* [BUG report] btrfs/242 triggers kernel NULL pointer dereference @ 2026-06-01 10:41 Su Yue 2026-06-01 11:53 ` Qu Wenruo 0 siblings, 1 reply; 6+ messages in thread From: Su Yue @ 2026-06-01 10:41 UTC (permalink / raw) To: linux-btrfs, Su Yue Hi, btrfs folks. Recently I found that fstests/btrfs/242 can trigger kernel NULL pointer dereference with for-next(27a96ee64c0e0d6131160da98a5485adbbe9dd59) and openSUSE Tumbleweed kernel(7.0.10-2-default). The probability is within 50 rounds. ENV: host: mac mini m1 running Asahi linux VM(new installed): # uname -r 7.0.10-2-default # dmesg [ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01 10:25:08 [ 313.417562 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc (8:32) scanned by mkfs.btrfs (122570) [ 313.417698 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd (8:48) scanned by mkfs.btrfs (122570) [ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874 [ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using crc32c checksum algorithm [ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking UUID tree [ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on async discard [ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling free space tree [ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last unmount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874 [ 313.513398 ] [ T122609 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) scanned by mount (122609) [ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874 [ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using crc32c checksum algorithm [ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing [ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing [ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing degraded mounts [ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on async discard [ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling free space tree [ 313.523827 ] [ T122625 ] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 [ 313.523858 ] [ T122625 ] Mem abort info: [ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004 [ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL = 32 bits [ 313.523877 ] [ T122625 ] SET = 0, FnV = 0 [ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0 [ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation fault [ 313.523894 ] [ T122625 ] Data abort info: [ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs, pgdp=000000013fd6b000 [ 313.523924 ] [ T122625 ] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000 [ 313.523940 ] [ T122625 ] Internal error: Oops: 0000000096000004 [#1] SMP [ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill dm_mod nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon libblake2b virtio_net virtio_balloon net_failover failover button raid6_pq vsock_loopback vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock xfs sr_mod cdrom aes_ce_blk ghash_ce gf128mul virtio_scsi sd_mod sm4 sg scsi_mod scsi_common xhci_pci virtio_mmio xhci_hcd usbcore usb_common virtio_blk efivarfs dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng [ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed e9a5f6b24978fba3bf015a992f865837fdfff3dd [ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025 [ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs] [ 313.548443 ] [ T122625 ] lr : btrfs_trim_fs+0x1f0/0xa00 [btrfs] [ 313.549248 ] [ T122625 ] sp : ffff80008addbb70 [ 313.549760 ] [ T122625 ] x29: ffff80008addbbf0 x28: 0000000000000000 x27: ffff80008addbc50 [ 313.550826 ] [ T122625 ] x26: 000000002e300000 x25: 0000000200000000 x24: ffff0000c0c35490 [ 313.551819 ] [ T122625 ] x23: ffff0000c0c35400 x22: ffff0000c0d7bc00 x21: ffff0000c0d7bc00 [ 313.553453 ] [ T122625 ] x20: 0000000000000000 x19: 000000004fdb8000 x18: 0000000000000000 [ 313.555099 ] [ T122625 ] x17: fffffdffc3a6c980 x16: ffffc03bf9d70f68 x15: fffffdffbf000000 [ 313.557353 ] [ T122625 ] x14: ffff0000e75200d0 x13: 0000000000000001 x12: 0000000000000000 [ 313.559262 ] [ T122625 ] x11: 00000000000000c0 x10: 16d71b527421a8a2 x9 : ffffc03bf9d70f88 [ 313.560500 ] [ T122625 ] x8 : ffff0000e7521268 x7 : 0000000000000000 x6 : 0000000000000000 [ 313.561496 ] [ T122625 ] x5 : 842c1a086c93060f x4 : ffff0000c9dafeb0 x3 : ffff0000c0d7bc00 [ 313.563063 ] [ T122625 ] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000 [ 313.564057 ] [ T122625 ] Call trace: [ 313.564465 ] [ T122625 ] btrfs_trim_fs+0x34c/0xa00 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] (P) [ 313.565720 ] [ T122625 ] btrfs_ioctl_fitrim+0xe8/0x178 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] [ 313.567140 ] [ T122625 ] btrfs_ioctl+0xdd4/0x2bd8 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] [ 313.568326 ] [ T122625 ] __arm64_sys_ioctl+0xac/0x108 [ 313.568936 ] [ T122625 ] invoke_syscall.constprop.0+0x5c/0xd0 [ 313.569625 ] [ T122625 ] el0_svc_common.constprop.0+0x40/0xf0 [ 313.570320 ] [ T122625 ] do_el0_svc+0x24/0x40 [ 313.570864 ] [ T122625 ] el0_svc+0x40/0x1d0 [ 313.571964 ] [ T122625 ] el0t_64_sync_handler+0xa0/0xe8 [ 313.572614 ] [ T122625 ] el0t_64_sync+0x1b0/0x1b8 [ 313.573184 ] [ T122625 ] Code: 17ffff83 f94017e0 f9002be0 f9402ea0 (f9400c00) [ 313.574045 ] [ T122625 ] ---[ end trace 0000000000000000 ]--- [ 313.617087 ] [ T122648 ] BTRFS info (device sdb): last unmount of filesystem 41ba7202-04d0-466e-9130-a89f855aff0c # cat local.config: export FSTYPE=btrfs export TEST_DEV="/dev/sdb" export TEST_DIR="/mnt//test" export SCRATCH_DEV_POOL="/dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg" export SCRATCH_MNT="/mnt//scratch" export KEEP_DMESG=yes # rpm -qa btrfsprogs btrfsprogs-6.19-1.4.aarch64 # cat /etc/os-release NAME="openSUSE Tumbleweed" # VERSION="20260527" ID="opensuse-tumbleweed" ID_LIKE="opensuse suse" VERSION_ID="20260527" # uname -r 7.0.10-2-default ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference 2026-06-01 10:41 [BUG report] btrfs/242 triggers kernel NULL pointer dereference Su Yue @ 2026-06-01 11:53 ` Qu Wenruo 2026-06-01 12:12 ` Su Yue 0 siblings, 1 reply; 6+ messages in thread From: Qu Wenruo @ 2026-06-01 11:53 UTC (permalink / raw) To: Su Yue, linux-btrfs, Su Yue 在 2026/6/1 20:11, Su Yue 写道: > > Hi, btrfs folks. Recently I found that fstests/btrfs/242 can trigger > kernel NULL pointer dereference with for- > next(27a96ee64c0e0d6131160da98a5485adbbe9dd59) and > openSUSE Tumbleweed kernel(7.0.10-2-default). The probability is within > 50 rounds. > > ENV: > host: mac mini m1 running Asahi linux > > VM(new installed): > > # uname -r > 7.0.10-2-default > > # dmesg > [ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01 10:25:08 > [ 313.417562 ] [ T122570 ] BTRFS: device fsid > d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc (8:32) > scanned by mkfs.btrfs (122570) > [ 313.417698 ] [ T122570 ] BTRFS: device fsid > d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd (8:48) > scanned by mkfs.btrfs (122570) > [ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first mount of > filesystem d4d7f234-487c-4787-88e4-47a8b68c9874 > [ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using crc32c > checksum algorithm > [ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking UUID tree > [ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on async > discard > [ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling free space > tree > [ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last unmount of > filesystem d4d7f234-487c-4787-88e4-47a8b68c9874 > [ 313.513398 ] [ T122609 ] BTRFS: device fsid > d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) > scanned by mount (122609) > [ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first mount of > filesystem d4d7f234-487c-4787-88e4-47a8b68c9874 > [ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using crc32c > checksum algorithm > [ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid > fbe72d72-3272-482d-80fb-ab88ed398192 is missing > [ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid > fbe72d72-3272-482d-80fb-ab88ed398192 is missing > [ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing degraded > mounts > [ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on async > discard > [ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling free space > tree > [ 313.523827 ] [ T122625 ] Unable to handle kernel NULL pointer > dereference at virtual address 0000000000000018 > [ 313.523858 ] [ T122625 ] Mem abort info: > [ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004 > [ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL = 32 bits > [ 313.523877 ] [ T122625 ] SET = 0, FnV = 0 > [ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0 > [ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation fault > [ 313.523894 ] [ T122625 ] Data abort info: > [ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 > [ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 > [ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 > [ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs, > pgdp=000000013fd6b000 > [ 313.523924 ] [ T122625 ] [0000000000000018] pgd=0000000000000000, > p4d=0000000000000000 > [ 313.523940 ] [ T122625 ] Internal error: Oops: 0000000096000004 [#1] > SMP > [ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill dm_mod > nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon > libblake2b virtio_net virtio_balloon net_failover failover button > raid6_pq vsock_loopback vmw_vsock_virtio_transport > vmw_vsock_virtio_transport_common vsock xfs sr_mod cdrom aes_ce_blk > ghash_ce gf128mul virtio_scsi sd_mod sm4 sg scsi_mod scsi_common > xhci_pci virtio_mmio xhci_hcd usbcore usb_common virtio_blk efivarfs > dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng > [ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not > tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed > e9a5f6b24978fba3bf015a992f865837fdfff3dd > [ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual Machine, > BIOS edk2-20250812-19.fc42 08/12/2025 > [ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN -UAO -TCO > +DIT -SSBS BTYPE=--) > [ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs] Since you can reproduce it on the latest for-next, mind to provide the for-next call trace along with the faddr2line output for pc register of the for-next run? Thanks, Qu ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference 2026-06-01 11:53 ` Qu Wenruo @ 2026-06-01 12:12 ` Su Yue 2026-06-01 22:11 ` Qu Wenruo 0 siblings, 1 reply; 6+ messages in thread From: Su Yue @ 2026-06-01 12:12 UTC (permalink / raw) To: Qu Wenruo; +Cc: linux-btrfs, Su Yue On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote: > 在 2026/6/1 20:11, Su Yue 写道: >> Hi, btrfs folks. Recently I found that fstests/btrfs/242 can >> trigger >> kernel NULL pointer dereference with for- >> next(27a96ee64c0e0d6131160da98a5485adbbe9dd59) and >> openSUSE Tumbleweed kernel(7.0.10-2-default). The probability >> is within 50 >> rounds. >> ENV: >> host: mac mini m1 running Asahi linux >> VM(new installed): >> # uname -r >> 7.0.10-2-default >> # dmesg >> [ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01 >> 10:25:08 >> [ 313.417562 ] [ T122570 ] BTRFS: device fsid >> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc >> (8:32) scanned >> by mkfs.btrfs (122570) >> [ 313.417698 ] [ T122570 ] BTRFS: device fsid >> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd >> (8:48) scanned >> by mkfs.btrfs (122570) >> [ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first >> mount of filesystem >> d4d7f234-487c-4787-88e4-47a8b68c9874 >> [ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using >> crc32c checksum >> algorithm >> [ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking >> UUID tree >> [ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on >> async discard >> [ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling >> free space tree >> [ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last >> unmount of >> filesystem d4d7f234-487c-4787-88e4-47a8b68c9874 >> [ 313.513398 ] [ T122609 ] BTRFS: device fsid >> d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc >> (8:32) scanned >> by mount (122609) >> [ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first >> mount of filesystem >> d4d7f234-487c-4787-88e4-47a8b68c9874 >> [ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using >> crc32c checksum >> algorithm >> [ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2 >> uuid >> fbe72d72-3272-482d-80fb-ab88ed398192 is missing >> [ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2 >> uuid >> fbe72d72-3272-482d-80fb-ab88ed398192 is missing >> [ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing >> degraded mounts >> [ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on >> async discard >> [ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling >> free space tree >> [ 313.523827 ] [ T122625 ] Unable to handle kernel NULL >> pointer dereference >> at virtual address 0000000000000018 >> [ 313.523858 ] [ T122625 ] Mem abort info: >> [ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004 >> [ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL >> = 32 bits >> [ 313.523877 ] [ T122625 ] SET = 0, FnV = 0 >> [ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0 >> [ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation >> fault >> [ 313.523894 ] [ T122625 ] Data abort info: >> [ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 = >> 0x00000000 >> [ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0, >> TagAccess = 0 >> [ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit = >> 0, Xs = 0 >> [ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs, >> pgdp=000000013fd6b000 >> [ 313.523924 ] [ T122625 ] [0000000000000018] >> pgd=0000000000000000, >> p4d=0000000000000000 >> [ 313.523940 ] [ T122625 ] Internal error: Oops: >> 0000000096000004 [#1] SMP >> [ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill >> dm_mod >> nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon >> libblake2b >> virtio_net virtio_balloon net_failover failover button raid6_pq >> vsock_loopback >> vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common >> vsock xfs sr_mod >> cdrom aes_ce_blk ghash_ce gf128mul virtio_scsi sd_mod sm4 sg >> scsi_mod >> scsi_common xhci_pci virtio_mmio xhci_hcd usbcore usb_common >> virtio_blk >> efivarfs dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng >> [ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm: >> fstrim Not tainted >> 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed >> e9a5f6b24978fba3bf015a992f865837fdfff3dd >> [ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual >> Machine, BIOS >> edk2-20250812-19.fc42 08/12/2025 >> [ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN >> -UAO -TCO +DIT >> -SSBS BTYPE=--) >> [ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00 >> [btrfs] > > Since you can reproduce it on the latest for-next, mind to > provide the for-next > call trace along with the faddr2line output for pc register of > the for-next run? > Sure. # ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48 btrfs_trim_fs+0x36c/0xa48: bdev_max_discard_sectors at /var/lib/btrfs-linux-for-next/./include/linux/blkdev.h:1449 (discriminator 1) (inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1) (inlined by) btrfs_trim_free_extents at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6762 (discriminator 1) (inlined by) btrfs_trim_fs at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6919 (discriminator 1) [11630.789792] BTRFS info (device sdc): first mount of filesystem 5e033cee-fc5a-4e82-b065-e93b53533c2d [11630.789810] BTRFS info (device sdc): using crc32c checksum algorithm [11630.803359] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing [11630.808199] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing [11630.815475] BTRFS info (device sdc): allowing degraded mounts [11630.815485] BTRFS info (device sdc): turning on async discard [11630.815489] BTRFS info (device sdc): enabling free space tree [11630.836072] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018 [11630.836118] Mem abort info: [11630.836121] ESR = 0x0000000096000004 [11630.836124] EC = 0x25: DABT (current EL), IL = 32 bits [11630.836128] SET = 0, FnV = 0 [11630.836130] EA = 0, S1PTW = 0 [11630.836133] FSC = 0x04: level 0 translation fault [11630.836136] Data abort info: [11630.836138] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [11630.836141] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [11630.836144] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [11630.836147] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001324a7000 [11630.836151] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000 [11630.836247] Internal error: Oops: 0000000096000004 [#1] SMP [11630.836279] Modules linked in: dm_dust(E) dm_flakey(E) ext4(E) crc16(E) mbcache(E) jbd2(E) loop(E) btrfs(E) xor(E) libblake2b(E) raid6_pq(E) dm_mod(E) arm_smccc_trng(E) virtio_balloon(E) virtio_net(E) net_failover(E) failover(E) vfat(E) fat(E) drm(E) fuse(E) xfs(E) virtio_scsi(E) qemu_fw_cfg(E) virtio_pci(E) virtio_pci_legacy_dev(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_rng(E ) rng_core(E) [11630.836342] CPU: 0 UID: 0 PID: 820669 Comm: fstrim Tainted: G E 7.1.0-rc4-custom+ #1 PREEMPT(full) [11630.836352] Tainted: [E]=UNSIGNED_MODULE [11630.836356] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025 [11630.836363] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [11630.836370] pc : btrfs_trim_fs+0x36c/0xa48 [btrfs] [11630.836474] lr : btrfs_trim_fs+0x1f8/0xa48 [btrfs] [11630.836557] sp : ffff800085ef3ba0 [11630.836561] x29: ffff800085ef3c30 x28: ffff0000ed979cf8 x27: ffff800085ef3c90 [11630.836569] x26: ffff0000f51a9c00 x25: 0000000000000000 x24: 0000000000000000 [11630.836577] x23: ffff0000ed979c70 x22: ffff0000ed979c00 x21: ffff0000f51a9c00 [11630.836584] x20: 0000000000000000 x19: 000000004fdb8000 x18: 00000a9403d9d8b5 [11630.836592] x17: 0000000000000000 x16: ffffa49477e47e10 x15: 0000000000000000 [11630.836600] x14: 0000000000000000 x13: 0000000000000030 x12: 0000000800110005 [11630.836607] x11: ffff0000dc9cfc38 x10: 0000000000000000 x9 : ffff800085ef3a10 [11630.836615] x8 : ffffa4947853e848 x7 : 0000000000000000 x6 : ffff0000de710040 [11630.836622] x5 : 0000000000000000 x4 : ffff0000f51a9c00 x3 : 0000000000000000 [11630.836629] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000 [11630.836645] Call trace: [11630.836650] btrfs_trim_fs+0x36c/0xa48 [btrfs] (P) [11630.836732] btrfs_ioctl_fitrim+0x138/0x2a0 [btrfs] [11630.836816] btrfs_ioctl+0x10d8/0x2910 [btrfs] [11630.836898] __arm64_sys_ioctl+0xac/0x108 [11630.836907] invoke_syscall.constprop.0+0x48/0x120 [11630.836916] el0_svc_common.constprop.0+0x40/0xe8 [11630.836923] do_el0_svc+0x24/0x38 [11630.836928] el0_svc+0x50/0x310 [11630.836937] el0t_64_sync_handler+0xa0/0xe8 [11630.836943] el0t_64_sync+0x198/0x1a0 [11630.836951] Code: 17ffff7b f9400fe0 f90033e0 f9402f40 (f9400c00) [11630.836958] ---[ end trace 0000000000000000 ]-— > Thanks, > Qu ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference 2026-06-01 12:12 ` Su Yue @ 2026-06-01 22:11 ` Qu Wenruo 2026-06-02 1:49 ` Glass Su 0 siblings, 1 reply; 6+ messages in thread From: Qu Wenruo @ 2026-06-01 22:11 UTC (permalink / raw) To: Su Yue; +Cc: linux-btrfs, Su Yue 在 2026/6/1 21:42, Su Yue 写道: > On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com> > wrote: [...] >> Since you can reproduce it on the latest for-next, mind to provide >> the for-next call trace along with the faddr2line output for pc >> register of the for-next run? >> > Sure. > > # ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48 > btrfs_trim_fs+0x36c/0xa48: bdev_max_discard_sectors at /var/lib/ > btrfs-linux-for-next/./include/ linux/blkdev.h:1449 (discriminator > 1) (inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs- > linux- for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1) Thanks! This is super helpful. However this looks a little weird. The NULL pointer dereference is from bdev_max_discard_sectors(), meaning the bdev is NULL, most likely the device is missing. However just before we call btrfs_trim_extents_throttle() we have already checked the DEV_STATE_MISSING flag of the device and will skip any missing device. Furthermore the test case doesn't change the missing device state during the run. So there seems to be some weird race, or desychronization between various bit flags. Mind to test with the following diff? Thanks, Qu diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 6030cdbdb742..94535c90de22 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -6624,6 +6624,13 @@ static int btrfs_trim_free_extents_throttle(struct btrfs_device *device, *trimmed = 0; + ASSERT(!test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state), + "devid=%llu path=%s dev_state=0x%lx\n", + device->devid, btrfs_dev_name(device), device->dev_state); + ASSERT(device->bdev, + "devid=%llu path=%s dev_state=0x%lx\n", + device->devid, btrfs_dev_name(device), device->dev_state); + /* Discard not supported = nothing to do. */ if (!bdev_max_discard_sectors(device->bdev)) return 0; ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference 2026-06-01 22:11 ` Qu Wenruo @ 2026-06-02 1:49 ` Glass Su 2026-06-02 2:23 ` Qu Wenruo 0 siblings, 1 reply; 6+ messages in thread From: Glass Su @ 2026-06-02 1:49 UTC (permalink / raw) To: Qu Wenruo; +Cc: Su Yue, linux-btrfs > On Jun 2, 2026, at 06:11, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote: > > > > 在 2026/6/1 21:42, Su Yue 写道: >> On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com> >> wrote: > [...] >>> Since you can reproduce it on the latest for-next, mind to provide >>> the for-next call trace along with the faddr2line output for pc >>> register of the for-next run? >> Sure. >> # ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48 btrfs_trim_fs+0x36c/0xa48: bdev_max_discard_sectors at /var/lib/ >> btrfs-linux-for-next/./include/ linux/blkdev.h:1449 (discriminator >> 1) (inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs- >> linux- for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1) > > Thanks! This is super helpful. > > However this looks a little weird. > > The NULL pointer dereference is from bdev_max_discard_sectors(), meaning > the bdev is NULL, most likely the device is missing. > > However just before we call btrfs_trim_extents_throttle() we have > already checked the DEV_STATE_MISSING flag of the device and will skip > any missing device. > > Furthermore the test case doesn't change the missing device state during > the run. > > So there seems to be some weird race, or desychronization between > various bit flags. > > Mind to test with the following diff? Here you are: [ 434.761748] BTRFS info (device sdc): enabling free space tree [ 434.785804] assertion failed: device->bdev, in extent-tree.c:6630 (devid=2 path=/dev/sdd dev_state=0x82 ) [ 434.785822] ------------[ cut here ]------------ [ 434.785823] kernel BUG at extent-tree.c:6630! [ 434.785846] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 434.785849] Modules linked in: btrfs(OE) xor(E) libblake2b(E) raid6_pq(E) dm_mod(E) arm_smccc_trng(E) virtio_balloon(E) virtio_net(E) net_failover(E) failover(E) vfat(E) fat(E) fuse(E) drm(E) xfs(E) virtio_scsi(E) qemu_fw_cfg(E) virtio_pci(E) virtio_pci_legacy_dev(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_rng(E) rng_core(E) [last unloaded: xor(E)] [ 434.785860] CPU: 5 UID: 0 PID: 34553 Comm: fstrim Tainted: G OE 7.1.0-rc6-custom+ #2 PREEMPT(full) [ 434.785862] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 434.785863] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025 [ 434.785864] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 434.785866] pc : btrfs_trim_fs+0x9f8/0xc48 [btrfs] [ 434.785937] lr : btrfs_trim_fs+0x9f8/0xc48 [btrfs] [ 434.785985] sp : ffff800087103ba0 [ 434.785986] x29: ffff800087103c30 x28: ffff0000dcd6cc00 x27: ffff800087103c90 [ 434.785987] x26: ffff0000dcd6cc00 x25: ffff0000dcd6cca8 x24: 0000000000000000 [ 434.785989] x23: ffff0000de321c70 x22: ffff0000de321c00 x21: ffff0000de321cf8 [ 434.785990] x20: 0000000000000002 x19: ffff0000c0c77110 x18: 0000000000000010 [ 434.785991] x17: 7020323d64697665 x16: 642820303336363a x15: 632e656572742d74 [ 434.785992] x14: 6e65747865206e69 x13: 290a323878303d65 x12: 746174735f766564 [ 434.785993] x11: 0000000000017fe8 x10: ffffd8425b311620 x9 : ffffd84259e2bf3c [ 434.785995] x8 : ffffd8425b4b2ed8 x7 : ffff0000d2108b78 x6 : 0000000000000000 [ 434.785996] x5 : ffff0002019de988 x4 : 0000000000000001 x3 : 0000000000000000 [ 434.785997] x2 : 0000000000000000 x1 : ffff0000d2108040 x0 : 000000000000005d [ 434.785998] Call trace: [ 434.785999] btrfs_trim_fs+0x9f8/0xc48 [btrfs] (P) [ 434.786045] btrfs_ioctl_fitrim+0x138/0x2a0 [btrfs] [ 434.786100] btrfs_ioctl+0x10d8/0x2910 [btrfs] [ 434.786146] __arm64_sys_ioctl+0xac/0x108 [ 434.786151] invoke_syscall.constprop.0+0x48/0x120 [ 434.786155] el0_svc_common.constprop.0+0x40/0xe8 [ 434.786158] do_el0_svc+0x24/0x38 [ 434.786160] el0_svc+0x50/0x310 [ 434.786164] el0t_64_sync_handler+0xa0/0xe8 [ 434.786166] el0t_64_sync+0x198/0x1a0 [ 434.786168] Code: 911ca021 f00038a0 911b8000 9404ada8 (d4210000) [ 434.786169] ---[ end trace 0000000000000000 ]— > > Thanks, > Qu > > diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c > index 6030cdbdb742..94535c90de22 100644 > --- a/fs/btrfs/extent-tree.c > +++ b/fs/btrfs/extent-tree.c > @@ -6624,6 +6624,13 @@ static int btrfs_trim_free_extents_throttle(struct btrfs_device *device, > > *trimmed = 0; > > + ASSERT(!test_bit(BTRFS_DEV_STATE_MISSING, &device->dev_state), > + "devid=%llu path=%s dev_state=0x%lx\n", > + device->devid, btrfs_dev_name(device), device->dev_state); > + ASSERT(device->bdev, > + "devid=%llu path=%s dev_state=0x%lx\n", > + device->devid, btrfs_dev_name(device), device->dev_state); > + > /* Discard not supported = nothing to do. */ > if (!bdev_max_discard_sectors(device->bdev)) > return 0; ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference 2026-06-02 1:49 ` Glass Su @ 2026-06-02 2:23 ` Qu Wenruo 0 siblings, 0 replies; 6+ messages in thread From: Qu Wenruo @ 2026-06-02 2:23 UTC (permalink / raw) To: Glass Su; +Cc: Su Yue, linux-btrfs 在 2026/6/2 11:19, Glass Su 写道: > > >> On Jun 2, 2026, at 06:11, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote: >> >> >> >> 在 2026/6/1 21:42, Su Yue 写道: >>> On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com> >>> wrote: >> [...] >>>> Since you can reproduce it on the latest for-next, mind to provide >>>> the for-next call trace along with the faddr2line output for pc >>>> register of the for-next run? >>> Sure. >>> # ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48 btrfs_trim_fs+0x36c/0xa48: bdev_max_discard_sectors at /var/lib/ >>> btrfs-linux-for-next/./include/ linux/blkdev.h:1449 (discriminator >>> 1) (inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs- >>> linux- for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1) >> >> Thanks! This is super helpful. >> >> However this looks a little weird. >> >> The NULL pointer dereference is from bdev_max_discard_sectors(), meaning >> the bdev is NULL, most likely the device is missing. >> >> However just before we call btrfs_trim_extents_throttle() we have >> already checked the DEV_STATE_MISSING flag of the device and will skip >> any missing device. >> >> Furthermore the test case doesn't change the missing device state during >> the run. >> >> So there seems to be some weird race, or desychronization between >> various bit flags. >> >> Mind to test with the following diff? > > Here you are: > > [ 434.761748] BTRFS info (device sdc): enabling free space tree > [ 434.785804] assertion failed: device->bdev, in extent-tree.c:6630 (devid=2 path=/dev/sdd dev_state=0x82 Thanks, this is really weird now. Firstly through the previous message prefix, we know it's the sdc is the first device with devid 1, and devid 2 is missing. But still we got devid 2 with a valid device path, without a proper bdev, nor DEVICE_MISSING flag. This looks like by somehow devid 2 still got scanned but without proper bdev populated. Let me check if there is some other way to allow btrfs to register a new device unexpectedly. Thanks, Qu ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-06-02 2:23 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-01 10:41 [BUG report] btrfs/242 triggers kernel NULL pointer dereference Su Yue 2026-06-01 11:53 ` Qu Wenruo 2026-06-01 12:12 ` Su Yue 2026-06-01 22:11 ` Qu Wenruo 2026-06-02 1:49 ` Glass Su 2026-06-02 2:23 ` Qu Wenruo
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.