From: "Mi, Dapeng" <dapeng1.mi@linux.intel.com>
To: Vince Weaver <vincent.weaver@maine.edu>
Cc: linux-kernel@vger.kernel.org, linux-perf-users@vger.kernel.org,
	"Liang, Kan" <kan.liang@linux.intel.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Namhyung Kim <namhyung@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jiri Olsa <jolsa@kernel.org>, Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>
Subject: Re: [perf] fuzzer triggers "BUG: kernel NULL pointer dereference"
Date: Tue, 29 Jul 2025 17:23:32 +0800
Message-ID: <db7043a4-f815-4178-8d81-2da1dda6236e@linux.intel.com>
In-Reply-To: <fdcdd5a7-76b5-6c52-63dc-95fadddf7772@maine.edu>

Hi Vince,

Could you please provide more information about this issue, such as the HW
information, how long it takes for the issue to be reproduced, and whether the
issue can be seen in the latest kernel (6.16)? Thanks.

--

Dapeng Mi

On 7/22/2025 5:17 AM, Vince Weaver wrote:
> I'm still tracking this fuzzer issue.  The fuzzer can reliably trigger the 
> crash but only 32000 syscalls deep into a run and I am having a lot of 
> trouble trying to gather a trace/testcase that can generate it.
>
> I was hoping the recent
> 	[PATCH] perf/x86: Check if cpuc->events[*] pointer exists before accessing it
> patch might fix things as the symptoms were vaguely similar but that 
> particular patch does not fix the problem.
>
> Vince
>
> On Tue, 8 Jul 2025, Vince Weaver wrote:
>
>> Hello
>>
>> the perf_fuzzer can reliably trigger this on a 6.16-rc2 kernel.  It 
>> doesn't look obviously perf related but since the perf_fuzzer triggered it 
>> I thought I'd report it as a perf issue first.  I can work on a smaller 
>> test case but that might take a bit especially as the machine locks up 
>> super hard and requires being unplugged after it's triggered.
>>
>> let me know if there's any other info I can provide.  The dump below is 
>> transcribed from a screenshot as I still haven't figured out a way to get 
>> a serial console on this Raptorlake system.
>>
>> BUG: kernel NULL pointer dereference, address: 0000000000000008
>> #PF: supervisor read access in kernel mode
>> #PF: error_code(0x0000) - not-present page
>> PGD 0 P4D 0
>> Oops: Oops: 0000 [#1] SMP NOPTI
>> CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc2+ #8 PREEMPT (voluntary)
>> Hardware name: Dell Inc. Precision 3660/0VJ7G2
>> RIP: 0010:rb_insert_color+0x18/0x130
>> Code: 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 07
>> RSP: 0018:ffffb5e5c01e3df8 EFLAGS: 00010046
>> RAX: ffff93f1927f8168 .....
>> ...
>> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> CR2: 000000000000008 CR3: 00000000596824001 CR4: 000000000000f72ef0
>> DR0: 00000000a000001 ....
>> PKRU: 55555554
>> Call Trace:
>>  <TASK>
>>  timerqueue_add+0x66/0xb0
>>  hrtimer_start_range_ns+0x102/0x420
>>  ? next_zone+0x42/0x70
>>  tick_nohz_stop_tick+0xce/0x230
>>  tick_nohz_idle_stop_tick+0x70/0xd0
>>  do_idle+0x1d3/240
>>  cpu_startup_entry+0x29/0x30
>>  start_secondary+0x119/0x140
>>  common_startup_64+0x13e/0x141
>>  </TASK>
>>
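As an added triage aid (not part of this thread, and not kernel code): a Python parser for the transcribed oops above that validates each frame's `symbol+0xoff/0xsize` form, flags transcription slips such as `do_idle+0x1d3/240`, and emits the arguments that `scripts/faddr2line` takes so the frames can be resolved to source lines against a matching vmlinux. The sample text is copied from the quoted report; faddr2line itself is not run here.

```python
import re

# Oops lines copied from the report quoted in this thread; the reporter
# transcribed them from a screenshot, so transcription slips are possible.
OOPS_TEXT = """\
RIP: 0010:rb_insert_color+0x18/0x130
Call Trace:
 <TASK>
 timerqueue_add+0x66/0xb0
 hrtimer_start_range_ns+0x102/0x420
 ? next_zone+0x42/0x70
 tick_nohz_stop_tick+0xce/0x230
 tick_nohz_idle_stop_tick+0x70/0xd0
 do_idle+0x1d3/240
 cpu_startup_entry+0x29/0x30
 start_secondary+0x119/0x140
 common_startup_64+0x13e/0x141
 </TASK>
"""

# Strict frame: [RIP: cs:] [? ]symbol+0xOFF/0xSIZE ("? " marks an unreliable frame).
STRICT = re.compile(r"^\s*(?:RIP:\s*[0-9a-f]{4}:)?(\?\s+)?([A-Za-z_][\w.]*)\+(0x[0-9a-f]+)/(0x[0-9a-f]+)\s*$")
# Loose frame: same shape, any offset/size text; used only to report malformed frames.
LOOSE = re.compile(r"^\s*(?:RIP:\s*[0-9a-f]{4}:)?(\?\s+)?([A-Za-z_][\w.]*)\+(\S+)/(\S+)\s*$")
SKIP = {"", "Call Trace:", "<TASK>", "</TASK>"}

def parse_oops(text):
    """Return (frames, problems): well-formed frames, plus lines to re-check against the screenshot."""
    frames, problems = [], []
    for line in text.splitlines():
        if line.strip() in SKIP:
            continue
        m = STRICT.match(line)
        if m:
            off, size = int(m.group(3), 16), int(m.group(4), 16)
            frames.append({"sym": m.group(2), "off": off, "size": size,
                           "unreliable": m.group(1) is not None})
            if off >= size:  # an offset past the end of the function is a typo
                problems.append(f"{m.group(2)}: offset {off:#x} >= size {size:#x}")
        elif (lm := LOOSE.match(line)):
            problems.append(f"{lm.group(2)}: malformed offset/size {lm.group(3)}/{lm.group(4)}")
        else:
            problems.append(f"unrecognised line: {line.strip()!r}")
    return frames, problems

def faddr2line_args(frames, reliable_only=True):
    """Frames in the func+0xoff/0xsize form that scripts/faddr2line takes."""
    return [f"{f['sym']}+{f['off']:#x}/{f['size']:#x}"
            for f in frames if not (reliable_only and f["unreliable"])]
```

Run `scripts/faddr2line vmlinux <args>` with the emitted arguments against a vmlinux built from the same tree and config as the crashing kernel; only the flagged `do_idle` frame needs its size re-read from the screenshot first.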


Thread overview: 6+ messages
2025-07-08 14:44 [perf] fuzzer triggers "BUG: kernel NULL pointer dereference" Vince Weaver
2025-07-21 21:17 ` Vince Weaver
2025-07-29  9:23   ` Mi, Dapeng [this message]
2025-07-29 16:50     ` Vince Weaver
2025-07-29 18:06       ` Vince Weaver
2025-07-30  1:54         ` Mi, Dapeng
