BUG REPORT: zstd failures when !CONFIG_SMP

From: Michael Kelley

Date: Tue Jun 16 2026 - 11:33:05 EST


Zstd maintainers --

When building and running a 7.1 kernel with !CONFIG_SMP, I get the
following fault during boot:

[ 1.073388] BUG: kernel NULL pointer dereference, address: 0000000000000028
[ 1.077212] #PF: supervisor read access in kernel mode
[ 1.077212] #PF: error_code(0x0000) - not-present page
[ 1.077212] PGD 0
[ 1.077212] Oops: Oops: 0000 [#1] NOPTI
[ 1.077212] CPU: 0 UID: 0 PID: 27 Comm: kworker/u4:1 Not tainted 7.1.0 #1 PREEMPT(full)
[ 1.077212] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 02/25/2026
[ 1.077212] Workqueue: async async_run_entry_fn
[ 1.077212] RIP: 0010:FSE_decompress_wksp_body_bmi2+0x29/0xba0
[ 1.077212] Code: 90 0f 1f 44 00 00 55 49 c7 c2 ff ff ff ff 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 28 48 89 7d c0 4c 8b 7d 10 48 89 75 b8 <65> 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 c7 45 cc ff 00 00 00
[ 1.077212] RSP: 0000:ff5a0b66401138d8 EFLAGS: 00010296
[ 1.077212] RAX: 000000000000036c RBX: ff5a0b66401bcabc RCX: 0000000000000045
[ 1.077212] RDX: ff1fe1293745200f RSI: 00000000000000ff RDI: ff5a0b66401bcf90
[ 1.077212] RBP: ff5a0b6640113928 R08: 0000000000000006 R09: ff5a0b66401bcb24
[ 1.077212] R10: ffffffffffffffff R11: 000000000000036c R12: ff5a0b66401bcf90
[ 1.077212] R13: ff5a0b66401139f8 R14: ff5a0b66401139fc R15: 000000000000036c
[ 1.077212] FS: 0000000000000000(0000) GS:0000000000000000(0000) knlGS:0000000000000000
[ 1.077212] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.077212] CR2: 0000000000000028 CR3: 00000005b024c001 CR4: 0000000000b71ef0
[ 1.077212] Call Trace:
[ 1.077212] <TASK>
[ 1.077212] FSE_decompress_wksp_bmi2+0x2d/0x40
[ 1.077212] HUF_readStats_body_bmi2+0x12d/0x1f0
[ 1.077212] HUF_readStats_wksp+0x3d/0x50
[ 1.077212] HUF_readDTableX1_wksp+0x77/0x470
[ 1.077212] HUF_decompress4X_hufOnly_wksp+0xad/0x110
[ 1.077212] ZSTD_decodeLiteralsBlock+0x2c0/0x660
[ 1.077212] ZSTD_decompressBlock_internal.part.0+0x43/0x200
[ 1.077212] ZSTD_decompressBlock_internal+0x35/0x40
[ 1.077212] ZSTD_decompressContinue.part.0+0x359/0x4a0
[ 1.077212] ZSTD_decompressContinueStream+0x9c/0x160
[ 1.077212] ZSTD_decompressStream+0x770/0xb90
[ 1.077212] ? __pfx_flush_buffer+0x10/0x10
[ 1.077212] ? __pfx_flush_buffer+0x10/0x10
[ 1.077212] ? __pfx_error+0x10/0x10
[ 1.077212] zstd_decompress_stream+0x12/0x20
[ 1.077212] unzstd+0x328/0x5b0
[ 1.077212] ? __pfx_unzstd+0x10/0x10
[ 1.077212] unpack_to_rootfs+0x142/0x3a0
[ 1.077212] ? __pfx_error+0x10/0x10
[ 1.077212] ? vprintk_default+0x21/0x30
[ 1.077212] ? vprintk+0x1c/0x50
[ 1.077212] ? _printk+0x5a/0x80
[ 1.077212] do_populate_rootfs+0x134/0x1e0
[ 1.077212] ? do_populate_rootfs+0x134/0x1e0
[ 1.077212] ? ktime_get+0xa1/0xf0
[ 1.077212] async_run_entry_fn+0x37/0x160
[ 1.077212] process_one_work+0x195/0x3e0
[ 1.077212] worker_thread+0x1dc/0x390
[ 1.077212] ? __pfx_worker_thread+0x10/0x10
[ 1.077212] kthread+0x10b/0x150
[ 1.077212] ? __pfx_kthread+0x10/0x10
[ 1.077212] ret_from_fork+0x186/0x280
[ 1.077212] ? __pfx_kthread+0x10/0x10
[ 1.077212] ret_from_fork_asm+0x19/0x30
[ 1.077212] </TASK>
[ 1.077212] Modules linked in:
[ 1.077212] CR2: 0000000000000028
[ 1.077212] ---[ end trace 0000000000000000 ]---
[ 1.077212] RIP: 0010:FSE_decompress_wksp_body_bmi2+0x29/0xba0
[ 1.077212] Code: 90 0f 1f 44 00 00 55 49 c7 c2 ff ff ff ff 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 28 48 89 7d c0 4c 8b 7d 10 48 89 75 b8 <65> 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 c7 45 cc ff 00 00 00
[ 1.077212] RSP: 0000:ff5a0b66401138d8 EFLAGS: 00010296
[ 1.077212] RAX: 000000000000036c RBX: ff5a0b66401bcabc RCX: 0000000000000045
[ 1.077212] RDX: ff1fe1293745200f RSI: 00000000000000ff RDI: ff5a0b66401bcf90
[ 1.077212] RBP: ff5a0b6640113928 R08: 0000000000000006 R09: ff5a0b66401bcb24
[ 1.077212] R10: ffffffffffffffff R11: 000000000000036c R12: ff5a0b66401bcf90
[ 1.077212] R13: ff5a0b66401139f8 R14: ff5a0b66401139fc R15: 000000000000036c
[ 1.077212] FS: 0000000000000000(0000) GS:0000000000000000(0000) knlGS:0000000000000000
[ 1.077212] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.077212] CR2: 0000000000000028 CR3: 00000005b024c001 CR4: 0000000000b71ef0
[ 1.077212] note: kworker/u4:1[27] exited with irqs disabled

The problem does not occur with CONFIG_SMP=y. I know there were problems
in the past with older gcc versions and DYNAMIC_BMI2. So I hacked
lib/zstd/common/portability_macros.h to force DYNAMIC_BMI2=0, and the
problem goes away. The kernel is built with gcc version 13.3.0 and I'm running on
Ubuntu 24.04. This is running in an x86 guest VM on Hyper-V in the Azure cloud.

A similar problem occurs all the way back to Linux 6.15-rc1. 6.14 is good. I
have not bisected further, but 6.15-rc1 is where upstream zstd v1.5.7 was
added, and where kernel commit 1400c87e6cac was added to avoid compiler
problems with gcc versions earlier than 11.0. So I'm assuming zstd v1.5.7 is where
this !CONFIG_SMP problem was originally introduced.

Here's another similar fault with !CONFIG_SMP, built with gcc 11.4.0 and running
on Ubuntu 20.04. Again, CONFIG_SMP=y works, as does hacking
DYNAMIC_BMI2=0.

[ 3.419662] BUG: kernel NULL pointer dereference, address: 0000000000000028
[ 3.419835] #PF: supervisor read access in kernel mode
[ 3.420019] #PF: error_code(0x0000) - not-present page
[ 3.420200] PGD 0 P4D 0
[ 3.420383] Oops: Oops: 0000 [#2] NOPTI
[ 3.420585] CPU: 0 UID: 0 PID: 550 Comm: apparmor_parser Tainted: G D E 7.1.0-rc7-next-20260612 #1 PREEMPT(full)
[ 3.420974] Tainted: [D]=DIE, [E]=UNSIGNED_MODULE
[ 3.421166] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 09/25/2025
[ 3.421367] RIP: 0010:HUF_compress1X_usingCTable_internal_bmi2+0x20/0x12b0
[ 3.421573] Code: 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 89 d3 48 83 e4 f0 48 83 ec 50 4d 8b 18 <65> 48 8b 14 25 28 00 00 00 48 89 54 24 48 31 d2 48 83 fe 07 77 29
[ 3.421995] RSP: 0018:ffffcb4400d7f5b0 EFLAGS: 00010282
[ 3.422209] RAX: 0000000000000001 RBX: ffff8a7402daaddf RCX: 000000000000197d
[ 3.422437] RDX: ffff8a7402daaddf RSI: 00000000000112dc RDI: ffff8a740dec0054
[ 3.422654] RBP: ffffcb4400d7f628 R08: ffff8a7402d04568 R09: 0000000000000001
[ 3.422867] R10: ffff8a7402daaddf R11: 000000000000ff0a R12: 00000000000112e2
[ 3.423076] R13: ffff8a7402d04568 R14: ffff8a740dec004e R15: ffff8a7402daaddf
[ 3.423283] FS: 00007f1ddb576740(0000) GS:0000000000000000(0000) knlGS:0000000000000000
[ 3.423492] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.423699] CR2: 0000000000000028 CR3: 0000000109867001 CR4: 0000000000b70ef0
[ 3.423910] Call Trace:
[ 3.424118] <TASK>
[ 3.424326] HUF_compress4X_usingCTable_internal+0x1a9/0x1f0
[ 3.424548] ? HUF_writeCTable_wksp+0x20f/0x320
[ 3.424753] HUF_compressCTable_internal+0x7c/0x90
[ 3.424954] HUF_compress_internal+0x2b2/0x480
[ 3.425150] HUF_compress4X_repeat+0x24/0x30
[ 3.425340] ZSTD_compressLiterals+0x1a1/0x370
[ 3.425527] ZSTD_entropyCompressSeqStore_internal+0xfe/0x300
[ 3.425709] ZSTD_entropyCompressSeqStore+0x44/0xb0
[ 3.425890] ZSTD_compressBlock_internal+0xee/0x1a0
[ 3.426070] ZSTD_compressContinue_internal+0x20b/0xd10
[ 3.426250] ZSTD_compressEnd_public+0x2c/0x170
[ 3.426423] ZSTD_compressStream2+0x7ab/0x8e0
[ 3.426604] ? ___kmalloc_large_node+0x9b/0xe0
[ 3.426781] ZSTD_compress2+0x83/0xd0
[ 3.426945] zstd_compress_cctx+0x87/0xa0
[ 3.427107] aa_unpack+0x5c3/0x740
[ 3.427270] aa_replace_profiles+0x9c/0x1110
[ 3.427431] ? __might_sleep+0x4d/0x60
[ 3.427590] ? _copy_from_user+0x2b/0xa0
[ 3.427748] policy_update+0x11b/0x2b0
[ 3.427903] profile_replace+0x4f/0xc0
[ 3.428056] vfs_write+0xf9/0x410
[ 3.428220] ? putname+0x45/0x80
[ 3.428369] ksys_write+0x6e/0xe0
[ 3.428517] __x64_sys_write+0x1d/0x30
[ 3.428664] x64_sys_call+0x1704/0x21c0
[ 3.428809] do_syscall_64+0x63/0x4e0
[ 3.428954] ? exc_page_fault+0x98/0x180
[ 3.429098] entry_SYSCALL_64_after_hwframe+0x74/0x7c
[ 3.429242] RIP: 0033:0x7f1ddb77e2f7
[ 3.429383] Code: 75 05 48 83 c4 58 c3 e8 f7 33 ff ff 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[ 3.429672] RSP: 002b:00007ffdc74eb438 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 3.429818] RAX: ffffffffffffffda RBX: 0000000000011201 RCX: 00007f1ddb77e2f7
[ 3.429960] RDX: 0000000000011201 RSI: 00007f1ddb555010 RDI: 0000000000000007
[ 3.430098] RBP: 00007f1ddb555010 R08: 0000000000011201 R09: 0000564204365398
[ 3.430244] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 3.430377] R13: 0000000000000007 R14: 0000564204330f10 R15: 0000000000011201
[ 3.430509] </TASK>
[ 3.430637] Modules linked in: nls_iso8859_1(E) dm_multipath(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) intel_rapl_msr(E) intel_rapl_common(E) rapl(E) serio_raw(E) hv_balloon(E) joydev(E) mac_hid(E) sch_fq_codel(E) msr(E) ramoops(E) reed_solomon(E) efi_pstore(E) autofs4(E) btrfs(E) libblake2b(E) raid10(E) raid456(E) async_raid6_recov(E) async_memcpy(E) async_pq(E) async_xor(E) async_tx(E) raid6_pq(E) xor(E) raid1(E) raid0(E) hyperv_drm(E) drm_client_lib(E) drm_shmem_helper(E) drm_kms_helper(E) hid_generic(E) hid_hyperv(E) hv_storvsc(E) scsi_transport_fc(E) drm(E) hid(E) hyperv_keyboard(E) hv_netvsc(E) hv_utils(E) hv_vmbus(E) aesni_intel(E) gf128mul(E)
[ 3.431529] CR2: 0000000000000028
[ 3.431677] ---[ end trace 0000000000000000 ]---
[ 3.547311] RIP: 0010:HUF_compress1X_usingCTable_internal_bmi2+0x20/0x12b0
[ 3.547693] Code: 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 89 d3 48 83 e4 f0 48 83 ec 50 4d 8b 18 <65> 48 8b 14 25 28 00 00 00 48 89 54 24 48 31 d2 48 83 fe 07 77 29
[ 3.549627] RSP: 0018:ffffcb4400c635b0 EFLAGS: 00010282
[ 3.550827] RAX: 0000000000000001 RBX: ffff8a740156dc44 RCX: 0000000000000751
[ 3.551934] RDX: ffff8a740156dc44 RSI: 0000000000007831 RDI: ffff8a7412688053
[ 3.553108] RBP: ffffcb4400c63628 R08: ffff8a7401504568 R09: 0000000000000001
[ 3.554221] R10: ffff8a740156dc44 R11: 000000000000ff0a R12: 0000000000007837
[ 3.555410] R13: ffff8a7401504568 R14: ffff8a741268804d R15: ffff8a740156dc44
[ 3.556544] FS: 00007f1ddb576740(0000) GS:0000000000000000(0000) knlGS:0000000000000000
[ 3.557770] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3.558917] CR2: 0000000000000028 CR3: 0000000109867001 CR4: 0000000000b70ef0
[ 3.559905] note: apparmor_parser[550] exited with irqs disabled

I have no clue how to debug this further. It seems like the problem should
reproduce easily for you, but if not, let me know what might be helpful and
I can run additional experiments in my environment.

Thanks,

Michael
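
Added example, not part of the original message or of kernel code: a small triage helper that decodes the faulting bytes marked `<65>` in an oops `Code:` line and checks them against the `GS` base and `CR2` printed in the same dump. It recognizes only the one instruction form seen in both traces above (a 64-bit load from an absolute fs/gs-relative offset); the function names are hypothetical.

```python
import re

# Constructed sample: three lines copied verbatim from the first oops above.
SAMPLE_OOPS = """\
[ 1.077212] Code: 90 0f 1f 44 00 00 55 49 c7 c2 ff ff ff ff 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 ec 28 48 89 7d c0 4c 8b 7d 10 48 89 75 b8 <65> 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 c7 45 cc ff 00 00 00
[ 1.077212] FS: 0000000000000000(0000) GS:0000000000000000(0000) knlGS:0000000000000000
[ 1.077212] CR2: 0000000000000028 CR3: 00000005b024c001 CR4: 0000000000b71ef0
"""

SEG = {0x64: "fs", 0x65: "gs"}  # segment-override prefixes
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"] + [f"r{n}" for n in range(8, 16)]

def faulting_bytes(oops):
    """Bytes of the Code: line from the <xx> marker (the faulting RIP) onward."""
    m = re.search(r"Code:.*?<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", oops)
    return bytes.fromhex(m.group(1) + m.group(2).replace(" ", "")) if m else None

def decode_seg_abs_load(code):
    """Decode one form only: `mov r64, fs/gs:[disp32]`; anything else returns None."""
    if len(code) < 9 or code[0] not in SEG:
        return None
    rex, opcode, modrm, sib = code[1:5]
    if rex & 0xFB != 0x48 or opcode != 0x8B:        # REX.W set, X/B clear; MOV r64, r/m64
        return None
    if modrm & 0xC7 != 0x04 or sib != 0x25:         # mod=00 rm=100 (SIB); no base, no index
        return None
    reg = ((rex & 0x04) << 1) | ((modrm >> 3) & 7)  # REX.R extends ModRM.reg
    disp = int.from_bytes(code[5:9], "little", signed=True)
    return SEG[code[0]], REG64[reg], disp

def triage(oops):
    """Compare segment base + displacement of the faulting load against CR2."""
    code = faulting_bytes(oops)
    insn = decode_seg_abs_load(code) if code else None
    cr2 = re.search(r"CR2: ([0-9a-f]{16})", oops)
    if not insn or not cr2:
        return None
    seg, reg, disp = insn
    base = re.search(rf"\b{seg.upper()}: ?([0-9a-f]{{16}})\(", oops)
    if not base:
        return None
    seg_base = int(base.group(1), 16)
    ea = (seg_base + disp) & (2**64 - 1)
    return {"insn": f"mov {reg}, {seg}:[{disp:#x}]", "seg_base": seg_base,
            "fault_addr": ea, "matches_cr2": ea == int(cr2.group(1), 16)}

if __name__ == "__main__":
    print(triage(SAMPLE_OOPS))
```

For the first trace this yields `mov rax, gs:[0x28]` with a GS base of 0, so the computed fault address equals the reported CR2; the marked bytes in the second trace decode to the same load into `rdx`.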