From: kernel test robot <oliver.sang@intel.com>
To: Wei Yang <richard.weiyang@gmail.com>
Cc: <oe-lkp@lists.linux.dev>, <lkp@intel.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Matthew Wilcox <willy@infradead.org>,
<maple-tree@lists.infradead.org>, <linux-mm@kvack.org>,
<oliver.sang@intel.com>
Subject: [linux-next:master] [maple_tree] 540335e987: BUG:kernel_NULL_pointer_dereference,address
Date: Thu, 19 Jun 2025 15:32:12 +0800 [thread overview]
Message-ID: <202506191556.6bfc7b93-lkp@intel.com> (raw)
Hello,
kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on:
commit: 540335e9878005bf238ab4e1f91e8df0e3091a03 ("maple_tree: restart walk on correct status")
https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git master
[test failed on linux-next/master 6e5ab6fee68df8c40b338baeae6e269fa25a7e25]
in testcase: trinity
version: trinity-x86_64-ba2360ed-1_20241228
with following parameters:
runtime: 600s
config: x86_64-randconfig-008-20250618
compiler: gcc-12
test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G
(please refer to attached dmesg/kmsg for entire log/backtrace)
+---------------------------------------------+------------+------------+
|                                             | cedafc1185 | 540335e987 |
+---------------------------------------------+------------+------------+
| BUG:kernel_NULL_pointer_dereference,address |     0      |     6      |
| Oops                                        |     0      |     6      |
| RIP:mtree_range_walk                        |     0      |     6      |
| Kernel_panic-not_syncing:Fatal_exception    |     0      |     6      |
+---------------------------------------------+------------+------------+
If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add the following tags:
| Reported-by: kernel test robot <oliver.sang@intel.com>
| Closes: https://lore.kernel.org/oe-lkp/202506191556.6bfc7b93-lkp@intel.com
[ 85.005305][ T5293] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 85.006027][ T5293] #PF: supervisor read access in kernel mode
[ 85.006448][ T5293] #PF: error_code(0x0000) - not-present page
[ 85.006895][ T5293] PGD 156b29067 P4D 156b29067 PUD 0
[ 85.007264][ T5293] Oops: Oops: 0000 [#1] SMP
[ 85.007587][ T5293] CPU: 1 UID: 65534 PID: 5293 Comm: trinity-c7 Not tainted 6.16.0-rc2-00111-g540335e98780 #1 PREEMPT(full) 36afef0ad633c67fb03a70379195b878849f7042
[ 85.008687][ T5293] RIP: 0010:mtree_range_walk (lib/maple_tree.c:2773)
[ 85.010012][ T5293] Code: 89 45 a0 e8 4d d8 86 ff 48 8b 45 a0 48 39 45 c0 74 18 49 83 fc 03 76 0f 4c 89 e6 48 c7 c7 a0 8d 3e 9c e8 c2 85 b1 ff 45 89 ef <4d> 8b 2e 48 8b 53 08 49 39 d5 73 32 49 8d 46 08 41 b4 01 45 38 fc
All code
========
0: 89 45 a0 mov %eax,-0x60(%rbp)
3: e8 4d d8 86 ff call 0xffffffffff86d855
8: 48 8b 45 a0 mov -0x60(%rbp),%rax
c: 48 39 45 c0 cmp %rax,-0x40(%rbp)
10: 74 18 je 0x2a
12: 49 83 fc 03 cmp $0x3,%r12
16: 76 0f jbe 0x27
18: 4c 89 e6 mov %r12,%rsi
1b: 48 c7 c7 a0 8d 3e 9c mov $0xffffffff9c3e8da0,%rdi
22: e8 c2 85 b1 ff call 0xffffffffffb185e9
27: 45 89 ef mov %r13d,%r15d
2a:* 4d 8b 2e mov (%r14),%r13 <-- trapping instruction
2d: 48 8b 53 08 mov 0x8(%rbx),%rdx
31: 49 39 d5 cmp %rdx,%r13
34: 73 32 jae 0x68
36: 49 8d 46 08 lea 0x8(%r14),%rax
3a: 41 b4 01 mov $0x1,%r12b
3d: 45 38 fc cmp %r15b,%r12b
Code starting with the faulting instruction
===========================================
0: 4d 8b 2e mov (%r14),%r13
3: 48 8b 53 08 mov 0x8(%rbx),%rdx
7: 49 39 d5 cmp %rdx,%r13
a: 73 32 jae 0x3e
c: 49 8d 46 08 lea 0x8(%r14),%rax
10: 41 b4 01 mov $0x1,%r12b
13: 45 38 fc cmp %r15b,%r12b
[ 85.011432][ T5293] RSP: 0018:ffffb56182fffd88 EFLAGS: 00010246
[ 85.011917][ T5293] RAX: 0000000000000000 RBX: ffffb56182fffe80 RCX: 0000000000000000
[ 85.012541][ T5293] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 85.013167][ T5293] RBP: ffffb56182fffdf0 R08: 0000000000000000 R09: 0000000000000000
[ 85.013806][ T5293] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000fff
[ 85.014420][ T5293] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 85.015039][ T5293] FS: 00007f93d413a740(0000) GS:ffff922b1356c000(0000) knlGS:0000000000000000
[ 85.015721][ T5293] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 85.016227][ T5293] CR2: 0000000000000000 CR3: 000000016d4f8000 CR4: 00000000000406b0
[ 85.016837][ T5293] DR0: 00007f93d220d000 DR1: 0000000000000000 DR2: 0000000000000000
[ 85.017464][ T5293] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
[ 85.018096][ T5293] Call Trace:
[ 85.018359][ T5293] <TASK>
[ 85.018588][ T5293] ? mmap_write_lock (include/linux/seqlock.h:431 include/linux/mmap_lock.h:87 include/linux/mmap_lock.h:357)
[ 85.018970][ T5293] mas_state_walk (lib/maple_tree.c:3630)
[ 85.019311][ T5293] mas_walk (lib/maple_tree.c:279 lib/maple_tree.c:4937)
[ 85.019619][ T5293] mas_find (lib/maple_tree.c:5990 lib/maple_tree.c:6044)
[ 85.019967][ T5293] vma_find (include/linux/mm.h:856)
[ 85.020288][ T5293] __do_sys_set_mempolicy_home_node (mm/mempolicy.c:1723)
[ 85.020764][ T5293] __x64_sys_set_mempolicy_home_node (mm/mempolicy.c:1688)
[ 85.021229][ T5293] x64_sys_call (kbuild/obj/consumer/x86_64-randconfig-008-20250618/./arch/x86/include/generated/asm/syscalls_64.h:451)
[ 85.021592][ T5293] do_syscall_64 (arch/x86/entry/syscall_64.c:96)
[ 85.021973][ T5293] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 85.022454][ T5293] RIP: 0033:0x7f93d423e719
[ 85.022822][ T5293] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48
All code
========
0: 08 89 e8 5b 5d c3 or %cl,-0x3ca2a418(%rcx)
6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
d: 00 00 00
10: 90 nop
11: 48 89 f8 mov %rdi,%rax
14: 48 89 f7 mov %rsi,%rdi
17: 48 89 d6 mov %rdx,%rsi
1a: 48 89 ca mov %rcx,%rdx
1d: 4d 89 c2 mov %r8,%r10
20: 4d 89 c8 mov %r9,%r8
23: 4c 8b 4c 24 08 mov 0x8(%rsp),%r9
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 73 01 jae 0x33
32: c3 ret
33: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06f1
3a: f7 d8 neg %eax
3c: 64 89 01 mov %eax,%fs:(%rcx)
3f: 48 rex.W
Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 73 01 jae 0x9
8: c3 ret
9: 48 8b 0d b7 06 0d 00 mov 0xd06b7(%rip),%rcx # 0xd06c7
10: f7 d8 neg %eax
12: 64 89 01 mov %eax,%fs:(%rcx)
15: 48 rex.W
[ 85.024289][ T5293] RSP: 002b:00007ffd10d04c48 EFLAGS: 00000246 ORIG_RAX: 00000000000001c2
[ 85.024897][ T5293] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f93d423e719
[ 85.025466][ T5293] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000
[ 85.026060][ T5293] RBP: 00007f93d2b43058 R08: 0000000000000001 R09: 0000000000002000
[ 85.026652][ T5293] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000001c2
[ 85.027238][ T5293] R13: 00007f93d413a6c0 R14: 00007f93d2b43058 R15: 00007f93d2b43000
[ 85.027870][ T5293] </TASK>
[ 85.028106][ T5293] Modules linked in: polyval_clmulni ghash_clmulni_intel sha512_ssse3 sha1_ssse3 crypto_hash aesni_intel gf128mul libaes aead crypto_skcipher cryptomgr crypto_algapi crypto evdev qemu_fw_cfg
[ 85.029570][ T5293] CR2: 0000000000000000
[ 85.030009][ T5293] ---[ end trace 0000000000000000 ]---
[ 85.037300][ T5293] RIP: 0010:mtree_range_walk (lib/maple_tree.c:2773)
[ 85.037762][ T5293] Code: 89 45 a0 e8 4d d8 86 ff 48 8b 45 a0 48 39 45 c0 74 18 49 83 fc 03 76 0f 4c 89 e6 48 c7 c7 a0 8d 3e 9c e8 c2 85 b1 ff 45 89 ef <4d> 8b 2e 48 8b 53 08 49 39 d5 73 32 49 8d 46 08 41 b4 01 45 38 fc
The kernel config and materials to reproduce are available at:
https://download.01.org/0day-ci/archive/20250619/202506191556.6bfc7b93-lkp@intel.com
--
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki