From: Su Yue <l@damenly.org>
To: Qu Wenruo <quwenruo.btrfs@gmx.com>
Cc: linux-btrfs@vger.kernel.org, Su Yue <glass.su@suse.com>
Subject: Re: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
Date: Mon, 01 Jun 2026 20:12:05 +0800
Message-ID: <ik82qx2i.fsf@damenly.org>
In-Reply-To: <7edd1a98-4683-463d-b789-e75f7cb42de1@gmx.com> (Qu Wenruo's message of "Mon, 1 Jun 2026 21:23:20 +0930")
On Mon 01 Jun 2026 at 21:23, Qu Wenruo <quwenruo.btrfs@gmx.com> wrote:
> On 2026/6/1 20:11, Su Yue wrote:
>> Hi, btrfs folks. Recently I found that fstests/btrfs/242 can trigger a
>> kernel NULL pointer dereference with for-next (27a96ee64c0e0d6131160da98a5485adbbe9dd59) and
>> the openSUSE Tumbleweed kernel (7.0.10-2-default). The probability is within 50 rounds.
>> ENV:
>> host: mac mini m1 running Asahi linux
>> VM (newly installed):
>> # uname -r
>> 7.0.10-2-default
>> # dmesg
>> [ 312.853073 ] [ T121971 ] run fstests btrfs/242 at 2026-06-01 10:25:08
>> [ 313.417562 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc (8:32) scanned by mkfs.btrfs (122570)
>> [ 313.417698 ] [ T122570 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd (8:48) scanned by mkfs.btrfs (122570)
>> [ 313.423953 ] [ T122578 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.423967 ] [ T122578 ] BTRFS info (device sdc): using crc32c checksum algorithm
>> [ 313.428833 ] [ T122578 ] BTRFS info (device sdc): checking UUID tree
>> [ 313.428975 ] [ T122578 ] BTRFS info (device sdc): turning on async discard
>> [ 313.429097 ] [ T122578 ] BTRFS info (device sdc): enabling free space tree
>> [ 313.469504 ] [ T122603 ] BTRFS info (device sdc): last unmount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.513398 ] [ T122609 ] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) scanned by mount (122609)
>> [ 313.513820 ] [ T122609 ] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
>> [ 313.513845 ] [ T122609 ] BTRFS info (device sdc): using crc32c checksum algorithm
>> [ 313.515223 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
>> [ 313.515523 ] [ T122609 ] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
>> [ 313.518615 ] [ T122609 ] BTRFS info (device sdc): allowing degraded mounts
>> [ 313.518630 ] [ T122609 ] BTRFS info (device sdc): turning on async discard
>> [ 313.518635 ] [ T122609 ] BTRFS info (device sdc): enabling free space tree
>> [ 313.523827 ] [ T122625 ] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
>> [ 313.523858 ] [ T122625 ] Mem abort info:
>> [ 313.523865 ] [ T122625 ] ESR = 0x0000000096000004
>> [ 313.523871 ] [ T122625 ] EC = 0x25: DABT (current EL), IL = 32 bits
>> [ 313.523877 ] [ T122625 ] SET = 0, FnV = 0
>> [ 313.523883 ] [ T122625 ] EA = 0, S1PTW = 0
>> [ 313.523889 ] [ T122625 ] FSC = 0x04: level 0 translation fault
>> [ 313.523894 ] [ T122625 ] Data abort info:
>> [ 313.523899 ] [ T122625 ] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>> [ 313.523905 ] [ T122625 ] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>> [ 313.523911 ] [ T122625 ] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
>> [ 313.523916 ] [ T122625 ] user pgtable: 4k pages, 48-bit VAs, pgdp=000000013fd6b000
>> [ 313.523924 ] [ T122625 ] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
>> [ 313.523940 ] [ T122625 ] Internal error: Oops: 0000000096000004 [#1] SMP
>> [ 313.534094 ] [ T122625 ] Modules linked in: af_packet rfkill dm_mod nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon libblake2b virtio_net virtio_balloon net_failover failover button raid6_pq vsock_loopback vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock xfs sr_mod cdrom aes_ce_blk ghash_ce gf128mul virtio_scsi sd_mod sm4 sg scsi_mod scsi_common xhci_pci virtio_mmio xhci_hcd usbcore usb_common virtio_blk efivarfs dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng
>> [ 313.540774 ] [ T122625 ] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed e9a5f6b24978fba3bf015a992f865837fdfff3dd
>> [ 313.544026 ] [ T122625 ] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
>> [ 313.545160 ] [ T122625 ] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
>> [ 313.546134 ] [ T122625 ] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
>
> Since you can reproduce it on the latest for-next, mind to
> provide the for-next
> call trace along with the faddr2line output for pc register of
> the for-next run?
>
Sure.

# ./scripts/faddr2line fs/btrfs/btrfs.ko btrfs_trim_fs+0x36c/0xa48
btrfs_trim_fs+0x36c/0xa48:
bdev_max_discard_sectors at /var/lib/btrfs-linux-for-next/./include/linux/blkdev.h:1449 (discriminator 1)
(inlined by) btrfs_trim_free_extents_throttle at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6628 (discriminator 1)
(inlined by) btrfs_trim_free_extents at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6762 (discriminator 1)
(inlined by) btrfs_trim_fs at /var/lib/btrfs-linux-for-next/fs/btrfs/extent-tree.c:6919 (discriminator 1)
[11630.789792] BTRFS info (device sdc): first mount of filesystem 5e033cee-fc5a-4e82-b065-e93b53533c2d
[11630.789810] BTRFS info (device sdc): using crc32c checksum algorithm
[11630.803359] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing
[11630.808199] BTRFS warning (device sdc): devid 2 uuid ffa87e4a-26a0-4fb8-988d-1a6c8d643134 is missing
[11630.815475] BTRFS info (device sdc): allowing degraded mounts
[11630.815485] BTRFS info (device sdc): turning on async discard
[11630.815489] BTRFS info (device sdc): enabling free space tree
[11630.836072] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[11630.836118] Mem abort info:
[11630.836121] ESR = 0x0000000096000004
[11630.836124] EC = 0x25: DABT (current EL), IL = 32 bits
[11630.836128] SET = 0, FnV = 0
[11630.836130] EA = 0, S1PTW = 0
[11630.836133] FSC = 0x04: level 0 translation fault
[11630.836136] Data abort info:
[11630.836138] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[11630.836141] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[11630.836144] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[11630.836147] user pgtable: 4k pages, 48-bit VAs, pgdp=00000001324a7000
[11630.836151] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
[11630.836247] Internal error: Oops: 0000000096000004 [#1] SMP
[11630.836279] Modules linked in: dm_dust(E) dm_flakey(E) ext4(E) crc16(E) mbcache(E) jbd2(E) loop(E) btrfs(E) xor(E) libblake2b(E) raid6_pq(E) dm_mod(E) arm_smccc_trng(E) virtio_balloon(E) virtio_net(E) net_failover(E) failover(E) vfat(E) fat(E) drm(E) fuse(E) xfs(E) virtio_scsi(E) qemu_fw_cfg(E) virtio_pci(E) virtio_pci_legacy_dev(E) virtio_pci_modern_dev(E) virtio_console(E) virtio_rng(E) rng_core(E)
[11630.836342] CPU: 0 UID: 0 PID: 820669 Comm: fstrim Tainted: G E 7.1.0-rc4-custom+ #1 PREEMPT(full)
[11630.836352] Tainted: [E]=UNSIGNED_MODULE
[11630.836356] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
[11630.836363] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[11630.836370] pc : btrfs_trim_fs+0x36c/0xa48 [btrfs]
[11630.836474] lr : btrfs_trim_fs+0x1f8/0xa48 [btrfs]
[11630.836557] sp : ffff800085ef3ba0
[11630.836561] x29: ffff800085ef3c30 x28: ffff0000ed979cf8 x27: ffff800085ef3c90
[11630.836569] x26: ffff0000f51a9c00 x25: 0000000000000000 x24: 0000000000000000
[11630.836577] x23: ffff0000ed979c70 x22: ffff0000ed979c00 x21: ffff0000f51a9c00
[11630.836584] x20: 0000000000000000 x19: 000000004fdb8000 x18: 00000a9403d9d8b5
[11630.836592] x17: 0000000000000000 x16: ffffa49477e47e10 x15: 0000000000000000
[11630.836600] x14: 0000000000000000 x13: 0000000000000030 x12: 0000000800110005
[11630.836607] x11: ffff0000dc9cfc38 x10: 0000000000000000 x9 : ffff800085ef3a10
[11630.836615] x8 : ffffa4947853e848 x7 : 0000000000000000 x6 : ffff0000de710040
[11630.836622] x5 : 0000000000000000 x4 : ffff0000f51a9c00 x3 : 0000000000000000
[11630.836629] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000
[11630.836645] Call trace:
[11630.836650] btrfs_trim_fs+0x36c/0xa48 [btrfs] (P)
[11630.836732] btrfs_ioctl_fitrim+0x138/0x2a0 [btrfs]
[11630.836816] btrfs_ioctl+0x10d8/0x2910 [btrfs]
[11630.836898] __arm64_sys_ioctl+0xac/0x108
[11630.836907] invoke_syscall.constprop.0+0x48/0x120
[11630.836916] el0_svc_common.constprop.0+0x40/0xe8
[11630.836923] do_el0_svc+0x24/0x38
[11630.836928] el0_svc+0x50/0x310
[11630.836937] el0t_64_sync_handler+0xa0/0xe8
[11630.836943] el0t_64_sync+0x198/0x1a0
[11630.836951] Code: 17ffff7b f9400fe0 f90033e0 f9402f40 (f9400c00)
[11630.836958] ---[ end trace 0000000000000000 ]---
> Thanks,
> Qu