[next-20251219]powerpc/pSeries: NULL deref in __dev_xmit_skb()

[next-20251219]powerpc/pSeries: NULL deref in __dev_xmit_skb()

[Venkat Rao Bagalkote]

Greetings!!!


IBM CI has reported a below crash. This occurs, in the TX path while 
sending data over TCP. e.g., cloning the linux repo or running iperf3 tool.


Environment
-----------
- Platform: IBM,9080-HEX Power11 (architected), HV: phyp (pSeries)
- Firmware: FW1110.01 (NH1110_069)
- Kernel: v6.19-rc3 (Linus master)
- Config: LE, PAGE_SIZE=64K, MMU=Radix, SMP NR_CPUS=8192, NUMA pSeries
- Workload: sustained TCP send from sshd


Traces:


[ 2480.578185] BUG: Kernel NULL pointer dereference on read at 0x00000000
[ 2480.578189] Faulting instruction address: 0xc000000000f92830
[ 2480.578192] Oops: Kernel access of bad area, sig: 11 [#1]
[ 2480.578195] LE PAGE_SIZE=64K MMU=Radix  SMP NR_CPUS=8192 NUMA pSeries
[ 2480.578200] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 
nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct 
nft_chain_nat nf_nat nf_conntrack bonding nf_defrag_ipv6 nf_defrag_ipv4 
tls rfkill ip_set nf_tables nfnetlink kmem device_dax pseries_rng 
vmx_crypto dax_pmem fuse ext4 crc16 mbcache jbd2 sd_mod nd_pmem sg 
papr_scm libnvdimm ibmvscsi ibmveth scsi_transport_srp pseries_wdt
[ 2480.578234] CPU: 31 UID: 0 PID: 1895 Comm: sshd Kdump: loaded Not 
tainted 6.19.0-rc1-next-20251219 #1 VOLUNTARY
[ 2480.578239] Hardware name: IBM,9080-HEX Power11 (architected) 
0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries
[ 2480.578243] NIP:  c000000000f92830 LR: c000000000f92830 CTR: 
c00000000002852c
[ 2480.578246] REGS: c000000071d3f0c0 TRAP: 0300   Not tainted 
(6.19.0-rc1-next-20251219)
[ 2480.578250] MSR:  8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 
28822448  XER: 00000000
[ 2480.578259] CFAR: c000000000f84354 DAR: 0000000000000000 DSISR: 
40000000 IRQMASK: 0
[ 2480.578259] GPR00: c000000000f92830 c000000071d3f360 c0000000019b8100 
0000000000000000
[ 2480.578259] GPR04: c00000001959fa68 c00000001959fa68 00000000000d19e0 
0000000002000000
[ 2480.578259] GPR08: 0000000000000000 0000000000000000 0000000000000000 
0000000000000001
[ 2480.578259] GPR12: c00000000002852c c000000efde71b00 0000000000000040 
0000000000000001
[ 2480.578259] GPR16: c0000000a34af1a8 0000000082037405 000000000000005c 
00000000000004df
[ 2480.578259] GPR20: 0000000000000001 0000000000000001 c0000000a34af190 
c00000001959f914
[ 2480.578259] GPR24: c00000001959f918 0000000000000000 0000000000000001 
0000000000000000
[ 2480.578259] GPR28: c00000007ad9e400 0000000000000000 0000000000000000 
c00000001959f800
[ 2480.578298] NIP [c000000000f92830] __dev_xmit_skb+0x49c/0xc3c
[ 2480.578306] LR [c000000000f92830] __dev_xmit_skb+0x49c/0xc3c
[ 2480.578310] Call Trace:
[ 2480.578312] [c000000071d3f360] [c000000000f92830] 
__dev_xmit_skb+0x49c/0xc3c (unreliable)
[ 2480.578318] [c000000071d3f3e0] [c000000000f98294] 
__dev_queue_xmit+0x484/0xaa8
[ 2480.578323] [c000000071d3f540] [c0000000010a46d8] 
neigh_hh_output+0xbc/0x154
[ 2480.578329] [c000000071d3f590] [c0000000010a5454] 
ip_finish_output2+0x274/0x5e8
[ 2480.578333] [c000000071d3f630] [c0000000010a6a64] ip_output+0x74/0x12c
[ 2480.578338] [c000000071d3f6b0] [c0000000010a8524] 
__ip_queue_xmit+0x1b0/0x500
[ 2480.578342] [c000000071d3f720] [c0000000010d9a1c] 
__tcp_transmit_skb+0x53c/0xab8
[ 2480.578347] [c000000071d3f810] [c0000000010dc18c] 
tcp_write_xmit+0x6a0/0xed4
[ 2480.578351] [c000000071d3f8c0] [c0000000010dca00] 
__tcp_push_pending_frames+0x40/0x148
[ 2480.578354] [c000000071d3f940] [c0000000010bb97c] tcp_push+0xfc/0x1d8
[ 2480.578358] [c000000071d3f990] [c0000000010bd060] 
tcp_sendmsg_locked+0xe18/0x1124
[ 2480.578363] [c000000071d3faa0] [c0000000010bd3b8] tcp_sendmsg+0x4c/0x80
[ 2480.578366] [c000000071d3fae0] [c000000001117988] inet_sendmsg+0x60/0xac
[ 2480.578370] [c000000071d3fb20] [c000000000f506f8] 
sock_write_iter+0x1ac/0x1f4
[ 2480.578376] [c000000071d3fbd0] [c000000000759874] vfs_write+0x2a4/0x514
[ 2480.578381] [c000000071d3fc80] [c000000000759d44] ksys_write+0x104/0x144
[ 2480.578386] [c000000071d3fcd0] [c000000000030ec4] 
system_call_exception+0x144/0x2e0
[ 2480.578390] [c000000071d3fe50] [c00000000000d05c] 
system_call_vectored_common+0x15c/0x2ec
[ 2480.578396] ---- interrupt: 3000 at 0x7fff88333e74
[ 2480.578400] NIP:  00007fff88333e74 LR: 00007fff88333e74 CTR: 
0000000000000000
[ 2480.578403] REGS: c000000071d3fe80 TRAP: 3000   Not tainted 
(6.19.0-rc1-next-20251219)
[ 2480.578406] MSR:  800000000280f033 
<SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 48002444  XER: 00000000
[ 2480.578415] IRQMASK: 0
[ 2480.578415] GPR00: 0000000000000004 00007ffff7c1d100 00000001350e7e00 
0000000000000004
[ 2480.578415] GPR04: 000000016c125cc0 000000000000005c 0000000000000726 
000000000000703e
[ 2480.578415] GPR08: 0000000000000000 0000000000000000 0000000000000000 
0000000000000000
[ 2480.578415] GPR12: 0000000000000000 00007fff89094640 00000001350b5320 
00000001350b51a8
[ 2480.578415] GPR16: 0000000135083f58 00000001350b5348 0000000000000050 
000000016c128fb0
[ 2480.578415] GPR20: 0000000000000008 00007ffff7c1d2d8 0000000000000004 
00000001350b4fd0
[ 2480.578415] GPR24: 00007ffff7c1d358 000000000000000c 0000000000000001 
000000016c174c00
[ 2480.578415] GPR28: 000000016c104ff0 0000000000000004 000000000000005c 
000000016c1231c0
[ 2480.578451] NIP [00007fff88333e74] 0x7fff88333e74
[ 2480.578453] LR [00007fff88333e74] 0x7fff88333e74
[ 2480.578456] ---- interrupt: 3000
[ 2480.578457] Code: 3b200000 4800002c 60000000 60000000 7c004a2c 
7fa3eb78 7f86e378 38a10020 7fe4fb78 fb3d0000 7fddf378 4bff1a95 
<ebdd0000> 2fbe0000 419e0008 7c00f22c
[ 2480.578470] ---[ end trace 0000000000000000 ]---


If you happen to fix this issue, please add below tag.


Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>


Regards,

Venkat.

Re: [next-20251219]powerpc/pSeries: NULL deref in __dev_xmit_skb()

[ALOK TIWARI]

On 1/2/2026 9:51 AM, Venkat Rao Bagalkote wrote:
> Greetings!!!
> 
> 
> IBM CI has reported a below crash. This occurs, in the TX path while 
> sending data over TCP. e.g., cloning the linux repo or running iperf3 tool.
> 
> 
> Environment
> -----------
> - Platform: IBM,9080-HEX Power11 (architected), HV: phyp (pSeries)
> - Firmware: FW1110.01 (NH1110_069)
> - Kernel: v6.19-rc3 (Linus master)
> - Config: LE, PAGE_SIZE=64K, MMU=Radix, SMP NR_CPUS=8192, NUMA pSeries
> - Workload: sustained TCP send from sshd
> 
> 
> Traces:
> 
> 
> [ 2480.578185] BUG: Kernel NULL pointer dereference on read at 0x00000000
> [ 2480.578189] Faulting instruction address: 0xc000000000f92830
> [ 2480.578192] Oops: Kernel access of bad area, sig: 11 [#1]
> [ 2480.578195] LE PAGE_SIZE=64K MMU=Radix  SMP NR_CPUS=8192 NUMA pSeries
> [ 2480.578200] Modules linked in: nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 
> nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct 
> nft_chain_nat nf_nat nf_conntrack bonding nf_defrag_ipv6 nf_defrag_ipv4 
> tls rfkill ip_set nf_tables nfnetlink kmem device_dax pseries_rng 
> vmx_crypto dax_pmem fuse ext4 crc16 mbcache jbd2 sd_mod nd_pmem sg 
> papr_scm libnvdimm ibmvscsi ibmveth scsi_transport_srp pseries_wdt
> [ 2480.578234] CPU: 31 UID: 0 PID: 1895 Comm: sshd Kdump: loaded Not 
> tainted 6.19.0-rc1-next-20251219 #1 VOLUNTARY
> [ 2480.578239] Hardware name: IBM,9080-HEX Power11 (architected) 
> 0x820200 0xf000007 of:IBM,FW1110.01 (NH1110_069) hv:phyp pSeries
> [ 2480.578243] NIP:  c000000000f92830 LR: c000000000f92830 CTR: 
> c00000000002852c
> [ 2480.578246] REGS: c000000071d3f0c0 TRAP: 0300   Not tainted (6.19.0- 
> rc1-next-20251219)


This looks like the same NULL pointer dereference in __dev_xmit_skb() 
fixed in v6.19-rc4 
(https://lore.kernel.org/all/20251230143959.325961-1-pabeni@redhat.com/).

https://lore.kernel.org/all/20251218081844.809008-1-edumazet@google.com/

https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c04de0c79534


Thanks,
Alok