From: Salvatore Bonaccorso <carnil@debian.org>
To: Paul Menzel <pmenzel@molgen.mpg.de>
Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>,
Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>,
linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org
Subject: Re: BUG: kernel NULL pointer dereference, address: 0000000000000000
Date: Fri, 2 Jan 2026 20:59:33 +0100
Message-ID: <aVgjpWaIRkerdgCa@eldamar.lan>
In-Reply-To: <ef9223ee-0a4e-468c-bfd0-0cf190d262f1@molgen.mpg.de>

Hi Paul, hi Sudip,

On Mon, Dec 01, 2025 at 05:05:59PM +0100, Paul Menzel wrote:
> Dear Sudip,
>
>
> Thank you very much for looking into this.
>
>
> On 01.12.25 at 14:25, Sudip Mukherjee wrote:
> > On Thu, 27 Nov 2025 at 22:55, Paul Menzel <pmenzel@molgen.mpg.de> wrote:
>
> > > On 27.11.25 at 19:51, Paul Menzel wrote:
> > >
> > > > Unfortunately, not reproducible, but starting with Linux 6.18-rc7, I got
> > > > the oops below *once*:
> > > >
> > > > ```
> >
> > <snip>
> >
> > > Building and booting Linux 6.18.0-rc7-00041-g765e56e41a5a, I got another
> > > oops.
> > >
> > > [ 15.234799] ppdev lp.0: really_probe: driver_sysfs_add failed
> > > [ 15.234852] ------------[ cut here ]------------
> > > [ 15.234854] refcount_t: addition on 0; use-after-free.
> > > [ 15.234864] WARNING: CPU: 0 PID: 353 at lib/refcount.c:25 refcount_warn_saturate+0xcd/0xf0
> > >
> > > Please find the output of `dmesg` attached.
> > >
> > > (It might be related to booting with a USB-C mini-dock connected, but I
> > > do not know yet.)
>
> At least today, I am also only able to reproduce this with *no* power cable
> plugged in, and the USB-C mini-dock connected.
>
> > In both cases, it seems the underlying hardware was removed or the
> > module was unloaded while it was still registering.
> >
> > In the first case, 'parport_default_proc_unregister' has been called
> > while parport driver is still checking for all the connected devices
> > and was executing 'lp_attach'.
> > 'parport_default_proc_unregister' will only be called when the parport
> > module is exiting.
> >
> > Same in the second case, 'lp_attach' was still executing and
> > 'ppdev_cleanup' was called.
>
> Please find the output of `dmesg` attached with the Oops for Linux 6.18.
>
> ```
> [ 14.696290] ppdev: user-space parallel port driver
> [ 14.696974] lp lp.0: really_probe: driver_sysfs_add failed
> [ 14.697015] kernel tried to execute NX-protected page - exploit attempt?
> (uid: 0)
> [ 14.697189] BUG: unable to handle page fault for address:
> ffff991d07830708
> [ 14.697223] #PF: supervisor instruction fetch in kernel mode
> [ 14.697249] #PF: error_code(0x0011) - permissions violation
> [ 14.697277] PGD 388401067 P4D 388401067 PUD 101338063 PMD 10785c063 PTE
> 8000000107830163
> [ 14.697313] Oops: Oops: 0011 [#1] SMP
> [ 14.697334] CPU: 2 UID: 0 PID: 357 Comm: systemd-modules Not tainted
> 6.18.0 #165 PREEMPT(voluntary)
> [ 14.697386] Hardware name: Dell Inc. XPS 13 9360/0596KF, BIOS 2.21.0
> 06/02/2022
> [ 14.697423] RIP: 0010:0xffff991d07830708
> [ 14.697445] Code: ff ff 20 a1 10 01 1d 99 ff ff 80 3a 50 93 ff ff ff ff
> 40 54 3c 06 1d 99 ff ff 01 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 <08>
> 07 83 07 1d 99 ff ff 08 07 83 07 1d 99 ff ff 00 00 00 00 00 00
> [ 14.697530] RSP: 0000:ffffa8c040a27a30 EFLAGS: 00010286
> [ 14.697561] RAX: ffff991d078306c0 RBX: ffff991d0722a000 RCX:
> 0000000000000007
> [ 14.697593] RDX: ffffffffc078d5c0 RSI: ffff991d01fa7ce0 RDI:
> ffff991d03cc0000
> [ 14.697618] RBP: ffffa8c040a27a80 R08: 00000000fffffff3 R09:
> 00000000fff7ffff
> [ 14.697639] R10: ffffffff9482b180 R11: ffffa8c040a27620 R12:
> ffff991d0722a040
> [ 14.697659] R13: ffff991d03cc0050 R14: ffff991d03cc0000 R15:
> ffff991d00dfe8e8
> [ 14.697679] FS: 00007f09cb7fd6c0(0000) GS:ffff9920d8587000(0000)
> knlGS:0000000000000000
> [ 14.697711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 14.697728] CR2: ffff991d07830708 CR3: 0000000102019003 CR4:
> 00000000003706f0
> [ 14.697749] Call Trace:
> [ 14.697759] <TASK>
> [ 14.697768] ? parport_register_dev_model+0x273/0x3c0 [parport]
> [ 14.697792] ? lp_register+0x6f/0x100 [lp]
> [ 14.697806] ? msr_init+0x1000/0x1000 [msr]
> [ 14.697822] ? parport_irq_handler+0x50/0x50 [parport]
> [ 14.697841] ? lp_attach+0x99/0xc0 [lp]
> [ 14.697854] ? port_check+0x1d/0x20 [parport]
> [ 14.697879] ? bus_for_each_dev+0x82/0xd0
> [ 14.697894] ? ppdev_cleanup+0xb40/0xb40 [ppdev]
> [ 14.697910] ? __parport_register_driver+0x7e/0xb0 [parport]
> [ 14.697930] ? lp_init_module+0x1e2/0x1000 [lp]
> [ 14.697945] ? do_one_initcall+0x58/0x2f0
> [ 14.697960] ? do_init_module+0x67/0x2a0
> [ 14.697974] ? init_module_from_file+0x85/0xc0
> [ 14.697989] ? __x64_sys_finit_module+0x163/0x3d0
> [ 14.698005] ? do_syscall_64+0x82/0x9b0
> [ 14.698020] ? vfs_read+0x15e/0x380
> [ 14.698035] ? vfs_read+0x15e/0x380
> [ 14.698056] ? __rseq_handle_notify_resume+0xa6/0x480
> [ 14.698080] ? restore_fpregs_from_fpstate+0x46/0xa0
> [ 14.698098] ? switch_fpu_return+0x5b/0xd0
> [ 14.698113] ? do_syscall_64+0x21d/0x9b0
> [ 14.698134] ? restore_fpregs_from_fpstate+0x46/0xa0
> [ 14.698158] ? switch_fpu_return+0x5b/0xd0
> [ 14.698179] ? do_syscall_64+0x21d/0x9b0
> [ 14.698203] ? do_user_addr_fault+0x216/0x690
> [ 14.698230] ? exc_page_fault+0x7e/0x1a0
> [ 14.698254] ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
> [ 14.698286] </TASK>
> ```
>
> > Are you seeing the crash only from v6.18-rc7 onwards? Was v6.18-rc6 or
> > v6.17 ok for you?
>
> Going through some Linux kernels, I hit the same issue with
> 6.18.0-rc3-00256-gba36dd5ee6fd, but with that the graphics environment did
> not load, and I only have the journal entry.
>
> ```
> Dez 01 14:33:41 abreu kernel: kernel tried to execute NX-protected page -
> exploit attempt? (uid: 0)
> Dez 01 14:33:41 abreu kernel: BUG: unable to handle page fault for address:
> ffff97fec6b9c588
> Dez 01 14:33:41 abreu kernel: #PF: supervisor instruction fetch in kernel
> mode
> Dez 01 14:33:41 abreu kernel: #PF: error_code(0x0011) - permissions
> violation
> Dez 01 14:33:41 abreu kernel: PGD 3fda01067 P4D 3fda01067 PUD 101338063 PMD
> 106b74063 PTE 8000000106b9c163
> Dez 01 14:33:41 abreu kernel: Oops: Oops: 0011 [#1] SMP
> Dez 01 14:33:41 abreu kernel: CPU: 2 UID: 0 PID: 432 Comm: systemd-modules
> Not tainted 6.18.0-rc3-00256-gba36dd5ee6fd #154 PREEMPT(voluntary)
> Dez 01 14:33:41 abreu kernel: Hardware name: Dell Inc. XPS 13 9360/0596KF,
> BIOS 2.21.0 06/02/2022
> Dez 01 14:33:41 abreu kernel: RIP: 0010:0xffff97fec6b9c588
> Dez 01 14:33:41 abreu kernel: Code: ff ff 20 ed 23 c7 fe 97 ff ff a0 3a f0
> 9a ff ff ff ff f8 37 58 c3 fe 97 ff ff 01 00 00 00 03 00 00 00 00 00 00 00
> 00 00 00 00 <88> c5 b9 c6 fe 97 ff ff 88 c5 b9 c6 fe 97 ff ff 00 00 00 00 00
> 00
> Dez 01 14:33:41 abreu kernel: RSP: 0000:ffffaaba0095bb00 EFLAGS: 00010286
> Dez 01 14:33:41 abreu kernel: RAX: ffff97fec6b9c540 RBX: ffff97fec48c7800
> RCX: 0000000000000007
> Dez 01 14:33:41 abreu kernel: RDX: ffffffffc077b5c0 RSI: ffff97fec71a58b0
> RDI: ffff97fed8514800
> Dez 01 14:33:41 abreu kernel: RBP: ffffaaba0095bb50 R08: ffff97fec77ec243
> R09: ffff98022cd3f4c0
> Dez 01 14:33:41 abreu kernel: R10: 0000000000000001 R11: 0000000006f6b9e9
> R12: ffff97fec48c7840
> Dez 01 14:33:41 abreu kernel: R13: ffff97fed8514850 R14: ffff97fed8514800
> R15: ffff97fec7349b08
> Dez 01 14:33:41 abreu kernel: FS: 00007f4b0c2fcc80(0000)
> GS:ffff980290b87000(0000) knlGS:0000000000000000
> Dez 01 14:33:41 abreu kernel: CS: 0010 DS: 0000 ES: 0000 CR0:
> 0000000080050033
> Dez 01 14:33:41 abreu kernel: CR2: ffff97fec6b9c588 CR3: 0000000106a5f004
> CR4: 00000000003706f0
> Dez 01 14:33:41 abreu kernel: Call Trace:
> Dez 01 14:33:41 abreu kernel: <TASK>
> Dez 01 14:33:41 abreu kernel: ? parport_register_dev_model+0x273/0x3c0
> [parport]
> Dez 01 14:33:41 abreu kernel: ? lp_register+0x6f/0x100 [lp]
> Dez 01 14:33:41 abreu kernel: ? parport_pc_init+0xf20/0xf20 [parport_pc]
> Dez 01 14:33:41 abreu kernel: ? parport_irq_handler+0x50/0x50 [parport]
> Dez 01 14:33:41 abreu kernel: ? lp_attach+0x99/0xc0 [lp]
> Dez 01 14:33:41 abreu kernel: ? port_check+0x1d/0x20 [parport]
> Dez 01 14:33:41 abreu kernel: ? bus_for_each_dev+0x82/0xd0
> Dez 01 14:33:41 abreu kernel: ? lp_open.cold+0xaf5/0xaf5 [lp]
> Dez 01 14:33:41 abreu kernel: ? __parport_register_driver+0x7e/0xb0
> [parport]
> Dez 01 14:33:41 abreu kernel: ? lp_init_module+0x1e2/0x1000 [lp]
> Dez 01 14:33:41 abreu kernel: ? do_one_initcall+0x58/0x2f0
> Dez 01 14:33:41 abreu kernel: ? do_init_module+0x67/0x2a0
> Dez 01 14:33:41 abreu kernel: ? init_module_from_file+0x85/0xc0
> Dez 01 14:33:41 abreu kernel: ? __x64_sys_finit_module+0x163/0x3d0
> Dez 01 14:33:41 abreu kernel: ? do_syscall_64+0x82/0x9b0
> Dez 01 14:33:41 abreu kernel: ? do_syscall_64+0xbb/0x9b0
> Dez 01 14:33:41 abreu kernel: ? do_sys_openat2+0xa2/0xe0
> Dez 01 14:33:41 abreu kernel: ? __x64_sys_openat+0x61/0xa0
> Dez 01 14:33:41 abreu kernel: ? do_syscall_64+0xbb/0x9b0
> Dez 01 14:33:41 abreu kernel: ? do_syscall_64+0xbb/0x9b0
> Dez 01 14:33:41 abreu kernel: ? exc_page_fault+0x7e/0x1a0
> Dez 01 14:33:41 abreu kernel: ? entry_SYSCALL_64_after_hwframe+0x4b/0x53
> Dez 01 14:33:41 abreu kernel: </TASK>
> Dez 01 14:33:41 abreu kernel: Modules linked in: ppdev(+) lp(+) parport_pc
> msr(+) parport drm efi_pstore configfs nfnetlink efivarfs autofs4 ext4 crc16
> mbcache jbd2 dm_crypt dm_mod dell_wmi dell_smbios dell_wmi_descriptor dcdbas
> evdev nvme serio_raw pcspkr nvme_core video intel_hid sparse_keymap wmi
> aesni_intel
> Dez 01 14:33:41 abreu kernel: CR2: ffff97fec6b9c588
> Dez 01 14:33:41 abreu kernel: ---[ end trace 0000000000000000 ]---
> ```
>
> I was forced to hard reset the machine by pressing the power button for more
> than ten seconds.

FWIW, we have two bugs in Debian as well reported, but they were once
for 6.17.12 and 6.17.13 already. See:

https://bugs.debian.org/1124075
https://bugs.debian.org/1124463

Does it make a difference to cold-boot or reboot into the system?

Regards,
Salvatore
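
The oops quoted in this message can be triaged mechanically. The following Python is an added example, not part of the original message or of the kernel tree: it decodes the page-fault error code and PTE flags from lines copied from the first quoted oops and reports whether the CPU faulted while fetching an instruction from a non-executable data page. The names `triage`, `decode`, `PF_FLAGS` and `PTE_FLAGS` are chosen here for illustration.

```python
import re

# x86 page-fault error-code bits and the PTE bits relevant to this fault.
PF_FLAGS = {0: "PROT", 1: "WRITE", 2: "USER", 3: "RSVD", 4: "INSTR", 5: "PK"}
PTE_FLAGS = {0: "PRESENT", 1: "RW", 2: "USER", 5: "ACCESSED",
             6: "DIRTY", 8: "GLOBAL", 63: "NX"}

# Lines copied from the first oops quoted above, mail line wrapping undone.
SAMPLE = """\
[ 14.697015] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
[ 14.697189] BUG: unable to handle page fault for address: ffff991d07830708
[ 14.697249] #PF: error_code(0x0011) - permissions violation
[ 14.697277] PGD 388401067 P4D 388401067 PUD 101338063 PMD 10785c063 PTE 8000000107830163
[ 14.697423] RIP: 0010:0xffff991d07830708
[ 14.697728] CR2: ffff991d07830708 CR3: 0000000102019003 CR4: 00000000003706f0
"""

def decode(value, names):
    """Return the names of the bits set in value."""
    return {name for bit, name in names.items() if (value >> bit) & 1}

def triage(log):
    """Decode one page-fault oops; None if the text has no #PF error code."""
    err_m = re.search(r"error_code\((0x[0-9a-f]+)\)", log)
    if err_m is None:
        return None
    err = decode(int(err_m.group(1), 16), PF_FLAGS)
    pte_m = re.search(r"\bPTE\s+([0-9a-f]+)", log)
    pte = decode(int(pte_m.group(1), 16), PTE_FLAGS) if pte_m else set()
    # RIP is a bare address only when it does not resolve to a kernel symbol.
    rip_m = re.search(r"RIP: [0-9a-f]{4}:0x([0-9a-f]{16})", log)
    cr2_m = re.search(r"\bCR2: ([0-9a-f]{16})", log)
    same = bool(rip_m and cr2_m and rip_m.group(1) == cr2_m.group(1))
    # Kernel-mode instruction fetch that faulted on a present, writable, NX
    # page at RIP itself: control was transferred into data, which is
    # typically a call through a stale or overwritten function pointer.
    jumped = ("INSTR" in err and "PROT" in err and "USER" not in err
              and same and {"NX", "RW"} <= pte)
    return {"error": err, "pte": pte, "jumped_to_data": jumped}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The regular expressions search anywhere in a line, so the journald-prefixed form of the second quoted oops is matched the same way once its wrapped lines are joined.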