Hello,

an IPFire user has reported seeing this oops a couple of times a day. I have been looking through the Git repository to see if there are any reports or fixes for this, but could not find any.

This kernel has been in production for some time now, but WireGuard has not been widely available in IPFire yet. I am filing this under Netfilter, but potentially this is a WireGuard bug.

13:44:28 kernel: ==================================================================
13:44:28 kernel: BUG: KFENCE: use-after-free read in ipt_do_table+0x1b9/0x7d0
13:44:28 kernel:
13:44:28 kernel: Use-after-free read at 0x00000000cb4559ce (in kfence-#227):
13:44:28 kernel: ipt_do_table+0x1b9/0x7d0
13:44:28 kernel: nf_hook_slow+0x42/0x120
13:44:28 kernel: ip_output+0x126/0x1f0
13:44:28 kernel: ip_sublist_rcv+0x335/0x350
13:44:28 kernel: ip_list_rcv+0x130/0x170
13:44:28 kernel: __netif_receive_skb_list_core+0x2c8/0x2f0
13:44:28 kernel: netif_receive_skb_list_internal+0x1b6/0x300
13:44:28 kernel: napi_complete_done+0x72/0x230
13:44:28 kernel: wg_packet_rx_poll+0x40c/0x8e0 [wireguard]
13:44:28 kernel: __napi_poll+0x28/0x170
13:44:28 kernel: net_rx_action+0x323/0x410
13:44:28 kernel: handle_softirqs+0xf9/0x2d0
13:44:28 kernel: run_ksoftirqd+0x45/0x50
13:44:28 kernel: smpboot_thread_fn+0x188/0x230
13:44:28 kernel: kthread+0xde/0x110
13:44:28 kernel: ret_from_fork+0x31/0x50
13:44:28 kernel: ret_from_fork_asm+0x1a/0x30
13:44:28 kernel:
13:44:28 kernel: kfence-#227: 0x00000000ae01ff22-0x00000000ea544824, size=2048, cache=kmalloc-rnd-12-2k
13:44:28 kernel:
13:44:28 kernel: allocated by task 15100 on cpu 1 at 512417.565579s (0.000127s ago):
13:44:28 kernel: kmalloc_reserve+0x64/0x100
13:44:28 kernel: pskb_expand_head+0x95/0x380
13:44:28 kernel: __pskb_pull_tail+0x5b/0x4d0
13:44:28 kernel: skb_cow_data+0x77/0x320
13:44:28 kernel: decrypt_packet+0xd6/0x1d0 [wireguard]
13:44:28 kernel: wg_packet_decrypt_worker+0x66/0x1b0 [wireguard]
13:44:28 kernel: process_one_work+0x174/0x330
13:44:28 kernel: worker_thread+0x266/0x3a0
13:44:28 kernel: kthread+0xde/0x110
13:44:28 kernel: ret_from_fork+0x31/0x50
13:44:28 kernel: ret_from_fork_asm+0x1a/0x30
13:44:28 kernel:
13:44:28 kernel: freed by task 28 on cpu 1 at 512417.565609s (0.000131s ago):
13:44:28 kernel: pskb_expand_head+0x1d2/0x380
13:44:28 kernel: __pskb_pull_tail+0x5b/0x4d0
13:44:28 kernel: match+0x18c/0x6e0 [xt_layer7]
13:44:28 kernel: ipt_do_table+0x2c5/0x7d0
13:44:28 kernel: nf_hook_slow+0x42/0x120
13:44:28 kernel: ip_output+0x126/0x1f0
13:44:28 kernel: ip_sublist_rcv+0x335/0x350
13:44:28 kernel: ip_list_rcv+0x130/0x170
13:44:28 kernel: __netif_receive_skb_list_core+0x2c8/0x2f0
13:44:28 kernel: netif_receive_skb_list_internal+0x1b6/0x300
13:44:28 kernel: napi_complete_done+0x72/0x230
13:44:28 kernel: wg_packet_rx_poll+0x40c/0x8e0 [wireguard]
13:44:28 kernel: __napi_poll+0x28/0x170
13:44:28 kernel: net_rx_action+0x323/0x410
13:44:28 kernel: handle_softirqs+0xf9/0x2d0
13:44:28 kernel: run_ksoftirqd+0x45/0x50
13:44:28 kernel: smpboot_thread_fn+0x188/0x230
13:44:28 kernel: kthread+0xde/0x110
13:44:28 kernel: ret_from_fork+0x31/0x50
13:44:28 kernel: ret_from_fork_asm+0x1a/0x30
13:44:28 kernel:
13:44:28 kernel: CPU: 1 UID: 0 PID: 28 Comm: ksoftirqd/1 Tainted: G B 6.12.23-ipfire #1
13:44:28 kernel: Tainted: [B]=BAD_PAGE
13:44:28 kernel: Hardware name: Default string Default string/Default string, BIOS 5.27 11/21/2024
13:44:28 kernel: ==================================================================

The kernel configuration is available here:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/kernel/kernel.config.x86_64-ipfire;h=fbe89b8200e0dbe64fc6af31c16480e6eaa94b82;hb=HEAD

If you need any further information, please let me know. We would be very grateful if you could help us get to the bottom of this.

Best,
-Michael