From: Dave Chinner <david@fromorbit.com>
To: Christoph Hellwig
Cc: 李天宇, linux-kernel, linux-xfs, cem
Subject: Re: [BUG] xfs: NULL pointer dereference in xfs_buf.h: xfs_buf_daddr()
Date: Wed, 19 Nov 2025 17:41:09 +1100

On Tue, Nov 18, 2025 at 10:06:49PM -0800, Christoph Hellwig wrote:
> On Tue, Nov 18, 2025 at 07:06:14PM +0800, 李天宇 wrote:
> > The kernel reports a kernel NULL pointer dereference when the sys_mount is
> > called. This is triggered by the statement b_maps[0], where b_maps is NULL.
> >
> > This bug was discovered through a fuzzing framework on Linux v6.2
>
> Linux 6.2 is ancient (Feb 2023), and the buffer cache code has seen a
> major rewrite since:
>
> ch@brick:~/work/linux$ git diff v6.2..HEAD fs/xfs/xfs_buf.[ch] | diffstat
>  xfs_buf.c | 1651 +++++++++++++++++++++++++++++++++++++++-----------------------------------------------------
>  xfs_buf.h |   96 +++--
>  2 files changed, 768 insertions(+), 979 deletions(-)
>
> hch@brick:~/work/linux$ wc -l fs/xfs/xfs_buf.[ch]
>  2132 fs/xfs/xfs_buf.c
>   391 fs/xfs/xfs_buf.h
>  2523 total
>
> so I'm not sure how relevant this report is, especially without a good
> report.

It's not even a buffer cache bug. Something trashed a buffer pointer in
a btree cursor and xfs_buf_daddr() is the first dereference to trip over
it. It looks like random memory corruption to me, so unless it is
reproduced on a TOT kernel there's no point spending any time looking at
it...

-Dave.
--
Dave Chinner
david@fromorbit.com
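Added illustration of the triage point in Dave's reply, written for this page and not taken from the thread or from the XFS source: xfs_buf_daddr() simply returns bp->b_maps[0].bm_bn, so a NULL b_maps at that line says nothing about the accessor itself; it means the struct xfs_buf it was handed had already been zeroed or overwritten upstream, because a properly initialised buffer always has b_maps pointing at its own embedded __b_map (single-extent case) or at an allocated array. The field names b_maps, __b_map, bm_bn and the accessor xfs_buf_daddr() follow xfs_buf.h; the struct layout is simplified, and xfs_buf_check_maps(), first_corrupt_buffer(), the demo_* helpers and the sample "cursor" of buffers are constructed here as a hypothetical invariant check that turns a bare NULL dereference into a diagnosable "this buffer was trashed before it got here" report.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of the XFS buffer (constructed; only the field names
 * follow xfs_buf.h). b_maps normally points at the embedded __b_map for
 * single-extent buffers, or at a separately allocated array otherwise. */
typedef int64_t xfs_daddr_t;

struct xfs_buf_map {
	xfs_daddr_t bm_bn;   /* disk address of the extent */
	int         bm_len;  /* length in basic blocks */
};

struct xfs_buf {
	struct xfs_buf_map *b_maps;      /* -> __b_map, or allocated array */
	int                 b_map_count;
	struct xfs_buf_map  __b_map;     /* inline map for the common case */
};

/* Same shape as the real accessor: it trusts b_maps unconditionally,
 * which is why it is the first thing to trip over a trashed buffer. */
static inline xfs_daddr_t xfs_buf_daddr(struct xfs_buf *bp)
{
	return bp->b_maps[0].bm_bn;
}

/* Hypothetical invariant check (not in XFS): an initialised buffer has a
 * non-NULL b_maps, a positive map count and, for the single-map case,
 * b_maps pointing at its own embedded map. */
enum buf_check {
	BUF_OK = 0,
	BUF_NULL_MAPS,
	BUF_BAD_COUNT,
	BUF_MAPS_NOT_INLINE,
};

static int xfs_buf_check_maps(const struct xfs_buf *bp)
{
	if (bp->b_maps == NULL)
		return BUF_NULL_MAPS;
	if (bp->b_map_count < 1)
		return BUF_BAD_COUNT;
	if (bp->b_map_count == 1 && bp->b_maps != &bp->__b_map)
		return BUF_MAPS_NOT_INLINE;
	return BUF_OK;
}

/* Initialise a single-extent buffer the way an allocator would. */
static void xfs_buf_init_single(struct xfs_buf *bp, xfs_daddr_t blkno, int len)
{
	memset(bp, 0, sizeof(*bp));
	bp->__b_map.bm_bn = blkno;
	bp->__b_map.bm_len = len;
	bp->b_maps = &bp->__b_map;
	bp->b_map_count = 1;
}

/* Walk a constructed "cursor" of buffer pointers and return the index of
 * the first buffer that fails the invariant, or -1 if all are sane. */
static int first_corrupt_buffer(struct xfs_buf **cursor, int n)
{
	for (int i = 0; i < n; i++)
		if (xfs_buf_check_maps(cursor[i]) != BUF_OK)
			return i;
	return -1;
}

/* Constructed scenario: slot 0 is a valid buffer at block 4096, slot 1
 * has been zeroed, modelling "something trashed a buffer pointer". */
static int demo_corruption_index(void)
{
	struct xfs_buf good, zeroed;
	struct xfs_buf *cursor[2] = { &good, &zeroed };

	xfs_buf_init_single(&good, 4096, 8);
	memset(&zeroed, 0, sizeof(zeroed));
	return first_corrupt_buffer(cursor, 2);   /* 1 */
}

static long long demo_good_daddr(void)
{
	struct xfs_buf good;

	xfs_buf_init_single(&good, 4096, 8);
	return (long long)xfs_buf_daddr(&good);   /* 4096 */
}

int main(void)
{
	printf("good daddr = %lld\n", demo_good_daddr());
	printf("first corrupt cursor slot: %d\n", demo_corruption_index());
	return 0;
}
```

The check is deliberately placed where a caller would consult it before dereferencing, not inside xfs_buf_daddr(): the accessor is on a hot path and the invariant it would guard is one the buffer cache already guarantees, so the useful place for such a check is a debug-only walk of the btree cursor at the point where corruption is suspected, which is also why a report reproduced on an old kernel with a rewritten buffer cache is hard to act on.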