Message-ID: <ef9223ee-0a4e-468c-bfd0-0cf190d262f1@molgen.mpg.de>
Date: Mon, 1 Dec 2025 17:05:59 +0100
From: Paul Menzel <pmenzel@...gen.mpg.de>
To: Sudip Mukherjee <sudipm.mukherjee@...il.com>
Cc: Sudip Mukherjee <sudip.mukherjee@...ethink.co.uk>,
 linux-kernel@...r.kernel.org, Andrew Morton <akpm@...ux-foundation.org>,
 linux-mm@...ck.org
Subject: Re: BUG: kernel NULL pointer dereference, address: 0000000000000000

Dear Sudip,


Thank you very much for looking into this.


On 01.12.25 at 14:25, Sudip Mukherjee wrote:
> On Thu, 27 Nov 2025 at 22:55, Paul Menzel <pmenzel@...gen.mpg.de> wrote:

>> On 27.11.25 at 19:51, Paul Menzel wrote:
>>
>>> Unfortunately, not reproducible, but starting with Linux 6.18-rc7, I got
>>> the oops below *once*:
>>>
>>> ```
> 
> <snip>
> 
>> Building and booting Linux 6.18.0-rc7-00041-g765e56e41a5a, I got another
>> oops.
>>
>>       [   15.234799] ppdev lp.0: really_probe: driver_sysfs_add failed
>>       [   15.234852] ------------[ cut here ]------------
>>       [   15.234854] refcount_t: addition on 0; use-after-free.
>>       [   15.234864] WARNING: CPU: 0 PID: 353 at lib/refcount.c:25 refcount_warn_saturate+0xcd/0xf0
>>
>> Please find the output of `dmesg` attached.
>>
>> (It might be related to booting with a USB-C mini-dock connected, but I
>> do not know yet.)

At least today, I am also only able to reproduce this with *no* power 
cable plugged in, and the USB-C mini-dock connected.

> In both cases, it seems the underlying hardware was removed or the
> module was unloaded while it was still registering.
> 
> In the first case, 'parport_default_proc_unregister' has been called
> while parport driver is still checking for all the connected devices
> and was executing 'lp_attach'.
> 'parport_default_proc_unregister' will only be called when the parport
> module is exiting.
> 
> Same in the second case,  'lp_attach' was still executing and
> 'ppdev_cleanup' was called.

Please find the output of `dmesg` attached with the Oops for Linux 6.18.

```
[   14.696290] ppdev: user-space parallel port driver
[   14.696974] lp lp.0: really_probe: driver_sysfs_add failed
[   14.697015] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[   14.697189] BUG: unable to handle page fault for address: ffff991d07830708
[   14.697223] #PF: supervisor instruction fetch in kernel mode
[   14.697249] #PF: error_code(0x0011) - permissions violation
[   14.697277] PGD 388401067 P4D 388401067 PUD 101338063 PMD 10785c063 PTE 8000000107830163
[   14.697313] Oops: Oops: 0011 [#1] SMP
[   14.697334] CPU: 2 UID: 0 PID: 357 Comm: systemd-modules Not tainted 6.18.0 #165 PREEMPT(voluntary)
[   14.697386] Hardware name: Dell Inc. XPS 13 9360/0596KF, BIOS 2.21.0 06/02/2022
[   14.697423] RIP: 0010:0xffff991d07830708
[   14.697445] Code: ff ff 20 a1 10 01 1d 99 ff ff 80 3a 50 93 ff ff ff ff 40 54 3c 06 1d 99 ff ff 01 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 <08> 07 83 07 1d 99 ff ff 08 07 83 07 1d 99 ff ff 00 00 00 00 00 00
[   14.697530] RSP: 0000:ffffa8c040a27a30 EFLAGS: 00010286
[   14.697561] RAX: ffff991d078306c0 RBX: ffff991d0722a000 RCX: 0000000000000007
[   14.697593] RDX: ffffffffc078d5c0 RSI: ffff991d01fa7ce0 RDI: ffff991d03cc0000
[   14.697618] RBP: ffffa8c040a27a80 R08: 00000000fffffff3 R09: 00000000fff7ffff
[   14.697639] R10: ffffffff9482b180 R11: ffffa8c040a27620 R12: ffff991d0722a040
[   14.697659] R13: ffff991d03cc0050 R14: ffff991d03cc0000 R15: ffff991d00dfe8e8
[   14.697679] FS:  00007f09cb7fd6c0(0000) GS:ffff9920d8587000(0000) knlGS:0000000000000000
[   14.697711] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   14.697728] CR2: ffff991d07830708 CR3: 0000000102019003 CR4: 00000000003706f0
[   14.697749] Call Trace:
[   14.697759]  <TASK>
[   14.697768]  ? parport_register_dev_model+0x273/0x3c0 [parport]
[   14.697792]  ? lp_register+0x6f/0x100 [lp]
[   14.697806]  ? msr_init+0x1000/0x1000 [msr]
[   14.697822]  ? parport_irq_handler+0x50/0x50 [parport]
[   14.697841]  ? lp_attach+0x99/0xc0 [lp]
[   14.697854]  ? port_check+0x1d/0x20 [parport]
[   14.697879]  ? bus_for_each_dev+0x82/0xd0
[   14.697894]  ? ppdev_cleanup+0xb40/0xb40 [ppdev]
[   14.697910]  ? __parport_register_driver+0x7e/0xb0 [parport]
[   14.697930]  ? lp_init_module+0x1e2/0x1000 [lp]
[   14.697945]  ? do_one_initcall+0x58/0x2f0
[   14.697960]  ? do_init_module+0x67/0x2a0
[   14.697974]  ? init_module_from_file+0x85/0xc0
[   14.697989]  ? __x64_sys_finit_module+0x163/0x3d0
[   14.698005]  ? do_syscall_64+0x82/0x9b0
[   14.698020]  ? vfs_read+0x15e/0x380
[   14.698035]  ? vfs_read+0x15e/0x380
[   14.698056]  ? __rseq_handle_notify_resume+0xa6/0x480
[   14.698080]  ? restore_fpregs_from_fpstate+0x46/0xa0
[   14.698098]  ? switch_fpu_return+0x5b/0xd0
[   14.698113]  ? do_syscall_64+0x21d/0x9b0
[   14.698134]  ? restore_fpregs_from_fpstate+0x46/0xa0
[   14.698158]  ? switch_fpu_return+0x5b/0xd0
[   14.698179]  ? do_syscall_64+0x21d/0x9b0
[   14.698203]  ? do_user_addr_fault+0x216/0x690
[   14.698230]  ? exc_page_fault+0x7e/0x1a0
[   14.698254]  ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
[   14.698286]  </TASK>
```

> Are you seeing the crash only from v6.18-rc7 onwards? Was v6.18-rc6 or
> v6.17 ok for you?

Going through some Linux kernels, I hit the same issue with 
6.18.0-rc3-00256-gba36dd5ee6fd, but with that the graphics environment 
did not load, and I only have the journal entry.

```
Dez 01 14:33:41 abreu kernel: kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
Dez 01 14:33:41 abreu kernel: BUG: unable to handle page fault for address: ffff97fec6b9c588
Dez 01 14:33:41 abreu kernel: #PF: supervisor instruction fetch in kernel mode
Dez 01 14:33:41 abreu kernel: #PF: error_code(0x0011) - permissions violation
Dez 01 14:33:41 abreu kernel: PGD 3fda01067 P4D 3fda01067 PUD 101338063 PMD 106b74063 PTE 8000000106b9c163
Dez 01 14:33:41 abreu kernel: Oops: Oops: 0011 [#1] SMP
Dez 01 14:33:41 abreu kernel: CPU: 2 UID: 0 PID: 432 Comm: systemd-modules Not tainted 6.18.0-rc3-00256-gba36dd5ee6fd #154 PREEMPT(voluntary)
Dez 01 14:33:41 abreu kernel: Hardware name: Dell Inc. XPS 13 9360/0596KF, BIOS 2.21.0 06/02/2022
Dez 01 14:33:41 abreu kernel: RIP: 0010:0xffff97fec6b9c588
Dez 01 14:33:41 abreu kernel: Code: ff ff 20 ed 23 c7 fe 97 ff ff a0 3a f0 9a ff ff ff ff f8 37 58 c3 fe 97 ff ff 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 <88> c5 b9 c6 fe 97 ff ff 88 c5 b9 c6 fe 97 ff ff 00 00 00 00 00 00
Dez 01 14:33:41 abreu kernel: RSP: 0000:ffffaaba0095bb00 EFLAGS: 00010286
Dez 01 14:33:41 abreu kernel: RAX: ffff97fec6b9c540 RBX: ffff97fec48c7800 RCX: 0000000000000007
Dez 01 14:33:41 abreu kernel: RDX: ffffffffc077b5c0 RSI: ffff97fec71a58b0 RDI: ffff97fed8514800
Dez 01 14:33:41 abreu kernel: RBP: ffffaaba0095bb50 R08: ffff97fec77ec243 R09: ffff98022cd3f4c0
Dez 01 14:33:41 abreu kernel: R10: 0000000000000001 R11: 0000000006f6b9e9 R12: ffff97fec48c7840
Dez 01 14:33:41 abreu kernel: R13: ffff97fed8514850 R14: ffff97fed8514800 R15: ffff97fec7349b08
Dez 01 14:33:41 abreu kernel: FS:  00007f4b0c2fcc80(0000) GS:ffff980290b87000(0000) knlGS:0000000000000000
Dez 01 14:33:41 abreu kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Dez 01 14:33:41 abreu kernel: CR2: ffff97fec6b9c588 CR3: 0000000106a5f004 CR4: 00000000003706f0
Dez 01 14:33:41 abreu kernel: Call Trace:
Dez 01 14:33:41 abreu kernel:  <TASK>
Dez 01 14:33:41 abreu kernel:  ? parport_register_dev_model+0x273/0x3c0 [parport]
Dez 01 14:33:41 abreu kernel:  ? lp_register+0x6f/0x100 [lp]
Dez 01 14:33:41 abreu kernel:  ? parport_pc_init+0xf20/0xf20 [parport_pc]
Dez 01 14:33:41 abreu kernel:  ? parport_irq_handler+0x50/0x50 [parport]
Dez 01 14:33:41 abreu kernel:  ? lp_attach+0x99/0xc0 [lp]
Dez 01 14:33:41 abreu kernel:  ? port_check+0x1d/0x20 [parport]
Dez 01 14:33:41 abreu kernel:  ? bus_for_each_dev+0x82/0xd0
Dez 01 14:33:41 abreu kernel:  ? lp_open.cold+0xaf5/0xaf5 [lp]
Dez 01 14:33:41 abreu kernel:  ? __parport_register_driver+0x7e/0xb0 [parport]
Dez 01 14:33:41 abreu kernel:  ? lp_init_module+0x1e2/0x1000 [lp]
Dez 01 14:33:41 abreu kernel:  ? do_one_initcall+0x58/0x2f0
Dez 01 14:33:41 abreu kernel:  ? do_init_module+0x67/0x2a0
Dez 01 14:33:41 abreu kernel:  ? init_module_from_file+0x85/0xc0
Dez 01 14:33:41 abreu kernel:  ? __x64_sys_finit_module+0x163/0x3d0
Dez 01 14:33:41 abreu kernel:  ? do_syscall_64+0x82/0x9b0
Dez 01 14:33:41 abreu kernel:  ? do_syscall_64+0xbb/0x9b0
Dez 01 14:33:41 abreu kernel:  ? do_sys_openat2+0xa2/0xe0
Dez 01 14:33:41 abreu kernel:  ? __x64_sys_openat+0x61/0xa0
Dez 01 14:33:41 abreu kernel:  ? do_syscall_64+0xbb/0x9b0
Dez 01 14:33:41 abreu kernel:  ? do_syscall_64+0xbb/0x9b0
Dez 01 14:33:41 abreu kernel:  ? exc_page_fault+0x7e/0x1a0
Dez 01 14:33:41 abreu kernel:  ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
Dez 01 14:33:41 abreu kernel:  </TASK>
Dez 01 14:33:41 abreu kernel: Modules linked in: ppdev(+) lp(+) parport_pc msr(+) parport drm efi_pstore configfs nfnetlink efivarfs autofs4 ext4 crc16 mbcache jbd2 dm_crypt dm_mod dell_wmi dell_smbios dell_wmi_descriptor dcdbas evdev nvme serio_raw pcspkr nvme_core video intel_hid sparse_keymap wmi aesni_intel
Dez 01 14:33:41 abreu kernel: CR2: ffff97fec6b9c588
Dez 01 14:33:41 abreu kernel: ---[ end trace 0000000000000000 ]---
```

I was forced to hard reset the machine by pressing the power button for 
more than ten seconds.


Kind regards,

Paul
View attachment "20251201--dell-xps-13-9360--linux-6.18--messages.txt" of type "text/plain" (87953 bytes)

View attachment "20251201--dell-xps-13-9360--linux-6.18.0-rc3-00256-gba36dd5ee6fd--journal-messages.txt" of type "text/plain" (78712 bytes)
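
Added example, not part of the original message or of the kernel source: a small C triage helper that decodes the fields both oopses above share, namely `error_code(0x0011)`, the PTE value, and the `Code:` bytes at RIP. The function names are hypothetical, and reading the bytes at RIP as an empty list head is an interpretation, not something stated in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* x86 page-fault error code bits and the x86-64 PTE bits used below. */
enum { PF_PROT = 1 << 0, PF_USER = 1 << 2, PF_INSTR = 1 << 4 };
#define PTE_PRESENT (1ULL << 0)
#define PTE_NX      (1ULL << 63)

/* Kernel-mode instruction fetch from a present page whose PTE has NX set:
 * the "tried to execute NX-protected page" case. */
int is_kernel_nx_exec(unsigned err, uint64_t pte)
{
    return (err & PF_PROT) && (err & PF_INSTR) && !(err & PF_USER) &&
           (pte & PTE_PRESENT) && (pte & PTE_NX);
}

/* Little-endian 64-bit word number `index` of the "Code:" dump, counted from
 * the byte marked <..> (the byte at RIP). Returns 0 if it cannot be read. */
uint64_t word_at_rip(const char *code, int index)
{
    const char *p = strchr(code, '<');
    uint64_t v = 0;
    for (int i = 0; p && i < 8 * (index + 1); i++) {
        char *end;
        while (*p == ' ' || *p == '<' || *p == '>') p++;
        unsigned long b = strtoul(p, &end, 16);
        if (end == p) return 0;              /* dump ended early */
        if (i >= 8 * index) v |= (uint64_t)b << (8 * (i - 8 * index));
        p = end;
    }
    return v;
}

/* Interpretation (assumption): two pointers at RIP that both equal RIP look
 * like an empty list head (next == prev == itself), i.e. data, not code. */
int rip_is_self_linked(const char *code, uint64_t rip)
{
    return word_at_rip(code, 0) == rip && word_at_rip(code, 1) == rip;
}

int main(void)
{
    /* Values copied from the 6.18 oops in this message. */
    const char *code = "00 <08> 07 83 07 1d 99 ff ff 08 07 83 07 1d 99 ff ff 00";
    printf("nx-exec=%d self-linked=%d\n",
           is_kernel_nx_exec(0x0011, 0x8000000107830163ULL),
           rip_is_self_linked(code, 0xffff991d07830708ULL));
    return 0;
}
```

In both traces RIP equals CR2 and lies 0x48 bytes past the address in RAX, so the faulting fetch targets a field inside a data object rather than module text.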
