Regressions While booting the next-20250701 Linux kernel on a qemu-x86_64 virtual machine, a kernel panic is observed due to a page fault in the __cpa_flush_tlb function.
Test environments:
- qemu-x86_64

Regression Analysis:
- New regression? Yes
- Reproducibility? I need more data (Testing is in progress)
Boot regression: Linux next-20250701 qemu-x86_64 BUG unable to handle page fault for address __cpa_flush_tlb
Reported-by: Linux Kernel Functional Testing lkft@linaro.org
## Boot log
<6>[ 0.000000] Linux version 6.16.0-rc4-next-20250701 (tuxmake@tuxmake) (x86_64-linux-gnu-gcc (Debian 13.3.0-16) 13.3.0, GNU ld (GNU Binutils for Debian) 2.44) #1 SMP PREEMPT_DYNAMIC @1751364982
<6>[ 0.000000] Command line: console=ttyS0,115200 rootwait root=/dev/sda debug verbose console_msg_format=syslog systemd.log_level=warning rw earlycon
<6>[ 0.000000] x86/CPU: Model not found in latest microcode list
<6>[ 0.000000] BIOS-provided physical RAM map:
...
<6>[ 2.292682] EXT4-fs (sda): mounted filesystem 9c9bd7ea-a7a4-4c7c-bc54-7007f029c954 r/w with ordered data mode. Quota mode: none.
<6>[ 2.294012] VFS: Mounted root (ext4 filesystem) on device 8:0.
<6>[ 2.296792] devtmpfs: mounted
<6>[ 2.387406] Freeing unused kernel image (initmem) memory: 4092K
<6>[ 2.389312] Write protecting the kernel read-only data: 32768k
<6>[ 2.391640] Freeing unused kernel image (text/rodata gap) memory: 28K
<1>[ 2.393647] BUG: unable to handle page fault for address: 000000000002aa97
<1>[ 2.394089] #PF: supervisor read access in kernel mode
<1>[ 2.395026] #PF: error_code(0x0000) - not-present page
<6>[ 2.395623] PGD 0 P4D 0
<4>[ 2.396063] Oops: Oops: 0000 [#1] SMP PTI
<4>[ 2.396998] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc4-next-20250701 #1 PREEMPT(voluntary)
<4>[ 2.397726] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
<4>[ 2.398454] RIP: 0010:__cpa_flush_tlb (arch/x86/mm/pat/set_memory.c:320 arch/x86/mm/pat/set_memory.c:408)
<4>[ 2.399219] Code: 1e fa 0f 1f 44 00 00 55 48 89 e5 41 54 53 48 83 7f 20 00 48 89 fb 74 5b 45 31 e4 31 ff eb 27 48 8b 13 a8 02 75 47 48 c1 e7 0c <48> 03 3a 48 01 ff 48 d1 ff e8 26 f4 ff ff 41 8d 7c 24 01 49 89 fc
All code
========
   0: 1e (bad)
   1: fa cli
   2: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
   7: 55 push %rbp
   8: 48 89 e5 mov %rsp,%rbp
   b: 41 54 push %r12
   d: 53 push %rbx
   e: 48 83 7f 20 00 cmpq $0x0,0x20(%rdi)
  13: 48 89 fb mov %rdi,%rbx
  16: 74 5b je 0x73
  18: 45 31 e4 xor %r12d,%r12d
  1b: 31 ff xor %edi,%edi
  1d: eb 27 jmp 0x46
  1f: 48 8b 13 mov (%rbx),%rdx
  22: a8 02 test $0x2,%al
  24: 75 47 jne 0x6d
  26: 48 c1 e7 0c shl $0xc,%rdi
  2a:* 48 03 3a add (%rdx),%rdi <-- trapping instruction
  2d: 48 01 ff add %rdi,%rdi
  30: 48 d1 ff sar $1,%rdi
  33: e8 26 f4 ff ff call 0xfffffffffffff45e
  38: 41 8d 7c 24 01 lea 0x1(%r12),%edi
  3d: 49 89 fc mov %rdi,%r12
Code starting with the faulting instruction
===========================================
   0: 48 03 3a add (%rdx),%rdi
   3: 48 01 ff add %rdi,%rdi
   6: 48 d1 ff sar $1,%rdi
   9: e8 26 f4 ff ff call 0xfffffffffffff434
   e: 41 8d 7c 24 01 lea 0x1(%r12),%edi
  13: 49 89 fc mov %rdi,%r12
<4>[ 2.399698] RSP: 0000:ffffb316c00e0f78 EFLAGS: 00010046
<4>[ 2.400494] RAX: 0000000000000169 RBX: ffffb316c0013e30 RCX: ffffb316c0013e30
<4>[ 2.401577] RDX: 000000000002aa97 RSI: 000000008b09dcbb RDI: 0000000000000000
<4>[ 2.401910] RBP: ffffb316c00e0f88 R08: 000000000000546c R09: 0000000000000000
<4>[ 2.402961] R10: 0000000000000000 R11: ffffb316c00e0ff8 R12: 0000000000000000
<4>[ 2.403326] R13: ffff8e357bd2daa0 R14: ffff8e3500aaaeb8 R15: ffffffff95148f50
<4>[ 2.403927] FS: 0000000000000000(0000) GS:ffff8e35e47bc000(0000) knlGS:0000000000000000
<4>[ 2.404471] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 2.404795] CR2: 000000000002aa97 CR3: 000000002ac48000 CR4: 00000000000006f0
<4>[ 2.405623] Call Trace:
<4>[ 2.406562] <IRQ>
<4>[ 2.407678] __flush_smp_call_function_queue (arch/x86/include/asm/jump_label.h:36 include/trace/events/csd.h:64 kernel/smp.c:135 kernel/smp.c:540)
<4>[ 2.408101] generic_smp_call_function_single_interrupt (kernel/smp.c:458)
<4>[ 2.408234] __sysvec_call_function_single (arch/x86/include/asm/jump_label.h:36 arch/x86/include/asm/trace/irq_vectors.h:98 arch/x86/kernel/smp.c:272)
<4>[ 2.409077] sysvec_call_function_single (arch/x86/kernel/smp.c:266 (discriminator 35) arch/x86/kernel/smp.c:266 (discriminator 35))
<4>[ 2.409287] </IRQ>
<4>[ 2.409408] <TASK>
<4>[ 2.409584] asm_sysvec_call_function_single (arch/x86/include/asm/idtentry.h:709)
<4>[ 2.410108] RIP: 0010:pv_native_safe_halt (arch/x86/kernel/paravirt.c:82)
<4>[ 2.410323] Code: 1f 84 00 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa eb 07 0f 00 2d 85 ef 03 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
All code
========
   0: 1f (bad)
   1: 84 00 test %al,(%rax)
   3: 00 00 add %al,(%rax)
   5: 00 00 add %al,(%rax)
   7: 0f 1f 40 00 nopl 0x0(%rax)
   b: 90 nop
   c: 90 nop
   d: 90 nop
   e: 90 nop
   f: 90 nop
  10: 90 nop
  11: 90 nop
  12: 90 nop
  13: 90 nop
  14: 90 nop
  15: 90 nop
  16: 90 nop
  17: 90 nop
  18: 90 nop
  19: 90 nop
  1a: 90 nop
  1b: f3 0f 1e fa endbr64
  1f: eb 07 jmp 0x28
  21: 0f 00 2d 85 ef 03 00 verw 0x3ef85(%rip) # 0x3efad
  28: fb sti
  29: f4 hlt
  2a:* c3 ret <-- trapping instruction
  2b: cc int3
  2c: cc int3
  2d: cc int3
  2e: cc int3
  2f: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
  36: 00 00 00
  39: 66 90 xchg %ax,%ax
  3b: 90 nop
  3c: 90 nop
  3d: 90 nop
  3e: 90 nop
  3f: 90 nop
Code starting with the faulting instruction
===========================================
   0: c3 ret
   1: cc int3
   2: cc int3
   3: cc int3
   4: cc int3
   5: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
   c: 00 00 00
   f: 66 90 xchg %ax,%ax
  11: 90 nop
  12: 90 nop
  13: 90 nop
  14: 90 nop
  15: 90 nop
<4>[ 2.411151] RSP: 0000:ffffb316c00abea0 EFLAGS: 00010206
<4>[ 2.411522] RAX: ffff8e35e47bc000 RBX: ffff8e3500372e80 RCX: 0000000000000001
<4>[ 2.411691] RDX: ffffffff9523177d RSI: ffffffff96b9a3df RDI: 0000000000005464
<4>[ 2.412619] RBP: ffffb316c00abea8 R08: 0000000000005464 R09: 0000000000000001
<4>[ 2.412810] R10: 0000004d8989ef00 R11: 000000000548e0b3 R12: 0000000000000001
<4>[ 2.413067] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
<4>[ 2.413403] ? do_idle (kernel/sched/idle.c:191 kernel/sched/idle.c:330)
<4>[ 2.413737] ? default_idle (arch/x86/include/asm/paravirt.h:107 arch/x86/kernel/process.c:757)
<4>[ 2.413926] arch_cpu_idle (arch/x86/kernel/process.c:795)
<4>[ 2.414072] default_idle_call (include/linux/cpuidle.h:144 kernel/sched/idle.c:123)
<4>[ 2.414608] do_idle (kernel/sched/idle.c:191 kernel/sched/idle.c:330)
<4>[ 2.414744] cpu_startup_entry (kernel/sched/idle.c:427)
<4>[ 2.414961] start_secondary (arch/x86/kernel/smpboot.c:203 (discriminator 10) arch/x86/kernel/smpboot.c:283 (discriminator 10))
<4>[ 2.415531] common_startup_64 (arch/x86/kernel/head_64.S:419)
<4>[ 2.415720] </TASK>
<4>[ 2.415898] Modules linked in:
<4>[ 2.416303] CR2: 000000000002aa97
<4>[ 2.417490] ---[ end trace 0000000000000000 ]---
<4>[ 2.417940] RIP: 0010:__cpa_flush_tlb (arch/x86/mm/pat/set_memory.c:320 arch/x86/mm/pat/set_memory.c:408)
<4>[ 2.418250] Code: 1e fa 0f 1f 44 00 00 55 48 89 e5 41 54 53 48 83 7f 20 00 48 89 fb 74 5b 45 31 e4 31 ff eb 27 48 8b 13 a8 02 75 47 48 c1 e7 0c <48> 03 3a 48 01 ff 48 d1 ff e8 26 f4 ff ff 41 8d 7c 24 01 49 89 fc
All code
========
   0: 1e (bad)
   1: fa cli
   2: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
   7: 55 push %rbp
   8: 48 89 e5 mov %rsp,%rbp
   b: 41 54 push %r12
   d: 53 push %rbx
   e: 48 83 7f 20 00 cmpq $0x0,0x20(%rdi)
  13: 48 89 fb mov %rdi,%rbx
  16: 74 5b je 0x73
  18: 45 31 e4 xor %r12d,%r12d
  1b: 31 ff xor %edi,%edi
  1d: eb 27 jmp 0x46
  1f: 48 8b 13 mov (%rbx),%rdx
  22: a8 02 test $0x2,%al
  24: 75 47 jne 0x6d
  26: 48 c1 e7 0c shl $0xc,%rdi
  2a:* 48 03 3a add (%rdx),%rdi <-- trapping instruction
  2d: 48 01 ff add %rdi,%rdi
  30: 48 d1 ff sar $1,%rdi
  33: e8 26 f4 ff ff call 0xfffffffffffff45e
  38: 41 8d 7c 24 01 lea 0x1(%r12),%edi
  3d: 49 89 fc mov %rdi,%r12
Code starting with the faulting instruction
===========================================
   0: 48 03 3a add (%rdx),%rdi
   3: 48 01 ff add %rdi,%rdi
   6: 48 d1 ff sar $1,%rdi
   9: e8 26 f4 ff ff call 0xfffffffffffff434
   e: 41 8d 7c 24 01 lea 0x1(%r12),%edi
  13: 49 89 fc mov %rdi,%r12
<4>[ 2.418856] RSP: 0000:ffffb316c00e0f78 EFLAGS: 00010046
<4>[ 2.419172] RAX: 0000000000000169 RBX: ffffb316c0013e30 RCX: ffffb316c0013e30
<4>[ 2.419363] RDX: 000000000002aa97 RSI: 000000008b09dcbb RDI: 0000000000000000
<4>[ 2.419552] RBP: ffffb316c00e0f88 R08: 000000000000546c R09: 0000000000000000
<4>[ 2.419864] R10: 0000000000000000 R11: ffffb316c00e0ff8 R12: 0000000000000000
<4>[ 2.420309] R13: ffff8e357bd2daa0 R14: ffff8e3500aaaeb8 R15: ffffffff95148f50
<4>[ 2.420816] FS: 0000000000000000(0000) GS:ffff8e35e47bc000(0000) knlGS:0000000000000000
<4>[ 2.421298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
<4>[ 2.421675] CR2: 000000000002aa97 CR3: 000000002ac48000 CR4: 00000000000006f0
<0>[ 2.422354] Kernel panic - not syncing: Fatal exception in interrupt
<0>[ 2.425278] Kernel Offset: 0x13e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
<0>[ 2.426205] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
## Source
* Kernel version: 6.16.0-rc4-next-20250701
* Git tree: https://kernel.googlesource.com/pub/scm/linux/kernel/git/next/linux-next.git
* Git sha: 3f804361f3b9af33e00b90ec9cb5afcc96831e60
* Git describe: 6.16.0-rc4-next-20250701
* Architectures: arm64
* Toolchains: gcc-13
* Kconfigs: gcc-13-lkftconfig-no-kselftest-frag
## Build arm64
* Test log: https://qa-reports.linaro.org/api/testruns/28972335/log_file/
* Test LAVA log 1: https://lkft.validation.linaro.org/scheduler/job/8336872#L5891
* Test details: https://regressions.linaro.org/lkft/linux-next-master/next-20250701/log-pars...
* Build link: https://storage.tuxsuite.com/public/linaro/lkft/builds/2zGk2ZJWqj1Ukob9bJAF1...
* Kernel config: https://storage.tuxsuite.com/public/linaro/lkft/builds/2zGk2ZJWqj1Ukob9bJAF1...
--
Linaro LKFT
https://lkft.linaro.org