Re: [bug report] BUG: kernel NULL pointer dereference, address: 0000000000000060

Ming Lei <ming.lei@xxxxxxxxxx> · Tue, 1 Jul 2025 11:08:05 +0800

Hi Changhui,

Thanks for the report!

On Tue, Jul 01, 2025 at 09:55:23AM +0800, Changhui Zhong wrote:
> Hello,
> 
> the following kernel panic was triggered by 'ubdsrv  make test T=generic' tests,
> please help check and let me know if you need any info/test, thanks.
> 
> repo: https://github.com/torvalds/linux.git
> branch: master
> INFO: HEAD of cloned kernel:
> commit d0b3b7b22dfa1f4b515fd3a295b3fd958f9e81af
> Author: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Date:   Sun Jun 29 13:09:04 2025 -0700
> 
>     Linux 6.16-rc4
> 
> dmesg log:
> [ 3431.347957] BUG: kernel NULL pointer dereference, address: 0000000000000060
> [ 3431.355744] #PF: supervisor read access in kernel mode
> [ 3431.361484] #PF: error_code(0x0000) - not-present page
> [ 3431.367224] PGD 119ffa067 P4D 0
> [ 3431.370830] Oops: Oops: 0000 [#1] SMP NOPTI
> [ 3431.375503] CPU: 22 UID: 0 PID: 397273 Comm: fio Tainted: G S
>            6.16.0-rc4 #1 PREEMPT(voluntary)
> [ 3431.386864] Tainted: [S]=CPU_OUT_OF_SPEC
> [ 3431.391243] Hardware name: Lenovo ThinkSystem SR650 V2/7Z73CTO1WW,
> BIOS AFE118M-1.32 06/29/2022
> [ 3431.400954] RIP: 0010:ublk_queue_rqs+0x7d/0x1c0 [ublk_drv]

It is one regression of commit 524346e9d79f ("ublk: build batch from IOs in same io_ring_ctx and io task").

io->cmd can't be derefered unless the uring cmd is live, and the following patch
should fix the oops:

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index c3e3c3b65a6d..99894d712c1f 100644
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -1442,15 +1442,14 @@ static void ublk_queue_rqs(struct rq_list *rqlist)
 		struct ublk_queue *this_q = req->mq_hctx->driver_data;
 		struct ublk_io *this_io = &this_q->ios[req->tag];
 
-		if (io && !ublk_belong_to_same_batch(io, this_io) &&
-				!rq_list_empty(&submit_list))
-			ublk_queue_cmd_list(io, &submit_list);
-		io = this_io;
-
-		if (ublk_prep_req(this_q, req, true) == BLK_STS_OK)
+		if (ublk_prep_req(this_q, req, true) == BLK_STS_OK) {
+			if (io && !ublk_belong_to_same_batch(io, this_io) &&
+					!rq_list_empty(&submit_list))
+				ublk_queue_cmd_list(io, &submit_list);
 			rq_list_add_tail(&submit_list, req);
-		else
+		} else
 			rq_list_add_tail(&requeue_list, req);
+		io = this_io;
 	}
 
 	if (!rq_list_empty(&submit_list))


Thanks,
Ming








