Repeated kernel crashes hitting identical bad pointer

[ferdzo]

I experienced a crash/freeze while using Firefox, Ghostty and VSCode. Initially Firefox froze and I tried to close it which lead to the whole system being unresponsive and I had to shutdown it forcefully. After initial skim through the kernel logs, I saw 7 repeated crashes, where hit to a corrupted memory pointer 0x28d340da541dd2ae happened, which in the end turned into a system freeze. As far as I looked, it happened when kmalloc tried to allocate memory but hit the corrupt memory address. It happened multiple times, for Firefox, VSCode, but the final blow was for gnome shell and DRM driver which probably caused the freeze.

I'm using Asahi on a MacBook Air 2020 with Apple M1 (G13G B1), running the latest kernel from the fairydust branch, version 6.18.7.

Last kernel log:

Jan 28 15:11:27 fedora kernel: Unable to handle kernel paging request at virtual address 28d340da541dd2ae
Jan 28 15:11:27 fedora kernel: Mem abort info:
Jan 28 15:11:27 fedora kernel:   ESR = 0x0000000096000004
Jan 28 15:11:27 fedora kernel:   EC = 0x25: DABT (current EL), IL = 32 bits
Jan 28 15:11:27 fedora kernel:   SET = 0, FnV = 0
Jan 28 15:11:27 fedora kernel:   EA = 0, S1PTW = 0
Jan 28 15:11:27 fedora kernel:   FSC = 0x04: level 0 translation fault
Jan 28 15:11:27 fedora kernel: Data abort info:
Jan 28 15:11:27 fedora kernel:   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
Jan 28 15:11:27 fedora kernel:   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
Jan 28 15:11:27 fedora kernel:   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
Jan 28 15:11:27 fedora kernel: [28d340da541dd2ae] address between user and kernel address ranges
Jan 28 15:11:27 fedora kernel: Internal error: Oops: 0000000096000004 [#7]  SMP
Jan 28 15:11:27 fedora kernel: Modules linked in: uinput rfcomm snd_seq_dummy snd_hrtimer snd_seq snd_seq_device sunrpc nf_conntrack_netbios_ns nf_conntrack_broadcast nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables bnep brcmfmac_wcc qrtr binfmt_misc brcmfmac brcmutil cfg80211 hci_bcm4377 bluetooth mmc_core rfkill snd_soc_macaudio apple_isp videobuf2_dma_sg videobuf2_memops macsmc_input videobuf2_v4l2 videodev ofpart snd_soc_tas2770 spi_nor snd_soc_cs42l83_i2c snd_soc_cs42l42 snd_soc_apple_mca snd_soc_core mtd videobuf2_common apple_soc_cpufreq mc snd_compress ac97_bus leds_pwm joydev dm_multipath loop nfnetlink hid_apple spi_hid_apple_of spi_hid_apple tps6598x macsmc_reboot macsmc_power macsmc_hwmon gpio_macsmc rtc_macsmc apple_nvmem_spmi appledrm dwc3_apple polyval_ce dwc3 drm_dma_helper ghash_ce sha3_ce mux_apple_display_crossbar snd_pcm_dmaengine phy_apple_atc ulpi mux_core udc_core apple_tunable
Jan 28 15:11:27 fedora kernel:  snd_pcm asahi snd_timer pwm_apple snd nvmem_apple_efuses spi_apple apple_admac macsmc apple_wdt spmi_apple_controller soundcore pinctrl_apple_gpio clk_apple_nco typec i2c_pasemi_platform apple_dart i2c_pasemi_core xhci_plat_hcd vfat fat nvme_apple apple_sart nvme_core nvme_keyring nvme_auth hkdf scsi_dh_rdac scsi_dh_emc scsi_dh_alua i2c_dev fuse
Jan 28 15:11:27 fedora kernel: CPU: 2 UID: 1000 PID: 2093 Comm: gnome-shell Tainted: G S    D             6.18.7+ #3 PREEMPT(voluntary) 
Jan 28 15:11:27 fedora kernel: Tainted: [S]=CPU_OUT_OF_SPEC, [D]=DIE
Jan 28 15:11:27 fedora kernel: Hardware name: Apple MacBook Air (M1, 2020) (DT)
Jan 28 15:11:27 fedora kernel: pstate: 61400009 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
Jan 28 15:11:27 fedora kernel: pc : get_freepointer+0x10/0x28
Jan 28 15:11:27 fedora kernel: lr : __kmalloc_noprof+0x470/0x6e0
Jan 28 15:11:27 fedora kernel: sp : ffff80008e3f7870
Jan 28 15:11:27 fedora kernel: x29: ffff80008e3f7890 x28: 0000000000000028 x27: ffffd1e3af148e60
Jan 28 15:11:27 fedora kernel: x26: ffff80008e3f7968 x25: 0000000000000009 x24: 0000000000000024
Jan 28 15:11:27 fedora kernel: x23: ffffd1e3ae6dc6b0 x22: 28d340da541dd28e x21: ffff00000208c300
Jan 28 15:11:27 fedora kernel: x20: 0000000000000cc0 x19: 0000000000000024 x18: 0000000000000000
Jan 28 15:11:27 fedora kernel: x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffd2209d30
Jan 28 15:11:27 fedora kernel: x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
Jan 28 15:11:27 fedora kernel: x11: 0000000000000000 x10: ffff0003393b7118 x9 : ffffd1e3adcd8778
Jan 28 15:11:27 fedora kernel: x8 : 0000000000000000 x7 : ffff80008e3f7a28 x6 : ffff80008e3f7a50
Jan 28 15:11:27 fedora kernel: x5 : 00000000ffffffff x4 : 0000000000000046 x3 : 0000000000000020
Jan 28 15:11:27 fedora kernel: x2 : aed21d54da40d328 x1 : 28d340da541dd28e x0 : 7744b32df9c59df9
Jan 28 15:11:27 fedora kernel: Call trace:
Jan 28 15:11:27 fedora kernel:  get_freepointer+0x10/0x28 (P)
Jan 28 15:11:27 fedora kernel:  drm_syncobj_array_find+0x40/0x2a8
Jan 28 15:11:27 fedora kernel:  drm_syncobj_wait_ioctl+0xa8/0x1b0
Jan 28 15:11:27 fedora kernel:  drm_ioctl_kernel+0xc8/0x138
Jan 28 15:11:27 fedora kernel:  drm_ioctl+0x238/0x4d0
Jan 28 15:11:27 fedora kernel:  __arm64_sys_ioctl+0xac/0x108
Jan 28 15:11:27 fedora kernel:  invoke_syscall.constprop.0+0x64/0xe8
Jan 28 15:11:27 fedora kernel:  el0_svc_common.constprop.0+0x40/0xe8
Jan 28 15:11:27 fedora kernel:  do_el0_svc+0x24/0x38
Jan 28 15:11:27 fedora kernel:  el0_svc+0x3c/0x170
Jan 28 15:11:27 fedora kernel:  el0t_64_sync_handler+0xa0/0xe8
Jan 28 15:11:27 fedora kernel:  el0t_64_sync+0x1b0/0x1b8
Jan 28 15:11:27 fedora kernel: Code: b9403003 f9406000 8b030022 dac00c42 (f8636821) 
Jan 28 15:11:27 fedora kernel: ---[ end trace 0000000000000000 ]---

asahi-diagnose-20260128-164356.txt
crash.txt