[next-20250506][btrfs] Kernel OOPS while btrfs/001 TC

Venkat Rao Bagalkote venkat88 at linux.ibm.com
Wed May 7 18:44:34 AEST 2025


Hello,


I am observing a kernel OOPS while running the btrfs/001 TC from the xfstests suite.


This issue is introduced in next-20250506. This issue is not seen on 
next-20250505 kernel.


Steps to repro:


1. git clone git://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git
2. cd xfstests-dev/
3. mkdir /mnt/loop-device /mnt/test /mnt/scratch
4. for i in $(seq 0 5); do fallocate -o 0 -l 5GiB /mnt/loop-device/file-$i.img; done
5. for i in $(seq 0 5); do losetup /dev/loop$i /mnt/loop-device/file-$i.img; done
6. mkfs.btrfs -f -s 65536 -n 65536 /dev/loop0; mkfs.btrfs -f /dev/loop1; mkfs.btrfs -f /dev/loop2; mkfs.btrfs -f /dev/loop3; mkfs.btrfs -f /dev/loop4; mkfs.btrfs -f /dev/loop5
8. vi local.config
9. make
10. ./check tools/btrfs/001


local.config contents:


export RECREATE_TEST_DEV=true
export TEST_DEV=/dev/loop0
export TEST_DIR=/mnt/test
export SCRATCH_DEV_POOL="/dev/loop1 /dev/loop2 /dev/loop3 /dev/loop4 /dev/loop5"
export SCRATCH_MNT=/mnt/scratch
export MKFS_OPTIONS="-f -s 4096 -n 4096"
export FSTYP=btrfs
export MOUNT_OPTIONS=""


Crash:


[  953.799060] Btrfs loaded, zoned=yes, fsverity=no
[  968.070858] BTRFS: device fsid 3813dc53-a2f3-4342-b44e-c9349f17f991 devid 1 transid 8 /dev/loop0 (7:0) scanned by mount (25422)
[  968.072561] BTRFS info (device loop0): first mount of filesystem 3813dc53-a2f3-4342-b44e-c9349f17f991
[  968.072584] BTRFS info (device loop0): using crc32c (crc32c-powerpc) checksum algorithm
[  968.072594] BTRFS info (device loop0): forcing free space tree for sector size 4096 with page size 65536
[  968.072599] BTRFS info (device loop0): using free-space-tree
[  968.073867] BTRFS info (device loop0): checking UUID tree
[  968.074000] Kernel attempted to read user page (68) - exploit attempt? (uid: 0)
[  968.074009] BUG: Kernel NULL pointer dereference on read at 0x00000068
[  968.074013] Faulting instruction address: 0xc00800000f7fb5e0
[  968.074019] Oops: Kernel access of bad area, sig: 11 [#1]
[  968.074022] LE PAGE_SIZE=64K MMU=Radix  SMP NR_CPUS=8192 NUMA pSeries
[  968.074028] Modules linked in: btrfs blake2b_generic xor raid6_pq zstd_compress loop dm_mod nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct sunrpc nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 bonding tls rfkill ip_set nf_tables nfnetlink pseries_rng vmx_crypto fuse ext4 crc16 mbcache jbd2 sd_mod sg ibmvscsi scsi_transport_srp ibmveth
[  968.074074] CPU: 0 UID: 0 PID: 25422 Comm: mount Kdump: loaded Not tainted 6.15.0-rc5-next-20250506 #1 VOLUNTARY

[  968.074087] NIP:  c00800000f7fb5e0 LR: c00800000f7fb3b4 CTR: c00000000047862c
[  968.074091] REGS: c000000154747920 TRAP: 0300   Not tainted (6.15.0-rc5-next-20250506)
[  968.074096] MSR:  800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE>  CR: 24022882  XER: 00000000
[  968.074109] CFAR: c00800000f7fb650 DAR: 0000000000000068 DSISR: 40000000 IRQMASK: 0
[  968.074109] GPR00: c00800000f7fb3b4 c000000154747bc0 c0080000099da600 0000000000000000
[  968.074109] GPR04: c000000008570c20 7fffffffffffffff 0000000000000000 c0000000068e3a00
[  968.074109] GPR08: 0000000000000000 0000000000000000 c0000000068e3a00 0000000000002000
[  968.074109] GPR12: c00000000047862c c000000003020000 0000000000000000 0000000000000000
[  968.074109] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  968.074109] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
[  968.074109] GPR24: 0000000000000000 c000000015b00000 c00000007a38ac00 0000000000000020
[  968.074109] GPR28: c000000008560a00 c00000006b1784c0 0000000000000000 c000000063147980
[  968.074163] NIP [c00800000f7fb5e0] btrfs_get_tree_subvol+0x32c/0x544 [btrfs]
[  968.074205] LR [c00800000f7fb3b4] btrfs_get_tree_subvol+0x100/0x544 [btrfs]
[  968.074241] Call Trace:
[  968.074244] [c000000154747bc0] [c00800000f7fb3b4] btrfs_get_tree_subvol+0x100/0x544 [btrfs] (unreliable)
[  968.074282] [c000000154747cb0] [c000000000630da4] vfs_get_tree+0x48/0x15c
[  968.074291] [c000000154747d30] [c00000000067675c] do_new_mount+0x234/0x438
[  968.074297] [c000000154747da0] [c000000000678298] sys_mount+0x164/0x1b0
[  968.074303] [c000000154747e10] [c000000000033338] system_call_exception+0x138/0x330
[  968.074311] [c000000154747e50] [c00000000000d05c] system_call_vectored_common+0x15c/0x2ec
[  968.074319] ---- interrupt: 3000 at 0x7fff89d4edf4
[  968.074323] NIP:  00007fff89d4edf4 LR: 00007fff89d4edf4 CTR: 0000000000000000
[  968.074328] REGS: c000000154747e80 TRAP: 3000   Not tainted (6.15.0-rc5-next-20250506)
[  968.074333] MSR:  800000000280f033 <SF,VEC,VSX,EE,PR,FP,ME,IR,DR,RI,LE>  CR: 44022804  XER: 00000000
[  968.074345] IRQMASK: 0
[  968.074345] GPR00: 0000000000000015 00007fffc25e41b0 00007fff89e37d00 000000015e810710
[  968.074345] GPR04: 000000015e810730 000000015e8106f0 0000000000000000 000000015e810690
[  968.074345] GPR08: 000000015e8106f0 0000000000000000 0000000000000000 0000000000000000
[  968.074345] GPR12: 0000000000000000 00007fff8a03c140 0000000000000000 0000000000000000
[  968.074345] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000125d1f298
[  968.074345] GPR20: 0000000000000000 0000000000000000 000000015e810530 000000015e810730
[  968.074345] GPR24: 00007fff89f38e68 00007fff89f38e78 00007fff89f3dfe8 00007fff89f60240
[  968.074345] GPR28: 000000015e8106f0 0000000000000000 000000015e810710 0000000000100000
[  968.074396] NIP [00007fff89d4edf4] 0x7fff89d4edf4
[  968.074399] LR [00007fff89d4edf4] 0x7fff89d4edf4
[  968.074403] ---- interrupt: 3000
[  968.074406] Code: 4bffeffd 3920f000 7c234840 7c7e1b78 41810144 7c7a1b78 4bfffe30 60000000 813f0088 71290001 41820068 e93d0040 <e8690068> 38630070 481416e1 e8410018
[  968.074425] ---[ end trace 0000000000000000 ]---
[  968.076694] pstore: backend (nvram) writing error (-1)
[  968.076698]



If you happen to fix this, please add the below tag.


Reported-by: Venkat Rao Bagalkote <venkat88 at linux.ibm.com>


Regards,

Venkat.
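
Added triage example, not part of the original report and not kernel or xfstests code: it pulls the fault address, faulting symbol and call chain out of the powerpc oops above, and reports a fault address below the page size as a likely member offset from a NULL base pointer. The sample lines are copied from the log in this message (rejoined where the mail wrapped them); the name triage_oops and the 4 KiB fallback page size are assumptions.

```python
import re

# Lines copied from the oops in this report, rejoined where the mail wrapped them.
OOPS = """\
[  968.074000] Kernel attempted to read user page (68) - exploit attempt? (uid: 0)
[  968.074009] BUG: Kernel NULL pointer dereference on read at 0x00000068
[  968.074022] LE PAGE_SIZE=64K MMU=Radix  SMP NR_CPUS=8192 NUMA pSeries
[  968.074163] NIP [c00800000f7fb5e0] btrfs_get_tree_subvol+0x32c/0x544 [btrfs]
[  968.074241] Call Trace:
[  968.074244] [c000000154747bc0] [c00800000f7fb3b4] btrfs_get_tree_subvol+0x100/0x544 [btrfs] (unreliable)
[  968.074282] [c000000154747cb0] [c000000000630da4] vfs_get_tree+0x48/0x15c
[  968.074291] [c000000154747d30] [c00000000067675c] do_new_mount+0x234/0x438
[  968.074297] [c000000154747da0] [c000000000678298] sys_mount+0x164/0x1b0
[  968.074319] ---- interrupt: 3000 at 0x7fff89d4edf4
"""

STAMP = r"^\[\s*\d+\.\d+\]\s+"
SYM = (r"(?P<sym>[\w.]+)\+(?P<off>0x[0-9a-f]+)/(?P<size>0x[0-9a-f]+)"
       r"(?: \[(?P<mod>\w+)\])?")
FAULT_RE = re.compile(STAMP + r"BUG: Kernel NULL pointer dereference on "
                      r"(?P<op>read|write) at (?P<addr>0x[0-9a-f]+)")
PAGE_RE = re.compile(r"PAGE_SIZE=(\d+)K")
NIP_RE = re.compile(STAMP + r"NIP \[[0-9a-f]+\] " + SYM)
FRAME_RE = re.compile(STAMP + r"\[[0-9a-f]+\] \[[0-9a-f]+\] " + SYM)

def triage_oops(text):
    """Summarise a powerpc oops: fault address, faulting symbol, call chain."""
    out = {"frames": [], "page_size": 4096}  # 4 KiB fallback is an assumption
    for line in text.splitlines():
        if m := FAULT_RE.match(line):
            out["op"], out["fault_addr"] = m["op"], int(m["addr"], 16)
        elif m := PAGE_RE.search(line):
            out["page_size"] = int(m[1]) * 1024
        elif m := NIP_RE.match(line):
            out["nip"] = (m["sym"], int(m["off"], 16), m["mod"])
        elif m := FRAME_RE.match(line):
            out["frames"].append(m["sym"])
    # A fault inside the first page typically means a structure member was read
    # through a NULL base pointer; the address is then the member's offset.
    addr = out.get("fault_addr")
    in_first_page = addr is not None and addr < out["page_size"]
    out["null_member_offset"] = addr if in_first_page else None
    return out

if __name__ == "__main__":
    r = triage_oops(OOPS)
    sym, off, mod = r["nip"]
    print(f"{r['op']} at {r['fault_addr']:#x} in {sym}+{off:#x} [{mod}]")
    print("call chain:", " <- ".join(r["frames"]))
```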


