[BUG] KVM: NULL pointer dereference in kvm_tdp_mmu_map under memory pressure
From: punixcorn
Date: Wed Apr 08 2026 - 06:35:17 EST
Under host memory pressure, a NULL pointer dereference occurs in
kvm_tdp_mmu_map() at offset 0x24. The exact root cause is unclear --
it may be an unhandled NULL return from tdp_mmu_alloc_sp(), or a
violated invariant elsewhere in the map path.
Crash log:
BUG: kernel NULL pointer dereference, address: 0000000000000024
#PF: supervisor read access in kernel mode
Oops: 0000 [#1] SMP NOPTI
CPU: 2 PID: 1110212 Comm: MainLoopThread Tainted: G U OE 6.19.10-arch1-1
Hardware name: Default Default/NLXB, BIOS BQ141 06/27/2024
RIP: 0010:kvm_tdp_mmu_map+0x471/0x880 [kvm]
Code: 00 00 00 80 48 2b 35 76 72 5c c8 48 c7 44 24 20 00 00 00 00 48 01 f1 48 c1 e9 0c 48 c1 e1 06 48 03 0d 4b 72 5c c8 48 8b 71 28 <0f> b6 4e 24 83 e1 0f 39 ca 0f 85 a7 02 00 00 f6 c4 08 74 26 80 7b
RSP: 0018:ffffce128333f790 EFLAGS: 00010286
Reproduction:
The issue was observed under heavy host memory pressure while running
a KVM guest (Android emulator via QEMU).
The crash is not reliably reproducible and appears to be
timing-dependent. Fault injection targeting tdp_mmu_alloc_sp()
increases the frequency of hitting the same code path without
triggering a panic, suggesting the retry path may be a viable
recovery, though the exact failure condition is still unclear.
Fault injection used (the counter declaration is implied by the snippet and
is included here for completeness):

static atomic_t fail_counter = ATOMIC_INIT(0);

	sp = tdp_mmu_alloc_sp(vcpu);
	/* Force a failure on every 100th allocation, on top of any real NULL. */
	if (!sp || (atomic_inc_return(&fail_counter) % 100 == 0)) {
		if (sp)
			tdp_mmu_free_sp(sp);
		goto retry;
	}
With this injection the guest continues running normally initially,
but eventually terminates after sustained injection pressure. This is
expected behavior given the repeated forced failures.
A speculative fix:
	if (!sp)
		goto retry;
This has not been fully verified. Sending for maintainer review.
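To make the fault-injection experiment and the retry idea above concrete, the
following userspace model is added here; it is not code from the report, from
KVM, or from the poster. struct sp, alloc_sp(), free_sp(), map_page(),
map_pages(), MAX_RETRIES, fail_every and retries_seen are hypothetical
stand-ins for tdp_mmu_alloc_sp(), tdp_mmu_free_sp(), kvm_tdp_mmu_map() and the
shadow page they operate on. It reproduces the counter-based injector
(fail every Nth allocation) and goes one step beyond the bare
"if (!sp) goto retry;" by bounding the retry and returning -ENOMEM, so a host
that stays under pressure produces an error instead of an endless loop.

```c
/* Added example, not part of the bug report: a userspace model of the
 * allocation/retry pattern discussed above, with the same counter-based
 * fault injection. alloc_sp(), map_page(), map_pages(), MAX_RETRIES and
 * struct sp are hypothetical stand-ins for tdp_mmu_alloc_sp(),
 * kvm_tdp_mmu_map() and KVM's shadow page; nothing here is kernel code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RETRIES 8   /* bound on consecutive failed allocations */

struct sp {
    unsigned char role;   /* models the byte read at offset 0x24 in the Oops */
};

/* Injector state, mirroring "atomic_inc_return(&fail_counter) % 100". */
static unsigned long alloc_calls;
static unsigned fail_every;      /* 0 = injection off */
static unsigned retries_seen;    /* NULL returns absorbed in the last run */

static struct sp *alloc_sp(void)
{
    alloc_calls++;
    if (fail_every && alloc_calls % fail_every == 0)
        return NULL;                       /* simulated memory pressure */
    return calloc(1, sizeof(struct sp));
}

static void free_sp(struct sp *sp)
{
    free(sp);
}

/* One mapping attempt. The crash in the report corresponds to reading
 * sp->role with sp == NULL; here the NULL check comes first, and the
 * retry is bounded so a host that stays out of memory gets -ENOMEM
 * rather than looping forever. *attempts_out is set on every path. */
static int map_page(struct sp **out, unsigned *attempts_out)
{
    unsigned attempts = 0;
    struct sp *sp;

retry:
    attempts++;
    sp = alloc_sp();
    if (!sp) {
        if (attempts >= MAX_RETRIES) {
            *attempts_out = attempts;
            return -ENOMEM;
        }
        goto retry;
    }
    sp->role = 1;          /* stand-in for the role/level bookkeeping */
    *attempts_out = attempts;
    *out = sp;
    return 0;
}

/* Map `count` pages in sequence, as a guest touching memory would, with
 * the injector failing every `every`-th allocation. Returns the number
 * of pages mapped, or a negative errno if one of them exhausted
 * MAX_RETRIES; retries_seen records how many NULL returns were absorbed. */
static int map_pages(unsigned count, unsigned every)
{
    alloc_calls = 0;
    fail_every = every;
    retries_seen = 0;

    for (unsigned i = 0; i < count; i++) {
        struct sp *sp;
        unsigned attempts;
        int rc = map_page(&sp, &attempts);

        retries_seen += attempts - 1;
        if (rc)
            return rc;          /* propagate instead of spinning */
        free_sp(sp);
    }
    return (int)count;
}

int main(void)
{
    int rc;

    rc = map_pages(4, 0);
    printf("no injection:   rc %d, retries %u\n", rc, retries_seen);
    rc = map_pages(4, 3);
    printf("fail every 3rd: rc %d, retries %u\n", rc, retries_seen);
    rc = map_pages(4, 1);
    printf("fail always:    rc %d, retries %u\n", rc, retries_seen);
    return 0;
}
```

Build with "cc -std=c99 -Wall model.c". The three runs show the cases a
reviewer of the retry path cares about: no pressure (4 mapped, 0 retries),
intermittent pressure (4 mapped, 1 retry absorbed by the loop), and sustained
pressure (-ENOMEM after MAX_RETRIES, 7 retries), which is the case an unbounded
"goto retry" would never return from.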
Environment:
Linux 6.19.10-arch1-1 x86_64
GNU C 15.2.1
Binutils 2.46
Signed-off-by: punixcorn <ohyunwoods663@xxxxxxxxx>