Message-ID: <CAE4VaGCuK5gNJm=_xLkngNbxbc1aii3q9JCdFruDiKKcHR_Nuw@mail.gmail.com>
Date: Tue, 9 Dec 2025 11:38:19 +0100
From: Jirka Hladky <jhladky@...hat.com>
To: linux-kernel <linux-kernel@...r.kernel.org>
Cc: Kamil Kolakowski <kkolakow@...hat.com>, "spetrovi@...hat.com" <spetrovi@...hat.com>, 
	Luke Yang <luyang@...hat.com>
Subject: Re: BUG: NULL pointer dereference in update_qos_requests() triggered
 by writing to /sys/devices/system/cpu/intel_pstate/min_perf_pct (6.18-rc1)

Hello,

The issue is persistent. We have now confirmed it on the 6.18 final kernel.

Thank you
Jirka


On Thu, Oct 16, 2025 at 7:10 PM Jirka Hladky <jhladky@...hat.com> wrote:
>
> The kernel panic appears when we boot the system with the nosmt kernel
> boot parameter:
>
> grubby --update-kernel DEFAULT --args="nosmt"
>
> On Thu, Oct 16, 2025 at 6:57 PM Jirka Hladky <jhladky@...hat.com> wrote:
> >
> > Hello,
> >
> > We are observing a kernel panic on various Intel servers (Skylake, Ice
> > Lake) running kernel 6.18.0-0.rc1. The crash is caused by a NULL
> > pointer dereference in update_qos_requests() when the tuned daemon
> > writes CPU QoS settings from the default tuned-performance profile.
> >
> > Triggering setting:
> > ======================================================
> > /usr/lib/tuned/tuned-performance/tuned.conf
> > [cpu]
> > min_perf_pct=100
> > governor=performance
> > energy_perf_bias=performance
> > energy_performance_preference=performance
> > ======================================================
> >
> > This tuned profile causes the kernel panic when tuned starts, likely via:
> >
> > echo 100 > /sys/devices/system/cpu/intel_pstate/min_perf_pct
> >
> > Example log:
> >
> > BUG: kernel NULL pointer dereference, address: 0x38
> > RIP: 0010:update_qos_requests+0x7c/0xf0
> > PID: 1794 Comm: tuned
> > Call Trace:
> > store_min_perf_pct+0xb7/0x120
> > kernfs_fop_write_iter+0x14d/0x200
> > vfs_write+0x25d/0x480
> > ksys_write+0x73/0xf0
> > do_syscall_64+0x7c/0x800
> >
> > Thank you!
> > Jirka
> >
> > [      OK    ] Started polkit.service  Authorization Manager.
> > [   14.936180] BUG: kernel NULL pointer dereference, address: 0000000000000038
> > [   14.943996] #PF: supervisor read access in kernel mode
> > [   14.949763] #PF: error_code(0x0000) - not-present page
> > [   14.955531] PGD 178c1a067 P4D 0
> > [   14.959154] Oops: Oops: 0000 [#1] SMP NOPTI
> > [   14.963841] CPU: 14 UID: 0 PID: 1991 Comm: tuned Tainted: G S
> >           ------  ---  6.18.0-0.rc1.16.eln152.x86_64 #1 PREEMPT(lazy)
> > [   14.977798] Tainted: [S]=CPU_OUT_OF_SPEC
> > [   14.982200] Hardware name: Abacus electric, s.r.o. -
> > servis@...cus.cz Super Server/X12SPW-F, BIOS 1.2 02/14/2022
> > [   14.993621] RIP: 0010:update_qos_requests+0x7c/0xf0
> > [   14.999101] Code: 48 63 d2 48 c7 c7 80 77 29 97 e8 1f 39 bc ff 3b
> > 05 39 c3 9c 01 48 89 c3 73 66 48 8b 15 7d b5 68 02 48 63 c3 89 df 4c
> > 8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff 49 89 c6 48 85 c0 74 bb 4c 8b
> > b8 40
> > [   15.020167] RSP: 0018:ff71393407197c50 EFLAGS: 00010293
> > [   15.026031] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
> > [   15.034040] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
> > [   15.042048] RBP: 0000000014dc9380 R08: ffffffff97297780 R09: 0000000000000087
> > [   15.050057] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > [   15.058065] R13: fffffffffffffff2 R14: ff29dd01cbeca800 R15: ff29dd01c2ff8580
> > [   15.066074] FS:  00007f472984f6c0(0000) GS:ff29dd40a6828000(0000)
> > knlGS:0000000000000000
> > [   15.075156] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   15.081603] CR2: 0000000000000038 CR3: 00000001124e0001 CR4: 0000000000773ef0
> > [   15.089612] PKRU: 55555554
> > [   15.092646] Call Trace:
> > [   15.095390]  <TASK>
> > [   15.097746]  store_min_perf_pct+0xb7/0x120
> > [   15.102345]  kernfs_fop_write_iter+0x14d/0x200
> > [   15.107334]  vfs_write+0x25d/0x480
> > [   15.111152]  ksys_write+0x73/0xf0
> > [   15.114871]  do_syscall_64+0x7c/0x800
> > [   15.118980]  ? __do_sys_newfstat+0x44/0x70
> > [   15.123570]  ? syscall_exit_work+0x143/0x1b0
> > [   15.128363]  ? clear_bhb_loop+0x30/0x80
> > [   15.132660]  ? clear_bhb_loop+0x30/0x80
> > [   15.136965]  ? clear_bhb_loop+0x30/0x80
> > [   15.141260]  ? clear_bhb_loop+0x30/0x80
> > [   15.145566]  entry_SYSCALL_64_after_hwframe+0x76/0x7e
> > [   15.151236] RIP: 0033:0x7f472b534e4f
> > [   15.155257] Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 59 74
> > f9 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00
> > 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 ac 74 f9
> > ff 48
> > [   15.176328] RSP: 002b:00007f472984e130 EFLAGS: 00000293 ORIG_RAX:
> > 0000000000000001
> > [   15.184824] RAX: ffffffffffffffda RBX: 00007f472984f638 RCX: 00007f472b534e4f
> > [   15.192832] RDX: 0000000000000003 RSI: 00007f472401b670 RDI: 000000000000000a
> > [   15.200840] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000002
> > [   15.208849] R10: 00007f47299116c0 R11: 0000000000000293 R12: 00007f472401b670
> > [   15.216857] R13: 000000000000000a R14: 000055f431e37b00 R15: 000055f431bbbba2
> > [   15.224866]  </TASK>
> > [   15.227318] Modules linked in: rfkill sunrpc vfat fat ext4 crc16
> > mbcache jbd2 intel_rapl_msr iTCO_wdt iTCO_vendor_support
> > intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common
> > i10nm_edac skx_edac_common nfit libnvdimm x86_pkg_temp_thermal
> > intel_powerclamp coretemp kvm_intel kvm dax_hmem cxl_acpi ipmi_ssif
> > rndis_host cxl_port irqbypass rapl intel_cstate cxl_core intel_th_gth
> > mei_me cdc_ether isst_if_mbox_pci isst_if_mmio igb i2c_i801 ioatdma
> > intel_th_pci ast intel_uncore usbnet einj isst_if_common pcspkr
> > i2c_smbus intel_pch_thermal mei acpi_power_meter intel_th intel_vsec
> > dca i2c_algo_bit mii ipmi_si acpi_ipmi ipmi_devintf ipmi_msghandler
> > joydev acpi_pad loop fuse dm_mod nfnetlink xfs ahci nvme libahci
> > nvme_core libata nvme_keyring ghash_clmulni_intel nvme_auth hkdf
> > [   15.305080] CR2: 0000000000000038
> > [   15.308798] ---[ end trace 0000000000000000 ]---
> > [   15.375282] RIP: 0010:update_qos_requests+0x7c/0xf0
> > [   15.380761] Code: 48 63 d2 48 c7 c7 80 77 29 97 e8 1f 39 bc ff 3b
> > 05 39 c3 9c 01 48 89 c3 73 66 48 8b 15 7d b5 68 02 48 63 c3 89 df 4c
> > 8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff 49 89 c6 48 85 c0 74 bb 4c 8b
> > b8 40
> > [   15.401834] RSP: 0018:ff71393407197c50 EFLAGS: 00010293
> > [   15.407698] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
> > [   15.415707] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
> > [   15.423714] RBP: 0000000014dc9380 R08: ffffffff97297780 R09: 0000000000000087
> > [   15.431722] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> > [   15.439731] R13: fffffffffffffff2 R14: ff29dd01cbeca800 R15: ff29dd01c2ff8580
> > [   15.447739] FS:  00007f472984f6c0(0000) GS:ff29dd40a6828000(0000)
> > knlGS:0000000000000000
> > [   15.456821] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > [   15.463268] CR2: 000000000000003
> >
> >
> >
> >
> >
> > --
> > -Jirka
>
>
>
> --
> -Jirka



-- 
-Jirka
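
For triage, the instruction marked `<41>` in the `Code:` line can be decoded to confirm which register held the NULL pointer and at what offset it was read. This is an added example, not part of the original thread: the function names are hypothetical, the sample is a shortened, unwrapped excerpt of the oops quoted above, and the decoder handles only the `mov r32, [base+disp8]` encoding seen in this report.

```python
import re

# Shortened excerpt of the oops quoted above, with mail line-wrapping undone.
SAMPLE = """\
[   14.936180] BUG: kernel NULL pointer dereference, address: 0000000000000038
[   14.993621] RIP: 0010:update_qos_requests+0x7c/0xf0
[   14.999101] Code: 48 63 c3 89 df 4c 8b 24 c2 <41> 8b 6c 24 38 e8 fa 2d ff ff
[   15.026031] RAX: 0000000000000024 RBX: 0000000000000024 RCX: 0000000000000024
[   15.034040] RDX: ff713934001bd000 RSI: 0000000000000000 RDI: 0000000000000024
[   15.050057] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[   15.081603] CR2: 0000000000000038 CR3: 00000001124e0001 CR4: 0000000000773ef0
"""

# x86-64 register numbering, using the names the oops printer emits.
REGS = (["RAX", "RCX", "RDX", "RBX", "RSP", "RBP", "RSI", "RDI"]
        + [f"R{n:02d}" for n in range(8, 16)])
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR2): ([0-9a-f]{16})")

def decode_faulting_load(code):
    """Decode `[REX] 8b /r` with disp8 addressing; return (base register, disp)."""
    rex, i = (code[0], 1) if code[0] & 0xF0 == 0x40 else (0, 0)
    if code[i] != 0x8B:
        raise ValueError("only MOV r, r/m (opcode 8b) is handled")
    mod, rm = code[i + 1] >> 6, code[i + 1] & 7
    if mod != 1:
        raise ValueError("only [base+disp8] addressing is handled")
    i += 2
    if rm == 4:                      # a SIB byte follows the ModRM byte
        sib = code[i]; i += 1
        if (sib >> 3) & 7 != 4 or rex & 2:
            raise ValueError("indexed addressing is not handled")
        rm = sib & 7
    base = rm | ((rex & 1) << 3)     # REX.B extends the base register number
    disp = int.from_bytes(code[i:i + 1], "little", signed=True)
    return REGS[base], disp

def triage(oops):
    """Return the faulting symbol, base register, its value and the offset read."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(oops)}
    code = re.search(r"Code: (.*)", oops).group(1)
    # The byte in <..> is the first byte of the instruction at RIP.
    insn = bytes.fromhex(code[code.index("<"):].replace("<", "").replace(">", ""))
    base, disp = decode_faulting_load(insn)
    return {"symbol": re.search(r"RIP: 0010:(\S+)", oops).group(1),
            "base": base, "base_value": regs[base], "offset": disp,
            "matches_cr2": regs[base] + disp == regs["CR2"]}
```

For this report, `triage(SAMPLE)` gives base register R12 with value 0 and offset 0x38, which accounts for the reported fault address.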

