pci_tx_isr+0x96/0x230 [rtwpci]
Code: 0e 01 00 00 48 8b 44 24 08 44 0f b6 64 24 13 48 c1 e0 06 49 83
c4 01 48 89 04 24 49 c1 e4 06 49 01 dc 4c 89 e7 e8 8a d1 96 ce <8b> 50
70 48 8b 70 48 49 89 c6 48 8b 03 48 8d b8 b0 00 00 00 48 8b
RSP: 0018:ffffad9f00d6fe08 EFLAGS: 00010086
RAX: 0000000000000000 RBX: ffff9b66766e5d68 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000086 RDI: 0000000000000086
RBP: 000000000000006a R08: 0000000000000000 R09: 0000000000000059
R10: 0000000000000000 R11: ffff9b667da6ae38 R12: ffff9b66766e5ee8
R13: ffff9b66766e1e80 R14: 0000000000000005 R15: ffff9b66766e07c0
FS:  0000000000000000(0000) GS:ffff9b667da40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000070 CR3: 0000000333690000 CR4: 00000000003406e0
Call Trace:
 rtw_pci_interrupt_threadfn+0x15b/0x210 [rtwpci]
 ? irq_finalize_oneshot.part.0+0xf0/0xf0
 irq_thread_fn+0x20/0x60
 irq_thread+0xdc/0x170
 ? irq_forced_thread_fn+0x80/0x80
 kthread+0xf9/0x130
 ? irq_thread_check_affinity+0xf0/0xf0
 ? kthread_park+0x90/0x90
 ret_from_fork+0x22/0x40
Modules linked in: salsa20_generic camellia_generic
camellia_aesni_avx2 camellia_aesni_avx_x86_64 camellia_x86_64
cast6_avx_x86_64 cast6_generic cast_common serpent_avx2
serpent_avx_x86_64 serpent_sse2_x86_64 serpent_generic twofish_generic
twofish_avx_x86_64 twofish_x86_64_3way twofish_x86_64 twofish_common
ofb tgr192 wp512 rmd320 rmd256 rmd160 rmd128 md4 uinput rfcomm
xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_nat_tftp
nf_conntrack_tftp tun bridge stp llc nft_objref
nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet
nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4
nf_reject_ipv6 nft_reject nft_ct nf_tables_set nft_chain_nat nf_tables
ebtable_nat ebtable_broute ip6table_nat ip6table_mangle ip6table_raw
ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6
nf_defrag_ipv4 libcrc32c iptable_mangle iptable_raw iptable_security
ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables
iptable_filter cmac bnep sunrpc
 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio rtwpci
snd_hda_codec_hdmi rtw88 snd_hda_intel snd_intel_dspcfg edac_mce_amd
snd_usb_audio uvcvideo videobuf2_vmalloc videobuf2_memops
snd_hda_codec snd_usbmidi_lib videobuf2_v4l2 snd_hda_core
videobuf2_common mac80211 btusb snd_rawmidi kvm snd_hwdep btrtl
videodev snd_seq btbcm btintel snd_seq_device irqbypass bluetooth
cfg80211 snd_pcm eeepc_wmi mc joydev crct10dif_pclmul snd_timer
crc32_pclmul asus_wmi ecdh_generic snd sparse_keymap rfkill sp5100_tco
ccp ecc video soundcore libarc4 wmi_bmof pcspkr i2c_piix4
ghash_clmulni_intel k10temp gpio_amdpt gpio_generic acpi_cpufreq
binfmt_misc ip_tables amdgpu amd_iommu_v2 gpu_sched ttm drm_kms_helper
drm igb crc32c_intel uas dca i2c_algo_bit usb_storage wmi pinctrl_amd
fuse
CR2: 0000000000000070
---[ end trace 5e058b15ff4e55d6 ]---


# /usr/src/kernels/`uname -r`/scripts/faddr2line /lib/debug/lib/modules/`uname -r`/kernel/drivers/net/wireless/realtek/rtw88/rtwpci.ko.debug rtw_pci_tx_isr+0x96
rtw_pci_tx_isr+0x96/0x230:
rtw_pci_tx_isr at /usr/src/debug/kernel-5.4.fc32/linux-5.5.0-0.rc4.git0.1.fc32.x86_64/drivers/net/wireless/realtek/rtw88/pci.c:836

# eu-addr2line -e /lib/debug/lib/modules/`uname -r`/kernel/drivers/net/wireless/realtek/rtw88/rtwpci.ko.debug rtw_pci_tx_isr+0x96
drivers/net/wireless/realtek/rtw88/pci.c:836:3

$ uname -r
5.5.0-0.rc4.git0.1.fc32.x86_64

--
Best Regards,
Mike Gavrilov.


* RE: kernel NULL pointer dereference, address: 0000000000000070
  2020-01-03 20:14 BUG: kernel NULL pointer dereference, address: 0000000000000070 Mikhail Gavrilov
@ 2020-01-07  8:09 ` Tony Chuang
  0 siblings, 0 replies; 2+ messages in thread
From: Tony Chuang @ 2020-01-07  8:09 UTC (permalink / raw)
  To: Mikhail Gavrilov, Linux List Kernel Mailing, Linux List Kernel Mailing
  Cc: Ришат Римович Терегулов

> Subject: BUG: kernel NULL pointer dereference, address: 0000000000000070

I think the driver is dereferencing a NULL skb.
And I've sent a patch for it.
https://patchwork.kernel.org/patch/11320567/

Yan-Hsuan

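The NULL-skb reading in the reply can be checked mechanically against the oops fields in the report. This is an added example, not code from the thread or from the rtw88 driver: it decodes the instruction bytes after the <...> marker in the Code: line (only the one mov form this oops uses), confirms that the base register is zero and that CR2 equals base plus the displacement, and builds the faddr2line argument from the RIP line.

```python
import re

# Constructed from the oops in the report: only the lines the check needs.
OOPS = """\
RIP: 0010:rtw_pci_tx_isr+0x96/0x230 [rtwpci]
Code: 0e 01 00 00 48 8b 44 24 08 44 0f b6 64 24 13 48 c1 e0 06 49 83 c4 01 48 89 04 24 49 c1 e4 06 49 01 dc 4c 89 e7 e8 8a d1 96 ce <8b> 50 70 48 8b 70 48 49 89 c6 48 8b 03 48 8d b8 b0 00 00 00 48 8b
RAX: 0000000000000000 RBX: ffff9b66766e5d68 RCX: 0000000000000000
CR2: 0000000000000070 CR3: 0000000333690000 CR4: 00000000003406e0
"""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def parse_oops(text):
    """Extract RIP symbol/offset, bytes from the <fault> marker on, and registers."""
    rip = re.search(r"RIP: \w+:(\w+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", text)
    code = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, b in enumerate(code) if b.startswith("<"))
    fault_bytes = [int(b.strip("<>"), 16) for b in code[start:]]
    regs = {k.lower(): int(v, 16)
            for k, v in re.findall(r"\b([A-Z0-9]{2,3}): ([0-9a-f]{16})", text)}
    return {"sym": rip.group(1), "off": int(rip.group(2), 16),
            "bytes": fault_bytes, "regs": regs}


def decode_mov_load(b):
    """Decode 'mov r32, [base+disp8]': opcode 8b, ModRM mod=01, rm!=100 (no SIB).

    Any other encoding raises, so a different oops is rejected, not misread."""
    if b[0] != 0x8B:
        raise ValueError("not a mov r32, r/m32 opcode: %#x" % b[0])
    mod, reg, rm = b[1] >> 6, (b[1] >> 3) & 7, b[1] & 7
    if mod != 1 or rm == 4:
        raise ValueError("unsupported ModRM form: %#x" % b[1])
    disp = b[2] - 256 if b[2] >= 128 else b[2]  # disp8 is sign-extended
    return REGS32[reg], REGS64[rm], disp


def explain_fault(text):
    """Relate the faulting load to the register dump and CR2 (the fault address)."""
    info = parse_oops(text)
    dst, base, disp = decode_mov_load(info["bytes"])
    computed = (info["regs"][base] + disp) & 0xFFFFFFFFFFFFFFFF
    return {"insn": "mov %s, dword ptr [%s+%#x]" % (dst, base, disp),
            "base_is_null": info["regs"][base] == 0,
            "matches_cr2": computed == info["regs"]["cr2"],
            "faddr2line_arg": "%s+%#x" % (info["sym"], info["off"])}


if __name__ == "__main__":
    print(explain_fault(OOPS))
```

A zero base register with CR2 equal to the displacement is the signature of reading a field at that offset through a NULL struct pointer, which is what the reply attributes to a NULL skb.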