Hi MM folks,

While testing memory hotremove with various settings, I found the following NULL-pointer dereference. It reproduces easily with the following steps:

  $ echo offline > /sys/devices/system/memory/memoryN/state
  $ echo 1 > /sys/kernel/debug/split_huge_pages

I haven't checked yet in which commit this was introduced (at least v6.0-rc1, v6.0-rc4 and mm-everything-2022-09-05-23-30 are affected), but I expect that someone might have a clear idea about this, so let me share first.

Thanks,
Naoya Horiguchi

---

[ 309.947421] BUG: kernel NULL pointer dereference, address: 0000000000000032
[ 309.949600] #PF: supervisor read access in kernel mode
[ 309.951220] #PF: error_code(0x0000) - not-present page
[ 309.952819] PGD 0 P4D 0
[ 309.953649] Oops: 0000 [#1] PREEMPT SMP PTI
[ 309.954999] CPU: 1 PID: 846 Comm: bash Tainted: G E N 6.0.0-rc1-v6.0-rc1-220815-2254-000-rc1+ #62
[ 309.958170] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35 04/01/2014
[ 309.960759] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[ 309.962684] Code: 00 00 00 4d 8b ae 90 00 00 00 49 01 dd 4c 39 eb 72 47 eb c8 48 8b 41 08 a8 01 0f 85 57 08 00 00 0f 1f 44 00 00 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34 0f 94 c0 0f 1f
[ 309.968381] RSP: 0018:ffffb4d201d6bbd0 EFLAGS: 00010202
[ 309.970067] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[ 309.972262] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[ 309.974475] RBP: ffffb4d201d6bc12 R08: 0000000000000054 R09: ffffd6fac46b7f88
[ 309.976725] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[ 309.978980] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[ 309.981267] FS: 00007fe2cd337740(0000) GS:ffff93ce3bc80000(0000) knlGS:0000000000000000
[ 309.983842] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 309.985672] CR2: 0000000000000032 CR3: 00000001018fc005 CR4: 0000000000170ee0
[ 309.987909] Call Trace:
[ 309.988794]  <TASK>
[ 309.989461]  ? _raw_spin_lock+0x13/0x40
[ 309.990578]  ? __mark_inode_dirty+0x113/0x390
[ 309.991933]  ? terminate_walk+0x90/0x100
[ 309.993186]  ? path_openat+0x440/0x1070
[ 309.994421]  ? do_filp_open+0x9f/0x130
[ 309.995610]  full_proxy_write+0x53/0x80
[ 309.996820]  vfs_write+0xb7/0x3a0
[ 309.997902]  ? _raw_spin_unlock+0x15/0x30
[ 309.999190]  ksys_write+0x4f/0xd0
[ 310.000249]  do_syscall_64+0x3b/0x90
[ 310.001418]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 310.002938] RIP: 0033:0x7fe2cd1018b7
[ 310.004143] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[ 310.009871] RSP: 002b:00007ffc625f63f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 310.012060] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe2cd1018b7
[ 310.014250] RDX: 0000000000000002 RSI: 000055c1a80afc50 RDI: 0000000000000001
[ 310.016533] RBP: 000055c1a80afc50 R08: 0000000000000000 R09: 00007fe2cd1b64e0
[ 310.018782] R10: 00007fe2cd1b63e0 R11: 0000000000000246 R12: 0000000000000002
[ 310.021086] R13: 00007fe2cd1fb5a0 R14: 0000000000000002 R15: 00007fe2cd1fb7a0
[ 310.023169]  </TASK>
[ 310.023844] Modules linked in: nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) ip_set(E) rfkill(E) nf_tables(E) nfnetlink(E) qrtr(E) sunrpc(E) 9p(E) fscache(E) netfs(E) intel_rapl_msr(E) intel_rapl_common(E) kvm_intel(E) kvm(E) irqbypass(E) virtio_balloon(E) rapl(E) 9pnet_virtio(E) i2c_piix4(E) 9pnet(E) joydev(E) pcspkr(E) fuse(E) zram(E) ip_tables(E) xfs(E) crc32c_intel(E) serio_raw(E) virtio_blk(E) e1000(E) ata_generic(E) pata_acpi(E) floppy(E) qemu_fw_cfg(E)
[ 310.040426] CR2: 0000000000000032
[ 310.041715] ---[ end trace 0000000000000000 ]---
[ 310.043196] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[ 310.044953] Code: 00 00 00 4d 8b ae 90 00 00 00 49 01 dd 4c 39 eb 72 47 eb c8 48 8b 41 08 a8 01 0f 85 57 08 00 00 0f 1f 44 00 00 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34 0f 94 c0 0f 1f
[ 310.050051] RSP: 0018:ffffb4d201d6bbd0 EFLAGS: 00010202
[ 310.051593] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[ 310.053664] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[ 310.056165] RBP: ffffb4d201d6bc12 R08: 0000000000000054 R09: ffffd6fac46b7f88
[ 310.059144] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[ 310.062033] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[ 310.069111] FS: 00007fe2cd337740(0000) GS:ffff93ce3bc80000(0000) knlGS:0000000000000000
[ 310.077141] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 310.079988] CR2: 0000000000000032 CR3: 00000001018fc005 CR4: 0000000000170ee0
[ 310.083292] Kernel panic - not syncing: Fatal exception
[ 310.086117] Kernel Offset: 0x1a000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 310.090607] Rebooting in 2 seconds..
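As an added triage helper, not part of Naoya's report, the script below parses the kernel-side lines of the oops above and explains the small fault address as "register + displacement", which is how one reads a NULL or error-pointer dereference from a register dump; the function names and the trimmed OOPS sample are my own.

```python
import re

# Constructed input: kernel-side lines copied from the oops in the report
# above, with the Code: line trimmed to the bytes around the <xx> marker.
OOPS = """\
[  309.947421] BUG: kernel NULL pointer dereference, address: 0000000000000032
[  309.960759] RIP: 0010:split_huge_pages_write.part.0+0x40c/0xe70
[  309.962684] Code: 0f 1f 44 00 00 <41> 8b 47 34 85 c0 0f 84 1c 09 00 00 f0 41 ff 4f 34
[  309.970067] RAX: ffffffffffffffff RBX: 0000000000230000 RCX: ffffd6fac8c00000
[  309.972262] RDX: 00000000000003ff RSI: 0000000000000014 RDI: ffffd6fac4fff300
[  309.976725] R10: 00000000ffffffff R11: ffffff8000000000 R12: 0000000000001454
[  309.978980] R13: 0000000000248000 R14: ffff93ce3ffd5d80 R15: fffffffffffffffe
[  310.002938] RIP: 0033:0x7fe2cd1018b7
[  310.012060] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe2cd1018b7
"""

MASK = (1 << 64) - 1
REG_RE = re.compile(r"\b(R(?:AX|BX|CX|DX|SI|DI|BP|0[89]|1[0-5])): ([0-9a-f]{16})\b")


def parse_oops(text):
    """Extract the fault address, the kernel-mode (0010) RIP symbol and offset,
    the faulting instruction bytes (from the <xx> marker onward) and the first
    register set; first-wins keeps the faulting kernel frame, not the user one."""
    info = {"regs": {}, "code": []}
    for line in text.splitlines():
        m = re.search(r"address: ([0-9a-f]+)", line)
        if m and "fault" not in info:
            info["fault"] = int(m.group(1), 16)
        m = re.search(r"RIP: 0010:(\S+)\+0x([0-9a-f]+)/0x([0-9a-f]+)", line)
        if m and "symbol" not in info:
            info["symbol"], info["rip_off"] = m.group(1), int(m.group(2), 16)
        m = re.search(r"<([0-9a-f]{2})>((?: [0-9a-f]{2})*)", line)
        if m and not info["code"]:
            info["code"] = [int(b, 16) for b in (m.group(1) + m.group(2)).split()]
        for reg, val in REG_RE.findall(line):
            info["regs"].setdefault(reg, int(val, 16))
    return info


def explain_fault(info, max_disp=0x200):
    """Return (register, displacement, disp_in_code) triples with
    reg + displacement == fault address, best candidate first.  A small
    displacement from a NULL or error-valued base is a struct field offset;
    a disp8 that also appears in the faulting instruction bytes is strongest."""
    hits = []
    for reg, val in info["regs"].items():
        disp = (info["fault"] - val) & MASK
        if disp < max_disp:
            hits.append((reg, disp, disp in info["code"][:8]))
    return sorted(hits, key=lambda h: (not h[2], h[1]))
```

On this dump it ranks R15 + 0x34 first: the base register holds 0xfffffffffffffffe (-2), an error-like value rather than a literal NULL, and 0x34 is the disp8 of the faulting `41 8b 47 34` (mov eax, [r15+0x34]).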