Hello, kernel test robot noticed "BUG:kernel_NULL_pointer_dereference,address" on: commit: 9e4beef457f5cf6e0c388248b2e12d9755edf03d ("[PATCH] media: vicodec: add V4L2_CID_MIN_BUFFERS_FOR_* controls") url: https://github.com/intel-lab-lkp/linux/commits/Hans-Verkuil/media-vicodec-add-V4L2_CID_MIN_BUFFERS_FOR_-controls/20241031-155021 base: https://git.linuxtv.org/media_stage.git master patch link: https://lore.kernel.org/all/1dd09050-40ca-4c5b-b985-819731140388@xxxxxxxxx/ patch subject: [PATCH] media: vicodec: add V4L2_CID_MIN_BUFFERS_FOR_* controls in testcase: boot config: i386-randconfig-013-20241103 compiler: gcc-12 test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 16G (please refer to attached dmesg/kmsg for entire log/backtrace) +---------------------------------------------+------------+------------+ | | d020ca11a8 | 9e4beef457 | +---------------------------------------------+------------+------------+ | boot_successes | 6 | 0 | | boot_failures | 0 | 6 | | BUG:kernel_NULL_pointer_dereference,address | 0 | 6 | | Oops | 0 | 6 | | EIP:__v4l2_ctrl_handler_setup | 0 | 6 | | Kernel_panic-not_syncing:Fatal_exception | 0 | 6 | +---------------------------------------------+------------+------------+ If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <oliver.sang@xxxxxxxxx> | Closes: https://lore.kernel.org/oe-lkp/202411041552.ff2b79d7-lkp@xxxxxxxxx [ 9.211498][ T113] BUG: kernel NULL pointer dereference, address: 00000000 [ 9.212220][ T113] #PF: supervisor read access in kernel mode [ 9.212739][ T113] #PF: error_code(0x0000) - not-present page [ 9.213245][ T113] *pde = 00000000 [ 9.213566][ T113] Oops: Oops: 0000 [#1] PREEMPT SMP [ 9.214004][ T113] CPU: 1 UID: 0 PID: 113 Comm: v4l_id Not tainted 6.12.0-rc1-00151-g9e4beef457f5 #1 [ 9.214806][ T113] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 9.215724][ T113] EIP: __v4l2_ctrl_handler_setup (drivers/media/v4l2-core/v4l2-ctrls-core.c:2469) [ 9.216251][ T113] Code: 83 c0 38 e8 69 34 26 00 85 c0 75 02 0f 0b 8b 43 50 8d 73 50 39 c6 74 08 80 60 1c fe 8b 00 eb f4 8b 5b 50 39 de 74 c1 8b 43 14 <8b> 38 f6 43 1c 01 74 04 8b 1b eb ed 83 7b 30 04 74 f6 31 d2 f6 43 All code ======== 0: 83 c0 38 add $0x38,%eax 3: e8 69 34 26 00 call 0x263471 8: 85 c0 test %eax,%eax a: 75 02 jne 0xe c: 0f 0b ud2 e: 8b 43 50 mov 0x50(%rbx),%eax 11: 8d 73 50 lea 0x50(%rbx),%esi 14: 39 c6 cmp %eax,%esi 16: 74 08 je 0x20 18: 80 60 1c fe andb $0xfe,0x1c(%rax) 1c: 8b 00 mov (%rax),%eax 1e: eb f4 jmp 0x14 20: 8b 5b 50 mov 0x50(%rbx),%ebx 23: 39 de cmp %ebx,%esi 25: 74 c1 je 0xffffffffffffffe8 27: 8b 43 14 mov 0x14(%rbx),%eax 2a:* 8b 38 mov (%rax),%edi <-- trapping instruction 2c: f6 43 1c 01 testb $0x1,0x1c(%rbx) 30: 74 04 je 0x36 32: 8b 1b mov (%rbx),%ebx 34: eb ed jmp 0x23 36: 83 7b 30 04 cmpl $0x4,0x30(%rbx) 3a: 74 f6 je 0x32 3c: 31 d2 xor %edx,%edx 3e: f6 .byte 0xf6 3f: 43 rex.XB Code starting with the faulting instruction =========================================== 0: 8b 38 mov (%rax),%edi 2: f6 43 1c 01 testb $0x1,0x1c(%rbx) 6: 74 04 je 0xc 8: 8b 1b mov (%rbx),%ebx a: eb ed jmp 0xfffffffffffffff9 c: 83 7b 30 04 cmpl $0x4,0x30(%rbx) 10: 74 f6 je 0x8 12: 31 d2 xor %edx,%edx 14: f6 .byte 0xf6 15: 43 rex.XB [ 9.217884][ T113] EAX: 00000000 EBX: c410a7c0 ECX: 00000000 EDX: 00000000 [ 9.218489][ T113] ESI: c0a6c104 EDI: c410a900 EBP: c425dd68 ESP: c425dd58 [ 9.219105][ T113] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010287 [ 9.219760][ T113] CR0: 80050033 CR2: 00000000 CR3: 048af000 CR4: 000406d0 [ 9.220371][ T113] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 9.220987][ T113] DR6: fffe0ff0 DR7: 00000400 [ 9.221391][ T113] Call Trace: [ 9.221717][ T113] ? show_regs (arch/x86/kernel/dumpstack.c:478) [ 9.222109][ T113] ? __die_body (arch/x86/kernel/dumpstack.c:421) [ 9.222498][ T113] ? __die (arch/x86/kernel/dumpstack.c:435) [ 9.222868][ T113] ? page_fault_oops (arch/x86/mm/fault.c:715) [ 9.223285][ T113] ? kernelmode_fixup_or_oops+0x50/0x5e [ 9.223873][ T113] ? __bad_area_nosemaphore+0x37/0x1db [ 9.224429][ T113] ? up_read (kernel/locking/rwsem.c:1621) [ 9.224788][ T113] ? mmap_read_unlock (include/linux/mmap_lock.h:171) [ 9.225210][ T113] ? bad_area_nosemaphore (arch/x86/mm/fault.c:835) [ 9.225649][ T113] ? do_user_addr_fault (arch/x86/mm/fault.c:1280 (discriminator 1)) [ 9.226083][ T113] ? exc_page_fault (arch/x86/include/asm/irqflags.h:26 arch/x86/include/asm/irqflags.h:87 arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539) [ 9.226496][ T113] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) [ 9.227059][ T113] ? handle_exception (arch/x86/entry/entry_32.S:1047) [ 9.227509][ T113] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) [ 9.228049][ T113] ? __v4l2_ctrl_handler_setup (drivers/media/v4l2-core/v4l2-ctrls-core.c:2469) [ 9.228563][ T113] ? pvclock_clocksource_read_nowd (arch/x86/mm/fault.c:1494) [ 9.229122][ T113] ? __v4l2_ctrl_handler_setup (drivers/media/v4l2-core/v4l2-ctrls-core.c:2469) [ 9.229606][ T113] v4l2_ctrl_handler_setup (drivers/media/v4l2-core/v4l2-ctrls-core.c:2502) [ 9.230067][ T113] vicodec_open (drivers/media/test-drivers/vicodec/vicodec-core.c:1874) [ 9.230469][ T113] ? __mutex_unlock_slowpath (arch/x86/include/asm/atomic.h:23 include/linux/atomic/atomic-arch-fallback.h:457 include/linux/atomic/atomic-long.h:40 include/linux/atomic/atomic-instrumented.h:3189 kernel/locking/mutex.c:921) [ 9.230942][ T113] v4l2_open (drivers/media/v4l2-core/v4l2-dev.c:429) [ 9.231310][ T113] chrdev_open (fs/char_dev.c:414) [ 9.231704][ T113] ? cdev_put (fs/char_dev.c:374) [ 9.232074][ T113] do_dentry_open (fs/open.c:958) [ 9.232468][ T113] ? cdev_put (fs/char_dev.c:374) [ 9.232809][ T113] vfs_open (fs/open.c:1088) [ 9.233152][ T113] do_open (fs/namei.c:3774) [ 9.233507][ T113] ? open_last_lookups (fs/namei.c:3721) [ 9.233893][ T113] path_openat (fs/namei.c:3933) [ 9.234240][ T113] do_filp_open (fs/namei.c:3961) [ 9.234580][ T113] do_sys_openat2 (fs/open.c:1415) [ 9.234933][ T113] do_sys_open (fs/open.c:1431) [ 9.235262][ T113] __ia32_sys_openat (fs/open.c:1441) [ 9.235647][ T113] ia32_sys_call (kbuild/obj/consumer/i386-randconfig-013-20241103/./arch/x86/include/generated/asm/syscalls_32.h:296) [ 9.236049][ T113] do_int80_syscall_32 (arch/x86/entry/common.c:165 arch/x86/entry/common.c:339) [ 9.236452][ T113] ? irqentry_exit (kernel/entry/common.c:334) [ 9.236817][ T113] ? exc_page_fault (arch/x86/mm/fault.c:1543) [ 9.237201][ T113] entry_INT80_32 (arch/x86/entry/entry_32.S:941) [ 9.237584][ T113] EIP: 0xb7edd2a9 [ 9.237888][ T113] Code: 89 d0 31 f6 25 00 00 41 00 3d 00 00 41 00 74 29 65 a1 0c 00 00 00 85 c0 75 27 b8 27 01 00 00 bb 9c ff ff ff 8b 4c 24 20 cd 80 <3d> 00 f0 ff ff 77 50 83 c4 10 5b 5e 5f c3 90 8b 74 24 28 eb d1 66 All code ======== 0: 89 d0 mov %edx,%eax 2: 31 f6 xor %esi,%esi 4: 25 00 00 41 00 and $0x410000,%eax 9: 3d 00 00 41 00 cmp $0x410000,%eax e: 74 29 je 0x39 10: 65 a1 0c 00 00 00 85 movabs %gs:0x2775c0850000000c,%eax 17: c0 75 27 1a: b8 27 01 00 00 mov $0x127,%eax 1f: bb 9c ff ff ff mov $0xffffff9c,%ebx 24: 8b 4c 24 20 mov 0x20(%rsp),%ecx 28: cd 80 int $0x80 2a:* 3d 00 f0 ff ff cmp $0xfffff000,%eax <-- trapping instruction 2f: 77 50 ja 0x81 31: 83 c4 10 add $0x10,%esp 34: 5b pop %rbx 35: 5e pop %rsi 36: 5f pop %rdi 37: c3 ret 38: 90 nop 39: 8b 74 24 28 mov 0x28(%rsp),%esi 3d: eb d1 jmp 0x10 3f: 66 data16 Code starting with the faulting instruction =========================================== 0: 3d 00 f0 ff ff cmp $0xfffff000,%eax 5: 77 50 ja 0x57 7: 83 c4 10 add $0x10,%esp a: 5b pop %rbx b: 5e pop %rsi c: 5f pop %rdi d: c3 ret e: 90 nop f: 8b 74 24 28 mov 0x28(%rsp),%esi 13: eb d1 jmp 0xffffffffffffffe6 15: 66 data16 The kernel config and materials to reproduce are available at: https://download.01.org/0day-ci/archive/20241104/202411041552.ff2b79d7-lkp@xxxxxxxxx -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki