From: Filipe Manana <fdmanana@kernel.org>
To: Johannes Thumshirn <Johannes.Thumshirn@wdc.com>
Cc: "linux-btrfs@vger.kernel.org" <linux-btrfs@vger.kernel.org>
Subject: Re: [PATCH] btrfs: zoned: catch aborted trans in btrfs_zoned_reserve_data_reloc_bg
Date: Mon, 23 Feb 2026 15:32:52 +0000
Message-ID: <CAL3q7H5VNs0FuBCoALq+BHWH3rWne-7o0on3vJfbNVgr1QkMZg@mail.gmail.com>
In-Reply-To: <8727ee44-8eab-4fcd-8b6d-2bc85271772a@wdc.com>
On Mon, Feb 23, 2026 at 3:28 PM Johannes Thumshirn
<Johannes.Thumshirn@wdc.com> wrote:
>
> On 2/23/26 4:14 PM, Filipe Manana wrote:
> > On Mon, Feb 23, 2026 at 2:39 PM Johannes Thumshirn
> > <johannes.thumshirn@wdc.com> wrote:
> >> btrfs_zoned_reserve_data_reloc_bg() is called on each mount of a file
> >> system and allocates a new block-group, to assign it to be the dedicated
> >> relocation target, if no pre-existing usable block-group for this task is
> >> found.
> >>
> >> If for some reason the transaction was aborted during the call to
> >> btrfs_chunk_alloc() and btrfs_end_transaction() is executed, a
> >> NULL-pointer dereference happens in btrfs_end_transaction().
> > How does that happen?
> > Do you have the stack trace?
> >
> > We are supposed to be able to call btrfs_end_transaction() even if the
> > transaction was aborted.
> > In fact we have to, otherwise we leak memory. We do this everywhere in
> > the code base in fact.
> >
> Yep I do, here's the most important part:
>
> [ 944.448765] BUG: kernel NULL pointer dereference, address: 000000000000073c
> [ 944.449060] #PF: supervisor write access in kernel mode
> [ 944.449270] #PF: error_code(0x0002) - not-present page
> [ 944.449476] PGD 0 P4D 0
> [ 944.449590] Oops: Oops: 0002 [#1] SMP NOPTI
> [ 944.449762] CPU: 3 UID: 0 PID: 19233 Comm: mount Tainted: G W 6.19.0-rc8+ #330 PREEMPT(none)
> [ 944.450174] Tainted: [W]=WARN
> [ 944.450301] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
> [ 944.450536] RIP: 0010:_raw_spin_lock_irqsave+0x22/0x50
> [ 944.450755] Code: 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 55 53 48 89 fb 9c 5d fa bf 01 00 00 00 e8 65 07 5d ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 75 0a 48 89 e8 5b 5d c3 cc cc cc cc 89 c6 48 89 df e8
> [ 944.451505] RSP: 0018:ffffc9000c617c98 EFLAGS: 00010046
> [ 944.451726] RAX: 0000000000000000 RBX: 000000000000073c RCX: 0000000000000002
> [ 944.452020] RDX: 0000000000000001 RSI: 0000000000000003 RDI: 0000000000000001
> [ 944.452313] RBP: 0000000000000207 R08: ffffffff8223c71d R09: 0000000000000635
> [ 944.452612] R10: ffff888108588000 R11: 0000000000000003 R12: 0000000000000003
> [ 944.452910] R13: 000000000000073c R14: 0000000000000000 R15: ffff888114dd6000
> [ 944.453208] FS: 00007f2993745840(0000) GS:ffff8882b508d000(0000) knlGS:0000000000000000
> [ 944.453534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 944.453777] CR2: 000000000000073c CR3: 0000000121a82006 CR4: 0000000000770eb0
> [ 944.454072] PKRU: 55555554
> [ 944.454187] Call Trace:
> [ 944.454293] <TASK>
> [ 944.454387] try_to_wake_up+0x5b/0x640
> [ 944.454556] __btrfs_end_transaction+0x137/0x230
> [ 944.454754] btrfs_zoned_reserve_data_reloc_bg+0x300/0x3d0
> [ 944.454989] open_ctree+0xedf/0x1688
> [ 944.455146] btrfs_get_tree.cold+0xbf/0x200
> [ 944.455327] vfs_get_tree+0x21/0xa0
> [ 944.455480] __do_sys_fsconfig+0x4c8/0x690
> [ 944.455660] do_syscall_64+0x59/0x2b0
> [ 944.455822] entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> And decoded:
>
> [ 944.451505] RSP: 0018:ffffc9000c617c98 EFLAGS: 00010046
> [ 944.451726] RAX: 0000000000000000 RBX: 000000000000073c RCX: 0000000000000002
> [ 944.452020] RDX: 0000000000000001 RSI: 0000000000000003 RDI: 0000000000000001
> [ 944.452313] RBP: 0000000000000207 R08: ffffffff8223c71d R09: 0000000000000635
> [ 944.452612] R10: ffff888108588000 R11: 0000000000000003 R12: 0000000000000003
> [ 944.452910] R13: 000000000000073c R14: 0000000000000000 R15: ffff888114dd6000
> [ 944.453208] FS: 00007f2993745840(0000) GS:ffff8882b508d000(0000) knlGS:0000000000000000
> [ 944.453534] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 944.453777] CR2: 000000000000073c CR3: 0000000121a82006 CR4: 0000000000770eb0
> [ 944.454072] PKRU: 55555554
> [ 944.454187] Call Trace:
> [ 944.454293] <TASK>
> [ 944.454387] try_to_wake_up (./include/linux/spinlock.h:557 kernel/sched/core.c:4106)
> [ 944.454556] __btrfs_end_transaction (fs/btrfs/transaction.c:1115 (discriminator 2))
> [ 944.454754] btrfs_zoned_reserve_data_reloc_bg (fs/btrfs/zoned.c:2840)
> [ 944.454989] open_ctree (fs/btrfs/disk-io.c:3588)
> [ 944.455146] btrfs_get_tree.cold (fs/btrfs/super.c:982 fs/btrfs/super.c:1944 fs/btrfs/super.c:2087 fs/btrfs/super.c:2121)
> [ 944.455327] vfs_get_tree (fs/super.c:1752)
> [ 944.455480] __do_sys_fsconfig (fs/fsopen.c:231 fs/fsopen.c:295 fs/fsopen.c:473)
> [ 944.455660] do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1))
> [ 944.455822] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131)
> [ 944.456041] RIP: 0033:0x7f299392740e
This should go into the change log.
The problem is btrfs_zoned_reserve_data_reloc_bg() is called in
open_ctree() before we initialized the transaction kthread and
btrfs_end_transaction() will try to wake the kthread.
The fix here is to change the order in open_ctree() to call
btrfs_zoned_reserve_data_reloc_bg() only after setting up the
transaction kthread (which is just a few lines below anyway).
Thanks.
>
>
>
> full log of my debug session so far, including dumps of fs_info,
> space_info and trans: https://termbin.com/m3mz
>