From: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
To: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
David Miller <davem@davemloft.net>,
Paolo Abeni <pabeni@redhat.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
linuxppc-dev <linuxppc-dev@lists.ozlabs.org>,
Madhavan Srinivasan <maddy@linux.ibm.com>,
riteshh@linux.ibm.com
Subject: [next-20251219]powerpc/pSeries: NULL deref in __dev_xmit_skb()
Date: Fri, 2 Jan 2026 09:51:33 +0530 [thread overview]
Message-ID: <efde8090-bb33-4fdf-aa8a-38eef4ce8446@linux.ibm.com> (raw)
Greetings!!!
IBM CI has reported a below crash. This occurs, in the TX path while
sending data over TCP. e.g., cloning the linux repo or running iperf3 tool.
Environment
-----------
- Platform: IBM,9080-HEX Power11 (architected), HV: phyp (pSeries)
- Firmware: FW1110.01 (NH1110_069)
- Kernel: v6.19-rc3 (Linus master)
- Config: LE, PAGE_SIZE=64K, MMU=Radix, SMP NR_CPUS=8192, NUMA pSeries
- Workload: sustained TCP send from sshd
Traces:
[ 2480.578185] BUG: Kernel NULL pointer dereference on read at 0x00000000
[ 2480.578189] Faulting instruction address: 0xc000000000f92830
[ 2480.578192] Oops: Kernel access of bad area, sig: 11 [#1]
[ 2480.578195] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries
[ 2480.578200] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6
nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct
nft_chain_nat nf_nat nf_conntrack bonding nf_defrag_ipv6 nf_defrag_ipv4
tls rfkill ip_set nf_tables nfnetlink kmem device_dax pseries_rng
vmx_crypto dax_pmem fuse ext4 crc16 mbcache jbd2 sd_mod nd_pmem sg
papr_scm libnvdimm ibmvscsi ibmveth scsi_transport_srp pseries_wdt
[ 2480.578234] CPU: 31 UID: 0 PID: 1895 Comm: sshd Kdump: loaded Not
tainted 6.19.0-rc1-next-20251219 #1 VOLUNTARY
[ 2480.578239] Hardware name: IBM,9080-HEX Power11 (architected)
0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries
[ 2480.578243] NIP: c000000000f92830 LR: c000000000f92830 CTR:
c00000000002852c
[ 2480.578246] REGS: c000000071d3f0c0 TRAP: 0300 Not tainted
(6.19.0-rc1-next-20251219)
[ 2480.578250] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR:
28822448 XER: 00000000
[ 2480.578259] CFAR: c000000000f84354 DAR: 0000000000000000 DSISR:
40000000 IRQMASK: 0
[ 2480.578259] GPR00: c000000000f92830 c000000071d3f360 c0000000019b8100
0000000000000000
[ 2480.578259] GPR04: c00000001959fa68 c00000001959fa68 00000000000d19e0
0000000002000000
[ 2480.578259] GPR08: 0000000000000000 0000000000000000 0000000000000000
0000000000000001
[ 2480.578259] GPR12: c00000000002852c c000000efde71b00 0000000000000040
0000000000000001
[ 2480.578259] GPR16: c0000000a34af1a8 0000000082037405 000000000000005c
00000000000004df
[ 2480.578259] GPR20: 0000000000000001 0000000000000001 c0000000a34af190
c00000001959f914
[ 2480.578259] GPR24: c00000001959f918 0000000000000000 0000000000000001
0000000000000000
[ 2480.578259] GPR28: c00000007ad9e400 0000000000000000 0000000000000000
c00000001959f800
[ 2480.578298] NIP [c000000000f92830] __dev_xmit_skb+0x49c/0xc3c
[ 2480.578306] LR [c000000000f92830] __dev_xmit_skb+0x49c/0xc3c
[ 2480.578310] Call Trace:
[ 2480.578312] [c000000071d3f360] [c000000000f92830]
__dev_xmit_skb+0x49c/0xc3c (unreliable)
[ 2480.578318] [c000000071d3f3e0] [c000000000f98294]
__dev_queue_xmit+0x484/0xaa8
[ 2480.578323] [c000000071d3f540] [c0000000010a46d8]
neigh_hh_output+0xbc/0x154
[ 2480.578329] [c000000071d3f590] [c0000000010a5454]
ip_finish_output2+0x274/0x5e8
[ 2480.578333] [c000000071d3f630] [c0000000010a6a64] ip_output+0x74/0x12c
[ 2480.578338] [c000000071d3f6b0] [c0000000010a8524]
__ip_queue_xmit+0x1b0/0x500
[ 2480.578342] [c000000071d3f720] [c0000000010d9a1c]
__tcp_transmit_skb+0x53c/0xab8
[ 2480.578347] [c000000071d3f810] [c0000000010dc18c]
tcp_write_xmit+0x6a0/0xed4
[ 2480.578351] [c000000071d3f8c0] [c0000000010dca00]
__tcp_push_pending_frames+0x40/0x148
[ 2480.578354] [c000000071d3f940] [c0000000010bb97c] tcp_push+0xfc/0x1d8
[ 2480.578358] [c000000071d3f990] [c0000000010bd060]
tcp_sendmsg_locked+0xe18/0x1124
[ 2480.578363] [c000000071d3faa0] [c0000000010bd3b8] tcp_sendmsg+0x4c/0x80
[ 2480.578366] [c000000071d3fae0] [c000000001117988] inet_sendmsg+0x60/0xac
[ 2480.578370] [c000000071d3fb20] [c000000000f506f8]
sock_write_iter+0x1ac/0x1f4
[ 2480.578376] [c000000071d3fbd0] [c000000000759874] vfs_write+0x2a4/0x514
[ 2480.578381] [c000000071d3fc80] [c000000000759d44] ksys_write+0x104/0x144
[ 2480.578386] [c000000071d3fcd0] [c000000000030ec4]
system_call_exception+0x144/0x2e0
[ 2480.578390] [c000000071d3fe50] [c00000000000d05c]
system_call_vectored_common+0x15c/0x2ec
[ 2480.578396] ---- interrupt: 3000 at 0x7fff88333e74
[ 2480.578400] NIP: 00007fff88333e74 LR: 00007fff88333e74 CTR:
0000000000000000
[ 2480.578403] REGS: c000000071d3fe80 TRAP: 3000 Not tainted
(6.19.0-rc1-next-20251219)
[ 2480.578406] MSR: 800000000280f033
<SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE> CR: 48002444 XER: 00000000
[ 2480.578415] IRQMASK: 0
[ 2480.578415] GPR00: 0000000000000004 00007ffff7c1d100 00000001350e7e00
0000000000000004
[ 2480.578415] GPR04: 000000016c125cc0 000000000000005c 0000000000000726
000000000000703e
[ 2480.578415] GPR08: 0000000000000000 0000000000000000 0000000000000000
0000000000000000
[ 2480.578415] GPR12: 0000000000000000 00007fff89094640 00000001350b5320
00000001350b51a8
[ 2480.578415] GPR16: 0000000135083f58 00000001350b5348 0000000000000050
000000016c128fb0
[ 2480.578415] GPR20: 0000000000000008 00007ffff7c1d2d8 0000000000000004
00000001350b4fd0
[ 2480.578415] GPR24: 00007ffff7c1d358 000000000000000c 0000000000000001
000000016c174c00
[ 2480.578415] GPR28: 000000016c104ff0 0000000000000004 000000000000005c
000000016c1231c0
[ 2480.578451] NIP [00007fff88333e74] 0x7fff88333e74
[ 2480.578453] LR [00007fff88333e74] 0x7fff88333e74
[ 2480.578456] ---- interrupt: 3000
[ 2480.578457] Code: 3b200000 4800002c 60000000 60000000 7c004a2c
7fa3eb78 7f86e378 38a10020 7fe4fb78 fb3d0000 7fddf378 4bff1a95
<ebdd0000> 2fbe0000 419e0008 7c00f22c
[ 2480.578470] ---[ end trace 0000000000000000 ]---
If you happen to fix this issue, please add below tag.
Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Regards,
Venkat.
next reply other threads:[~2026-01-02 4:21 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-02 4:21 Venkat Rao Bagalkote [this message]
2026-01-02 5:53 ` [next-20251219]powerpc/pSeries: NULL deref in __dev_xmit_skb() ALOK TIWARI
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=efde8090-bb33-4fdf-aa8a-38eef4ce8446@linux.ibm.com \
--to=venkat88@linux.ibm.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=maddy@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=riteshh@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).