Re: [BUG] hrtimer: null deref in hrtimer_next_event_without when entering idle

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Thomas Gleixner <tglx@linutronix.de>
To: "Olle Lögdahl" <olle@logdahl.net>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: "frederic@kernel.org" <frederic@kernel.org>,
	"anna-maria@linutronix.de" <anna-maria@linutronix.de>
Subject: Re: [BUG] hrtimer: null deref in hrtimer_next_event_without when entering idle
Date: Mon, 15 Dec 2025 12:13:59 +0100	[thread overview]
Message-ID: <878qf4dmko.ffs@tglx> (raw)
In-Reply-To: <YoTfQSnM2hpZ1BK1RO-RvjgmNvowWRxy1jlgz3JksmSNprMQfhz_CRxUZph2ygPuGtaqJaPeVrflnldQkCgzzX8tsvX4A7sqWwF6OIdaJHo=@logdahl.net>

On Sat, Dec 13 2025 at 08:55, Olle Lögdahl wrote:
> I encountered a kernel panic with a null-pointer dereference in the
> hrtimer system on kernel 6.17.9-arch1-1 (x86_64) when entering idle. 
> The crash occurred in __hrtimer_next_event_base+0x4c.
>
> [137017.825435] BUG: kernel NULL pointer dereference, address: 0000000000000018
> [137017.825450] #PF: supervisor read access in kernel mode
> [137017.825457] #PF: error_code(0x0000) - not-present page
> [137017.825464] PGD 1719cb067 P4D 1719cb067 PUD 17ca5a067 PMD 0 
> [137017.825483] Oops: Oops: 0000 [#1] SMP NOPTI
> [137017.825495] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Tainted: P           OE       6.17.9-arch1-1 #1 PREEMPT(full)  71adf6020e7d04ea315feaf360c679be0fb5cb04
> [137017.825510] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
> [137017.825516] Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 4207 12/08/2018
> [137017.825523] RIP: 0010:__hrtimer_next_event_base+0x4c/0xb0
> [137017.825538] Code: 0f bc c9 89 cd 48 8d 45 01 48 c1 e0 06 4c 01 e0 74 32 ba 01 00 00 00 48 8b 40 28 d3 e2 f7 d2 21 d3 49 39 c7 74 43 48 c1 e5 06 <48> 8b 50 18 49 2b 54 2c 78 4c 39 ea 7d 08 4d 85 ff 74 1f 49 89 d5
> [137017.825546] RSP: 0018:ffffffffa3603d90 EFLAGS: 00010056
> [137017.825555] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> [137017.825562] RDX: 00000000fffffffe RSI: ffff8a6b0ee216d8 RDI: ffff8a6b0ee21100
> [137017.825569] RBP: 0000000000000000 R08: ffffffffa3603d78 R09: 0000000000000018
> [137017.825575] R10: 00000000ffffffff R11: 000000000000012d R12: ffff8a6b0ee21100
> [137017.825582] R13: 7fffffffffffffff R14: 071c71c71c71c71c R15: ffff8a6b0ee216d8
> [137017.825589] FS:  0000000000000000(0000) GS:ffff8a6b6ab09000(0000) knlGS:0000000000000000
> [137017.825596] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [137017.825603] CR2: 0000000000000018 CR3: 000000026e066000 CR4: 00000000003506f0
> [137017.825610] Call Trace:
> [137017.825618]  <TASK>
> [137017.825631]  hrtimer_next_event_without+0x56/0x90
> [137017.825644]  tick_nohz_get_sleep_length+0x86/0xa0
> [137017.825659]  menu_select+0x391/0x680
> [137017.825677]  do_idle+0x18b/0x210
> [137017.825693]  cpu_startup_entry+0x29/0x30
> [137017.825704]  rest_init+0xcc/0xd0
> [137017.825718]  start_kernel+0x9a2/0x9b0
> [137017.825735]  x86_64_start_reservations+0x24/0x30
> [137017.825748]  x86_64_start_kernel+0xd1/0xe0
> [137017.825760]  common_startup_64+0x13e/0x141
> [137017.825783]  </TASK>
>
> Disassembling the code at RIP shows the faulting instruction is:
>   2a: 48 8b 50 18    mov rdx,QWORD PTR [rax+0x18]

This looks like reading hrtimer::_softexpires and the hrtimer pointer is
NULL.

> Looking at the preceding code, rax was loaded from another structure
> at offset 0x28:
>   17: 48 8b 40 28    mov rax,QWORD PTR [rax+0x28]

That's loading the next node from the clock base

That means the clock base is marked active but has no timer queued. I
have no idea how that can happen as all related operations are holding
the relevant base lock.

> I have not been able to reproduce this yet. I'd be interested in
> working on a fix if guidance can be provided on the root cause.

No idea how this can be chased down unless you have a halfways reliable
reproducer which reproduces without that (whatever it is) module loaded:

> [137017.825510] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE

Thanks,

        tglx

     prev parent reply	other threads:[~2025-12-15 11:14 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-13  8:55 [BUG] hrtimer: null deref in hrtimer_next_event_without when entering idle Olle Lögdahl
2025-12-15 11:13 ` Thomas Gleixner [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=878qf4dmko.ffs@tglx \
    --to=tglx@linutronix.de \
    --cc=anna-maria@linutronix.de \
    --cc=frederic@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=olle@logdahl.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.