Message-ID: <202510211205.1e0f5223-lkp@intel.com>
Date: Tue, 21 Oct 2025 13:14:36 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Fernand Sieber <sieberf@...zon.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
<x86@...nel.org>, Peter Zijlstra <peterz@...radead.org>,
<aubrey.li@...ux.intel.com>, <yu.c.chen@...el.com>, <oliver.sang@...el.com>
Subject: [tip:sched/core] [sched/fair] 79104becf4: BUG:kernel_NULL_pointer_dereference,address
Hello,
kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
commit: 79104becf42baeeb4a3f2b106f954b9fc7c10a3c ("sched/fair: Forfeit vruntime on yield")
https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git sched/core
[test failed on linux-next/master 606da5bb165594c052ee11de79bf05bc38bc1aa6]
in testcase: trinity
version:
with following parameters:
    runtime: 300s
    group: group-04
    nr_groups: 5
config: x86_64-randconfig-121-20251020
compiler: gcc-13
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202510211205.1e0f5223-lkp@intel.com
[ 23.486344][ T3682] BUG: kernel NULL pointer dereference, address: 0000000000000051
[ 23.486846][ T3682] #PF: supervisor read access in kernel mode
[ 23.487189][ T3682] #PF: error_code(0x0000) - not-present page
[ 23.487532][ T3682] PGD 12b0a5067 P4D 12b0a5067 PUD 12b0b0067 PMD 0
[ 23.487905][ T3682] Oops: Oops: 0000 [#1]
[ 23.488147][ T3682] CPU: 0 UID: 65534 PID: 3682 Comm: trinity-c1 Not tainted 6.18.0-rc1-00001-g79104becf42b #1 PREEMPT
[ 23.488817][ T3682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 23.489401][ T3682] RIP: 0010:pick_task_fair (kernel/sched/fair.c:5526 kernel/sched/fair.c:8846)
[ 23.490438][ T3682] Code: d2 74 1a 4c 89 d6 4c 89 e7 e8 8d e9 ff ff 85 c0 74 0b 41 80 7a 51 00 74 31 0f 0b eb 2d be 01 00 00 00 4c 89 e7 e8 b5 fe ff ff <80> 78 51 00 49 89 c2 74 12 ba 01 02 00 00 48 89 c6 48 89 df e8 44
All code
========
0: d2 74 1a 4c shlb %cl,0x4c(%rdx,%rbx,1)
4: 89 d6 mov %edx,%esi
6: 4c 89 e7 mov %r12,%rdi
9: e8 8d e9 ff ff call 0xffffffffffffe99b
e: 85 c0 test %eax,%eax
10: 74 0b je 0x1d
12: 41 80 7a 51 00 cmpb $0x0,0x51(%r10)
17: 74 31 je 0x4a
19: 0f 0b ud2
1b: eb 2d jmp 0x4a
1d: be 01 00 00 00 mov $0x1,%esi
22: 4c 89 e7 mov %r12,%rdi
25: e8 b5 fe ff ff call 0xfffffffffffffedf
2a:* 80 78 51 00 cmpb $0x0,0x51(%rax) <-- trapping instruction
2e: 49 89 c2 mov %rax,%r10
31: 74 12 je 0x45
33: ba 01 02 00 00 mov $0x201,%edx
38: 48 89 c6 mov %rax,%rsi
3b: 48 89 df mov %rbx,%rdi
3e: e8 .byte 0xe8
3f: 44 rex.R
Code starting with the faulting instruction
===========================================
0: 80 78 51 00 cmpb $0x0,0x51(%rax)
4: 49 89 c2 mov %rax,%r10
7: 74 12 je 0x1b
9: ba 01 02 00 00 mov $0x201,%edx
e: 48 89 c6 mov %rax,%rsi
11: 48 89 df mov %rbx,%rdi
14: e8 .byte 0xe8
15: 44 rex.R
[ 23.491525][ T3682] RSP: 0000:ffff88812640fdf0 EFLAGS: 00010046
[ 23.491870][ T3682] RAX: 0000000000000000 RBX: ffffffff8306f580 RCX: 000000004d636517
[ 23.492330][ T3682] RDX: 000000004d636517 RSI: 000000005572ffec RDI: ffffffff8306f600
[ 23.492786][ T3682] RBP: ffff88812640fe00 R08: 000000000000000f R09: 0000000000000002
[ 23.493232][ T3682] R10: 0000000000000000 R11: ffff8881264140c0 R12: ffffffff8306f600
[ 23.493679][ T3682] R13: ffff888125cf0000 R14: ffff88812640fe58 R15: ffff888126414788
[ 23.494125][ T3682] FS: 0000000000000000(0000) GS:0000000000000000(0063) knlGS:0000000008e97880
[ 23.494627][ T3682] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 23.494999][ T3682] CR2: 0000000000000051 CR3: 000000012b09c000 CR4: 00000000000406b0
[ 23.495447][ T3682] Call Trace:
[ 23.495637][ T3682] <TASK>
[ 23.495807][ T3682] pick_next_task_fair (kernel/sched/fair.c:8869)
[ 23.496095][ T3682] __schedule (kernel/sched/core.c:5969 kernel/sched/core.c:6488 kernel/sched/core.c:6870)
[ 23.496349][ T3682] ? raw_spin_rq_unlock (kernel/sched/core.c:683)
[ 23.496640][ T3682] schedule (arch/x86/include/asm/bitops.h:202 (discriminator 1) arch/x86/include/asm/bitops.h:232 (discriminator 1) include/linux/thread_info.h:192 (discriminator 1) include/linux/thread_info.h:208 (discriminator 1) include/linux/sched.h:2217 (discriminator 1) kernel/sched/core.c:7013 (discriminator 1) kernel/sched/core.c:7026 (discriminator 1))
[ 23.496868][ T3682] do_sched_yield (kernel/sched/syscalls.c:1361)
[ 23.497127][ T3682] __do_sys_sched_yield (kernel/sched/syscalls.c:1375)
[ 23.497409][ T3682] ia32_sys_call (kbuild/obj/consumer/x86_64-randconfig-121-20251020/./arch/x86/include/generated/asm/syscalls_32.h:159)
[ 23.497681][ T3682] do_int80_emulation (arch/x86/entry/syscall_32.c:83 arch/x86/entry/syscall_32.c:172)
[ 23.497962][ T3682] asm_int80_emulation (arch/x86/include/asm/idtentry.h:569)
[ 23.498244][ T3682] RIP: 0023:0xf7f3c579
[ 23.498477][ T3682] Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 0f 1f 40 00 cd 80 <5d> 5a 59 c3 90 90 90 90 2e 8d b4 26 00 00 00 00 8d b4 26 00 00 00
All code
========
0: b8 01 10 06 03 mov $0x3061001,%eax
5: 74 b4 je 0xffffffffffffffbb
7: 01 10 add %edx,(%rax)
9: 07 (bad)
a: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi
e: 10 08 adc %cl,(%rax)
10: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi
...
20: 00 51 52 add %dl,0x52(%rcx)
23: 55 push %rbp
24: 0f 1f 40 00 nopl 0x0(%rax)
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5a pop %rdx
2c: 59 pop %rcx
2d: c3 ret
2e: 90 nop
2f: 90 nop
30: 90 nop
31: 90 nop
32: 2e 8d b4 26 00 00 00 cs lea 0x0(%rsi,%riz,1),%esi
39: 00
3a: 8d .byte 0x8d
3b: b4 26 mov $0x26,%ah
3d: 00 00 add %al,(%rax)
...
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5a pop %rdx
2: 59 pop %rcx
3: c3 ret
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 2e 8d b4 26 00 00 00 cs lea 0x0(%rsi,%riz,1),%esi
f: 00
10: 8d .byte 0x8d
11: b4 26 mov $0x26,%ah
13: 00 00 add %al,(%rax)
...
[ 23.499561][ T3682] RSP: 002b:00000000ffd6080c EFLAGS: 00000292 ORIG_RAX: 000000000000009e
[ 23.500032][ T3682] RAX: ffffffffffffffda RBX: 00000000edededed RCX: 00000000e16628f4
[ 23.500494][ T3682] RDX: 00000000000000e4 RSI: 00000000c25418ab RDI: 00000000810000d8
[ 23.500940][ T3682] RBP: 0000000000002424 R08: 0000000000000000 R09: 0000000000000000
[ 23.501386][ T3682] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 23.501832][ T3682] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 23.502281][ T3682] </TASK>
[ 23.502457][ T3682] Modules linked in:
[ 23.502681][ T3682] CR2: 0000000000000051
[ 23.502918][ T3682] ---[ end trace 0000000000000000 ]---
[ 23.503228][ T3682] RIP: 0010:pick_task_fair (kernel/sched/fair.c:5526 kernel/sched/fair.c:8846)
[ 23.503528][ T3682] Code: d2 74 1a 4c 89 d6 4c 89 e7 e8 8d e9 ff ff 85 c0 74 0b 41 80 7a 51 00 74 31 0f 0b eb 2d be 01 00 00 00 4c 89 e7 e8 b5 fe ff ff <80> 78 51 00 49 89 c2 74 12 ba 01 02 00 00 48 89 c6 48 89 df e8 44
All code
========
0: d2 74 1a 4c shlb %cl,0x4c(%rdx,%rbx,1)
4: 89 d6 mov %edx,%esi
6: 4c 89 e7 mov %r12,%rdi
9: e8 8d e9 ff ff call 0xffffffffffffe99b
e: 85 c0 test %eax,%eax
10: 74 0b je 0x1d
12: 41 80 7a 51 00 cmpb $0x0,0x51(%r10)
17: 74 31 je 0x4a
19: 0f 0b ud2
1b: eb 2d jmp 0x4a
1d: be 01 00 00 00 mov $0x1,%esi
22: 4c 89 e7 mov %r12,%rdi
25: e8 b5 fe ff ff call 0xfffffffffffffedf
2a:* 80 78 51 00 cmpb $0x0,0x51(%rax) <-- trapping instruction
2e: 49 89 c2 mov %rax,%r10
31: 74 12 je 0x45
33: ba 01 02 00 00 mov $0x201,%edx
38: 48 89 c6 mov %rax,%rsi
3b: 48 89 df mov %rbx,%rdi
3e: e8 .byte 0xe8
3f: 44 rex.R
Code starting with the faulting instruction
===========================================
0: 80 78 51 00 cmpb $0x0,0x51(%rax)
4: 49 89 c2 mov %rax,%r10
7: 74 12 je 0x1b
9: ba 01 02 00 00 mov $0x201,%edx
e: 48 89 c6 mov %rax,%rsi
11: 48 89 df mov %rbx,%rdi
14: e8 .byte 0xe8
15: 44 rex.R
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251021/202510211205.1e0f5223-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki