* [linux-next:master] [maple_tree] 540335e987: BUG:kernel_NULL_pointer_dereference,address
From: kernel test robot @ 2025-06-19 7:32 UTC (permalink / raw)
To: Wei Yang
Cc: oe-lkp, lkp, Andrew Morton, Liam R. Howlett, Matthew Wilcox,
maple-tree, linux-mm, oliver.sang
Hello,
kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
commit: 540335e9878005bf238ab4e1f91e8df0e3091a03 ("maple_tree: restart walk on correct status")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master 6e5ab6fee68df8c40b338baeae6e269fa25a7e25]
in testcase: trinity
version: trinity-x86_64-ba2360ed-1_20241228
with following parameters:
runtime: 600s
config: x86_64-randconfig-008-20250618
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
+--------------------------------------------------------------------------------------+------------+------------+
| | cedafc1185 | 540335e987 |
+--------------------------------------------------------------------------------------+------------+------------+
| BUG:kernel_NULL_pointer_dereference,address | 0 | 6 |
| Oops | 0 | 6 |
| RIP:mtree_range_walk | 0 | 6 |
| Kernel_panic-not_syncing:Fatal_exception | 0 | 6 |
+--------------------------------------------------------------------------------------+------------+------------+
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202506191556.6bfc7b93-lkp@intel.com
[ 85.005305][ T5293] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 85.006027][ T5293] #PF: supervisor read access in kernel mode
[ 85.006448][ T5293] #PF: error_code(0x0000) - not-present page
[ 85.006895][ T5293] PGD 156b29067 P4D 156b29067 PUD 0
[ 85.007264][ T5293] Oops: Oops: 0000 [#1] SMP
[ 85.007587][ T5293] CPU: 1 UID: 65534 PID: 5293 Comm: trinity-c7 Not tainted 6.16.0-rc2-00111-g540335e98780 #1 PREEMPT(full) 36afef0ad633c67fb03a70379195b878849f7042
[ 85.008687][ T5293] RIP: 0010:mtree_range_walk (lib/maple_tree.c:2773)
[ 85.010012][ T5293] Code: 89 45 a0 e8 4d d8 86 ff 48 8b 45 a0 48 39 45 c0 74 18 49 83 fc 03 76 0f 4c 89 e6 48 c7 c7 a0 8d 3e 9c e8 c2 85 b1 ff 45 89 ef <4d> 8b 2e 48 8b 53 08 49 39 d5 73 32 49 8d 46 08 41 b4 01 45 38 fc
All code
========
0: 89 45 a0 mov %eax,-0x60(%rbp)
3: e8 4d d8 86 ff call 0xffffffffff86d855
8: 48 8b 45 a0 mov -0x60(%rbp),%rax
c: 48 39 45 c0 cmp %rax,-0x40(%rbp)
10: 74 18 je 0x2a
12: 49 83 fc 03 cmp $0x3,%r12
16: 76 0f jbe 0x27
18: 4c 89 e6 mov %r12,%rsi
1b: 48 c7 c7 a0 8d 3e 9c mov $0xffffffff9c3e8da0,%rdi
22: e8 c2 85 b1 ff call 0xffffffffffb185e9
27: 45 89 ef mov %r13d,%r15d
2a:* 4d 8b 2e mov (%r14),%r13 <-- trapping instruction
2d: 48 8b 53 08 mov 0x8(%rbx),%rdx
31: 49 39 d5 cmp %rdx,%r13
34: 73 32 jae 0x68
36: 49 8d 46 08 lea 0x8(%r14),%rax
3a: 41 b4 01 mov $0x1,%r12b
3d: 45 38 fc cmp %r15b,%r12b
Code starting with the faulting instruction
===========================================
0: 4d 8b 2e mov (%r14),%r13
3: 48 8b 53 08 mov 0x8(%rbx),%rdx
7: 49 39 d5 cmp %rdx,%r13
a: 73 32 jae 0x3e
c: 49 8d 46 08 lea 0x8(%r14),%rax
10: 41 b4 01 mov $0x1,%r12b
13: 45 38 fc cmp %r15b,%r12b
[ 85.011432][ T5293] RSP: 0018:ffffb56182fffd88 EFLAGS: 00010246
[ 85.011917][ T5293] RAX: 0000000000000000 RBX: ffffb56182fffe80 RCX: 0000000000000000
[ 85.012541][ T5293] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 85.013167][ T5293] RBP: ffffb56182fffdf0 R08: 0000000000000000 R09: 0000000000000000
[ 85.013806][ T5293] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000fff
[ 85.014420][ T5293] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 85.015039][ T5293] FS: 00007f93d413a740(0000) GS:ffff922b1356c000(0000) knlGS:0000000000000000
[ 85.015721][ T5293] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.016227][ T5293] CR2: 0000000000000000 CR3: 000000016d4f8000 CR4: 00000000000406b0
[ 85.016837][ T5293] DR0: 00007f93d220d000 DR1: 0000000000000000 DR2: 0000000000000000
[ 85.017464][ T5293] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[ 85.018096][ T5293] Call Trace:
[ 85.018359][ T5293] <TASK>
[ 85.018588][ T5293] ? mmap_write_lock (include/linux/seqlock.h:431 include/linux/mmap_lock.h:87 include/linux/mmap_lock.h:357)
[ 85.018970][ T5293] mas_state_walk (lib/maple_tree.c:3630)
[ 85.019311][ T5293] mas_walk (lib/maple_tree.c:279 lib/maple_tree.c:4937)
[ 85.019619][ T5293] mas_find (lib/maple_tree.c:5990 lib/maple_tree.c:6044)
[ 85.019967][ T5293] vma_find (include/linux/mm.h:856)
[ 85.020288][ T5293] __do_sys_set_mempolicy_home_node (mm/mempolicy.c:1723)
[ 85.020764][ T5293] __x64_sys_set_mempolicy_home_node (mm/mempolicy.c:1688)
[ 85.021229][ T5293] x64_sys_call (kbuild/obj/consumer/x86_64-randconfig-008-20250618/./arch/x86/include/generated/asm/syscalls_64.h:451)
[ 85.021592][ T5293] do_syscall_64 (arch/x86/entry/syscall_64.c:96)
[ 85.021973][ T5293] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 85.022454][ T5293] RIP: 0033:0x7f93d423e719
[ 85.022822][ T5293] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48
All code
========
0: 08 89 e8 5b 5d c3 or %cl,-0x3ca2a418(%rcx)
6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
d: 00 00 00
10: 90 nop
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06f1
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06c7
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 85.024289][ T5293] RSP: 002b:00007ffd10d04c48 EFLAGS: 00000246 ORIG_RAX: 00000000000001c2
[ 85.024897][ T5293] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f93d423e719
[ 85.025466][ T5293] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
[ 85.026060][ T5293] RBP: 00007f93d2b43058 R08: 0000000000000001 R09: 0000000000002000
[ 85.026652][ T5293] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000001c2
[ 85.027238][ T5293] R13: 00007f93d413a6c0 R14: 00007f93d2b43058 R15: 00007f93d2b43000
[ 85.027870][ T5293] </TASK>
[ 85.028106][ T5293] Modules linked in: polyval_clmulni ghash_clmulni_intel sha512_ssse3 sha1_ssse3 crypto_hash aesni_intel gf128mul libaes aead crypto_skcipher cryptomgr crypto_algapi crypto evdev qemu_fw_cfg
[ 85.029570][ T5293] CR2: 0000000000000000
[ 85.030009][ T5293] ---[ end trace 0000000000000000 ]---
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250619/202506191556.6bfc7b93-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki
* Re: [linux-next:master] [maple_tree] 540335e987: BUG:kernel_NULL_pointer_dereference,address
From: Andrew Morton @ 2025-06-19 22:44 UTC (permalink / raw)
To: kernel test robot
Cc: Wei Yang, oe-lkp, lkp, Liam R. Howlett, Matthew Wilcox,
maple-tree, linux-mm
On Thu, 19 Jun 2025 15:32:12 +0800 kernel test robot <oliver.sang@intel.com> wrote:
> kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
>
> commit: 540335e9878005bf238ab4e1f91e8df0e3091a03 ("maple_tree: restart walk on correct status")
> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>
> [test failed on linux-next/master 6e5ab6fee68df8c40b338baeae6e269fa25a7e25]
>
> ...
>
> [ 85.008687][ T5293] RIP: 0010:mtree_range_walk (lib/maple_tree.c:2773)
Seems this is
if (pivots[0] >= mas->index) {
It seems odd that mtree_range_walk() doesn't (and didn't) check for
ma_pivots() returning NULL.
Oh well, thanks, the report is solid - I'll drop the series.
* Re: [linux-next:master] [maple_tree] 540335e987: BUG:kernel_NULL_pointer_dereference,address
From: Wei Yang @ 2025-06-20 2:14 UTC (permalink / raw)
To: Andrew Morton
Cc: kernel test robot, Wei Yang, oe-lkp, lkp, Liam R. Howlett,
Matthew Wilcox, maple-tree, linux-mm
On Thu, Jun 19, 2025 at 03:44:46PM -0700, Andrew Morton wrote:
>On Thu, 19 Jun 2025 15:32:12 +0800 kernel test robot <oliver.sang@intel.com> wrote:
>
>> kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
>>
>> commit: 540335e9878005bf238ab4e1f91e8df0e3091a03 ("maple_tree: restart walk on correct status")
>> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
>>
>> [test failed on linux-next/master 6e5ab6fee68df8c40b338baeae6e269fa25a7e25]
>>
>> ...
>>
>> [ 85.008687][ T5293] RIP: 0010:mtree_range_walk (lib/maple_tree.c:2773)
>
>Seems this is
>
> if (pivots[0] >= mas->index) {
>
>It seems odd that mtree_range_walk() doesn't (and didn't) check for
>ma_pivots() returning NULL.
>
>Oh well, thanks, the report is solid - I'll drop the series.
Sorry for the trouble. It is better to drop it.
--
Wei Yang
Help you, Help me
* Re: [linux-next:master] [maple_tree] 540335e987: BUG:kernel_NULL_pointer_dereference,address
From: Liam R. Howlett @ 2025-06-23 21:19 UTC (permalink / raw)
To: Wei Yang
Cc: Andrew Morton, kernel test robot, oe-lkp, lkp, Matthew Wilcox,
maple-tree, linux-mm
* Wei Yang <richard.weiyang@gmail.com> [250619 22:14]:
> On Thu, Jun 19, 2025 at 03:44:46PM -0700, Andrew Morton wrote:
> >On Thu, 19 Jun 2025 15:32:12 +0800 kernel test robot <oliver.sang@intel.com> wrote:
> >
> >> kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
> >>
> >> commit: 540335e9878005bf238ab4e1f91e8df0e3091a03 ("maple_tree: restart walk on correct status")
> >> https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
> >>
> >> [test failed on linux-next/master 6e5ab6fee68df8c40b338baeae6e269fa25a7e25]
> >>
> >> ...
> >>
> >> [ 85.008687][ T5293] RIP: 0010:mtree_range_walk (lib/maple_tree.c:2773)
> >
> >Seems this is
> >
> > if (pivots[0] >= mas->index) {
> >
> >It seems odd that mtree_range_walk() doesn't (and didn't) check for
> >ma_pivots() returning NULL.
> >
> >Oh well, thanks, the report is solid - I'll drop the series.
This will need to be addressed once the dense nodes arrive, but it
really should not happen right now.
I don't like the idea of checking this every time we walk a node, if it
can be avoided.
>
> Sorry for the trouble. It is better to drop it.
This indicates another issue exists which was exposed with your fix.
I've tracked it down to the maple status being restored to ma_active
before the maple state node is set. The bot looks to have hit this by
going mas_prev() on 0 and getting the status to ma_underflow, then
mas_find(), which restored it to ma_active and tried to walk when the
node was NULL in mas_find_setup().
I have a fix for this and I'll roll your change into my fix and add you
as the reporter... and add links to the resend, v3 patches, and this
thread. Stable will be excluded because it's really not worth the risk
- the code is stable now but just suboptimal.
This still leaves your initial patch 1 and 3, which has nothing to do
with either of these bugs that you included in the patch set. It is
best to keep patches related to each other together, but not include
things you find while developing those fixes, specifically for this
scenario.
I will grab those patches and re-examine them before sending them along,
again.
Thanks,
Liam
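A simplified model, added here and not kernel code, of the ordering defect Liam describes above and the NULL pivots Andrew points at: the state's status is restored to active before its node pointer is set, so the walk that follows an underflow dereferences NULL. The names (walk_from_node, find_setup_buggy, find_setup_fixed, MA_*) and the sample node are constructed stand-ins for mas_find_setup(), mtree_range_walk() and the real ma_status values, not the maple tree's own definitions.

```c
#include <stddef.h>
enum ma_status { MA_ACTIVE, MA_UNDERFLOW, MA_START };
struct node { unsigned long pivots[3]; };
struct state {
	struct node *node;        /* NULL: not positioned on any node */
	enum ma_status status;
	unsigned long index;
};
static struct node root = { { 10, 20, 30 } };   /* constructed sample node */

/* Walks the node's pivots; the caller must guarantee node != NULL. */
static int walk_from_node(const struct state *s)
{
	const unsigned long *pivots = s->node->pivots;  /* oops site if node is NULL */
	int slot = 0;
	while (slot < 3 && pivots[slot] < s->index)
		slot++;
	return slot;
}

/* Buggy ordering: status becomes ACTIVE whether or not a node was ever set,
 * so the next walk trusts a NULL node pointer. */
static void find_setup_buggy(struct state *s)
{
	if (s->status == MA_UNDERFLOW)
		s->status = MA_ACTIVE;
}

/* Fixed ordering: restore ACTIVE only when positioned on a node; otherwise
 * restart from the root, the only place a walk can safely begin. */
static void find_setup_fixed(struct state *s)
{
	if (s->status != MA_UNDERFLOW)
		return;
	if (s->node) {
		s->status = MA_ACTIVE;
	} else {
		s->status = MA_START;
		s->node = &root;
	}
}

/* Returns the slot found, or -1 where the real code would have oopsed. */
static int find_after_underflow(int use_fix, unsigned long index)
{
	struct state s = { NULL, MA_UNDERFLOW, index };  /* as after stepping back past 0 */
	if (use_fix) find_setup_fixed(&s); else find_setup_buggy(&s);
	if (!s.node)                 /* stand-in for the NULL dereference */
		return -1;
	return walk_from_node(&s);
}
```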
* Re: [linux-next:master] [maple_tree] 540335e987: BUG:kernel_NULL_pointer_dereference,address
From: Wei Yang @ 2025-06-24 6:59 UTC (permalink / raw)
To: Liam R. Howlett, Wei Yang, Andrew Morton, kernel test robot,
oe-lkp, lkp, Matthew Wilcox, maple-tree, linux-mm
On Mon, Jun 23, 2025 at 05:19:07PM -0400, Liam R. Howlett wrote:
[...]
>
>This will need to be addressed once the dense nodes arrive, but it
>really should not happen right now.
>
>I don't like the idea of checking this every time we walk a node, if it
>can be avoided.
>
>>
>> Sorry for the trouble. It is better to drop it.
>
>This indicates another issue exists which was exposed with your fix.
>
>I've tracked it down to the maple status being restored to ma_active
>before the maple state node is set. The bot looks to have hit this by
>going mas_prev() on 0 and getting the status to ma_underflow, then
>mas_find(), which restored it to ma_active and tried to walk when the
>node was NULL in mas_find_setup().
>
The analysis looks reasonable. Thanks for your time.
>I have a fix for this and I'll roll your change into my fix and add you
>as the reporter... and add links to the resend, v3 patches, and this
>thread. Stable will be excluded because it's really not worth the risk
>- the code is stable now but just suboptimal.
>
>This still leaves your initial patch 1 and 3, which has nothing to do
>with either of these bugs that you included in the patch set. It is
>best to keep patches related to each other together, but not include
>things you find while developing those fixes, specifically for this
>scenario.
>
>I will grab those patches and re-examine them before sending them along,
>again.
>
>Thanks,
>Liam
--
Wei Yang
Help you, Help me