Commit f157dd66 authored Oct 21, 2025 by Miquel Sabaté Solà Committed by David Sterba Dec 16, 2025

btrfs: fix NULL dereference on root when tracing inode eviction



When evicting an inode the first thing we do is to setup tracing for it,
which implies fetching the root's id. But in btrfs_evict_inode() the
root might be NULL, as implied in the next check that we do in
btrfs_evict_inode().

Hence, we either should set the ->root_objectid to 0 in case the root is
NULL, or we move tracing setup after checking that the root is not
NULL. Setting the rootid to 0 at least gives us the possibility to trace
this call even in the case when the root is NULL, so that's the solution
taken here.

Fixes: 1abe9b8a ("Btrfs: add initial tracepoint support for btrfs")
Reported-by:  <syzbot+d991fea1b4b23b1f6bf8@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=d991fea1b4b23b1f6bf8


Signed-off-by: Miquel Sabaté Solà <mssola@mssola.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>

parent 68d4b3fa

include/trace/events/btrfs.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -224,7 +224,8 @@ DECLARE_EVENT_CLASS(btrfs__inode,
		__entry->generation = BTRFS_I(inode)->generation;
		__entry->last_trans = BTRFS_I(inode)->last_trans;
		__entry->logged_trans = BTRFS_I(inode)->logged_trans;
		__entry->root_objectid = btrfs_root_id(BTRFS_I(inode)->root);
		__entry->root_objectid = BTRFS_I(inode)->root ?
		btrfs_root_id(BTRFS_I(inode)->root) : 0;
		),

		TP_printk_btrfs("root=%llu(%s) gen=%llu ino=%llu blocks=%llu "