lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAE4VaGDfiPvz3AzrwrwM4kWB3SCkMci25nPO8W1JmTBd=xHzZg@mail.gmail.com>
Date: Thu, 16 Oct 2025 18:57:57 +0200
From: Jirka Hladky <jhladky@...hat.com>
To: linux-kernel <linux-kernel@...r.kernel.org>
Cc: Kamil Kolakowski <kkolakow@...hat.com>, "spetrovi@...hat.com" <spetrovi@...hat.com>
Subject: BUG: NULL pointer dereference in update_qos_requests() triggered by
 writing to /sys/devices/system/cpu/intel_pstate/min_perf_pct (6.18-rc1)

Hello,

We are observing a kernel panic on various Intel servers (Skylake, Ice
Lake) running kernel 6.18.0-0.rc1. The crash is caused by a NULL
pointer dereference in update_qos_requests() when the tuned daemon
writes CPU QoS settings from the default tuned-performance profile.

Triggering setting:
======================================================
/usr/lib/tuned/tuned-performance/tuned.conf
[cpu]
min_perf_pct=100
governor=performance
energy_perf_bias=performance
energy_performance_preference=performance
======================================================

This tuned profile causes the kernel panic when tuned starts, likely via:

echo 100 > /sys/devices/system/cpu/intel_pstate/min_perf_pct

Example log:

BUG: kernel NULL pointer dereference, address: 0x38
RIP: 0010:update_qos_requests+0x7c/0xf0
PID: 1794 Comm: tuned
Call Trace:
store_min_perf_pct+0xb7/0x120
kernfs_fop_write_iter+0x14d/0x200
vfs_write+0x25d/0x480
ksys_write+0x73/0xf0
do_syscall_64+0x7c/0x800

Thank you!
Jirka

[      OK    ] Started polkit.service  Authorization Manager.
[   14.936180] BUG: kernel NULL pointer dereference, address: 0000000000000038
[   14.943996] #PF: supervisor read access in kernel mode
[   14.949763] #PF: error_code(0x0000) - not-present page
[   14.955531] PGD 178c1a067 P4D 0
[   14.959154] Oops: Oops: 0000 [#1] SMP NOPTI
[   14.963841] CPU: 14 UID: 0 PID: 1991 Comm: tuned Tainted: G S
          ------  ---  6.18.0-0.rc1.16.eln152.x86_64 #1 PREEMPT(lazy)
[   14.977798] Tainted: [S]=CPU_OUT_OF_SPEC
[   14.982200] Hardware name: Abacus electric, s.r.o. -
servis@...cus.cz Super Server/X12SPW-F, BIOS 1.2 02/14/2022
[   14.993621] RIP: 0010:update_qos_requests+0x7c/0xf0
[   14.999101] Code: 48 63 d2 48 c7 c7 80 77 29 97 e8 1f 39 bc ff 3b
05 39 c3 9c 01 48 89 c3 73 66 48 8b 15 7d b5 68 02 48 63 c3 89 df 4c
8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff 49 89 c6 48 85 c0 74 bb 4c 8b
b8 40
[   15.020167] RSP: 0018:ff71393407197c50 EFLAGS: 00010293
[   15.026031] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
[   15.034040] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
[   15.042048] RBP: 0000000014dc9380 R08: ffffffff97297780 R09: 0000000000000087
[   15.050057] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   15.058065] R13: fffffffffffffff2 R14: ff29dd01cbeca800 R15: ff29dd01c2ff8580
[   15.066074] FS:  00007f472984f6c0(0000) GS:ff29dd40a6828000(0000)
knlGS:0000000000000000
[   15.075156] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.081603] CR2: 0000000000000038 CR3: 00000001124e0001 CR4: 0000000000773ef0
[   15.089612] PKRU: 55555554
[   15.092646] Call Trace:
[   15.095390]  <TASK>
[   15.097746]  store_min_perf_pct+0xb7/0x120
[   15.102345]  kernfs_fop_write_iter+0x14d/0x200
[   15.107334]  vfs_write+0x25d/0x480
[   15.111152]  ksys_write+0x73/0xf0
[   15.114871]  do_syscall_64+0x7c/0x800
[   15.118980]  ? __do_sys_newfstat+0x44/0x70
[   15.123570]  ? syscall_exit_work+0x143/0x1b0
[   15.128363]  ? clear_bhb_loop+0x30/0x80
[   15.132660]  ? clear_bhb_loop+0x30/0x80
[   15.136965]  ? clear_bhb_loop+0x30/0x80
[   15.141260]  ? clear_bhb_loop+0x30/0x80
[   15.145566]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   15.151236] RIP: 0033:0x7f472b534e4f
[   15.155257] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 59 74
f9 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00
00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 ac 74 f9
ff 48
[   15.176328] RSP: 002b:00007f472984e130 EFLAGS: 00000293 ORIG_RAX:
0000000000000001
[   15.184824] RAX: ffffffffffffffda RBX: 00007f472984f638 RCX: 00007f472b534e4f
[   15.192832] RDX: 0000000000000003 RSI: 00007f472401b670 RDI: 000000000000000a
[   15.200840] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000002
[   15.208849] R10: 00007f47299116c0 R11: 0000000000000293 R12: 00007f472401b670
[   15.216857] R13: 000000000000000a R14: 000055f431e37b00 R15: 000055f431bbbba2
[   15.224866]  </TASK>
[   15.227318] Modules linked in: rfkill sunrpc vfat fat ext4 crc16
mbcache jbd2 intel_rapl_msr iTCO_wdt iTCO_vendor_support
intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common
i10nm_edac skx_edac_common nfit libnvdimm x86_pkg_temp_thermal
intel_powerclamp coretemp kvm_intel kvm dax_hmem cxl_acpi ipmi_ssif
rndis_host cxl_port irqbypass rapl intel_cstate cxl_core intel_th_gth
mei_me cdc_ether isst_if_mbox_pci isst_if_mmio igb i2c_i801 ioatdma
intel_th_pci ast intel_uncore usbnet einj isst_if_common pcspkr
i2c_smbus intel_pch_thermal mei acpi_power_meter intel_th intel_vsec
dca i2c_algo_bit mii ipmi_si acpi_ipmi ipmi_devintf ipmi_msghandler
joydev acpi_pad loop fuse dm_mod nfnetlink xfs ahci nvme libahci
nvme_core libata nvme_keyring ghash_clmulni_intel nvme_auth hkdf
[   15.305080] CR2: 0000000000000038
[   15.308798] ---[ end trace 0000000000000000 ]---
[   15.375282] RIP: 0010:update_qos_requests+0x7c/0xf0
[   15.380761] Code: 48 63 d2 48 c7 c7 80 77 29 97 e8 1f 39 bc ff 3b
05 39 c3 9c 01 48 89 c3 73 66 48 8b 15 7d b5 68 02 48 63 c3 89 df 4c
8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff 49 89 c6 48 85 c0 74 bb 4c 8b
b8 40
[   15.401834] RSP: 0018:ff71393407197c50 EFLAGS: 00010293
[   15.407698] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
[   15.415707] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
[   15.423714] RBP: 0000000014dc9380 R08: ffffffff97297780 R09: 0000000000000087
[   15.431722] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   15.439731] R13: fffffffffffffff2 R14: ff29dd01cbeca800 R15: ff29dd01c2ff8580
[   15.447739] FS:  00007f472984f6c0(0000) GS:ff29dd40a6828000(0000)
knlGS:0000000000000000
[   15.456821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   15.463268] CR2: 000000000000003





-- 
-Jirka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ