[BUG] NULL pointer dereference probably caused by kernel/trace/ring_buffer.c

From: Roland Ruckerbauer
Date: Mon Oct 31 2022 - 09:02:31 EST


Somewhere between kernel 6.0.2 and 6.0.5 I started getting crashes
when https://github.com/mchehab/rasdaemon is starting.

After investigating a bit, I found the following commits:
a6b4d8d6656f ring-buffer: Fix race between reset page and reading page
fa76ee6fea9c ring-buffer: Add ring_buffer_wake_waiters()
7bf3c4d84204 ring-buffer: Check pending waiters when doing wake ups as well
692cc072c800 ring-buffer: Have the shortest_full queue be the shortest not longest
57af2334ca70 ring-buffer: Allow splice to read previous partially read pages

I guess one of them must have broken something rasdaemon is using,
since the crash is in ring_buffer_wake_waiters(), and it was first
introduced by this commit series.

The crash report is attached in dmesg.log.

For me the crash is easily reproducible. For testing I run the 6.0.5
upstream kernel, but I guess everything since 6.0.3 is affected as
well.

My hardware (hopefully irrelevant): X570 AMD platform (Ryzen 5000)

If I can help in any way, please say so (testing patches etc ...).

Thanks,
Roland Ruckerbauer

dmesg.log:
BUG: kernel NULL pointer dereference, address: 00000000000001c8
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 19 PID: 683 Comm: rasdaemon Not tainted 6.0.5-arch1-1 #1 00d2152aab88c17d1828226c9c8bd2aaf8a259fc
Hardware name: System manufacturer System Product Name/TUF GAMING X570-PLUS, BIOS 4021 08/09/2021
RIP: 0010:ring_buffer_wake_waiters+0x26/0xb0
Code: 0b eb e9 90 66 0f 1f 00 41 54 4c 8d 67 10 55 48 89 fd 53 48 63 de 83 fb ff 74 38 48 8b 47 60 48 8b 2c d8 48 81 c5 78 01 00 00 <48> 83 45 50 01 31 c9 31 d2 48 8d 7d 20 be 03 00 00 00 e8 b3 bb f4
RSP: 0018:ffffa815c1ae7e80 EFLAGS: 00010206
RAX: ffff8f0f5cdeed00 RBX: 0000000000000018 RCX: 0000000000000013
RDX: ffff8f0f413b2000 RSI: 0000000000000018 RDI: ffff8f0f5cdeff00
RBP: 0000000000000178 R08: ffff8f0f4bb02450 R09: ffff8f0f86ac2370
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f0f5cdeff10
R13: ffff8f0f439ddce0 R14: ffff8f0f86a54780 R15: 0000000000000000
FS: 00007fd201292740(0000) GS:ffff8f164eec0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001c8 CR3: 000000013a2d0000 CR4: 0000000000750ee0
PKRU: 55555554
Call Trace:
<TASK>
tracing_buffers_release+0x4d/0x90
__fput+0x89/0x250
task_work_run+0x60/0x90
exit_to_user_mode_prepare+0x1a7/0x1d0
syscall_exit_to_user_mode+0x1b/0x40
do_syscall_64+0x6b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd201474774
Code: eb b2 67 e8 1e 02 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 80 3d ad 8d 0e 00 00 74 13 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 c3 0f 1f 00 48 83 ec 18 89 7c 24 0c e8 d3
RSP: 002b:00007ffe1f609858 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
RAX: 0000000000000000 RBX: 0000000000000018 RCX: 00007fd201474774
RDX: 0000000000000021 RSI: 00007ffe1f609ae0 RDI: 000000000000001d
RBP: 00007ffe1f60afb0 R08: 00005634a87f5270 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000202 R12: 00007ffe1f6098e0
R13: 0000000000000001 R14: 0000000000000021 R15: 00005634a87f9720
</TASK>
Modules linked in: btusb(+) uvcvideo(+) btrtl videobuf2_vmalloc btbcm videobuf2_memops btintel videobuf2_v4l2 btmtk videobuf2_common nct6775 snd_usb_audio(+) nct6775_core bluetooth hwmon_vid snd_usbmidi_lib snd_rawmidi videodev ecdh_generic snd_seq_device crc16 mc intel_rapl_msr hid_logitech_hidpp joydev mousedev intel_rapl_common eeepc_wmi asus_wmi nls_iso8859_1 sparse_keymap platform_profile vfat edac_mce_amd fat snd_hda_codec_realtek kvm_amd snd_hda_codec_generic amdgpu ledtrig_audio kvm snd_hda_codec_hdmi wacom snd_hda_intel rfkill irqbypass crct10dif_pclmul hid_logitech_dj video crc32_pclmul gpu_sched snd_intel_dspcfg wmi_bmof polyval_clmulni polyval_generic snd_intel_sdw_acpi drm_buddy gf128mul snd_hda_codec ghash_clmulni_intel drm_ttm_helper aesni_intel snd_hda_core r8169 crypto_simd cryptd ttm snd_hwdep snd_pcm drm_display_helper rapl usbhid snd_timer pcspkr realtek cec k10temp mdio_devres snd soundcore ccp sp5100_tco tpm_crb libphy i2c_piix4 tpm_tis tpm_tis_core wmi
tpm rng_core mac_hid acpi_cpufreq usbip_host usbip_core dm_multipath dm_mod sg crypto_user fuse bpf_preload ip_tables x_tables btrfs blake2b_generic libcrc32c crc32c_generic xor raid6_pq nvme nvme_core crc32c_intel xhci_pci nvme_common xhci_pci_renesas
CR2: 00000000000001c8
---[ end trace 0000000000000000 ]---
RIP: 0010:ring_buffer_wake_waiters+0x26/0xb0
Code: 0b eb e9 90 66 0f 1f 00 41 54 4c 8d 67 10 55 48 89 fd 53 48 63 de 83 fb ff 74 38 48 8b 47 60 48 8b 2c d8 48 81 c5 78 01 00 00 <48> 83 45 50 01 31 c9 31 d2 48 8d 7d 20 be 03 00 00 00 e8 b3 bb f4
RSP: 0018:ffffa815c1ae7e80 EFLAGS: 00010206
RAX: ffff8f0f5cdeed00 RBX: 0000000000000018 RCX: 0000000000000013
RDX: ffff8f0f413b2000 RSI: 0000000000000018 RDI: ffff8f0f5cdeff00
RBP: 0000000000000178 R08: ffff8f0f4bb02450 R09: ffff8f0f86ac2370
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8f0f5cdeff10
R13: ffff8f0f439ddce0 R14: ffff8f0f86a54780 R15: 0000000000000000
FS: 00007fd201292740(0000) GS:ffff8f164eec0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000001c8 CR3: 000000013a2d0000 CR4: 0000000000750ee0
PKRU: 55555554
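As an added triage aid (an editor's example, not part of the report, and not code from rasdaemon or the kernel tree): a small Python parser that pulls the fault address, access type, faulting function and kernel-side call trace out of an x86-64 oops like the one above, and classifies a fault address below the first page as "NULL base pointer plus a struct-field offset", which is what address 00000000000001c8 in a write from ring_buffer_wake_waiters+0x26 means. The OOPS_TEXT constant reproduces lines from the dmesg excerpt above with the register dump trimmed; PAGE_SIZE and the classification rule are assumptions of this example.

```python
import re

# Oops lines copied from the dmesg excerpt in the report above; the register
# dump is left out because the parser does not need it.
OOPS_TEXT = """\
BUG: kernel NULL pointer dereference, address: 00000000000001c8
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 19 PID: 683 Comm: rasdaemon Not tainted 6.0.5-arch1-1 #1 00d2152aab88c17d1828226c9c8bd2aaf8a259fc
RIP: 0010:ring_buffer_wake_waiters+0x26/0xb0
CR2: 00000000000001c8 CR3: 000000013a2d0000 CR4: 0000000000750ee0
Call Trace:
<TASK>
tracing_buffers_release+0x4d/0x90
__fput+0x89/0x250
task_work_run+0x60/0x90
exit_to_user_mode_prepare+0x1a7/0x1d0
syscall_exit_to_user_mode+0x1b/0x40
do_syscall_64+0x6b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fd201474774
</TASK>
"""

# Assumption: x86-64 base page. The kernel never maps the first page, so any
# fault address below it is a NULL pointer plus a constant member offset.
PAGE_SIZE = 4096

# "func+0xoff/0xsize", optionally prefixed with "? " for unreliable frames.
FRAME_RE = re.compile(r"^(?:\?\s+)?([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
# Kernel-mode RIP uses selector 0010; the 0033 line later is the user-space return address.
RIP_RE = re.compile(r"^RIP: 0010:([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)")


def parse_oops(text):
    """Extract the triage-relevant fields from an x86-64 kernel oops."""
    info = {"fault_addr": None, "access": None, "cr2": None, "rip": None,
            "comm": None, "pid": None, "kernel": None, "trace": []}
    in_trace = False
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)", line)):
            info["fault_addr"] = int(m.group(1), 16)
        elif (m := re.match(r"#PF: \S+ (read|write|instruction fetch)(?: access)?", line)):
            info["access"] = m.group(1)
        elif (m := re.search(r"PID: (\d+) Comm: (\S+) Not tainted (\S+)", line)):
            info["pid"], info["comm"], info["kernel"] = int(m.group(1)), m.group(2), m.group(3)
        elif (m := RIP_RE.match(line)):
            info["rip"] = (m.group(1), int(m.group(2), 16), int(m.group(3), 16))
        elif (m := re.search(r"\bCR2: ([0-9a-f]+)", line)):
            info["cr2"] = int(m.group(1), 16)
        elif line == "<TASK>":
            in_trace = True
        elif line == "</TASK>" or line.startswith("RIP: 0033:"):
            in_trace = False  # everything after the user-space RIP is not a kernel frame
        elif in_trace and (m := FRAME_RE.match(line)):
            info["trace"].append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return info


def classify(info):
    """Decide what kind of fault this is from the faulting address alone."""
    addr = info["fault_addr"]
    if addr is None:
        return {"kind": "unknown", "offset": None, "cr2_consistent": False}
    consistent = info["cr2"] == addr  # CR2 should repeat the address the BUG line printed
    if addr < PAGE_SIZE:
        # A NULL struct pointer was dereferenced at member offset `addr`.
        return {"kind": "null_plus_offset", "offset": addr, "cr2_consistent": consistent}
    return {"kind": "other", "offset": None, "cr2_consistent": consistent}


def summarize(info):
    """One-line verdict: where it faulted, how, and who called the faulting function."""
    verdict = classify(info)
    where = "%s+0x%x" % (info["rip"][0], info["rip"][1]) if info["rip"] else "?"
    callers = " <- ".join(f for f, _, _ in info["trace"])
    return (f"{info['comm']} (pid {info['pid']}) on {info['kernel']}: {verdict['kind']} "
            f"at {where}, {info['access']} to 0x{info['fault_addr']:x}; callers: {callers}")


if __name__ == "__main__":
    print(summarize(parse_oops(OOPS_TEXT)))
```

Two things worth reading off the result: the RIP line names the innermost (faulting) function, and the Call Trace lists its callers outermost-last, so for this report the path is tracing_buffers_release, from the final close of a trace_pipe_raw file descriptor, into ring_buffer_wake_waiters, which writes to member offset 0x1c8 of a pointer that is NULL. That matches the reporter's suspicion that the function added by the listed commit series is where to look; bisecting those commits on a kernel with the reproducer (starting rasdaemon) confirms which one.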