* [BUG report] btrfs/242 triggers kernel NULL pointer dereference
@ 2026-06-01 10:41 Su Yue
From: Su Yue @ 2026-06-01 10:41 UTC (permalink / raw)
To: linux-btrfs, Su Yue
Hi, btrfs folks. Recently I found that fstests/btrfs/242 can trigger a kernel NULL pointer dereference with for-next(27a96ee64c0e0d6131160da98a5485adbbe9dd59) and the openSUSE Tumbleweed kernel(7.0.10-2-default). The probability is within 50 rounds.
ENV:
host: mac mini m1 running Asahi linux
VM (newly installed):
# uname -r
7.0.10-2-default
# dmesg
[ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01 10:25:08
[ 313.417562 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc (8:32) scanned by mkfs.btrfs (122570)
[ 313.417698 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd (8:48) scanned by mkfs.btrfs (122570)
[ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
[ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using crc32c checksum algorithm
[ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking UUID tree
[ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on async discard
[ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling free space tree
[ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last unmount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
[ 313.513398 ] [ T122609 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) scanned by mount (122609)
[ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
[ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using crc32c checksum algorithm
[ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
[ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
[ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing degraded mounts
[ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on async discard
[ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling free space tree
[ 313.523827 ] [ T122625 ] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[ 313.523858 ] [ T122625 ] Mem abort info:
[ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004
[ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL = 32 bits
[ 313.523877 ] [ T122625 ] SET = 0, FnV = 0
[ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0
[ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation fault
[ 313.523894 ] [ T122625 ] Data abort info:
[ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs, pgdp=000000013fd6b000
[ 313.523924 ] [ T122625 ] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
[ 313.523940 ] [ T122625 ] Internal error: Oops: 0000000096000004 [#1] SMP
[ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill dm_mod nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon libblake2b virtio_net virtio_balloon net_failover failover button raid6_pq vsock_loopback vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock xfs sr_mod cdrom aes_ce_blk ghash_ce gf128mul virtio_scsi sd_mod sm4 sg scsi_mod scsi_common xhci_pci virtio_mmio xhci_hcd usbcore usb_common virtio_blk efivarfs dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng
[ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed e9a5f6b24978fba3bf015a992f865837fdfff3dd
[ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
[ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
[ 313.548443 ] [ T122625 ] lr : btrfs_trim_fs+0x1f0/0xa00 [btrfs]
[ 313.549248 ] [ T122625 ] sp : ffff80008addbb70
[ 313.549760 ] [ T122625 ] x29: ffff80008addbbf0 x28: 0000000000000000 x27: ffff80008addbc50
[ 313.550826 ] [ T122625 ] x26: 000000002e300000 x25: 0000000200000000 x24: ffff0000c0c35490
[ 313.551819 ] [ T122625 ] x23: ffff0000c0c35400 x22: ffff0000c0d7bc00 x21: ffff0000c0d7bc00
[ 313.553453 ] [ T122625 ] x20: 0000000000000000 x19: 000000004fdb8000 x18: 0000000000000000
[ 313.555099 ] [ T122625 ] x17: fffffdffc3a6c980 x16: ffffc03bf9d70f68 x15: fffffdffbf000000
[ 313.557353 ] [ T122625 ] x14: ffff0000e75200d0 x13: 0000000000000001 x12: 0000000000000000
[ 313.559262 ] [ T122625 ] x11: 00000000000000c0 x10: 16d71b527421a8a2 x9 : ffffc03bf9d70f88
[ 313.560500 ] [ T122625 ] x8 : ffff0000e7521268 x7 : 0000000000000000 x6 : 0000000000000000
[ 313.561496 ] [ T122625 ] x5 : 842c1a086c93060f x4 : ffff0000c9dafeb0 x3 : ffff0000c0d7bc00
[ 313.563063 ] [ T122625 ] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000
[ 313.564057 ] [ T122625 ] Call trace:
[ 313.564465 ] [ T122625 ] btrfs_trim_fs+0x34c/0xa00 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] (P)
[ 313.565720 ] [ T122625 ] btrfs_ioctl_fitrim+0xe8/0x178 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
[ 313.567140 ] [ T122625 ] btrfs_ioctl+0xdd4/0x2bd8 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
[ 313.568326 ] [ T122625 ] __arm64_sys_ioctl+0xac/0x108
[ 313.568936 ] [ T122625 ] invoke_syscall.constprop.0+0x5c/0xd0
[ 313.569625 ] [ T122625 ] el0_svc_common.constprop.0+0x40/0xf0
[ 313.570320 ] [ T122625 ] do_el0_svc+0x24/0x40
[ 313.570864 ] [ T122625 ] el0_svc+0x40/0x1d0
[ 313.571964 ] [ T122625 ] el0t_64_sync_handler+0xa0/0xe8
[ 313.572614 ] [ T122625 ] el0t_64_sync+0x1b0/0x1b8
[ 313.573184 ] [ T122625 ] Code: 17ffff83 f94017e0 f9002be0 f9402ea0 (f9400c00)
[ 313.574045 ] [ T122625 ] ---[ end trace 0000000000000000 ]---
[ 313.617087 ] [ T122648 ] BTRFS info (device sdb): last unmount of filesystem 41ba7202-04d0-466e-9130-a89f855aff0c
# cat local.config:
export FSTYPE=btrfs
export TEST_DEV="/dev/sdb"
export TEST_DIR="/mnt//test"
export SCRATCH_DEV_POOL="/dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg"
export SCRATCH_MNT="/mnt//scratch"
export KEEP_DMESG=yes
# rpm -qa btrfsprogs
btrfsprogs-6.19-1.4.aarch64
# cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20260527"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20260527"
# uname -r
7.0.10-2-default
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
From: Qu Wenruo @ 2026-06-01 11:53 UTC (permalink / raw)
To: Su Yue, linux-btrfs, Su Yue
On 2026/6/1 20:11, Su Yue wrote:
>
> Hi, btrfs folks. Recently I found that fstests/btrfs/242 can trigger
> kernel NULL pointer dereference with for-
> next(27a96ee64c0e0d6131160da98a5485adbbe9dd59) and
> openSUSE Tumbleweed kernel(7.0.10-2-default). The probability is within
> 50 rounds.
>
> ENV:
> host: mac mini m1 running Asahi linux
>
> VM(new installed):
>
> # uname -r
> 7.0.10-2-default
>
> # dmesg
> [ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01 10:25:08
> [ 313.417562 ] [ T122570 ] BTRFS: device fsid
> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc (8:32)
> scanned by mkfs.btrfs (122570)
> [ 313.417698 ] [ T122570 ] BTRFS: device fsid
> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd (8:48)
> scanned by mkfs.btrfs (122570)
> [ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first mount of
> filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
> [ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using crc32c
> checksum algorithm
> [ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking UUID tree
> [ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on async
> discard
> [ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling free space
> tree
> [ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last unmount of
> filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
> [ 313.513398 ] [ T122609 ] BTRFS: device fsid
> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32)
> scanned by mount (122609)
> [ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first mount of
> filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
> [ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using crc32c
> checksum algorithm
> [ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid
> fbe72d72-3272-482d-80fb-ab88ed398192 is missing
> [ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid
> fbe72d72-3272-482d-80fb-ab88ed398192 is missing
> [ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing degraded
> mounts
> [ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on async
> discard
> [ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling free space
> tree
> [ 313.523827 ] [ T122625 ] Unable to handle kernel NULL pointer
> dereference at virtual address 0000000000000018
> [ 313.523858 ] [ T122625 ] Mem abort info:
> [ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004
> [ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL = 32 bits
> [ 313.523877 ] [ T122625 ] SET = 0, FnV = 0
> [ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0
> [ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation fault
> [ 313.523894 ] [ T122625 ] Data abort info:
> [ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
> [ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
> [ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> [ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs,
> pgdp=000000013fd6b000
> [ 313.523924 ] [ T122625 ] [0000000000000018] pgd=0000000000000000,
> p4d=0000000000000000
> [ 313.523940 ] [ T122625 ] Internal error: Oops: 0000000096000004 [#1]
> SMP
> [ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill dm_mod
> nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon
> libblake2b virtio_net virtio_balloon net_failover failover button
> raid6_pq vsock_loopback vmw_vsock_virtio_transport
> vmw_vsock_virtio_transport_common vsock xfs sr_mod cdrom aes_ce_blk
> ghash_ce gf128mul virtio_scsi sd_mod sm4 sg scsi_mod scsi_common
> xhci_pci virtio_mmio xhci_hcd usbcore usb_common virtio_blk efivarfs
> dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng
> [ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not
> tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed
> e9a5f6b24978fba3bf015a992f865837fdfff3dd
> [ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual Machine,
> BIOS edk2-20250812-19.fc42 08/12/2025
> [ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN -UAO -TCO
> +DIT -SSBS BTYPE=--)
> [ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
Since you can reproduce it on the latest for-next, would you mind providing the for-next call trace along with the faddr2line output for the pc register of the for-next run?
Thanks,
Qu
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
From: Su Yue @ 2026-06-01 12:12 UTC (permalink / raw)
To: Qu Wenruo; +Cc: linux-btrfs, Su Yue
On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote:
> On 2026/6/1 20:11, Su Yue wrote:
>> Hi, btrfs folks. Recently I found that fstests/btrfs/242 can
>> trigger
>> kernel NULL pointer dereference with for-
>> next(27a96ee64c0e0d6131160da98a5485adbbe9dd59) and
>> openSUSE Tumbleweed kernel(7.0.10-2-default). The probability
>> is within 50
>> rounds.
>> ENV:
>> host: mac mini m1 running Asahi linux
>> VM(new installed):
>> # uname -r
>> 7.0.10-2-default
>> # dmesg
>> [ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01
>> 10:25:08
>> [ 313.417562 ] [ T122570 ] BTRFS: device fsid
>> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc
>> (8:32) scanned
>> by mkfs.btrfs (122570)
>> [ 313.417698 ] [ T122570 ] BTRFS: device fsid
>> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd
>> (8:48) scanned
>> by mkfs.btrfs (122570)
>> [ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first
>> mount of filesystem
>> d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using
>> crc32c checksum
>> algorithm
>> [ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking
>> UUID tree
>> [ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on
>> async discard
>> [ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling
>> free space tree
>> [ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last
>> unmount of
>> filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.513398 ] [ T122609 ] BTRFS: device fsid
>> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc
>> (8:32) scanned
>> by mount (122609)
>> [ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first
>> mount of filesystem
>> d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using
>> crc32c checksum
>> algorithm
>> [ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2
>> uuid
>> fbe72d72-3272-482d-80fb-ab88ed398192 is missing
>> [ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2
>> uuid
>> fbe72d72-3272-482d-80fb-ab88ed398192 is missing
>> [ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing
>> degraded mounts
>> [ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on
>> async discard
>> [ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling
>> free space tree
>> [ 313.523827 ] [ T122625 ] Unable to handle kernel NULL
>> pointer dereference
>> at virtual address 0000000000000018
>> [ 313.523858 ] [ T122625 ] Mem abort info:
>> [ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004
>> [ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL
>> = 32 bits
>> [ 313.523877 ] [ T122625 ] SET = 0, FnV = 0
>> [ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0
>> [ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation
>> fault
>> [ 313.523894 ] [ T122625 ] Data abort info:
>> [ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 =
>> 0x00000000
>> [ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0,
>> TagAccess = 0
>> [ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit =
>> 0, Xs = 0
>> [ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs,
>> pgdp=000000013fd6b000
>> [ 313.523924 ] [ T122625 ] [0000000000000018]
>> pgd=0000000000000000,
>> p4d=0000000000000000
>> [ 313.523940 ] [ T122625 ] Internal error: Oops:
>> 0000000096000004 [#1] SMP
>> [ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill
>> dm_mod
>> nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon
>> libblake2b
>> virtio_net virtio_balloon net_failover failover button raid6_pq
>> vsock_loopback
>> vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common
>> vsock xfs sr_mod
>> cdrom aes_ce_blk ghash_ce gf128mul virtio_scsi sd_mod sm4 sg
>> scsi_mod
>> scsi_common xhci_pci virtio_mmio xhci_hcd usbcore usb_common
>> virtio_blk
>> efivarfs dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng
>> [ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm:
>> fstrim Not tainted
>> 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed
>> e9a5f6b24978fba3bf015a992f865837fdfff3dd
>> [ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual
>> Machine, BIOS
>> edk2-20250812-19.fc42 08/12/2025
>> [ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN
>> -UAO -TCO +DIT
>> -SSBS BTYPE=--)
>> [ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00
>> [btrfs]
>
> Since you can reproduce it on the latest for-next, mind to
> provide the for-next
> call trace along with the faddr2line output for pc register of
> the for-next run?
>
Sure.
# ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48
btrfs_trim_fs+0x36c/0xa48:
bdev_max_discard_sectors at /var/lib/btrfs-linux-for-next/./include/linux/blkdev.h:1449 (discriminator 1)
(inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1)
(inlined by) btrfs_trim_free_extents at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6762 (discriminator 1)
(inlined by) btrfs_trim_fs at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6919 (discriminator 1)
[11630.789792] BTRFS info (device sdc): first mount of filesystem 5e033cee-fc5a-4e82-b065-e93b53533c2d
[11630.789810] BTRFS info (device sdc): using crc32c checksum algorithm
[11630.803359] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing
[11630.808199] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing
[11630.815475] BTRFS info (device sdc): allowing degraded mounts
[11630.815485] BTRFS info (device sdc): turning on async discard
[11630.815489] BTRFS info (device sdc): enabling free space tree
[11630.836072] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[11630.836118] Mem abort info:
[11630.836121] ESR = 0x0000000096000004
[11630.836124] EC = 0x25: DABT (current EL), IL = 32 bits
[11630.836128] SET = 0, FnV = 0
[11630.836130] EA = 0, S1PTW = 0
[11630.836133] FSC = 0x04: level 0 translation fault
[11630.836136] Data abort info:
[11630.836138] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[11630.836141] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[11630.836144] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[11630.836147] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001324a7000
[11630.836151] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
[11630.836247] Internal error: Oops: 0000000096000004 [#1] SMP
[11630.836279] Modules linked in: dm_dust(E) dm_flakey(E) ext4(E) crc16(E) mbcache(E) jbd2(E) loop(E) btrfs(E) xor(E) libblake2b(E) raid6_pq(E) dm_mod(E) arm_smccc_trng(E) virtio_balloon(E) virtio_net(E) net_failover(E) failover(E) vfat(E) fat(E) drm(E) fuse(E) xfs(E) virtio_scsi(E) qemu_fw_cfg(E) virtio_pci(E) virtio_pci_legacy_dev(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_rng(E) rng_core(E)
[11630.836342] CPU: 0 UID: 0 PID: 820669 Comm: fstrim Tainted: G E 7.1.0-rc4-custom+ #1 PREEMPT(full)
[11630.836352] Tainted: [E]=UNSIGNED_MODULE
[11630.836356] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
[11630.836363] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[11630.836370] pc : btrfs_trim_fs+0x36c/0xa48 [btrfs]
[11630.836474] lr : btrfs_trim_fs+0x1f8/0xa48 [btrfs]
[11630.836557] sp : ffff800085ef3ba0
[11630.836561] x29: ffff800085ef3c30 x28: ffff0000ed979cf8 x27: ffff800085ef3c90
[11630.836569] x26: ffff0000f51a9c00 x25: 0000000000000000 x24: 0000000000000000
[11630.836577] x23: ffff0000ed979c70 x22: ffff0000ed979c00 x21: ffff0000f51a9c00
[11630.836584] x20: 0000000000000000 x19: 000000004fdb8000 x18: 00000a9403d9d8b5
[11630.836592] x17: 0000000000000000 x16: ffffa49477e47e10 x15: 0000000000000000
[11630.836600] x14: 0000000000000000 x13: 0000000000000030 x12: 0000000800110005
[11630.836607] x11: ffff0000dc9cfc38 x10: 0000000000000000 x9 : ffff800085ef3a10
[11630.836615] x8 : ffffa4947853e848 x7 : 0000000000000000 x6 : ffff0000de710040
[11630.836622] x5 : 0000000000000000 x4 : ffff0000f51a9c00 x3 : 0000000000000000
[11630.836629] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000
[11630.836645] Call trace:
[11630.836650] btrfs_trim_fs+0x36c/0xa48 [btrfs] (P)
[11630.836732] btrfs_ioctl_fitrim+0x138/0x2a0 [btrfs]
[11630.836816] btrfs_ioctl+0x10d8/0x2910 [btrfs]
[11630.836898] __arm64_sys_ioctl+0xac/0x108
[11630.836907] invoke_syscall.constprop.0+0x48/0x120
[11630.836916] el0_svc_common.constprop.0+0x40/0xe8
[11630.836923] do_el0_svc+0x24/0x38
[11630.836928] el0_svc+0x50/0x310
[11630.836937] el0t_64_sync_handler+0xa0/0xe8
[11630.836943] el0t_64_sync+0x198/0x1a0
[11630.836951] Code: 17ffff7b f9400fe0 f90033e0 f9402f40 (f9400c00)
[11630.836958] ---[ end trace 0000000000000000 ]---
> Thanks,
> Qu
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
From: Qu Wenruo @ 2026-06-01 22:11 UTC (permalink / raw)
To: Su Yue; +Cc: linux-btrfs, Su Yue
On 2026/6/1 21:42, Su Yue wrote:
> On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com>
> wrote:
[...]
>> Since you can reproduce it on the latest for-next, mind to provide
>> the for-next call trace along with the faddr2line output for pc
>> register of the for-next run?
>>
> Sure.
>
> # ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48
> btrfs_trim_fs+0x36c/0xa48: bdev_max_discard_sectors at /var/lib/
> btrfs-linux-for-next/./include/ linux/blkdev.h:1449 (discriminator
> 1) (inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs-
> linux- for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1)
Thanks! This is super helpful.
However this looks a little weird.
The NULL pointer dereference is from bdev_max_discard_sectors(), meaning
the bdev is NULL, most likely the device is missing.
However just before we call btrfs_trim_extents_throttle() we have
already checked the DEV_STATE_MISSING flag of the device and will skip
any missing device.
Furthermore the test case doesn't change the missing device state during
the run.
So there seems to be some weird race, or desynchronization between
various bit flags.
Mind testing with the following diff?
Thanks,
Qu
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 6030cdbdb742..94535c90de22 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -6624,6 +6624,13 @@ static int
btrfs_trim_free_extents_throttle(struct btrfs_device *device,
*trimmed = 0;
+ ASSERT(!test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state),
+ "devid=%llu path=%s dev_state=0x%lx\n",
+ device->devid, btrfs_dev_name(device), device->dev_state);
+ ASSERT(device->bdev,
+ "devid=%llu path=%s dev_state=0x%lx\n",
+ device->devid, btrfs_dev_name(device), device->dev_state);
+
/* Discard not supported = nothing to do. */
if (!bdev_max_discard_sectors(device->bdev))
return 0;
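Review bot: the two ASSERT()s separate the two invariants nicely (a failure names whether it is the MISSING flag or the bdev pointer that is wrong), but they are a diagnostic only: a build where ASSERT is compiled out still reaches `if (!bdev_max_discard_sectors(device->bdev))` with a NULL bdev and oopses exactly as in the report, from an ioctl issued by fstrim. Suggest the eventual fix add a runtime guard ahead of the discard check, e.g. `if (!device->bdev) return 0;` with a warning that carries the same devid/path/dev_state the assertion message already formats, and keep the ASSERTs for debug builds so the inconsistent state stays visible while the root cause is being tracked down.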
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
From: Glass Su @ 2026-06-02 1:49 UTC (permalink / raw)
To: Qu Wenruo; +Cc: Su Yue, linux-btrfs
> On Jun 2, 2026, at 06:11, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote:
>
>
>
> On 2026/6/1 21:42, Su Yue wrote:
>> On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com>
>> wrote:
> [...]
>>> Since you can reproduce it on the latest for-next, mind to provide
>>> the for-next call trace along with the faddr2line output for pc
>>> register of the for-next run?
>> Sure.
>> # ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48 btrfs_trim_fs+0x36c/0xa48: bdev_max_discard_sectors at /var/lib/
>> btrfs-linux-for-next/./include/ linux/blkdev.h:1449 (discriminator
>> 1) (inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs-
>> linux- for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1)
>
> Thanks! This is super helpful.
>
> However this looks a little weird.
>
> The NULL pointer dereference is from bdev_max_discard_sectors(), meaning
> the bdev is NULL, most likely the device is missing.
>
> However just before we call btrfs_trim_extents_throttle() we have
> already checked the DEV_STATE_MISSING flag of the device and will skip
> any missing device.
>
> Furthermore the test case doesn't change the missing device state during
> the run.
>
> So there seems to be some weird race, or desynchronization between
> various bit flags.
>
> Mind to test with the following diff?
Here you are:
[ 434.761748] BTRFS info (device sdc): enabling free space tree
[ 434.785804] assertion failed: device->bdev, in extent-tree.c:6630 (devid=2 path=/dev/sdd dev_state=0x82)
[ 434.785822] ------------[ cut here ]------------
[ 434.785823] kernel BUG at extent-tree.c:6630!
[ 434.785846] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP
[ 434.785849] Modules linked in: btrfs(OE) xor(E) libblake2b(E) raid6_pq(E) dm_mod(E) arm_smccc_trng(E) virtio_balloon(E) virtio_net(E) net_failover(E) failover(E) vfat(E) fat(E) fuse(E) drm(E) xfs(E) virtio_scsi(E) qemu_fw_cfg(E) virtio_pci(E) virtio_pci_legacy_dev(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_rng(E) rng_core(E) [last unloaded: xor(E)]
[ 434.785860] CPU: 5 UID: 0 PID: 34553 Comm: fstrim Tainted: G OE 7.1.0-rc6-custom+ #2 PREEMPT(full)
[ 434.785862] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE
[ 434.785863] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
[ 434.785864] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 434.785866] pc : btrfs_trim_fs+0x9f8/0xc48 [btrfs]
[ 434.785937] lr : btrfs_trim_fs+0x9f8/0xc48 [btrfs]
[ 434.785985] sp : ffff800087103ba0
[ 434.785986] x29: ffff800087103c30 x28: ffff0000dcd6cc00 x27: ffff800087103c90
[ 434.785987] x26: ffff0000dcd6cc00 x25: ffff0000dcd6cca8 x24: 0000000000000000
[ 434.785989] x23: ffff0000de321c70 x22: ffff0000de321c00 x21: ffff0000de321cf8
[ 434.785990] x20: 0000000000000002 x19: ffff0000c0c77110 x18: 0000000000000010
[ 434.785991] x17: 7020323d64697665 x16: 642820303336363a x15: 632e656572742d74
[ 434.785992] x14: 6e65747865206e69 x13: 290a323878303d65 x12: 746174735f766564
[ 434.785993] x11: 0000000000017fe8 x10: ffffd8425b311620 x9 : ffffd84259e2bf3c
[ 434.785995] x8 : ffffd8425b4b2ed8 x7 : ffff0000d2108b78 x6 : 0000000000000000
[ 434.785996] x5 : ffff0002019de988 x4 : 0000000000000001 x3 : 0000000000000000
[ 434.785997] x2 : 0000000000000000 x1 : ffff0000d2108040 x0 : 000000000000005d
[ 434.785998] Call trace:
[ 434.785999] btrfs_trim_fs+0x9f8/0xc48 [btrfs] (P)
[ 434.786045] btrfs_ioctl_fitrim+0x138/0x2a0 [btrfs]
[ 434.786100] btrfs_ioctl+0x10d8/0x2910 [btrfs]
[ 434.786146] __arm64_sys_ioctl+0xac/0x108
[ 434.786151] invoke_syscall.constprop.0+0x48/0x120
[ 434.786155] el0_svc_common.constprop.0+0x40/0xe8
[ 434.786158] do_el0_svc+0x24/0x38
[ 434.786160] el0_svc+0x50/0x310
[ 434.786164] el0t_64_sync_handler+0xa0/0xe8
[ 434.786166] el0t_64_sync+0x198/0x1a0
[ 434.786168] Code: 911ca021 f00038a0 911b8000 9404ada8 (d4210000)
[ 434.786169] ---[ end trace 0000000000000000 ]---
>
> Thanks,
> Qu
>
> diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
> index 6030cdbdb742..94535c90de22 100644
> --- a/fs/btrfs/extent-tree.c
> +++ b/fs/btrfs/extent-tree.c
> @@ -6624,6 +6624,13 @@ static int btrfs_trim_free_extents_throttle(struct btrfs_device *device,
>
> *trimmed = 0;
>
> + ASSERT(!test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state),
> + "devid=%llu path=%s dev_state=0x%lx\n",
> + device->devid, btrfs_dev_name(device), device->dev_state);
> + ASSERT(device->bdev,
> + "devid=%llu path=%s dev_state=0x%lx\n",
> + device->devid, btrfs_dev_name(device), device->dev_state);
> +
> /* Discard not supported = nothing to do. */
> if (!bdev_max_discard_sectors(device->bdev))
> return 0;
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
From: Qu Wenruo @ 2026-06-02 2:23 UTC (permalink / raw)
To: Glass Su; +Cc: Su Yue, linux-btrfs
On 2026/6/2 11:19, Glass Su wrote:
>
>
>> On Jun 2, 2026, at 06:11, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote:
>>
>>
>>
>> On 2026/6/1 21:42, Su Yue wrote:
>>> On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com>
>>> wrote:
>> [...]
>>>> Since you can reproduce it on the latest for-next, mind to provide
>>>> the for-next call trace along with the faddr2line output for pc
>>>> register of the for-next run?
>>> Sure.
>>> # ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48 btrfs_trim_fs+0x36c/0xa48: bdev_max_discard_sectors at /var/lib/
>>> btrfs-linux-for-next/./include/ linux/blkdev.h:1449 (discriminator
>>> 1) (inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs-
>>> linux- for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1)
>>
>> Thanks! This is super helpful.
>>
>> However this looks a little weird.
>>
>> The NULL pointer dereference is from bdev_max_discard_sectors(), meaning
>> the bdev is NULL, most likely the device is missing.
>>
>> However just before we call btrfs_trim_extents_throttle() we have
>> already checked the DEV_STATE_MISSING flag of the device and will skip
>> any missing device.
>>
>> Furthermore the test case doesn't change the missing device state during
>> the run.
>>
>> So there seems to be some weird race, or desynchronization between
>> various bit flags.
>>
>> Mind to test with the following diff?
>
> Here you are:
>
> [ 434.761748] BTRFS info (device sdc): enabling free space tree
> [ 434.785804] assertion failed: device->bdev, in extent-tree.c:6630 (devid=2 path=/dev/sdd dev_state=0x82
Thanks, this is really weird now.
Firstly, from the previous message prefix, we know sdc is the first device with devid 1, and devid 2 is missing.
But we still got devid 2 with a valid device path, without a proper bdev and without the DEVICE_MISSING flag.
It looks like devid 2 somehow still got scanned, but without a proper bdev populated.
Let me check if there is some other way to allow btrfs to register a new device unexpectedly.
Thanks,
Qu
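The state Qu describes (devid 2 carrying a valid path, no MISSING flag, and a NULL bdev) is the case a trim loop has to tolerate rather than oops on, and it is also the invariant the diagnostic ASSERTs in the earlier diff encode. The following is an added C model written for this page; it is not code from the thread or from the btrfs tree. The struct layout is simplified and the bit index of BTRFS_DEV_STATE_MISSING (bit 2) is an assumption; the three sample devices are constructed, with devid 2's path /dev/sdd and dev_state 0x82 taken from the assertion output above. It shows a per-device trim step that skips a NULL bdev before reading its discard limit, and an audit of the "MISSING flag set if and only if bdev is NULL" invariant that reports how many devices disagree.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Simplified model of the per-device state the fstrim path looks at.
 * Struct layout and the bit index are ASSUMPTIONS for this example, not
 * the kernel's definitions; only devid 2, /dev/sdd and dev_state 0x82
 * come from the assertion output in the thread.
 */
#define DEV_STATE_MISSING_BIT 2UL   /* assumed index of BTRFS_DEV_STATE_MISSING */

struct block_device {
    unsigned long max_discard_sectors;  /* 0 means discard is not supported */
};

struct btrfs_device {
    unsigned long long devid;
    const char *path;
    unsigned long dev_state;
    struct block_device *bdev;          /* NULL when nothing has been opened */
};

enum trim_verdict {
    TRIM_DONE,             /* device was trimmed */
    TRIM_SKIP_MISSING,     /* MISSING flag set: the expected skip */
    TRIM_SKIP_NO_DISCARD,  /* opened, but the bdev does not support discard */
    TRIM_SKIP_NULL_BDEV,   /* flag clear but bdev NULL: the state from the thread */
};

static bool device_is_missing(const struct btrfs_device *dev)
{
    return (dev->dev_state >> DEV_STATE_MISSING_BIT) & 1UL;
}

/*
 * Guarded per-device step. The path in the report checks the MISSING flag
 * and then reads bdev->max_discard_sectors; the explicit NULL check is what
 * turns the oops into a logged skip when the flag and the pointer disagree.
 */
enum trim_verdict trim_one_device(const struct btrfs_device *dev,
                                  unsigned long *trimmed)
{
    *trimmed = 0;
    if (device_is_missing(dev))
        return TRIM_SKIP_MISSING;
    if (!dev->bdev) {
        fprintf(stderr, "devid=%llu path=%s dev_state=0x%lx: no bdev, skipping\n",
                dev->devid, dev->path, dev->dev_state);
        return TRIM_SKIP_NULL_BDEV;
    }
    if (!dev->bdev->max_discard_sectors)
        return TRIM_SKIP_NO_DISCARD;
    /* Model only: report the device's discard limit as the trimmed amount. */
    *trimmed = dev->bdev->max_discard_sectors;
    return TRIM_DONE;
}

/* Walk every device like an fs-wide trim; returns how many hit the NULL-bdev case. */
int trim_fs(const struct btrfs_device *devs, size_t n, unsigned long *total)
{
    int inconsistent = 0;

    *total = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned long t;

        if (trim_one_device(&devs[i], &t) == TRIM_SKIP_NULL_BDEV)
            inconsistent++;
        *total += t;
    }
    return inconsistent;
}

/* The invariant the diagnostic ASSERTs encode: MISSING set <=> bdev NULL. Returns violations. */
int audit_device_state(const struct btrfs_device *devs, size_t n)
{
    int violations = 0;

    for (size_t i = 0; i < n; i++)
        if (device_is_missing(&devs[i]) != (devs[i].bdev == NULL))
            violations++;
    return violations;
}

/* Constructed sample: sdc opened, sdd in the odd state from the thread, sde properly missing. */
static struct block_device sdc_bdev = { .max_discard_sectors = 8192 };
struct btrfs_device sample_devs[] = {
    { 1, "/dev/sdc", 0x03UL, &sdc_bdev },                   /* constructed: opened, discard OK */
    { 2, "/dev/sdd", 0x82UL, NULL },                        /* path and dev_state from the thread */
    { 3, "/dev/sde", 1UL << DEV_STATE_MISSING_BIT, NULL },  /* constructed: flagged missing */
};
const size_t sample_devs_count = sizeof(sample_devs) / sizeof(sample_devs[0]);

int main(void)
{
    unsigned long total;
    int odd = trim_fs(sample_devs, sample_devs_count, &total);

    printf("trimmed %lu sectors, %d device(s) skipped for NULL bdev, %d invariant violation(s)\n",
           total, odd, audit_device_state(sample_devs, sample_devs_count));
    return 0;
}
```

Run as written it trims only sdc, logs the devid 2 skip to stderr, and reports one invariant violation; the audit is the check to run over the device list when a trace like the one above appears, because it tells you which side (flag or pointer) is stale without crashing the box.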