* [perf] fuzzer triggers "BUG: kernel NULL pointer dereference"
@ 2025-07-08 14:44 Vince Weaver
From: Vince Weaver @ 2025-07-08 14:44 UTC (permalink / raw)
To: linux-kernel, linux-perf-users
Cc: Liang, Kan, Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter
Hello,
The perf_fuzzer can reliably trigger this on a 6.16-rc2 kernel. It
doesn't look obviously perf related but since the perf_fuzzer triggered it
I thought I'd report it as a perf issue first. I can work on a smaller
test case but that might take a bit, especially as the machine locks up
super hard and requires being unplugged after it's triggered.
Let me know if there's any other info I can provide. The dump below is
transcribed from a screenshot as I still haven't figured out a way to get
a serial console on this Raptorlake system.
BUG: kernel NULL pointer dereference, address: 0000000000000008
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc2+ #8 PREEMPT (voluntary)
Hardware name: Dell Inc. Precision 3660/0VJ7G2
RIP: 0010:rb_insert_color+0x18/0x130
Code: 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 07
RSP: 0018:ffffb5e5c01e3df8 EFLAGS: 00010046
RAX: ffff93f1927f8168 .....
...
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000008 CR3: 00000000596824001 CR4: 000000000000f72ef0
DR0: 00000000a000001 ....
PKRU: 55555554
Call Trace:
<TASK>
timerqueue_add+0x66/0xb0
hrtimer_start_range_ns+0x102/0x420
? next_zone+0x42/0x70
tick_nohz_stop_tick+0xce/0x230
tick_nohz_idle_stop_tick+0x70/0xd0
do_idle+0x1d3/240
cpu_startup_entry+0x29/0x30
start_secondary+0x119/0x140
common_startup_64+0x13e/0x141
</TASK>
* Re: [perf] fuzzer triggers "BUG: kernel NULL pointer dereference"
From: Vince Weaver @ 2025-07-21 21:17 UTC (permalink / raw)
To: Vince Weaver
Cc: linux-kernel, linux-perf-users, Liang, Kan, Peter Zijlstra,
Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter,
Dapeng Mi
I'm still tracking this fuzzer issue. The fuzzer can reliably trigger the
crash but only 32000 syscalls deep into a run and I am having a lot of
trouble trying to gather a trace/testcase that can generate it.
I was hoping the recent
[PATCH] perf/x86: Check if cpuc->events[*] pointer exists before accessing it
patch might fix things as the symptoms were vaguely similar but that
particular patch does not fix the problem.
Vince
* Re: [perf] fuzzer triggers "BUG: kernel NULL pointer dereference"
From: Mi, Dapeng @ 2025-07-29 9:23 UTC (permalink / raw)
To: Vince Weaver
Cc: linux-kernel, linux-perf-users, Liang, Kan, Peter Zijlstra,
Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter
Hi Vince,
Could you please provide more information about this issue, such as the HW
information, how long it takes to reproduce the issue, and whether the issue can
be seen in the latest kernel (6.16)? Thanks.
--
Dapeng Mi
* Re: [perf] fuzzer triggers "BUG: kernel NULL pointer dereference"
From: Vince Weaver @ 2025-07-29 16:50 UTC (permalink / raw)
To: Mi, Dapeng
Cc: Vince Weaver, linux-kernel, linux-perf-users, Liang, Kan,
Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter
On Tue, 29 Jul 2025, Mi, Dapeng wrote:
> Could you please provide more information about this issue? Like HW
> information, how long can the issue be produced and whether the issue can
> be seen in latest kernel (6.16)? Thanks.
I just reproduced this with current git (6.16.0+).
This is on a RaptorLake system.
I can reproduce this issue with the perf_fuzzer but it is possibly timing
sensitive and so if I enable fuzzer trace logging to try to make a
reproducible test case it won't trigger anymore.
The system locks up extremely hard and so I can't really get the panic
message besides taking a picture of the screen.
I can try enabling KASAN to see if that helps get better debug messages.
Vince
* Re: [perf] fuzzer triggers "BUG: kernel NULL pointer dereference"
From: Vince Weaver @ 2025-07-29 18:06 UTC (permalink / raw)
To: Vince Weaver
Cc: Mi, Dapeng, linux-kernel, linux-perf-users, Liang, Kan,
Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
Namhyung Kim, Mark Rutland, Alexander Shishkin, Jiri Olsa,
Ian Rogers, Adrian Hunter
On Tue, 29 Jul 2025, Vince Weaver wrote:
> This is on a RaptorLake system.
>
> I can reproduce this issue with the perf_fuzzer but it is possibly timing
> sensitive and so if I enable fuzzer trace logging to try to make a
> reproducible test case it won't trigger anymore.
>
> The system locks up extremely hard and so I can't really get the panic
> message besides taking a picture of the screen.
>
> I can try enabling KASAN to see if that helps get better debug messages.
I managed to get KASAN to trigger the issue without crashing the system,
not sure if this helps at all:
[ 115.636383] ==================================================================
[ 115.636432] BUG: KASAN: slab-use-after-free in rb_erase+0xd25/0x1370
[ 115.636467] Read of size 8 at addr ffff8881151dc0b8 by task swapper/5/0
[ 115.636508] CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0+ #13 PREEMPT(voluntary)
[ 115.636517] Hardware name: Dell Inc. Precision 3660/0VJ7G2, BIOS 2.17.0 08/09/2024
[ 115.636520] Call Trace:
[ 115.636524] <TASK>
[ 115.636528] dump_stack_lvl+0x64/0x80
[ 115.636536] print_report+0xce/0x650
[ 115.636547] ? rb_erase+0xd25/0x1370
[ 115.636552] kasan_report+0xce/0x100
[ 115.636559] ? rb_erase+0xd25/0x1370
[ 115.636565] rb_erase+0xd25/0x1370
[ 115.636570] ? __tmigr_cpu_activate+0x13d/0x310
[ 115.636578] timerqueue_del+0x68/0x120
[ 115.636585] __remove_hrtimer+0x84/0x200
[ 115.636592] hrtimer_try_to_cancel+0x19c/0x350
[ 115.636597] hrtimer_cancel+0x15/0x30
[ 115.636602] tick_nohz_restart_sched_tick+0x5b/0x210
[ 115.636609] tick_nohz_idle_exit+0xfc/0x180
[ 115.636615] do_idle+0x258/0x410
[ 115.636623] ? __pfx_do_idle+0x10/0x10
[ 115.636631] ? do_idle+0x2c1/0x410
[ 115.636638] cpu_startup_entry+0x54/0x60
[ 115.636645] start_secondary+0x20f/0x290
[ 115.636654] ? __pfx_start_secondary+0x10/0x10
[ 115.636661] common_startup_64+0x13e/0x141
[ 115.636671] </TASK>
[ 115.637037] Allocated by task 1091:
[ 115.637054] kasan_save_stack+0x33/0x60
[ 115.637062] kasan_save_track+0x14/0x30
[ 115.637069] __kasan_slab_alloc+0x89/0x90
[ 115.637076] kmem_cache_alloc_node_noprof+0x136/0x450
[ 115.637086] perf_event_alloc+0x100/0x41e0
[ 115.637093] __do_sys_perf_event_open+0x39b/0x1c30
[ 115.637098] do_syscall_64+0x82/0x2f0
[ 115.637105] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 115.637121] Freed by task 0:
[ 115.637136] kasan_save_stack+0x33/0x60
[ 115.637143] kasan_save_track+0x14/0x30
[ 115.637149] kasan_save_free_info+0x3b/0x60
[ 115.637155] __kasan_slab_free+0x51/0x70
[ 115.637162] kmem_cache_free+0x2f2/0x540
[ 115.637167] rcu_do_batch+0x39a/0xe00
[ 115.637174] rcu_core+0x3f0/0xb10
[ 115.637180] handle_softirqs+0x1bf/0x5d0
[ 115.637188] __irq_exit_rcu+0x14e/0x1a0
[ 115.637193] sysvec_apic_timer_interrupt+0x72/0x90
[ 115.637201] asm_sysvec_apic_timer_interrupt+0x1a/0x20
[ 115.637216] Last potentially related work creation:
[ 115.637235] kasan_save_stack+0x33/0x60
[ 115.637242] kasan_record_aux_stack+0xa7/0xc0
[ 115.637248] __call_rcu_common.constprop.0+0xc8/0x1160
[ 115.637255] perf_event_release_kernel+0x2f6/0x400
[ 115.637262] perf_release+0x31/0x50
[ 115.637270] __fput+0x35b/0xac0
[ 115.637276] task_work_run+0x11a/0x1f0
[ 115.637282] do_exit+0x6c6/0x2400
[ 115.637289] do_group_exit+0xac/0x230
[ 115.637297] get_signal+0x1cbc/0x1e40
[ 115.637304] arch_do_signal_or_restart+0x8d/0x5e0
[ 115.637312] irqentry_exit_to_user_mode+0x12c/0x1f0
[ 115.637319] asm_sysvec_reschedule_ipi+0x1a/0x20
[ 115.637334] The buggy address belongs to the object at ffff8881151dbf40
which belongs to the cache perf_event of size 1344
[ 115.637376] The buggy address is located 376 bytes inside of
freed 1344-byte region [ffff8881151dbf40, ffff8881151dc480)
[ 115.637428] The buggy address belongs to the physical page:
[ 115.637450] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1151d8
[ 115.637457] head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 115.637461] flags: 0x17ffffc0000040(head|node=0|zone=2|lastcpupid=0x1fffff)
[ 115.637470] page_type: f5(slab)
[ 115.637477] raw: 0017ffffc0000040 ffff88810004b040 dead000000000122 0000000000000000
[ 115.637483] raw: 0000000000000000 0000000000160016 00000000f5000000 0000000000000000
[ 115.637488] head: 0017ffffc0000040 ffff88810004b040 dead000000000122 0000000000000000
[ 115.637492] head: 0000000000000000 0000000000160016 00000000f5000000 0000000000000000
[ 115.637497] head: 0017ffffc0000003 ffffea0004547601 00000000ffffffff 00000000ffffffff
[ 115.637501] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
[ 115.637504] page dumped because: kasan: bad access detected
[ 115.637517] Memory state around the buggy address:
[ 115.637537] ffff8881151dbf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.637564] ffff8881151dc000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.637590] >ffff8881151dc080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.637615] ^
[ 115.637636] ffff8881151dc100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.637661] ffff8881151dc180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.637687] ==================================================================
[ 115.637712] Disabling lock debugging due to kernel taint
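The KASAN report above already contains the facts that decide triage: the bug class, the function that touched freed memory, the slab cache the object came from, where inside the object the access landed, and the allocation and free paths. The script below is an added example, not code from the thread or from the kernel; it parses a constructed excerpt of that report (timestamps and a few frames kept verbatim) and recomputes the access offset from the two addresses, checking it against the 376 bytes KASAN printed.

```python
"""Triage helper for a KASAN slab-use-after-free report (added example)."""
import re

# Constructed excerpt of the report from the thread, trimmed to the lines
# this parser reads.  Frames prefixed with "? " are unreliable guesses from
# the unwinder and are skipped on purpose.
SAMPLE_REPORT = """\
[  115.636432] BUG: KASAN: slab-use-after-free in rb_erase+0xd25/0x1370
[  115.636467] Read of size 8 at addr ffff8881151dc0b8 by task swapper/5/0
[  115.636520] Call Trace:
[  115.636524]  <TASK>
[  115.636559]  ? rb_erase+0xd25/0x1370
[  115.636565]  rb_erase+0xd25/0x1370
[  115.636578]  timerqueue_del+0x68/0x120
[  115.636585]  __remove_hrtimer+0x84/0x200
[  115.636671]  </TASK>
[  115.637037] Allocated by task 1091:
[  115.637086]  perf_event_alloc+0x100/0x41e0
[  115.637093]  __do_sys_perf_event_open+0x39b/0x1c30
[  115.637121] Freed by task 0:
[  115.637162]  kmem_cache_free+0x2f2/0x540
[  115.637167]  rcu_do_batch+0x39a/0xe00
[  115.637334] The buggy address belongs to the object at ffff8881151dbf40
                which belongs to the cache perf_event of size 1344
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")
FRAME = re.compile(r"^(\w[\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")


def parse_kasan_report(text):
    """Return a dict with bug class, faulting function, access, object and
    the stacks of the access, the allocation and the free."""
    info = {"stacks": {}}
    section = None  # which stack the following frame lines belong to
    for raw in text.splitlines():
        ln = TIMESTAMP.sub("", raw).strip()
        m = re.match(r"BUG: KASAN: (\S+) in (\w+)\+0x", ln)
        if m:
            info["bug"], info["func"] = m.group(1), m.group(2)
            continue
        m = re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", ln)
        if m:
            info["access"], info["size"] = m.group(1).lower(), int(m.group(2))
            info["addr"], info["task"] = int(m.group(3), 16), m.group(4)
            continue
        m = re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln)
        if m:
            info["obj_start"] = int(m.group(1), 16)
            continue
        m = re.match(r"which belongs to the cache (\S+) of size (\d+)", ln)
        if m:
            info["cache"], info["obj_size"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"(Allocated|Freed) by task \d+:", ln)
        if ln == "Call Trace:" or m:
            section = "access" if m is None else m.group(1).lower()
            info["stacks"][section] = []
            continue
        m = FRAME.match(ln)
        if m and section is not None:
            info["stacks"][section].append(m.group(1))
    return info


def access_offset(info):
    """Offset of the bad access inside the freed object; sanity-checks that
    the address really lies inside [obj_start, obj_start + obj_size)."""
    off = info["addr"] - info["obj_start"]
    if not 0 <= off < info["obj_size"]:
        raise ValueError("access address is outside the reported object")
    return off


def summarize(info):
    """One-line triage summary in the order a reviewer reads it."""
    return ("%s: %s of %d bytes in %s() at offset %d of a %d-byte '%s' object "
            "(allocated via %s, freed via %s)" % (
                info["bug"], info["access"], info["size"], info["func"],
                access_offset(info), info["obj_size"], info["cache"],
                " <- ".join(info["stacks"]["allocated"][:2]),
                " <- ".join(info["stacks"]["freed"][:2])))


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_REPORT)))
```

The recomputed offset (0xffff8881151dc0b8 minus 0xffff8881151dbf40 = 0x178 = 376) matches what KASAN printed, which is a quick way to catch a mistranscribed address before reasoning about the struct layout.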
* Re: [perf] fuzzer triggers "BUG: kernel NULL pointer dereference"
From: Mi, Dapeng @ 2025-07-30 1:54 UTC (permalink / raw)
To: Vince Weaver
Cc: linux-kernel, linux-perf-users, Liang, Kan, Peter Zijlstra,
Ingo Molnar, Arnaldo Carvalho de Melo, Namhyung Kim, Mark Rutland,
Alexander Shishkin, Jiri Olsa, Ian Rogers, Adrian Hunter
Thanks for the information. I will look at the issue.