mac80211_hwsim unable to handle kernel NULL pointer dereference at 0000000000000000

Bug #1825058 reported by tdotreppe on 2019-04-16
This bug affects 2 people
Affects          Status  Importance  Assigned to      Milestone
linux (Ubuntu)           Undecided   You-Sheng Yang
Bionic                   Undecided   Unassigned
Cosmic                   Undecided   Unassigned

Bug Description

[Impact]
Kernel NULL pointer dereference in mac80211_hwsim.

[Fix]
a1881c9b8a1e mac80211_hwsim: Timer should be initialized before device registered

This fix has been included in 4.19.9 or above.

[Test Case]
$ git clone https://github.com/aircrack-ng/aircrack-ng
# Tested with 69a406c
$ cd aircrack-ng
$ grep 'sudo apt' README.md | bash
$ autoreconf -i
$ ./configure --with-experimental
$ make check
$ sudo bash scripts/airmon-ng.linux check kill
$ sudo make integration

# Run integration test again and check dmesg
$ sudo bash scripts/airmon-ng.linux check kill
$ sudo make integration

Verified with VMs set up locally.

[Regression Risk]
Low. The patch only moves a data structure initialization earlier in the
probe path; it does not change any other behaviour. It has also been
included in the LTS stable kernel.
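To make the ordering problem behind the fix concrete, here is a userland model added for illustration; it is not the kernel's hrtimer or mac80211_hwsim code and not part of this report. All struct and function names are assumptions; what it reproduces is the call chain from the oops (open -> config -> hrtimer_cancel -> hrtimer_active) hitting a timer that has not been initialised yet, returning -1 where the kernel faulted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the objects involved. hrtimer_active() reads
 * timer->base and then a field of *base; a timer sitting in zeroed memory
 * has base == NULL, which is the fault address 0x0 (4.15) and 0x10 (4.18)
 * reported in the two traces above. */
struct clock_base { unsigned int seq; };
struct hrtimer { struct clock_base *base; bool enqueued; };

struct hwsim_data {
    struct hrtimer beacon_timer;
    bool registered;            /* true once the hw is visible to user space */
};

static struct clock_base model_base;

/* Models hrtimer_init(): binds the timer to a clock base. */
static void model_hrtimer_init(struct hrtimer *t)
{
    t->base = &model_base;
    t->enqueued = false;
}

/* Models hrtimer_active(). Instead of faulting on a NULL base the way the
 * kernel did, it reports -1 so the ordering error stays observable. */
static int model_hrtimer_active(const struct hrtimer *t)
{
    if (t->base == NULL)
        return -1;              /* kernel: NULL pointer dereference here */
    return t->enqueued ? 1 : 0;
}

/* Models hrtimer_cancel(), which consults hrtimer_active() first (see the
 * hrtimer_cancel -> hrtimer_try_to_cancel -> hrtimer_active frames). */
static int model_hrtimer_cancel(struct hrtimer *t)
{
    int active = model_hrtimer_active(t);
    if (active < 0)
        return -1;
    t->enqueued = false;
    return active;
}

/* Models mac80211_hwsim_config(): the driver cancels its beacon timer on
 * every configuration change, whether or not it was ever armed. */
static int model_hwsim_config(struct hwsim_data *d)
{
    return model_hrtimer_cancel(&d->beacon_timer);
}

/* Models ieee80211_register_hw(). Once registered, the interface exists and
 * user space (wpa_supplicant in the trace, via SIOCSIFFLAGS = 0x8914, the
 * value in RSI) can bring it up, which runs ieee80211_do_open ->
 * ieee80211_hw_config -> the driver's config callback. */
static int model_register_hw(struct hwsim_data *d, bool opened_right_away)
{
    d->registered = true;
    if (opened_right_away)
        return model_hwsim_config(d);
    return 0;
}

/* Pre-fix probe order: register first, initialise the timer afterwards.
 * Returns -1 when the open path reaches the uninitialised timer; returns 0
 * when user space happens to be slower than the init, which is why the
 * report says the tests sometimes need a second run to trigger it. */
int probe_before_fix(bool opened_right_away)
{
    struct hwsim_data d;
    int rc;

    memset(&d, 0, sizeof(d));               /* kzalloc() in the driver */
    rc = model_register_hw(&d, opened_right_away);
    model_hrtimer_init(&d.beacon_timer);    /* too late if rc == -1 */
    return rc;
}

/* Post-fix probe order (a1881c9b8a1e): the timer is initialised before the
 * device is published, so nothing reachable from user space sees a NULL base. */
int probe_after_fix(bool opened_right_away)
{
    struct hwsim_data d;

    memset(&d, 0, sizeof(d));
    model_hrtimer_init(&d.beacon_timer);
    return model_register_hw(&d, opened_right_away);
}
```

The general rule the fix applies is to finish initialising an object before publishing it to any path that can reach it concurrently.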

==== Original Bug Report ====

The issue happens on 16.04 with linux-image-4.15.0-47-generic (as well as linux-image-4.15.0-45-generic). It also happens with linux-image-4.15.0-47-generic on 18.04 as well as the HWE kernel (4.18.0-17-generic). All tests were done on 64-bit in a virtual machine and can be reproduced. It doesn't happen on 18.10 (mac80211_hwsim has other issues on this kernel that are solved in 19.04, most likely unrelated to this) or 19.04.

Output:

[ 406.036796] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 406.048785] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 406.110060] mac80211_hwsim: initializing netlink
[ 406.153872] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 406.154217] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[ 406.316376] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 406.316829] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 406.894434] device wlan1 entered promiscuous mode
[ 407.623768] mac80211_hwsim: initializing netlink
[ 407.627809] ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
[ 407.761474] device wlan0 entered promiscuous mode
[ 412.293557] mac80211_hwsim: initializing netlink
[ 412.298984] ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
[ 412.410453] device wlan0 entered promiscuous mode
[ 417.040581] mac80211_hwsim: initializing netlink
[ 417.045603] ieee80211 phy4: Selected rate control algorithm 'minstrel_ht'
[ 417.048093] ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
[ 417.221470] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 417.223812] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 417.755334] device wlan1 entered promiscuous mode
[ 419.690453] mac80211_hwsim: initializing netlink
[ 419.696569] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
[ 419.697137] ieee80211 phy7: Selected rate control algorithm 'minstrel_ht'
[ 419.870739] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 419.871090] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 420.406242] device wlan1 entered promiscuous mode
[ 422.434785] mac80211_hwsim: initializing netlink
[ 422.435399] ieee80211 phy8: Selected rate control algorithm 'minstrel_ht'
[ 422.579207] device wlan0 entered promiscuous mode
[ 427.126059] mac80211_hwsim: initializing netlink
[ 427.128889] ieee80211 phy9: Selected rate control algorithm 'minstrel_ht'
[ 427.133435] ieee80211 phy10: Selected rate control algorithm 'minstrel_ht'
[ 427.135756] ieee80211 phy11: Selected rate control algorithm 'minstrel_ht'
[ 427.385722] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 427.386258] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 427.932765] device wlan2 entered promiscuous mode
[ 430.923486] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 434.757426] wlan1: authenticate with 02:00:00:00:00:00
[ 434.757476] wlan1: send auth to 02:00:00:00:00:00 (try 1/3)
[ 434.758851] wlan1: authenticated
[ 434.758940] mac80211_hwsim hwsim1 wlan1: disabling HT/VHT due to WEP/TKIP use
[ 434.758942] mac80211_hwsim hwsim1 wlan1: disabling HT as WMM/QoS is not supported by the AP
[ 434.758943] mac80211_hwsim hwsim1 wlan1: disabling VHT as WMM/QoS is not supported by the AP
[ 434.761333] wlan1: associate with 02:00:00:00:00:00 (try 1/3)
[ 434.761750] wlan1: RX AssocResp from 02:00:00:00:00:00 (capab=0x11 status=0 aid=1)
[ 434.761761] wlan1: associated
[ 434.762107] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 437.039513] wlan1: deauthenticating from 02:00:00:00:00:00 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 437.133996] mac80211_hwsim: initializing netlink
[ 437.138685] ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
[ 437.139801] ieee80211 phy13: Selected rate control algorithm 'minstrel_ht'
[ 437.140661] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 437.140668] IP: hrtimer_active+0xd/0x50
[ 437.140689] PGD 0 P4D 0
[ 437.140692] Oops: 0000 [#1] SMP PTI
[ 437.140693] Modules linked in: mac80211_hwsim(+) arc4 mac80211 cfg80211 coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_ens1371 snd_ac97_codec aesni_intel gameport ac97_bus vmw_balloon snd_pcm aes_x86_64 crypto_simd glue_helper cryptd intel_rapl_perf snd_seq_midi snd_seq_midi_event snd_rawmidi input_leds joydev serio_raw snd_seq vmwgfx ttm drm_kms_helper snd_seq_device snd_timer snd drm fb_sys_fops soundcore syscopyarea sysfillrect sysimgblt shpchp mac_hid vmw_vsock_vmci_transport vsock vmw_vmci sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 hid_generic usbhid hid psmouse mptspi ahci libahci e1000 mptscsih mptbase scsi_transport_spi i2c_piix4 pata_acpi [last unloaded: mac80211_hwsim]
[ 437.140726] CPU: 0 PID: 27091 Comm: wpa_supplicant Not tainted 4.15.0-47-generic #50-Ubuntu
[ 437.140727] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 437.140729] RIP: 0010:hrtimer_active+0xd/0x50
[ 437.140730] RSP: 0018:ffffac6b42837b68 EFLAGS: 00010246
[ 437.140731] RAX: 0000000000000000 RBX: ffff99611ded6720 RCX: 0000000000000000
[ 437.140732] RDX: 0000000000000000 RSI: ffff99611ded5618 RDI: ffff99611ded6720
[ 437.140733] RBP: ffffac6b42837b68 R08: 0000000000000000 R09: ffff99611ded4760
[ 437.140734] R10: 00000000000003ff R11: 0000000000000000 R12: 0000000000000000
[ 437.140753] R13: ffff99611ded6700 R14: 00000000ffffffff R15: ffff996122936000
[ 437.140754] FS: 00007f3b6104c800(0000) GS:ffff99617b600000(0000) knlGS:0000000000000000
[ 437.140755] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 437.140756] CR2: 0000000000000000 CR3: 0000000077606003 CR4: 00000000003606f0
[ 437.140845] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 437.140847] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 437.140848] Call Trace:
[ 437.140852] hrtimer_try_to_cancel+0x2a/0x110
[ 437.140853] hrtimer_cancel+0x19/0x20
[ 437.140861] mac80211_hwsim_config+0x1cc/0x2d0 [mac80211_hwsim]
[ 437.140876] ieee80211_hw_config+0x1c1/0x350 [mac80211]
[ 437.140886] ieee80211_do_open+0x564/0x860 [mac80211]
[ 437.140896] ieee80211_open+0x52/0x60 [mac80211]
[ 437.140898] __dev_open+0xd3/0x160
[ 437.140900] __dev_change_flags+0x17e/0x1c0
[ 437.140902] dev_change_flags+0x29/0x60
[ 437.140904] devinet_ioctl+0x5de/0x700
[ 437.140907] inet_ioctl+0x56/0x80
[ 437.140909] ? inet_ioctl+0x56/0x80
[ 437.140911] sock_do_ioctl+0x2b/0x60
[ 437.140912] sock_ioctl+0x1a1/0x2c0
[ 437.140915] do_vfs_ioctl+0xa8/0x630
[ 437.140918] ? __sys_recvmsg+0x51/0x90
[ 437.140919] ? __sys_recvmsg+0x51/0x90
[ 437.140921] SyS_ioctl+0x79/0x90
[ 437.140924] do_syscall_64+0x73/0x130
[ 437.140927] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 437.140928] RIP: 0033:0x7f3b5f7fd5d7
[ 437.140947] RSP: 002b:00007ffd6eb15458 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 437.140948] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3b5f7fd5d7
[ 437.140949] RDX: 00007ffd6eb15460 RSI: 0000000000008914 RDI: 0000000000000007
[ 437.140950] RBP: 0000000000000007 R08: 00007ffd6eb1546f R09: 00007f3b5fad2c40
[ 437.140951] R10: 0000000000000007 R11: 0000000000000246 R12: 00007ffd6eb15460
[ 437.140952] R13: 000055bfb1458f50 R14: 0000000000000001 R15: 0000000000000000
[ 437.140954] Code: 89 4f 18 4c 89 4f 20 7c ba 48 83 c0 01 4c 89 da e9 5b ff ff ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 57 30 55 48 89 e5 <48> 8b 02 8b 50 04 f6 c2 01 75 21 80 7f 38 00 75 2b 48 39 78 08
[ 437.140974] RIP: hrtimer_active+0xd/0x50 RSP: ffffac6b42837b68
[ 437.140975] CR2: 0000000000000000
[ 437.140977] ---[ end trace 8d74331518e00fab ]---

Output 2:

[ 43.756417] rfkill: input handler disabled
[ 68.383884] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 68.391224] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
[ 68.420682] mac80211_hwsim: initializing netlink
[ 68.449135] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[ 68.449775] ieee80211 phy1: Selected rate control algorithm 'minstrel_ht'
[ 68.619017] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 68.620189] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 68.638189] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 68.642074] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 68.702978] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 68.712256] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 68.982710] mac80211_hwsim: initializing netlink
[ 68.984991] ieee80211 phy2: Selected rate control algorithm 'minstrel_ht'
[ 69.045866] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 69.106433] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 69.133926] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 69.223211] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 69.345731] device wlan0 entered promiscuous mode
[ 74.005516] mac80211_hwsim: initializing netlink
[ 74.009514] ieee80211 phy3: Selected rate control algorithm 'minstrel_ht'
[ 74.111173] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 74.111307] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 74.133480] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 74.189180] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 74.193947] device wlan0 entered promiscuous mode
[ 78.861183] mac80211_hwsim: initializing netlink
[ 78.862581] ieee80211 phy4: Selected rate control algorithm 'minstrel_ht'
[ 78.879061] ieee80211 phy5: Selected rate control algorithm 'minstrel_ht'
[ 79.011024] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.011196] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.037837] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.068188] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 79.068328] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 79.090001] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 79.269492] mac80211_hwsim: initializing netlink
[ 79.273288] ieee80211 phy6: Selected rate control algorithm 'minstrel_ht'
[ 79.294993] ieee80211 phy7: Selected rate control algorithm 'minstrel_ht'
[ 79.418566] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.419207] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.441601] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 79.441732] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 79.469307] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.471547] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 79.664702] mac80211_hwsim: initializing netlink
[ 79.671392] ieee80211 phy8: Selected rate control algorithm 'minstrel_ht'
[ 79.766695] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.766988] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.794044] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.847582] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 79.851159] device wlan0 entered promiscuous mode
[ 84.447352] mac80211_hwsim: initializing netlink
[ 84.449056] ieee80211 phy9: Selected rate control algorithm 'minstrel_ht'
[ 84.461724] ieee80211 phy10: Selected rate control algorithm 'minstrel_ht'
[ 84.464591] ieee80211 phy11: Selected rate control algorithm 'minstrel_ht'
[ 84.666028] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 84.666167] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 84.690446] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 84.719246] IPv6: ADDRCONF(NETDEV_UP): wlan2: link is not ready
[ 84.719422] IPv6: ADDRCONF(NETDEV_UP): wlan2: link is not ready
[ 84.745048] IPv6: ADDRCONF(NETDEV_UP): wlan2: link is not ready
[ 84.757556] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 84.757950] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 84.778793] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 84.998007] mac80211_hwsim: initializing netlink
[ 85.014445] ieee80211 phy12: Selected rate control algorithm 'minstrel_ht'
[ 85.014782] ieee80211 phy13: Selected rate control algorithm 'minstrel_ht'
[ 85.197526] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 85.197721] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 85.233345] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 85.249866] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 85.250698] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 85.275950] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 85.333333] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 85.379878] device wlan1 entered promiscuous mode
[ 95.057749] mac80211_hwsim: initializing netlink
[ 95.072452] ieee80211 phy14: Selected rate control algorithm 'minstrel_ht'
[ 95.072888] ieee80211 phy15: Selected rate control algorithm 'minstrel_ht'
[ 95.240206] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 95.240333] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 95.271167] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 95.295968] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 95.296309] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 95.317319] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 95.423964] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 95.454765] device wlan1 entered promiscuous mode
[ 105.142161] mac80211_hwsim: initializing netlink
[ 105.143819] ieee80211 phy16: Selected rate control algorithm 'minstrel_ht'
[ 105.237719] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 105.237844] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 105.267342] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 105.345384] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 105.519550] device wlan0 entered promiscuous mode
[ 110.659816] mac80211_hwsim: initializing netlink
[ 110.661118] ieee80211 phy17: Selected rate control algorithm 'minstrel_ht'
[ 110.821583] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 110.822521] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 110.853368] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 117.129124] mac80211_hwsim: initializing netlink
[ 117.141829] ieee80211 phy18: Selected rate control algorithm 'minstrel_ht'
[ 117.271440] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 117.271609] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 117.298259] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 176.594975] mac80211_hwsim: initializing netlink
[ 176.605829] ieee80211 phy19: Selected rate control algorithm 'minstrel_ht'
[ 176.608801] ieee80211 phy20: Selected rate control algorithm 'minstrel_ht'
[ 176.794994] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 176.795896] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 177.330822] device wlan1 entered promiscuous mode
[ 177.705780] mac80211_hwsim: initializing netlink
[ 177.708274] ieee80211 phy21: Selected rate control algorithm 'minstrel_ht'
[ 177.842779] device wlan0 entered promiscuous mode
[ 182.410311] mac80211_hwsim: initializing netlink
[ 182.415919] ieee80211 phy22: Selected rate control algorithm 'minstrel_ht'
[ 182.529819] device wlan0 entered promiscuous mode
[ 187.183817] mac80211_hwsim: initializing netlink
[ 187.185800] ieee80211 phy23: Selected rate control algorithm 'minstrel_ht'
[ 187.186318] ieee80211 phy24: Selected rate control algorithm 'minstrel_ht'
[ 187.363226] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 187.363818] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 187.898435] device wlan1 entered promiscuous mode
[ 189.854901] mac80211_hwsim: initializing netlink
[ 189.856496] ieee80211 phy25: Selected rate control algorithm 'minstrel_ht'
[ 189.860203] ieee80211 phy26: Selected rate control algorithm 'minstrel_ht'
[ 190.039309] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 190.040294] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 190.577060] device wlan1 entered promiscuous mode
[ 192.589068] mac80211_hwsim: initializing netlink
[ 192.590565] ieee80211 phy27: Selected rate control algorithm 'minstrel_ht'
[ 192.711314] device wlan0 entered promiscuous mode
[ 197.310173] mac80211_hwsim: initializing netlink
[ 197.311798] ieee80211 phy28: Selected rate control algorithm 'minstrel_ht'
[ 197.313855] ieee80211 phy29: Selected rate control algorithm 'minstrel_ht'
[ 197.318312] ieee80211 phy30: Selected rate control algorithm 'minstrel_ht'
[ 197.572944] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 197.573419] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 198.113615] device wlan2 entered promiscuous mode
[ 201.117009] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 204.949915] wlan1: authenticate with 02:00:00:00:00:00
[ 204.949944] wlan1: send auth to 02:00:00:00:00:00 (try 1/3)
[ 204.950967] wlan1: authenticated
[ 204.951056] mac80211_hwsim hwsim1 wlan1: disabling HT/VHT due to WEP/TKIP use
[ 204.951057] mac80211_hwsim hwsim1 wlan1: disabling HT as WMM/QoS is not supported by the AP
[ 204.951058] mac80211_hwsim hwsim1 wlan1: disabling VHT as WMM/QoS is not supported by the AP
[ 204.953283] wlan1: associate with 02:00:00:00:00:00 (try 1/3)
[ 204.954013] wlan1: RX AssocResp from 02:00:00:00:00:00 (capab=0x11 status=0 aid=1)
[ 204.954024] wlan1: associated
[ 204.954270] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 207.225120] wlan1: deauthenticating from 02:00:00:00:00:00 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 207.313322] mac80211_hwsim: initializing netlink
[ 207.316424] ieee80211 phy31: Selected rate control algorithm 'minstrel_ht'
[ 207.316954] ieee80211 phy32: Selected rate control algorithm 'minstrel_ht'
[ 207.317513] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[ 207.317516] PGD 0 P4D 0
[ 207.317519] Oops: 0000 [#1] SMP PTI
[ 207.317521] CPU: 0 PID: 6920 Comm: wpa_supplicant Not tainted 4.18.0-17-generic #18~18.04.1-Ubuntu
[ 207.317523] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015
[ 207.317527] RIP: 0010:hrtimer_active+0xd/0x50
[ 207.317528] Code: 4f 18 4c 89 4f 20 7c ba 48 83 c0 01 4c 89 da e9 5b ff ff ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 48 8b 47 30 <8b> 50 10 f6 c2 01 75 1e 80 7f 38 00 75 28 48 39 78 18 74 22 39 50
[ 207.317546] RSP: 0018:ffffc03202963a18 EFLAGS: 00010246
[ 207.317547] RAX: 0000000000000000 RBX: ffff9d32f52ce708 RCX: 0000000000000000
[ 207.317548] RDX: ffff9d32f621c500 RSI: ffff9d32f52cd620 RDI: ffff9d32f52ce708
[ 207.317549] RBP: ffffc03202963a18 R08: 0000000000000000 R09: 0000000000000003
[ 207.317550] R10: 0000000000000000 R11: 00000000000003ff R12: 0000000000000000
[ 207.317551] R13: ffff9d32f52ce6e8 R14: 00000000ffffffff R15: ffff9d32ade90000
[ 207.317553] FS: 00007fd57add4800(0000) GS:ffff9d32fb600000(0000) knlGS:0000000000000000
[ 207.317554] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 207.317555] CR2: 0000000000000010 CR3: 000000002de64006 CR4: 00000000003606f0
[ 207.317594] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 207.317595] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 207.317596] Call Trace:
[ 207.317603] hrtimer_try_to_cancel+0x2a/0x110
[ 207.317605] hrtimer_cancel+0x19/0x20
[ 207.317611] mac80211_hwsim_config+0x1c6/0x2d0 [mac80211_hwsim]
[ 207.317625] ieee80211_hw_config+0x1c1/0x350 [mac80211]
[ 207.317636] ieee80211_do_open+0x572/0x870 [mac80211]
[ 207.317645] ieee80211_open+0x52/0x60 [mac80211]
[ 207.317648] __dev_open+0xd7/0x170
[ 207.317650] __dev_change_flags+0x17e/0x1d0
[ 207.317651] dev_change_flags+0x29/0x60
[ 207.317654] devinet_ioctl+0x588/0x6a0
[ 207.317655] inet_ioctl+0xae/0x1a0
[ 207.317657] ? inet_ioctl+0xae/0x1a0
[ 207.317660] ? _copy_to_user+0x26/0x30
[ 207.317662] ? dev_get_by_name_rcu+0x74/0xa0
[ 207.317663] ? dev_get_by_name_rcu+0x74/0xa0
[ 207.317666] sock_do_ioctl+0x52/0x170
[ 207.317667] ? inet_getname+0x80/0x80
[ 207.317669] ? sock_do_ioctl+0x52/0x170
[ 207.317670] sock_ioctl+0x1e8/0x340
[ 207.317672] ? sock_ioctl+0x1e8/0x340
[ 207.317675] do_vfs_ioctl+0xa8/0x630
[ 207.317676] ? routing_ioctl+0x2b0/0x2b0
[ 207.317678] ? do_vfs_ioctl+0xa8/0x630
[ 207.317680] ? __sys_recvmsg+0x60/0xa0
[ 207.317681] ? __sys_recvmsg+0x60/0xa0
[ 207.317683] ksys_ioctl+0x75/0x80
[ 207.317685] __x64_sys_ioctl+0x1a/0x20
[ 207.317687] do_syscall_64+0x5a/0x120
[ 207.317690] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 207.317691] RIP: 0033:0x7fd5795855d7
[ 207.317692] Code: b3 66 90 48 8b 05 b1 48 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 81 48 2d 00 f7 d8 64 89 01 48
[ 207.317710] RSP: 002b:00007ffe8deaae58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 207.317712] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd5795855d7
[ 207.317713] RDX: 00007ffe8deaae60 RSI: 0000000000008914 RDI: 0000000000000007
[ 207.317714] RBP: 0000000000000007 R08: 00007ffe8deaae6f R09: 00007fd57985ac40
[ 207.317715] R10: 0000000000000007 R11: 0000000000000246 R12: 00007ffe8deaae60
[ 207.317716] R13: 0000562cd254ef50 R14: 0000000000000001 R15: 0000000000000000
[ 207.317717] Modules linked in: mac80211_hwsim(+) arc4 mac80211 cfg80211 coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc vmw_balloon aesni_intel aes_x86_64 crypto_simd cryptd glue_helper intel_rapl_perf joydev input_leds serio_raw vmwgfx ttm drm_kms_helper drm fb_sys_fops syscopyarea sysfillrect sysimgblt mac_hid vmw_vsock_vmci_transport vsock vmw_vmci sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 psmouse mptspi mptscsih mptbase ahci libahci e1000 scsi_transport_spi i2c_piix4 pata_acpi [last unloaded: mac80211_hwsim]
[ 207.317778] CR2: 0000000000000010
[ 207.317780] ---[ end trace 90e2389d7805f2b7 ]---
[ 207.317782] RIP: 0010:hrtimer_active+0xd/0x50
[ 207.317783] Code: 4f 18 4c 89 4f 20 7c ba 48 83 c0 01 4c 89 da e9 5b ff ff ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 48 8b 47 30 <8b> 50 10 f6 c2 01 75 1e 80 7f 38 00 75 28 48 39 78 18 74 22 39 50
[ 207.317801] RSP: 0018:ffffc03202963a18 EFLAGS: 00010246
[ 207.317802] RAX: 0000000000000000 RBX: ffff9d32f52ce708 RCX: 0000000000000000
[ 207.317803] RDX: ffff9d32f621c500 RSI: ffff9d32f52cd620 RDI: ffff9d32f52ce708
[ 207.317804] RBP: ffffc03202963a18 R08: 0000000000000000 R09: 0000000000000003
[ 207.317805] R10: 0000000000000000 R11: 00000000000003ff R12: 0000000000000000
[ 207.317806] R13: ffff9d32f52ce6e8 R14: 00000000ffffffff R15: ffff9d32ade90000
[ 207.317808] FS: 00007fd57add4800(0000) GS:ffff9d32fb600000(0000) knlGS:0000000000000000
[ 207.317809] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 207.317810] CR2: 0000000000000010 CR3: 000000002de64006 CR4: 00000000003606f0
[ 207.317866] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 207.317867] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

How to reproduce:
git clone https://github.com/aircrack-ng/aircrack-ng
# Tested with 69a406c
cd aircrack-ng
grep 'sudo apt' README.md > a && bash a
rm a
autoreconf -i
./configure --with-experimental
make check
bash scripts/airmon-ng.linux check kill
make integration

It will freeze after the test/test-aireplay-ng-0007.sh test (while running test/test-airbase-ng-0001.sh), while doing "modprobe mac80211_hwsim radios=2". You may have to run them twice before this happens.

tdotreppe (tdotreppe) wrote:

The non-HWE kernel for 16.04 is unaffected.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1825058

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: bionic
tdotreppe (tdotreppe) on 2019-04-17
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Po-Hsu Lin (cypressyew) on 2019-04-17
tags: added: cosmic
Po-Hsu Lin (cypressyew) on 2019-04-17
Changed in linux (Ubuntu):
assignee: nobody → You-Sheng Yang (vicamo)
You-Sheng Yang (vicamo) on 2019-04-17
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Cosmic):
status: New → In Progress
You-Sheng Yang (vicamo) on 2019-04-18
description: updated
Stefan Bader (smb) on 2019-04-18
Changed in linux (Ubuntu):
status: Confirmed → Fix Released
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Cosmic):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-cosmic' to 'verification-done-cosmic'. If the problem still exists, change the tag 'verification-needed-cosmic' to 'verification-failed-cosmic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-cosmic
tdotreppe (tdotreppe) on 2019-04-26
tags: added: verification-done-cosmic
removed: verification-needed-cosmic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
tdotreppe (tdotreppe) on 2019-05-01
tags: added: verification-done-bionic
removed: verification-needed-bionic
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 4.15.0-50.54

---------------
linux (4.15.0-50.54) bionic; urgency=medium

  * CVE-2018-12126 // CVE-2018-12127 // CVE-2018-12130
    - Documentation/l1tf: Fix small spelling typo
    - x86/cpu: Sanitize FAM6_ATOM naming
    - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
    - locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a
      new <linux/bits.h> file
    - tools include: Adopt linux/bits.h
    - x86/msr-index: Cleanup bit defines
    - x86/speculation: Consolidate CPU whitelists
    - x86/speculation/mds: Add basic bug infrastructure for MDS
    - x86/speculation/mds: Add BUG_MSBDS_ONLY
    - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
    - x86/speculation/mds: Add mds_clear_cpu_buffers()
    - x86/speculation/mds: Clear CPU buffers on exit to user
    - x86/kvm/vmx: Add MDS protection when L1D Flush is not active
    - x86/speculation/mds: Conditionally clear CPU buffers on idle entry
    - x86/speculation/mds: Add mitigation control for MDS
    - x86/speculation/mds: Add sysfs reporting for MDS
    - x86/speculation/mds: Add mitigation mode VMWERV
    - Documentation: Move L1TF to separate directory
    - Documentation: Add MDS vulnerability documentation
    - x86/speculation/mds: Add mds=full,nosmt cmdline option
    - x86/speculation: Move arch_smt_update() call to after mitigation decisions
    - x86/speculation/mds: Add SMT warning message
    - x86/speculation/mds: Fix comment
    - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
    - x86/speculation/mds: Add 'mitigations=' support for MDS

  * CVE-2017-5715 // CVE-2017-5753
    - s390/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5753 // CVE-2017-5754 // CVE-2018-3639
    - powerpc/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5754 // CVE-2018-3620 // CVE-2018-3639 //
    CVE-2018-3646
    - cpu/speculation: Add 'mitigations=' cmdline option
    - x86/speculation: Support 'mitigations=' cmdline option

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log

linux (4.15.0-49.53) bionic; urgency=medium

  * linux: 4.15.0-49.53 -proposed tracker (LP: #1826358)

  * Backport support for software count cache flush Spectre v2 mitigation. (CVE)
    (required for POWER9 DD2.3) (LP: #1822870)
    - powerpc/64s: Add support for ori barrier_nospec patching
    - powerpc/64s: Patch barrier_nospec in modules
    - powerpc/64s: Enable barrier_nospec based on firmware settings
    - powerpc: Use barrier_nospec in copy_from_user()
    - powerpc/64: Use barrier_nospec in syscall entry
    - powerpc/64s: Enhance the information in cpu_show_spectre_v1()
    - powerpc/64: Disable the speculation barrier from the command line
    - powerpc/64: Make stf barrier PPC_BOOK3S_64 specific.
    - powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC
    - powerpc/64: Call setup_barrier_nospec() from setup_arch()
    - powerpc/64: Make meltdown reporting Book3S 64 specific
    - powerpc/lib/code-patching: refactor patch_instruction()
    - powerpc/lib/feature-fixups: use raw_patch_instruction()
    - powerpc/asm: Add a patch_site mac...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 4.18.0-20.21

---------------
linux (4.18.0-20.21) cosmic; urgency=medium

  * CVE-2018-12126 // CVE-2018-12127 // CVE-2018-12130
    - Documentation/l1tf: Fix small spelling typo
    - x86/cpu: Sanitize FAM6_ATOM naming
    - kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
    - locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a
      new <linux/bits.h> file
    - tools include: Adopt linux/bits.h
    - x86/msr-index: Cleanup bit defines
    - x86/speculation: Consolidate CPU whitelists
    - x86/speculation/mds: Add basic bug infrastructure for MDS
    - x86/speculation/mds: Add BUG_MSBDS_ONLY
    - x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
    - x86/speculation/mds: Add mds_clear_cpu_buffers()
    - x86/speculation/mds: Clear CPU buffers on exit to user
    - x86/kvm/vmx: Add MDS protection when L1D Flush is not active
    - x86/speculation/mds: Conditionally clear CPU buffers on idle entry
    - x86/speculation/mds: Add mitigation control for MDS
    - x86/speculation/mds: Add sysfs reporting for MDS
    - x86/speculation/mds: Add mitigation mode VMWERV
    - Documentation: Move L1TF to separate directory
    - Documentation: Add MDS vulnerability documentation
    - x86/speculation/mds: Add mds=full,nosmt cmdline option
    - x86/speculation: Move arch_smt_update() call to after mitigation decisions
    - x86/speculation/mds: Add SMT warning message
    - x86/speculation/mds: Fix comment
    - x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
    - x86/speculation/mds: Add 'mitigations=' support for MDS

  * CVE-2017-5715 // CVE-2017-5753
    - s390/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5753 // CVE-2017-5754 // CVE-2018-3639
    - powerpc/speculation: Support 'mitigations=' cmdline option

  * CVE-2017-5715 // CVE-2017-5754 // CVE-2018-3620 // CVE-2018-3639 //
    CVE-2018-3646
    - cpu/speculation: Add 'mitigations=' cmdline option
    - x86/speculation: Support 'mitigations=' cmdline option

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log

linux (4.18.0-19.20) cosmic; urgency=medium

  * linux: 4.18.0-19.20 -proposed tracker (LP: #1826171)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync git-ubuntu-log

  * autopkgtests run too often, too much and don't skip enough (LP: #1823056)
    - [Debian] Set +x on rebuild testcase.
    - [Debian] Skip rebuild test, for regression-suite deps.
    - [Debian] Make ubuntu-regression-suite skippable on unbootable kernels.
    - [Debian] make rebuild use skippable error codes when skipping.
    - [Debian] Only run regression-suite, if requested to.

  * CVE-2017-5753
    - s390/keyboard: sanitize array index in do_kdsk_ioctl
    - drm/bufs: Fix Spectre v1 vulnerability
    - drivers/misc/sgi-gru: fix Spectre v1 vulnerability
    - ipv4: Fix potential Spectre v1 vulnerability
    - aio: fix spectre gadget in lookup_ioctx
    - ALSA: emux: Fix potential Spectre v1 vulnerabilities
    - ALSA: pcm: Fix potential Spectre v1 vulnerability
    - ip6mr: Fix potential Spectre v1 vulnerability
    - ALSA: rme9652: Fix potential Spectre v1...


Changed in linux (Ubuntu Cosmic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for linux-aws has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
