Hi Tejun, I ran into this bug on both 3.3.0-rc6-next-20120309 and 3.3.0-rc7-next-20120314. Vanilla kernel is fine. Attached is my kconfig. The trapping instruction loads 0x0(%r13), and R13 is 0 in all three register dumps below; per the cfq-iosched.s annotation this is the blkg->q load that follows the root_group NULL check. scripts/decodecode: [ 0.895765] Code: bc 24 70 07 00 00 e8 55 90 5b 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d cc 6b b1 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 13 d8 cb ff 85 All code ======== 0: bc 24 70 07 00 mov $0x77024,%esp 5: 00 e8 add %ch,%al 7: 55 push %rbp 8: 90 nop 9: 5b pop %rbx a: 00 48 8b add %cl,-0x75(%rax) d: 43 rex.XB e: 48 rex.W f: 48 85 c0 test %rax,%rax 12: 48 89 83 48 03 00 00 mov %rax,0x348(%rbx) 19: 74 07 je 0x22 1b: 4c 8b a8 10 ff ff ff mov -0xf0(%rax),%r13 22: 83 3d cc 6b b1 00 00 cmpl $0x0,0xb16bcc(%rip) # 0xb16bf5 29: 74 1c je 0x47 2b:* 49 8b 45 00 mov 0x0(%r13),%rax <-- trapping instruction 2f: 48 8b b8 70 07 00 00 mov 0x770(%rax),%rdi 36: 48 83 c7 18 add $0x18,%rdi 3a: e8 13 d8 cb ff callq 0xffffffffffcbd852 3f: 85 .byte 0x85 cfq-iosched.s: movl $1, 808(%rbx) #, MEM[(struct cfq_queue *)cfqd_195 + 624B].pid orq %rdx, %rax # tmp184, tmp185 movq %rax, 672(%rbx) # tmp185, MEM[(long unsigned int *)cfqd_195 + 672B] leaq 736(%rbx), %rax #, D.36977 movq %rax, 736(%rbx) # D.36977, MEM[(struct list_head *)cfqd_195 + 736B].next movq %rax, 744(%rbx) # D.36977, MEM[(struct list_head *)cfqd_195 + 736B].prev movl $1, 624(%rbx) #, cfqd_195->oom_cfqq.ref movq 1904(%r12), %rdi # q_3(D)->queue_lock, q_3(D)->queue_lock call _raw_spin_lock_irq # movq 72(%rbx), %rax # cfqd_195->root_group, D.32249 testq %rax, %rax # D.32249 movq %rax, 840(%rbx) # D.32249, MEM[(struct cfq_group * *)cfqd_195 + 840B] je .L112 #, movq -240(%rax), %r13 # MEM[(struct blkg_policy_data *)D.32249_23 + -240B].blkg, D.36985 .L112: cmpl $0, debug_locks(%rip) #, debug_locks je .L117 #, ==> movq 0(%r13), %rax # D.36985_144->q, D.36985_144->q movq 1904(%rax), %rdi # D.37004_146->queue_lock, D.37004_146->queue_lock addq $24, %rdi #, tmp189 call lock_is_held # testl %eax, %eax # D.37001 je .L114 #, 
.L117: cmpl $0, 176(%r13) #, D.36985_144->refcnt jg .L115 #, cmpb $1, __warned.29726(%rip) #, __warned je .L115 #, movl $296, %esi #, movq $.LC8, %rdi #, call warn_slowpath_null # movb $1, __warned.29726(%rip) #, __warned .L115: movl 176(%r13), %eax # D.36985_144->refcnt, D.36985_144->refcnt decl %eax # D.36990 testl %eax, %eax # D.36990 movl %eax, 176(%r13) # D.36990, D.36985_144->refcnt [ 0.845481] BUG: unable to handle kernel NULL pointer dereference at (null) [ 0.846338] IP: [] cfq_init_queue+0x254/0x3ee [ 0.846338] PGD 0 [ 0.846338] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [ 0.846338] CPU 0 [ 0.846338] Modules linked in: [ 0.846338] [ 0.846338] Pid: 1, comm: swapper/0 Not tainted 3.3.0-rc7-next-20120314 #1037 Bochs Bochs [ 0.846338] RIP: 0010:[] [] cfq_init_queue+0x254/0x3ee [ 0.846338] RSP: 0018:ffff88001dc27da0 EFLAGS: 00010002 [ 0.846338] RAX: ffff88001cfe7000 RBX: ffff88001cfe6c00 RCX: 8c6318c6318c6320 [ 0.846338] RDX: ffff88001f40de10 RSI: ffffffff81f2b558 RDI: 0000000000000046 [ 0.846338] RBP: ffff88001dc27dd0 R08: ffff88001dc27c1c R09: ffffffff8233aeb8 [ 0.846338] R10: ffff88001f40b000 R11: ffff88001dc406a0 R12: ffff88001cfc8000 [ 0.846338] R13: 0000000000000000 R14: 0000000000000010 R15: ffff88001cfe7040 [ 0.846338] FS: 0000000000000000(0000) GS:ffff88001f400000(0000) knlGS:0000000000000000 [ 0.846338] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 0.846338] CR2: 0000000000000000 CR3: 0000000001e99000 CR4: 00000000000006f0 [ 0.846338] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 0.846338] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 0.846338] Process swapper/0 (pid: 1, threadinfo ffff88001dc26000, task ffff88001dc40000) [ 0.846338] Stack: [ 0.846338] 00000000fffffff4 ffff88001cfc8000 ffffffff81f12700 00000000fffffff4 [ 0.846338] ffff88001cfe6800 0000000000000000 ffff88001dc27e00 ffffffff813d7b7f [ 0.846338] 00000000001d7150 ffff88001cfc8000 ffffffff81f2b540 ffffffff8151d090 [ 0.846338] Call Trace: [ 
0.846338] [] elevator_init+0xe4/0x11a [ 0.846338] [] ? lock_fdc.isra.22+0x10b/0x10b [ 0.846338] [] blk_init_allocated_queue+0x106/0x121 [ 0.846338] [] ? lock_fdc.isra.22+0x10b/0x10b [ 0.846338] [] blk_init_queue_node+0x3c/0x5c [ 0.846338] [] ? alloc_disk_node+0xc0/0xe2 [ 0.846338] [] blk_init_queue+0x11/0x13 [ 0.846338] [] floppy_init+0x78/0xdbd [ 0.846338] [] ? set_cmos+0x67/0x67 [ 0.846338] [] do_one_initcall+0x7f/0x140 [ 0.846338] [] kernel_init+0x11f/0x1a3 [ 0.846338] [] ? rdinit_setup+0x28/0x28 [ 0.846338] [] kernel_thread_helper+0x4/0x10 [ 0.846338] [] ? retint_restore_args+0x13/0x13 [ 0.846338] [] ? start_kernel+0x38f/0x38f [ 0.846338] [] ? gs_change+0x13/0x13 [ 0.846338] Code: bc 24 70 07 00 00 e8 55 1c 5c 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d 5c 4f b2 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 db da cb ff 85 [ 0.846338] RIP [] cfq_init_queue+0x254/0x3ee [ 0.846338] RSP [ 0.846338] CR2: 0000000000000000 [ 0.846338] ---[ end trace 5d580544713b781e ]--- [ 0.883287] BUG: unable to handle kernel NULL pointer dereference at (null) [ 0.884120] IP: [] cfq_init_queue+0x254/0x3ee [ 0.884120] PGD 0 [ 0.884120] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [ 0.884120] CPU 0 [ 0.884120] Modules linked in: [ 0.884120] [ 0.884120] Pid: 1, comm: swapper/0 Not tainted 3.3.0-rc7-next-20120314+ #1035 Bochs Bochs [ 0.884120] RIP: 0010:[] [] cfq_init_queue+0x254/0x3ee [ 0.884120] RSP: 0018:ffff88001dc27da0 EFLAGS: 00010002 [ 0.884120] RAX: ffff88001cfbf000 RBX: ffff88001cfbec00 RCX: 8c6318c6318c6320 [ 0.884120] RDX: ffff88001f40de10 RSI: ffffffff81f2b598 RDI: 0000000000000046 [ 0.884120] RBP: ffff88001dc27dd0 R08: ffff88001dc27c1c R09: ffffffff8233aeb8 [ 0.884120] R10: ffff88001f40b000 R11: ffff88001dc406a0 R12: ffff88001cff0000 [ 0.884120] R13: 0000000000000000 R14: 0000000000000010 R15: ffff88001cfbf040 [ 0.884120] FS: 0000000000000000(0000) GS:ffff88001f400000(0000) knlGS:0000000000000000 [ 0.884120] CS: 0010 DS: 0000 ES: 
0000 CR0: 000000008005003b [ 0.884120] CR2: 0000000000000000 CR3: 0000000001e99000 CR4: 00000000000006f0 [ 0.884120] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 0.884120] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 0.884120] Process swapper/0 (pid: 1, threadinfo ffff88001dc26000, task ffff88001dc40000) [ 0.884120] Stack: [ 0.884120] 00000000fffffff4 ffff88001cff0000 ffffffff81f12770 00000000fffffff4 [ 0.884120] ffff88001cfbe800 0000000000000000 ffff88001dc27e00 ffffffff813d7fdf [ 0.884120] 00000000001d7150 ffff88001cff0000 ffffffff81f2b580 ffffffff8151d4f0 [ 0.884120] Call Trace: [ 0.884120] [] elevator_init+0xe4/0x11a [ 0.884120] [] ? lock_fdc.isra.22+0x10b/0x10b [ 0.884120] [] blk_init_allocated_queue+0x106/0x121 [ 0.884120] [] ? lock_fdc.isra.22+0x10b/0x10b [ 0.884120] [] blk_init_queue_node+0x3c/0x5c [ 0.884120] [] ? alloc_disk_node+0xc0/0xe2 [ 0.884120] [] blk_init_queue+0x11/0x13 [ 0.884120] [] floppy_init+0x78/0xdbd [ 0.884120] [] ? set_cmos+0x67/0x67 [ 0.884120] [] do_one_initcall+0x7f/0x140 [ 0.884120] [] kernel_init+0x11f/0x1a3 [ 0.884120] [] ? rdinit_setup+0x28/0x28 [ 0.884120] [] kernel_thread_helper+0x4/0x10 [ 0.884120] [] ? retint_restore_args+0x13/0x13 [ 0.884120] [] ? start_kernel+0x38f/0x38f [ 0.884120] [] ? 
gs_change+0x13/0x13 [ 0.884120] Code: bc 24 70 07 00 00 e8 55 1c 5c 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d 6c 4b b2 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 7b d6 cb ff 85 [ 0.884120] RIP [] cfq_init_queue+0x254/0x3ee [ 0.884120] RSP [ 0.884120] CR2: 0000000000000000 [ 0.884120] ---[ end trace c8ab7eb772c499e5 ]--- [ 0.894949] BUG: unable to handle kernel NULL pointer dereference at (null) [ 0.895765] IP: [] cfq_init_queue+0x254/0x3ee [ 0.895765] PGD 0 [ 0.895765] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [ 0.895765] CPU 0 [ 0.895765] Modules linked in: [ 0.895765] [ 0.895765] Pid: 1, comm: swapper/0 Not tainted 3.3.0-rc6-next-20120309+ #1034 Bochs Bochs [ 0.895765] RIP: 0010:[] [] cfq_init_queue+0x254/0x3ee [ 0.895765] RSP: 0018:ffff88001dc27da0 EFLAGS: 00010002 [ 0.895765] RAX: ffff88001c80b000 RBX: ffff88001c80ac00 RCX: 8c6318c6318c6320 [ 0.895765] RDX: ffff88001f40dc10 RSI: ffffffff81f1d478 RDI: 0000000000000046 [ 0.895765] RBP: ffff88001dc27dd0 R08: ffff88001dc27c1c R09: ffffffff8232ceb8 [ 0.895765] R10: ffff88001f40b000 R11: ffff88001dc406a8 R12: ffff88001cdc0000 [ 0.895765] R13: 0000000000000000 R14: 0000000000000010 R15: ffff88001c80b040 [ 0.895765] FS: 0000000000000000(0000) GS:ffff88001f400000(0000) knlGS:0000000000000000 [ 0.895765] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 0.895765] CR2: 0000000000000000 CR3: 0000000001e8b000 CR4: 00000000000006f0 [ 0.895765] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 0.895765] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 0.895765] Process swapper/0 (pid: 1, threadinfo ffff88001dc26000, task ffff88001dc40000) [ 0.895765] Stack: [ 0.895765] 00000000fffffff4 ffff88001cdc0000 ffffffff81f04670 00000000fffffff4 [ 0.895765] ffff88001c80a800 0000000000000000 ffff88001dc27e00 ffffffff813d7e7f [ 0.895765] 00000000001d6f50 ffff88001cdc0000 ffffffff81f1d460 ffffffff8151d368 [ 0.895765] Call Trace: [ 0.895765] [] 
elevator_init+0xe4/0x11a [ 0.895765] [] ? lock_fdc.isra.22+0x10b/0x10b [ 0.895765] [] blk_init_allocated_queue+0x106/0x121 [ 0.895765] [] ? lock_fdc.isra.22+0x10b/0x10b [ 0.895765] [] blk_init_queue_node+0x3c/0x5c [ 0.895765] [] ? alloc_disk_node+0xc0/0xe2 [ 0.895765] [] blk_init_queue+0x11/0x13 [ 0.895765] [] floppy_init+0x78/0xdbd [ 0.895765] [] ? set_cmos+0x67/0x67 [ 0.895765] [] do_one_initcall+0x7f/0x140 [ 0.895765] [] kernel_init+0x11f/0x1a3 [ 0.895765] [] ? rdinit_setup+0x28/0x28 [ 0.895765] [] kernel_thread_helper+0x4/0x10 [ 0.895765] [] ? retint_restore_args+0x13/0x13 [ 0.895765] [] ? start_kernel+0x38f/0x38f [ 0.895765] [] ? gs_change+0x13/0x13 [ 0.895765] Code: bc 24 70 07 00 00 e8 55 90 5b 00 48 8b 43 48 48 85 c0 48 89 83 48 03 00 00 74 07 4c 8b a8 10 ff ff ff 83 3d cc 6b b1 00 00 74 1c <49> 8b 45 00 48 8b b8 70 07 00 00 48 83 c7 18 e8 13 d8 cb ff 85 [ 0.895765] RIP [] cfq_init_queue+0x254/0x3ee [ 0.895765] RSP [ 0.895765] CR2: 0000000000000000 [ 0.895765] ---[ end trace 91ab7b260bc38ae6 ]--- Thanks, Fengguang