From: Su Yue <l@damenly.org>
To: Qu Wenruo <quwenruo.btrfs@gmx.com>
Cc: linux-btrfs@vger.kernel.org, Su Yue <glass.su@suse.com>
Subject: Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
Date: Mon, 01 Jun 2026 20:12:05 +0800
Message-ID: <ik82qx2i.fsf@damenly.org>
In-Reply-To: <7edd1a98-4683-463d-b789-e75f7cb42de1@gmx.com> (Qu Wenruo's message of "Mon, 1 Jun 2026 21:23:20 +0930")
On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote:
> On 2026/6/1 20:11, Su Yue wrote:
>> Hi, btrfs folks. Recently I found that fstests/btrfs/242 can trigger a
>> kernel NULL pointer dereference with for-next (27a96ee64c0e0d6131160da98a5485adbbe9dd59)
>> and the openSUSE Tumbleweed kernel (7.0.10-2-default). The probability
>> is within 50 rounds.
>>
>> ENV:
>> host: mac mini m1 running Asahi linux
>> VM (newly installed):
>> # uname -r
>> 7.0.10-2-default
>> # dmesg
>> [ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01 10:25:08
>> [ 313.417562 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc (8:32) scanned by mkfs.btrfs (122570)
>> [ 313.417698 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd (8:48) scanned by mkfs.btrfs (122570)
>> [ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using crc32c checksum algorithm
>> [ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking UUID tree
>> [ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on async discard
>> [ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling free space tree
>> [ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last unmount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.513398 ] [ T122609 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) scanned by mount (122609)
>> [ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using crc32c checksum algorithm
>> [ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
>> [ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
>> [ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing degraded mounts
>> [ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on async discard
>> [ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling free space tree
>> [ 313.523827 ] [ T122625 ] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
>> [ 313.523858 ] [ T122625 ] Mem abort info:
>> [ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004
>> [ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL = 32 bits
>> [ 313.523877 ] [ T122625 ] SET = 0, FnV = 0
>> [ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0
>> [ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation fault
>> [ 313.523894 ] [ T122625 ] Data abort info:
>> [ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>> [ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>> [ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
>> [ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs, pgdp=000000013fd6b000
>> [ 313.523924 ] [ T122625 ] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
>> [ 313.523940 ] [ T122625 ] Internal error: Oops: 0000000096000004 [#1] SMP
>> [ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill dm_mod nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon libblake2b virtio_net virtio_balloon net_failover failover button raid6_pq vsock_loopback vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock xfs sr_mod cdrom aes_ce_blk ghash_ce gf128mul virtio_scsi sd_mod sm4 sg scsi_mod scsi_common xhci_pci virtio_mmio xhci_hcd usbcore usb_common virtio_blk efivarfs dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng
>> [ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed e9a5f6b24978fba3bf015a992f865837fdfff3dd
>> [ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
>> [ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
>> [ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
>
> Since you can reproduce it on the latest for-next, would you mind providing the for-next
> call trace along with the faddr2line output for the pc register of the for-next run?
>
Sure.

# ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48
btrfs_trim_fs+0x36c/0xa48:
bdev_max_discard_sectors at /var/lib/btrfs-linux-for-next/./include/linux/blkdev.h:1449 (discriminator 1)
(inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1)
(inlined by) btrfs_trim_free_extents at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6762 (discriminator 1)
(inlined by) btrfs_trim_fs at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6919 (discriminator 1)

[11630.789792] BTRFS info (device sdc): first mount of filesystem 5e033cee-fc5a-4e82-b065-e93b53533c2d
[11630.789810] BTRFS info (device sdc): using crc32c checksum algorithm
[11630.803359] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing
[11630.808199] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing
[11630.815475] BTRFS info (device sdc): allowing degraded mounts
[11630.815485] BTRFS info (device sdc): turning on async discard
[11630.815489] BTRFS info (device sdc): enabling free space tree
[11630.836072] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[11630.836118] Mem abort info:
[11630.836121] ESR = 0x0000000096000004
[11630.836124] EC = 0x25: DABT (current EL), IL = 32 bits
[11630.836128] SET = 0, FnV = 0
[11630.836130] EA = 0, S1PTW = 0
[11630.836133] FSC = 0x04: level 0 translation fault
[11630.836136] Data abort info:
[11630.836138] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[11630.836141] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[11630.836144] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[11630.836147] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001324a7000
[11630.836151] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
[11630.836247] Internal error: Oops: 0000000096000004 [#1] SMP
[11630.836279] Modules linked in: dm_dust(E) dm_flakey(E) ext4(E) crc16(E) mbcache(E) jbd2(E) loop(E) btrfs(E) xor(E) libblake2b(E) raid6_pq(E) dm_mod(E) arm_smccc_trng(E) virtio_balloon(E) virtio_net(E) net_failover(E) failover(E) vfat(E) fat(E) drm(E) fuse(E) xfs(E) virtio_scsi(E) qemu_fw_cfg(E) virtio_pci(E) virtio_pci_legacy_dev(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_rng(E) rng_core(E)
[11630.836342] CPU: 0 UID: 0 PID: 820669 Comm: fstrim Tainted: G E 7.1.0-rc4-custom+ #1 PREEMPT(full)
[11630.836352] Tainted: [E]=UNSIGNED_MODULE
[11630.836356] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
[11630.836363] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[11630.836370] pc : btrfs_trim_fs+0x36c/0xa48 [btrfs]
[11630.836474] lr : btrfs_trim_fs+0x1f8/0xa48 [btrfs]
[11630.836557] sp : ffff800085ef3ba0
[11630.836561] x29: ffff800085ef3c30 x28: ffff0000ed979cf8 x27: ffff800085ef3c90
[11630.836569] x26: ffff0000f51a9c00 x25: 0000000000000000 x24: 0000000000000000
[11630.836577] x23: ffff0000ed979c70 x22: ffff0000ed979c00 x21: ffff0000f51a9c00
[11630.836584] x20: 0000000000000000 x19: 000000004fdb8000 x18: 00000a9403d9d8b5
[11630.836592] x17: 0000000000000000 x16: ffffa49477e47e10 x15: 0000000000000000
[11630.836600] x14: 0000000000000000 x13: 0000000000000030 x12: 0000000800110005
[11630.836607] x11: ffff0000dc9cfc38 x10: 0000000000000000 x9 : ffff800085ef3a10
[11630.836615] x8 : ffffa4947853e848 x7 : 0000000000000000 x6 : ffff0000de710040
[11630.836622] x5 : 0000000000000000 x4 : ffff0000f51a9c00 x3 : 0000000000000000
[11630.836629] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000
[11630.836645] Call trace:
[11630.836650] btrfs_trim_fs+0x36c/0xa48 [btrfs] (P)
[11630.836732] btrfs_ioctl_fitrim+0x138/0x2a0 [btrfs]
[11630.836816] btrfs_ioctl+0x10d8/0x2910 [btrfs]
[11630.836898] __arm64_sys_ioctl+0xac/0x108
[11630.836907] invoke_syscall.constprop.0+0x48/0x120
[11630.836916] el0_svc_common.constprop.0+0x40/0xe8
[11630.836923] do_el0_svc+0x24/0x38
[11630.836928] el0_svc+0x50/0x310
[11630.836937] el0t_64_sync_handler+0xa0/0xe8
[11630.836943] el0t_64_sync+0x198/0x1a0
[11630.836951] Code: 17ffff7b f9400fe0 f90033e0 f9402f40 (f9400c00)
[11630.836958] ---[ end trace 0000000000000000 ]---
> Thanks,
> Qu