Hi, running 5.10-rc3, I have come across a null pointer dereference. It occured while trying to connect to a 802.1x/EAP-protected network using iwd. However, the bug seems to be limited to iwd's usage of the keyctl API (unrelated to the wireless subsystem).
The bug seems related to the recent changes related to the SM2/SM3 algorithms, commits 215525639631a and 3093e7c16e12d. I am including both the kernel logs as well as the system logs immediately before and after the null pointer dereference. public_key_verify_signature+0x189 is crypto/asymmetric_keys/public_key.c:359, i.e. if (strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) { [...] Note that this block was introduced in commit 215525639631a. kernel: wlan0: authenticate with <redacted> kernel: wlan0: send auth to <redacted> (try 1/3) kernel: wlan0: authenticated kernel: wlan0: associate with <redacted> (try 1/3) kernel: wlan0: RX AssocResp from <redacted> (capab=0x411 status=0 aid=24) kernel: wlan0: associated iwd[492]: EAP server tried method 52 while client was configured for method 25 kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000 kernel: wlan0: Limiting TX power to 23 (23 - 0) dBm as advertised by <redacted> kernel: #PF: supervisor read access in kernel mode kernel: #PF: error_code(0x0000) - not-present page kernel: PGD 0 P4D 0 kernel: Oops: 0000 [#1] PREEMPT SMP PTI kernel: CPU: 1 PID: 492 Comm: iwd Tainted: G W T 5.10.0-rc3-custom #133 kernel: Hardware name: LENOVO 20HES01100/20HES01100, BIOS N1QET88W (1.63 ) 04/22/2020 kernel: RIP: 0010:public_key_verify_signature+0x189/0x3f0 kernel: Code: 48 8b 40 d0 44 89 c2 4c 89 fe 4c 89 e7 e8 4f 90 e7 00 85 c0 0f 85 67 01 00 00 48 8b 75 30 48 c7 c7 60 7d 85 9d > kernel: RSP: 0018:ffff9fd6406ffd50 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffff8e1090272a40 RCX: 0000000000000004 kernel: RDX: ffff8e1082680400 RSI: 0000000000000000 RDI: ffffffff9d857d60 kernel: RBP: ffff9fd6406ffe88 R08: ffff8e10900ac820 R09: 0000000000000008 kernel: R10: 0000000000000000 R11: 000000000000010a R12: ffff8e1082681200 kernel: R13: ffff8e1082680900 R14: ffff9fd6406ffd88 R15: ffff8e10864df600 kernel: FS: 00007fbcb627e740(0000) GS:ffff8e13f2680000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000000 CR3: 0000000110304005 CR4: 00000000003706e0 kernel: Call Trace: kernel: asymmetric_key_verify_signature+0x5e/0x80 kernel: keyctl_pkey_verify+0xb6/0x110 kernel: do_syscall_64+0x33/0x40 kernel: entry_SYSCALL_64_after_hwframe+0x44/0xa9 kernel: RIP: 0033:0x7fbcb637bd5d kernel: Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b > kernel: RSP: 002b:00007ffd7e69d648 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa kernel: RAX: ffffffffffffffda RBX: 00007ffd7e69d6d0 RCX: 00007fbcb637bd5d kernel: RDX: 000056210c5a3420 RSI: 00007ffd7e69d650 RDI: 000000000000001c kernel: RBP: 000056210c5a3420 R08: 000056210c5a7a6d R09: 0000003024d797a1 kernel: R10: 00007ffd7e69d6d0 R11: 0000000000000246 R12: 000056210c5a7a6d kernel: R13: 000056210c3b0b30 R14: 000056210c5a7a24 R15: 00007ffd7e69d6d0 kernel: Modules linked in: usblp kernel: CR2: 0000000000000000 kernel: ---[ end trace ffdad8803dc4f4a6 ]--- kernel: RIP: 0010:public_key_verify_signature+0x189/0x3f0 kernel: Code: 48 8b 40 d0 44 89 c2 4c 89 fe 4c 89 e7 e8 4f 90 e7 00 85 c0 0f 85 67 01 00 00 48 8b 75 30 48 c7 c7 60 7d 85 9d > kernel: RSP: 0018:ffff9fd6406ffd50 EFLAGS: 00010246 kernel: RAX: 0000000000000000 RBX: ffff8e1090272a40 RCX: 0000000000000004 kernel: RDX: ffff8e1082680400 RSI: 0000000000000000 RDI: ffffffff9d857d60 kernel: RBP: ffff9fd6406ffe88 R08: ffff8e10900ac820 R09: 0000000000000008 kernel: R10: 0000000000000000 R11: 000000000000010a R12: ffff8e1082681200 kernel: R13: ffff8e1082680900 R14: ffff9fd6406ffd88 R15: ffff8e10864df600 kernel: FS: 00007fbcb627e740(0000) GS:ffff8e13f2680000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 0000000000000000 CR3: 0000000110304005 CR4: 00000000003706e0 systemd[1]: iwd.service: Main process exited, code=killed, status=9/KILL systemd[1]: iwd.service: Failed with result 'signal'. Please advise if you need any further information. Kind regards, Tobias