Re: [bug report] BUG: kernel NULL pointer dereference, address: 0000000000000001

On Mon, Jun 23, 2025 at 12:02 PM Ming Lei <ming.lei@xxxxxxxxxx> wrote:
>
> Hi Changhui,
>
> On Mon, Jun 23, 2025 at 10:58:24AM +0800, Changhui Zhong wrote:
> > Hello,
> >
> > the following kernel panic was triggered by ubdsrv generic/002,
> > please help check and let me know if you need any info/test, thanks.
> >
> > commit HEAD:
> >
> > commit 2589cd05008205ee29f5f66f24a684732ee2e3a3
> > Merge: 98d0347fe8fb e1c75831f682
> > Author: Jens Axboe <axboe@xxxxxxxxx>
> > Date:   Wed Jun 18 05:11:50 2025 -0600
> >
> >     Merge branch 'io_uring-6.16' into for-next
> >
> >     * io_uring-6.16:
> >       io_uring: fix potential page leak in io_sqe_buffer_register()
> >       io_uring/sqpoll: don't put task_struct on tctx setup failure
> >       io_uring: remove duplicate io_uring_alloc_task_context() definition
>
> The above branch has been merged to v6.16-rc3, can you reproduce it with -rc3?
>
> I tried to duplicate it in my test VM, but did not succeed with -rc3.
>
> ...
>
> > [ 7044.064528] BUG: kernel NULL pointer dereference, address: 0000000000000001
> > [ 7044.071507] #PF: supervisor read access in kernel mode
> > [ 7044.076653] #PF: error_code(0x0000) - not-present page
> > [ 7044.081801] PGD 462c42067 P4D 462c42067 PUD 462c43067 PMD 0
> > [ 7044.087488] Oops: Oops: 0000 [#1] SMP NOPTI
> > [ 7044.091685] CPU: 13 UID: 0 PID: 367 Comm: kworker/13:1H Not tainted
> > 6.16.0-rc2+ #1 PREEMPT(voluntary)
> > [ 7044.100991] Hardware name: Dell Inc. PowerEdge R640/0X45NX, BIOS
> > 2.22.2 09/12/2024
> > [ 7044.108565] Workqueue: kblockd blk_mq_requeue_work
> > [ 7044.113374] RIP: 0010:__io_req_task_work_add+0x18/0x1f0
>
> Can you share where the above line points to source line if it can be
> reproduced in -rc3?
>
> gdb> l *(__io_req_task_work_add+0x18)
>
>
> Thanks,
> Ming
>

Now successfully reproduced on v6.16-rc3; more loop tests are needed
to trigger this issue:

[ 8898.102836] BUG: kernel NULL pointer dereference, address: 0000000000000001
[ 8898.109848] #PF: supervisor read access in kernel mode
[ 8898.115011] #PF: error_code(0x0000) - not-present page
[ 8898.120161] PGD 80000001bcd7b067 P4D 80000001bcd7b067 PUD 1ee49f067 PMD 0
[ 8898.127043] Oops: Oops: 0000 [#1] SMP PTI
[ 8898.131065] CPU: 2 UID: 0 PID: 47056 Comm: kworker/2:2H Not tainted
6.16.0-rc3 #1 PREEMPT(voluntary)
[ 8898.140283] Hardware name: Dell Inc. PowerEdge R340/045M96, BIOS
2.17.3 09/12/2024
[ 8898.147860] Workqueue: kblockd blk_mq_requeue_work
[ 8898.152658] RIP: 0010:__io_req_task_work_add+0x18/0x1f0
[ 8898.157895] Code: 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 66 0f 1f 00 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 8b 6f 60
48 89 fb <f6> 45 01 20 0f 84 8e 00 00 00 31 c0 f6 47 48 0c 0f 94 c0 21
c6 41
[ 8898.176650] RSP: 0018:ffffd28e08d03c50 EFLAGS: 00010206
[ 8898.181882] RAX: ffffffffc0dc73d0 RBX: ffff8d64218c35c0 RCX: ffff8d676ee1e828
[ 8898.189025] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8d64218c35c0
[ 8898.196165] RBP: 0000000000000000 R08: 0000000000010000 R09: ffff8d6402d42600
[ 8898.203308] R10: ffff8d6400c1d8c0 R11: fefefefefefefeff R12: ffff8d64218c35c0
[ 8898.210448] R13: ffffd28e08d03cc8 R14: 0000000000000000 R15: ffff8d6420901310
[ 8898.217592] FS:  0000000000000000(0000) GS:ffff8d67cd7c5000(0000)
knlGS:0000000000000000
[ 8898.225685] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8898.231441] CR2: 0000000000000001 CR3: 00000001951b8003 CR4: 00000000003726f0
[ 8898.238581] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8898.245720] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 8898.252876] Call Trace:
[ 8898.255335]  <TASK>
[ 8898.257450]  ublk_queue_rq+0x50/0x90 [ublk_drv]
[ 8898.261989]  blk_mq_dispatch_rq_list+0x13c/0x510
[ 8898.266620]  __blk_mq_sched_dispatch_requests+0x118/0x1a0
[ 8898.272027]  ? xa_find_after+0xfc/0x190
[ 8898.275876]  blk_mq_sched_dispatch_requests+0x2d/0x70
[ 8898.280937]  blk_mq_run_hw_queue+0x26a/0x2e0
[ 8898.285216]  blk_mq_run_hw_queues+0x7f/0x140
[ 8898.289498]  blk_mq_requeue_work+0x19f/0x1e0
[ 8898.293782]  process_one_work+0x188/0x340
[ 8898.297820]  worker_thread+0x257/0x3a0
[ 8898.301578]  ? __pfx_worker_thread+0x10/0x10
[ 8898.305871]  kthread+0xf9/0x240
[ 8898.309022]  ? __pfx_kthread+0x10/0x10
[ 8898.312785]  ? __pfx_kthread+0x10/0x10
[ 8898.316549]  ret_from_fork+0xed/0x110
[ 8898.320220]  ? __pfx_kthread+0x10/0x10
[ 8898.323981]  ret_from_fork_asm+0x1a/0x30
[ 8898.327919]  </TASK>
[ 8898.330118] Modules linked in: ublk_drv rpcsec_gss_krb5 auth_rpcgss
nfsv4 dns_resolver nfs lockd grace nfs_localio netfs sunrpc ipmi_ssif
intel_rapl_msr intel_rapl_common intel_uncore_frequency
intel_uncore_frequency_common intel_pmc_core_pltdrv intel_pmc_core
pmt_telemetry pmt_class intel_pmc_ssram_telemetry intel_vsec
intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp
kvm_intel kvm platform_profile dell_wmi dell_smbios iTCO_wdt irqbypass
dell_wmi_descriptor iTCO_vendor_support rapl sparse_keymap rfkill
intel_cstate mgag200 tg3 mei_me dcdbas intel_uncore i2c_algo_bit
pcspkr mei i2c_i801 idma64 i2c_smbus ie31200_edac acpi_power_meter
intel_pch_thermal ipmi_si acpi_ipmi ipmi_devintf ipmi_msghandler sg
fuse loop dm_multipath nfnetlink xfs sd_mod ahci libahci megaraid_sas
libata ghash_clmulni_intel video pinctrl_cannonlake wmi dm_mirror
dm_region_hash dm_log dm_mod [last unloaded: ublk_drv]
[ 8898.409843] CR2: 0000000000000001
[ 8898.413172] ---[ end trace 0000000000000000 ]---
[ 8898.510831] pstore: backend (erst) writing error (-19)
[ 8898.515985] RIP: 0010:__io_req_task_work_add+0x18/0x1f0
[ 8898.521221] Code: 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 66 0f 1f 00 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 8b 6f 60
48 89 fb <f6> 45 01 20 0f 84 8e 00 00 00 31 c0 f6 47 48 0c 0f 94 c0 21
c6 41
[ 8898.539975] RSP: 0018:ffffd28e08d03c50 EFLAGS: 00010206
[ 8898.545208] RAX: ffffffffc0dc73d0 RBX: ffff8d64218c35c0 RCX: ffff8d676ee1e828
[ 8898.552348] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8d64218c35c0
[ 8898.559492] RBP: 0000000000000000 R08: 0000000000010000 R09: ffff8d6402d42600
[ 8898.566631] R10: ffff8d6400c1d8c0 R11: fefefefefefefeff R12: ffff8d64218c35c0
[ 8898.573775] R13: ffffd28e08d03cc8 R14: 0000000000000000 R15: ffff8d6420901310
[ 8898.580913] FS:  0000000000000000(0000) GS:ffff8d67cd7c5000(0000)
knlGS:0000000000000000
[ 8898.589011] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 8898.594763] CR2: 0000000000000001 CR3: 00000001951b8003 CR4: 00000000003726f0
[ 8898.601906] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 8898.609047] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 8898.616191] Kernel panic - not syncing: Fatal exception
[ 8898.621466] Kernel Offset: 0x1dc00000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 8898.646077] ---[ end Kernel panic - not syncing: Fatal exception ]---


(gdb) l *(__io_req_task_work_add+0x18)
0xffffffff81907668 is in __io_req_task_work_add (io_uring/io_uring.c:1251).
1246            io_fallback_tw(tctx, false);
1247    }
1248
1249    void __io_req_task_work_add(struct io_kiocb *req, unsigned flags)
1250    {
1251            if (req->ctx->flags & IORING_SETUP_DEFER_TASKRUN)
1252                    io_req_local_work_add(req, flags);
1253            else
1254                    io_req_normal_work_add(req);
1255    }
(gdb)


Thanks,
Changhui