From: Su Yue <l@damenly.org>
To: linux-btrfs@vger.kernel.org, Su Yue <glass.su@suse.com>
Subject: [BUG report] btrfs/242 triggers kernel NULL pointer dereference
Date: Mon, 01 Jun 2026 18:41:18 +0800
Message-ID: <wlwir19t.fsf@damenly.org>
Hi, btrfs folks. Recently I found that fstests/btrfs/242 can trigger a
kernel NULL pointer dereference with
for-next (27a96ee64c0e0d6131160da98a5485adbbe9dd59) and the
openSUSE Tumbleweed kernel (7.0.10-2-default). The probability is
within 50 rounds.

ENV:
host: mac mini m1 running Asahi linux
VM (newly installed):
# uname -r
7.0.10-2-default
# dmesg
[  312.853073] [ T121971] run fstests btrfs/242 at 2026-06-01 10:25:08
[  313.417562] [ T122570] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 8 /dev/sdc (8:32) scanned by mkfs.btrfs (122570)
[  313.417698] [ T122570] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 2 transid 8 /dev/sdd (8:48) scanned by mkfs.btrfs (122570)
[  313.423953] [ T122578] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
[  313.423967] [ T122578] BTRFS info (device sdc): using crc32c checksum algorithm
[  313.428833] [ T122578] BTRFS info (device sdc): checking UUID tree
[  313.428975] [ T122578] BTRFS info (device sdc): turning on async discard
[  313.429097] [ T122578] BTRFS info (device sdc): enabling free space tree
[  313.469504] [ T122603] BTRFS info (device sdc): last unmount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
[  313.513398] [ T122609] BTRFS: device fsid d4d7f234-487c-4787-88e4-47a8b68c9874 devid 1 transid 9 /dev/sdc (8:32) scanned by mount (122609)
[  313.513820] [ T122609] BTRFS info (device sdc): first mount of filesystem d4d7f234-487c-4787-88e4-47a8b68c9874
[  313.513845] [ T122609] BTRFS info (device sdc): using crc32c checksum algorithm
[  313.515223] [ T122609] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
[  313.515523] [ T122609] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
[  313.518615] [ T122609] BTRFS info (device sdc): allowing degraded mounts
[  313.518630] [ T122609] BTRFS info (device sdc): turning on async discard
[  313.518635] [ T122609] BTRFS info (device sdc): enabling free space tree
[  313.523827] [ T122625] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[  313.523858] [ T122625] Mem abort info:
[  313.523865] [ T122625]   ESR = 0x0000000096000004
[  313.523871] [ T122625]   EC = 0x25: DABT (current EL), IL = 32 bits
[  313.523877] [ T122625]   SET = 0, FnV = 0
[  313.523883] [ T122625]   EA = 0, S1PTW = 0
[  313.523889] [ T122625]   FSC = 0x04: level 0 translation fault
[  313.523894] [ T122625] Data abort info:
[  313.523899] [ T122625]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
[  313.523905] [ T122625]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[  313.523911] [ T122625]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[  313.523916] [ T122625] user pgtable: 4k pages, 48-bit VAs, pgdp=000000013fd6b000
[  313.523924] [ T122625] [0000000000000018] pgd=0000000000000000, p4d=0000000000000000
[  313.523940] [ T122625] Internal error: Oops: 0000000096000004 [#1] SMP
[  313.534094] [ T122625] Modules linked in: af_packet rfkill dm_mod nls_iso8859_1 nls_cp437 vfat fat binfmt_misc btrfs xor xor_neon libblake2b virtio_net virtio_balloon net_failover failover button raid6_pq vsock_loopback vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common vsock xfs sr_mod cdrom aes_ce_blk ghash_ce gf128mul virtio_scsi sd_mod sm4 sg scsi_mod scsi_common xhci_pci virtio_mmio xhci_hcd usbcore usb_common virtio_blk efivarfs dmi_sysfs qemu_fw_cfg virtiofs fuse virtio_rng
[  313.540774] [ T122625] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full) openSUSE Tumbleweed e9a5f6b24978fba3bf015a992f865837fdfff3dd
[  313.544026] [ T122625] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250812-19.fc42 08/12/2025
[  313.545160] [ T122625] pstate: 01400005 (nzcv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[  313.546134] [ T122625] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
[  313.548443] [ T122625] lr : btrfs_trim_fs+0x1f0/0xa00 [btrfs]
[  313.549248] [ T122625] sp : ffff80008addbb70
[  313.549760] [ T122625] x29: ffff80008addbbf0 x28: 0000000000000000 x27: ffff80008addbc50
[  313.550826] [ T122625] x26: 000000002e300000 x25: 0000000200000000 x24: ffff0000c0c35490
[  313.551819] [ T122625] x23: ffff0000c0c35400 x22: ffff0000c0d7bc00 x21: ffff0000c0d7bc00
[  313.553453] [ T122625] x20: 0000000000000000 x19: 000000004fdb8000 x18: 0000000000000000
[  313.555099] [ T122625] x17: fffffdffc3a6c980 x16: ffffc03bf9d70f68 x15: fffffdffbf000000
[  313.557353] [ T122625] x14: ffff0000e75200d0 x13: 0000000000000001 x12: 0000000000000000
[  313.559262] [ T122625] x11: 00000000000000c0 x10: 16d71b527421a8a2 x9 : ffffc03bf9d70f88
[  313.560500] [ T122625] x8 : ffff0000e7521268 x7 : 0000000000000000 x6 : 0000000000000000
[  313.561496] [ T122625] x5 : 842c1a086c93060f x4 : ffff0000c9dafeb0 x3 : ffff0000c0d7bc00
[  313.563063] [ T122625] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000
[  313.564057] [ T122625] Call trace:
[  313.564465] [ T122625]  btrfs_trim_fs+0x34c/0xa00 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] (P)
[  313.565720] [ T122625]  btrfs_ioctl_fitrim+0xe8/0x178 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
[  313.567140] [ T122625]  btrfs_ioctl+0xdd4/0x2bd8 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
[  313.568326] [ T122625]  __arm64_sys_ioctl+0xac/0x108
[  313.568936] [ T122625]  invoke_syscall.constprop.0+0x5c/0xd0
[  313.569625] [ T122625]  el0_svc_common.constprop.0+0x40/0xf0
[  313.570320] [ T122625]  do_el0_svc+0x24/0x40
[  313.570864] [ T122625]  el0_svc+0x40/0x1d0
[  313.571964] [ T122625]  el0t_64_sync_handler+0xa0/0xe8
[  313.572614] [ T122625]  el0t_64_sync+0x1b0/0x1b8
[  313.573184] [ T122625] Code: 17ffff83 f94017e0 f9002be0 f9402ea0 (f9400c00)
[  313.574045] [ T122625] ---[ end trace 0000000000000000 ]---
[  313.617087] [ T122648] BTRFS info (device sdb): last unmount of filesystem 41ba7202-04d0-466e-9130-a89f855aff0c

# cat local.config:
export FSTYPE=btrfs
export TEST_DEV="/dev/sdb"
export TEST_DIR="/mnt//test"
export SCRATCH_DEV_POOL="/dev/sdc /dev/sdd /dev/sde /dev/sdf /dev/sdg"
export SCRATCH_MNT="/mnt//scratch"
export KEEP_DMESG=yes
# rpm -qa btrfsprogs
btrfsprogs-6.19-1.4.aarch64
# cat /etc/os-release
NAME="openSUSE Tumbleweed"
# VERSION="20260527"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20260527"
# uname -r
7.0.10-2-default
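Added example, not part of Su Yue's report or of the btrfs code base: a small Python triage script of the kind a first responder runs over an arm64 oops like the one above. It parses the dmesg lines, pulls out the fault address, faulting process, taint state, pc and call trace, decodes the marked word in the Code: line when it is a 64-bit LDR/STR with an unsigned immediate offset (the only encoding the helper understands, an assumption of the example), and cross-checks that decode against the register dump. The input is a constructed, trimmed copy of the dmesg excerpt in this report; symbol names, offsets and hashes are the ones printed there. Function and field names are mine.

```python
"""Triage helper for an arm64 kernel oops as printed in dmesg (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the dmesg excerpt in the report above.
SAMPLE_DMESG = """\
[  313.515223] [ T122609] BTRFS warning (device sdc): devid 2 uuid fbe72d72-3272-482d-80fb-ab88ed398192 is missing
[  313.518615] [ T122609] BTRFS info (device sdc): allowing degraded mounts
[  313.523827] [ T122625] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000018
[  313.540774] [ T122625] CPU: 4 UID: 0 PID: 122625 Comm: fstrim Not tainted 7.0.10-2-default #1 PREEMPT(full)
[  313.546134] [ T122625] pc : btrfs_trim_fs+0x34c/0xa00 [btrfs]
[  313.563063] [ T122625] x2 : 0000000000000001 x1 : 0000000000000086 x0 : 0000000000000000
[  313.564057] [ T122625] Call trace:
[  313.564465] [ T122625]  btrfs_trim_fs+0x34c/0xa00 [btrfs f02c1d570ceea621c69d302ba75dd61868083840] (P)
[  313.565720] [ T122625]  btrfs_ioctl_fitrim+0xe8/0x178 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
[  313.567140] [ T122625]  btrfs_ioctl+0xdd4/0x2bd8 [btrfs f02c1d570ceea621c69d302ba75dd61868083840]
[  313.568326] [ T122625]  __arm64_sys_ioctl+0xac/0x108
[  313.573184] [ T122625] Code: 17ffff83 f94017e0 f9002be0 f9402ea0 (f9400c00)
[  313.574045] [ T122625] ---[ end trace 0000000000000000 ]---
"""

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\s+\[\s*T\d+\]\s?(?P<msg>.*)$")
FAULT_RE = re.compile(r"Unable to handle kernel (?P<kind>.+?) at virtual address (?P<addr>[0-9a-f]+)")
COMM_RE = re.compile(r"Comm: (?P<comm>\S+) (?P<taint>Not tainted|Tainted:)")
PC_RE = re.compile(r"^pc : (?P<sym>\S+\+0x[0-9a-f]+/0x[0-9a-f]+)(?: \[(?P<mod>\w+)\])?")
FRAME_RE = re.compile(r"^(?P<sym>[A-Za-z_.][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+(?: [0-9a-f]+)?\])?(?: \(P\))?$")
REG_RE = re.compile(r"\bx(?P<n>\d+)\s*:\s*(?P<val>[0-9a-f]{16})")
CODE_RE = re.compile(r"Code: (?:[0-9a-f]{8} )*\((?P<insn>[0-9a-f]{8})\)")


@dataclass
class Oops:
    fault_kind: str = ""
    fault_addr: int = -1
    comm: str = ""
    tainted: bool = False
    pc_symbol: str = ""
    pc_module: str = ""
    faulting_insn: int = -1
    regs: dict = field(default_factory=dict)
    call_trace: list = field(default_factory=list)
    context: list = field(default_factory=list)   # warnings logged just before the oops


def decode_ldr_str_imm64(insn: int):
    """A64 LDR/STR (64-bit, unsigned imm offset) -> (mnemonic, rt, rn, byte_offset); else None."""
    mnem = {0x3E5: "ldr", 0x3E4: "str"}.get(insn >> 22)   # top 10 bits select the form
    if mnem is None:
        return None
    imm12, rn, rt = (insn >> 10) & 0xFFF, (insn >> 5) & 0x1F, insn & 0x1F
    return mnem, rt, rn, imm12 * 8                        # 64-bit accesses scale imm12 by 8


def parse_oops(dmesg: str) -> Oops:
    """Collect fs warnings until the fault banner, then process, pc, regs, trace and Code:."""
    oops, in_trace = Oops(), False
    for raw in dmesg.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg").strip()
        if oops.fault_addr < 0:                            # still before the oops banner
            if "warning" in msg or "degraded" in msg:
                oops.context.append(msg)
            if f := FAULT_RE.search(msg):
                oops.fault_kind, oops.fault_addr = f.group("kind"), int(f.group("addr"), 16)
            continue
        if msg.startswith("---[ end trace"):
            break
        if c := COMM_RE.search(msg):
            oops.comm, oops.tainted = c.group("comm"), c.group("taint") != "Not tainted"
        elif p := PC_RE.match(msg):
            oops.pc_symbol, oops.pc_module = p.group("sym"), p.group("mod") or "vmlinux"
        elif msg == "Call trace:":
            in_trace = True
        elif k := CODE_RE.search(msg):
            oops.faulting_insn = int(k.group("insn"), 16)
        elif in_trace and (fr := FRAME_RE.match(msg)):
            oops.call_trace.append(fr.group("sym"))
        else:
            for r in REG_RE.finditer(msg):                 # xN: register dump lines
                oops.regs[int(r.group("n"))] = int(r.group("val"), 16)
    return oops


def triage(oops: Oops) -> dict:
    """Is this a field read through a NULL pointer, and does the Code: word agree with the regs?"""
    small_offset = 0 <= oops.fault_addr < 4096
    decoded = decode_ldr_str_imm64(oops.faulting_insn) if oops.faulting_insn >= 0 else None
    consistent, insn_text = None, ""
    if decoded:
        mnem, rt, rn, off = decoded
        base = oops.regs.get(rn)
        consistent = base is not None and base + off == oops.fault_addr
        insn_text = f"{mnem} x{rt}, [x{rn}, #0x{off:x}]"
    return {
        "comm": oops.comm,
        "tainted": oops.tainted,
        "pc": f"{oops.pc_symbol} [{oops.pc_module}]",
        "entry_path": " <- ".join(oops.call_trace),
        "null_field_deref": small_offset and "NULL" in oops.fault_kind,
        "faulting_insn": insn_text,
        "insn_matches_registers": consistent,
        "context": oops.context,
    }
```

Running `triage(parse_oops(SAMPLE_DMESG))` on the sample reports an untainted fstrim process faulting in btrfs_trim_fs via the FITRIM ioctl, with the marked word f9400c00 decoding to `ldr x0, [x0, #0x18]` while the register dump shows x0 = 0: the base register is NULL and the fault address is exactly the 0x18 field offset, so this is a NULL struct pointer read rather than a wild pointer. The two context lines it keeps (the missing devid 2 and the degraded mount) are the state a reproducer or a detection rule would key on.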
Thread overview: 6+ messages
2026-06-01 10:41 Su Yue [this message]
2026-06-01 11:53 ` [BUG report] btrfs/242 triggers kernel NULL pointer dereference Qu Wenruo
2026-06-01 12:12 ` Su Yue
2026-06-01 22:11 ` Qu Wenruo
2026-06-02 1:49 ` Glass Su
2026-06-02 2:23 ` Qu Wenruo