Message-ID: <202511271605.bd46ddc3-lkp@intel.com>
Date: Thu, 27 Nov 2025 16:35:37 +0800
From: kernel test robot <oliver.sang@...el.com>
To: Tim Chen <tim.c.chen@...ux.intel.com>
CC: <oe-lkp@...ts.linux.dev>, <lkp@...el.com>, <linux-kernel@...r.kernel.org>,
	<x86@...nel.org>, Ingo Molnar <mingo@...nel.org>, Peter Zijlstra
	<peterz@...radead.org>, Chen Yu <yu.c.chen@...el.com>, Vincent Guittot
	<vincent.guittot@...aro.org>, Shrikanth Hegde <sshegde@...ux.ibm.com>, "K
 Prateek Nayak" <kprateek.nayak@....com>, Srikar Dronamraju
	<srikar@...ux.ibm.com>, Mohini Narkhede <mohini.narkhede@...el.com>,
	<aubrey.li@...ux.intel.com>, <oliver.sang@...el.com>
Subject: [tip:tmp.tmp] [sched/fair] eb2db043ab: BUG:kernel_NULL_pointer_dereference,address



Hello,

kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:

commit: eb2db043ab3a28ae76800f2a57e144420800d56d ("sched/fair: Skip sched_balance_running cmpxchg when balance is not due")
https://git.kernel.org/cgit/linux/kernel/git/tip/tip.git tmp.tmp

in testcase: fio-basic
version: fio-x86_64-7c8dbca4-1_20251123
with the following parameters:

	runtime: 300s
	disk: 1SSD
	fs: btrfs
	nr_task: 100%
	test_size: 128G
	rw: randwrite
	bs: 4M
	ioengine: falloc
	cpufreq_governor: performance



config: x86_64-rhel-9.4
compiler: gcc-14
test machine: 192 threads 4 sockets Intel(R) Xeon(R) Platinum 9242 CPU @ 2.30GHz (Cascade Lake) with 176G memory

(please refer to attached dmesg/kmsg for entire log/backtrace)



If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@...el.com>
| Closes: https://lore.kernel.org/oe-lkp/202511271605.bd46ddc3-lkp@intel.com


[    5.764008][    C0] BUG: kernel NULL pointer dereference, address: 0000000000000000
[    5.764501][    T1] futex hash table entries: 16384 (1048576 bytes on 4 NUMA nodes, total 4096 KiB, linear).
[    5.764999][    C0] #PF: supervisor read access in kernel mode
[    5.764999][    C0] #PF: error_code(0x0000) - not-present page
[    5.764999][    T1] pinctrl core: initialized pinctrl subsystem
[    5.764999][    C0] PGD 0 P4D 0
[    5.764999][    C0] Oops: Oops: 0000 [#1] SMP NOPTI
[    5.764999][    C0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: G S                  6.18.0-rc6-00035-geb2db043ab3a #1 VOLUNTARY
[    5.764999][    C0] Tainted: [S]=CPU_OUT_OF_SPEC
[    5.764999][    C0] Hardware name: Intel Corporation ............/S9200WKBRD2, BIOS SE5C620.86B.0D.01.0552.060220191912 06/02/2019
[    5.764999][    C0] RIP: 0010:sched_balance_rq (arch/x86/include/asm/atomic.h:107 (discriminator 4) include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) kernel/sched/fair.c:11733 (discriminator 4))
[    5.764999][    C0] Code: b8 00 00 00 65 48 2b 15 c2 47 a7 02 0f 85 30 03 00 00 48 81 c4 c0 00 00 00 89 f0 5b 5d 41 5c 41 5d 41 5e 41 5f e9 bc fb f5 00 <8b> 04 25 00 00 00 00 ba 01 00 00 00 f0 0f b1 15 58 d6 af 02 0f 94
All code
========
   0:	b8 00 00 00 65       	mov    $0x65000000,%eax
   5:	48 2b 15 c2 47 a7 02 	sub    0x2a747c2(%rip),%rdx        # 0x2a747ce
   c:	0f 85 30 03 00 00    	jne    0x342
  12:	48 81 c4 c0 00 00 00 	add    $0xc0,%rsp
  19:	89 f0                	mov    %esi,%eax
  1b:	5b                   	pop    %rbx
  1c:	5d                   	pop    %rbp
  1d:	41 5c                	pop    %r12
  1f:	41 5d                	pop    %r13
  21:	41 5e                	pop    %r14
  23:	41 5f                	pop    %r15
  25:	e9 bc fb f5 00       	jmp    0xf5fbe6
  2a:*	8b 04 25 00 00 00 00 	mov    0x0,%eax		<-- trapping instruction
  31:	ba 01 00 00 00       	mov    $0x1,%edx
  36:	f0 0f b1 15 58 d6 af 	lock cmpxchg %edx,0x2afd658(%rip)        # 0x2afd696
  3d:	02 
  3e:	0f                   	.byte 0xf
  3f:	94                   	xchg   %eax,%esp

Code starting with the faulting instruction
===========================================
   0:	8b 04 25 00 00 00 00 	mov    0x0,%eax
   7:	ba 01 00 00 00       	mov    $0x1,%edx
   c:	f0 0f b1 15 58 d6 af 	lock cmpxchg %edx,0x2afd658(%rip)        # 0x2afd66c
  13:	02 
  14:	0f                   	.byte 0xf
  15:	94                   	xchg   %eax,%esp
[    5.764999][    C0] RSP: 0000:ffffc90000003e30 EFLAGS: 00010202
[    5.764999][    C0] RAX: 0000000000000001 RBX: ffff8881002c2ba0 RCX: 0000000000000000
[    5.764999][    C0] RDX: ffff8881002dbc01 RSI: 00000000000000c0 RDI: 00000000000000c0
[    5.764999][    C0] RBP: 0000000000000000 R08: ffff8881002dbcc0 R09: ffff8881002c2020
[    5.764999][    C0] R10: 00ffffff00000000 R11: 0000000000000000 R12: 0000000000000000
[    5.764999][    C0] R13: ffffc90000003ed8 R14: ffffc90000003e80 R15: ffffc90000003f4c
[    5.764999][    C0] FS:  0000000000000000(0000) GS:ffff888ccb7f2000(0000) knlGS:0000000000000000
[    5.764999][    C0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    5.764999][    C0] CR2: 0000000000000000 CR3: 0000002c7de24001 CR4: 00000000007706f0
[    5.764999][    C0] PKRU: 55555554
[    5.764999][    C0] Call Trace:
[    5.764999][    C0]  <IRQ>
[    5.764999][    C0]  ? rcu_do_batch (kernel/rcu/tree.c:2612 (discriminator 1))
[    5.764999][    C0]  sched_balance_domains (kernel/sched/fair.c:12186 (discriminator 1))
[    5.764999][    C0]  ? sched_balance_update_blocked_averages (arch/x86/include/asm/irqflags.h:158 (discriminator 1) kernel/sched/sched.h:1577 (discriminator 1) kernel/sched/sched.h:1884 (discriminator 1) kernel/sched/fair.c:9857 (discriminator 1))
[    5.764999][    C0]  handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623)
[    5.764999][    C0]  __irq_exit_rcu (kernel/softirq.c:657 kernel/softirq.c:496 kernel/softirq.c:723)
[    5.764999][    C0]  sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052 (discriminator 35) arch/x86/kernel/apic/apic.c:1052 (discriminator 35))
[    5.764999][    C0]  </IRQ>
[    5.764999][    C0]  <TASK>
[    5.764999][    C0]  asm_sysvec_apic_timer_interrupt (arch/x86/include/asm/idtentry.h:697)
[    5.764999][    C0] RIP: 0010:mwait_idle (arch/x86/include/asm/irqflags.h:37 arch/x86/include/asm/irqflags.h:114 arch/x86/kernel/process.c:930)
[    5.764999][    C0] Code: 2d c0 8e 10 00 f0 80 0e 40 48 8b 06 a8 10 75 1b 48 89 f0 0f 1f 00 31 c9 89 ca 0f 01 c8 48 8b 06 a8 10 75 07 89 c8 fb 0f 01 c9 <fa> f0 80 26 bf e9 c5 e1 00 00 0f 1f 44 00 00 66 66 2e 0f 1f 84 00
All code
========
   0:	2d c0 8e 10 00       	sub    $0x108ec0,%eax
   5:	f0 80 0e 40          	lock orb $0x40,(%rsi)
   9:	48 8b 06             	mov    (%rsi),%rax
   c:	a8 10                	test   $0x10,%al
   e:	75 1b                	jne    0x2b
  10:	48 89 f0             	mov    %rsi,%rax
  13:	0f 1f 00             	nopl   (%rax)
  16:	31 c9                	xor    %ecx,%ecx
  18:	89 ca                	mov    %ecx,%edx
  1a:	0f 01 c8             	monitor %rax,%ecx,%edx
  1d:	48 8b 06             	mov    (%rsi),%rax
  20:	a8 10                	test   $0x10,%al
  22:	75 07                	jne    0x2b
  24:	89 c8                	mov    %ecx,%eax
  26:	fb                   	sti
  27:	0f 01 c9             	mwait  %eax,%ecx
  2a:*	fa                   	cli		<-- trapping instruction
  2b:	f0 80 26 bf          	lock andb $0xbf,(%rsi)
  2f:	e9 c5 e1 00 00       	jmp    0xe1f9
  34:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  39:	66                   	data16
  3a:	66                   	data16
  3b:	2e                   	cs
  3c:	0f                   	.byte 0xf
  3d:	1f                   	(bad)
  3e:	84 00                	test   %al,(%rax)

Code starting with the faulting instruction
===========================================
   0:	fa                   	cli
   1:	f0 80 26 bf          	lock andb $0xbf,(%rsi)
   5:	e9 c5 e1 00 00       	jmp    0xe1cf
   a:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
   f:	66                   	data16
  10:	66                   	data16
  11:	2e                   	cs
  12:	0f                   	.byte 0xf
  13:	1f                   	(bad)
  14:	84 00                	test   %al,(%rax)
[    5.764999][    C0] RSP: 0000:ffffffff82e03e90 EFLAGS: 00000246
[    5.764999][    C0] RAX: 0000000000000000 RBX: ffffffff82e12940 RCX: 0000000000000000
[    5.764999][    C0] RDX: 0000000000000000 RSI: ffffffff82e12940 RDI: 0000000001655ddc
[    5.764999][    C0] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888105016728
[    5.764999][    C0] R10: 000000000000001d R11: 0000000000000011 R12: 0000000000000000
[    5.764999][    C0] R13: 0000000000000000 R14: 0000000000000000 R15: 0000002c7fff1000
[    5.764999][    C0]  default_idle_call (include/linux/cpuidle.h:144 kernel/sched/idle.c:123)
[    5.764999][    C0]  cpuidle_idle_call (kernel/sched/idle.c:191)
[    5.764999][    C0]  do_idle (kernel/sched/idle.c:332)
[    5.764999][    C0]  cpu_startup_entry (kernel/sched/idle.c:427)
[    5.764999][    C0]  rest_init (init/main.c:757)
[    5.764999][    C0]  start_kernel (init/main.c:1111)
[    5.764999][    C0]  x86_64_start_reservations (arch/x86/kernel/head64.c:310)
[    5.764999][    C0]  x86_64_start_kernel (??:?)
[    5.764999][    C0]  common_startup_64 (arch/x86/kernel/head_64.S:419)
[    5.764999][    C0]  </TASK>
[    5.764999][    C0] Modules linked in:
[    5.764999][    C0] CR2: 0000000000000000
[    5.764999][    C0] ---[ end trace 0000000000000000 ]---


The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20251127/202511271605.bd46ddc3-lkp@intel.com



-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

