Message-ID: <CAE4VaGCd-cwWsJokL+0tW8OAzJqTsk=9X2AOy=7inFaedYW9+w@mail.gmail.com>
Date: Thu, 16 Oct 2025 19:10:21 +0200
From: Jirka Hladky <jhladky@...hat.com>
To: linux-kernel <linux-kernel@...r.kernel.org>
Cc: Kamil Kolakowski <kkolakow@...hat.com>, "spetrovi@...hat.com" <spetrovi@...hat.com>
Subject: Re: BUG: NULL pointer dereference in update_qos_requests() triggered
 by writing to /sys/devices/system/cpu/intel_pstate/min_perf_pct (6.18-rc1)

The kernel panic appears when we boot the system with the nosmt kernel
boot parameter:

grubby --update-kernel DEFAULT --args="nosmt"

On Thu, Oct 16, 2025 at 6:57 PM Jirka Hladky <jhladky@...hat.com> wrote:
>
> Hello,
>
> We are observing a kernel panic on various Intel servers (Skylake, Ice
> Lake) running kernel 6.18.0-0.rc1. The crash is caused by a NULL
> pointer dereference in update_qos_requests() when the tuned daemon
> writes CPU QoS settings from the default tuned-performance profile.
>
> Triggering setting:
> ======================================================
> /usr/lib/tuned/tuned-performance/tuned.conf
> [cpu]
> min_perf_pct=100
> governor=performance
> energy_perf_bias=performance
> energy_performance_preference=performance
> ======================================================
>
> This tuned profile causes the kernel panic when tuned starts, likely via:
>
> echo 100 > /sys/devices/system/cpu/intel_pstate/min_perf_pct
>
> Example log:
>
> BUG: kernel NULL pointer dereference, address: 0x38
> RIP: 0010:update_qos_requests+0x7c/0xf0
> PID: 1794 Comm: tuned
> Call Trace:
> store_min_perf_pct+0xb7/0x120
> kernfs_fop_write_iter+0x14d/0x200
> vfs_write+0x25d/0x480
> ksys_write+0x73/0xf0
> do_syscall_64+0x7c/0x800
>
> Thank you!
> Jirka
>
> [      OK    ] Started polkit.service  Authorization Manager.
> [   14.936180] BUG: kernel NULL pointer dereference, address: 0000000000000038
> [   14.943996] #PF: supervisor read access in kernel mode
> [   14.949763] #PF: error_code(0x0000) - not-present page
> [   14.955531] PGD 178c1a067 P4D 0
> [   14.959154] Oops: Oops: 0000 [#1] SMP NOPTI
> [   14.963841] CPU: 14 UID: 0 PID: 1991 Comm: tuned Tainted: G S
>           ------  ---  6.18.0-0.rc1.16.eln152.x86_64 #1 PREEMPT(lazy)
> [   14.977798] Tainted: [S]=CPU_OUT_OF_SPEC
> [   14.982200] Hardware name: Abacus electric, s.r.o. -
> servis@...cus.cz Super Server/X12SPW-F, BIOS 1.2 02/14/2022
> [   14.993621] RIP: 0010:update_qos_requests+0x7c/0xf0
> [   14.999101] Code: 48 63 d2 48 c7 c7 80 77 29 97 e8 1f 39 bc ff 3b
> 05 39 c3 9c 01 48 89 c3 73 66 48 8b 15 7d b5 68 02 48 63 c3 89 df 4c
> 8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff 49 89 c6 48 85 c0 74 bb 4c 8b
> b8 40
> [   15.020167] RSP: 0018:ff71393407197c50 EFLAGS: 00010293
> [   15.026031] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
> [   15.034040] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
> [   15.042048] RBP: 0000000014dc9380 R08: ffffffff97297780 R09: 0000000000000087
> [   15.050057] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [   15.058065] R13: fffffffffffffff2 R14: ff29dd01cbeca800 R15: ff29dd01c2ff8580
> [   15.066074] FS:  00007f472984f6c0(0000) GS:ff29dd40a6828000(0000)
> knlGS:0000000000000000
> [   15.075156] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   15.081603] CR2: 0000000000000038 CR3: 00000001124e0001 CR4: 0000000000773ef0
> [   15.089612] PKRU: 55555554
> [   15.092646] Call Trace:
> [   15.095390]  <TASK>
> [   15.097746]  store_min_perf_pct+0xb7/0x120
> [   15.102345]  kernfs_fop_write_iter+0x14d/0x200
> [   15.107334]  vfs_write+0x25d/0x480
> [   15.111152]  ksys_write+0x73/0xf0
> [   15.114871]  do_syscall_64+0x7c/0x800
> [   15.118980]  ? __do_sys_newfstat+0x44/0x70
> [   15.123570]  ? syscall_exit_work+0x143/0x1b0
> [   15.128363]  ? clear_bhb_loop+0x30/0x80
> [   15.132660]  ? clear_bhb_loop+0x30/0x80
> [   15.136965]  ? clear_bhb_loop+0x30/0x80
> [   15.141260]  ? clear_bhb_loop+0x30/0x80
> [   15.145566]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> [   15.151236] RIP: 0033:0x7f472b534e4f
> [   15.155257] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 59 74
> f9 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00
> 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 ac 74 f9
> ff 48
> [   15.176328] RSP: 002b:00007f472984e130 EFLAGS: 00000293 ORIG_RAX:
> 0000000000000001
> [   15.184824] RAX: ffffffffffffffda RBX: 00007f472984f638 RCX: 00007f472b534e4f
> [   15.192832] RDX: 0000000000000003 RSI: 00007f472401b670 RDI: 000000000000000a
> [   15.200840] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000002
> [   15.208849] R10: 00007f47299116c0 R11: 0000000000000293 R12: 00007f472401b670
> [   15.216857] R13: 000000000000000a R14: 000055f431e37b00 R15: 000055f431bbbba2
> [   15.224866]  </TASK>
> [   15.227318] Modules linked in: rfkill sunrpc vfat fat ext4 crc16
> mbcache jbd2 intel_rapl_msr iTCO_wdt iTCO_vendor_support
> intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common
> i10nm_edac skx_edac_common nfit libnvdimm x86_pkg_temp_thermal
> intel_powerclamp coretemp kvm_intel kvm dax_hmem cxl_acpi ipmi_ssif
> rndis_host cxl_port irqbypass rapl intel_cstate cxl_core intel_th_gth
> mei_me cdc_ether isst_if_mbox_pci isst_if_mmio igb i2c_i801 ioatdma
> intel_th_pci ast intel_uncore usbnet einj isst_if_common pcspkr
> i2c_smbus intel_pch_thermal mei acpi_power_meter intel_th intel_vsec
> dca i2c_algo_bit mii ipmi_si acpi_ipmi ipmi_devintf ipmi_msghandler
> joydev acpi_pad loop fuse dm_mod nfnetlink xfs ahci nvme libahci
> nvme_core libata nvme_keyring ghash_clmulni_intel nvme_auth hkdf
> [   15.305080] CR2: 0000000000000038
> [   15.308798] ---[ end trace 0000000000000000 ]---
> [   15.375282] RIP: 0010:update_qos_requests+0x7c/0xf0
> [   15.380761] Code: 48 63 d2 48 c7 c7 80 77 29 97 e8 1f 39 bc ff 3b
> 05 39 c3 9c 01 48 89 c3 73 66 48 8b 15 7d b5 68 02 48 63 c3 89 df 4c
> 8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff 49 89 c6 48 85 c0 74 bb 4c 8b
> b8 40
> [   15.401834] RSP: 0018:ff71393407197c50 EFLAGS: 00010293
> [   15.407698] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
> [   15.415707] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
> [   15.423714] RBP: 0000000014dc9380 R08: ffffffff97297780 R09: 0000000000000087
> [   15.431722] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> [   15.439731] R13: fffffffffffffff2 R14: ff29dd01cbeca800 R15: ff29dd01c2ff8580
> [   15.447739] FS:  00007f472984f6c0(0000) GS:ff29dd40a6828000(0000)
> knlGS:0000000000000000
> [   15.456821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   15.463268] CR2: 000000000000003
>
>
>
>
>
> --
> -Jirka



-- 
-Jirka
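
A triage sketch for the oops quoted above, added here and not part of the original message: it pulls the faulting function, process and registers out of the log and decodes the instruction at the `<41>` marker, showing that the fault is a read at offset 0x38 from a register holding NULL. The sample lines are excerpted from the quoted log with mail line-wrapping undone and the Code line shortened; `triage` and `faulting_load` are names chosen for this example.

```python
import re

# Excerpt of the oops quoted in the report (wrapping undone, Code line shortened).
OOPS = """\
[   14.936180] BUG: kernel NULL pointer dereference, address: 0000000000000038
[   14.963841] CPU: 14 UID: 0 PID: 1991 Comm: tuned Tainted: G S
[   14.993621] RIP: 0010:update_qos_requests+0x7c/0xf0
[   14.999101] Code: 48 63 c3 89 df 4c 8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff
[   15.026031] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
[   15.034040] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
[   15.050057] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   15.097746]  store_min_perf_pct+0xb7/0x120
[   15.102345]  kernfs_fop_write_iter+0x14d/0x200
"""
# x86-64 register numbers 0..15, spelled the way the kernel prints them.
REG64 = ["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"] + \
        [f"R{i:02d}" for i in range(8, 16)]

def faulting_load(insn):
    """Decode 'mov r32, [base+disp8]' (optional REX, opcode 8B); else None."""
    rex = insn[0] if 0x40 <= insn[0] <= 0x4F else 0
    op = insn[1:] if rex else insn
    if op[0] != 0x8B or op[1] >> 6 != 1:       # only mod=01 (disp8) loads
        return None
    rm, tail = op[1] & 7, op[2:]
    if rm == 4:                                # SIB byte follows ModRM
        sib, tail = tail[0], tail[1:]
        if ((sib >> 3) & 7) != 4 or rex & 2:   # an index register is in use
            return None
        rm = sib & 7
    disp = tail[0] - 0x100 if tail[0] >= 0x80 else tail[0]
    return REG64[rm | ((rex & 1) << 3)], disp

def triage(text):
    """Summarise a NULL-dereference oops: where, who, and which base was NULL."""
    addr = int(re.search(r"address: ([0-9a-f]+)", text).group(1), 16)
    func, off = re.search(r"RIP: 0010:(\w+)\+(0x[0-9a-f]+)", text).groups()
    regs = {k: int(v, 16) for k, v in
            re.findall(r"\b(R[A-Z0-9]{1,2}): ([0-9a-f]{16})\b", text)}
    code = re.search(r"Code: (.*)", text).group(1).split()
    start = next(i for i, t in enumerate(code) if t.startswith("<"))
    load = faulting_load([int(t.strip("<>"), 16) for t in code[start:]])
    out = {"function": func, "offset": off, "fault_addr": addr,
           "comm": re.search(r"Comm: (\S+)", text).group(1),
           "via_sysfs_write": "kernfs_fop_write_iter" in text}
    if load and load[0] in regs:
        base, disp = load
        out.update(base=base, disp=disp,
                   null_member_deref=regs[base] == 0 and disp == addr)
    return out

if __name__ == "__main__":
    print(triage(OOPS))
```
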

