1 Commits

Author SHA1 Message Date
Markus Fritsche b8930df801 iter6 v6 substrate: source-trace points NULL deref at 0x20 to dma_fence->context
Decoded ESR 0x96000004 = DFSC level-0 (pure NULL deref) at virtual
address 0x20. Structural offset analysis: struct dma_fence has
u64 context at offset 32 (=0x20). dma_buf->ops also at 0x20 but
0004's code guards against NULL dbuf.

Leading hypothesis: dma_resv_add_fence iterates existing fences
in dbuf->resv->shared[] to merge-by-context. If RCU-managed
fence cleanup races with concurrent add, a freed slot becomes NULL
and the iteration dereferences NULL->context (offset 0x20).

Timing matches: 18-31 min uptime for first wedge (decode-cycle
churn needed); fast reboot loops after (BTRFS replays unflushed
state). KASAN doesn't catch (NULL deref is not UAF). Lockdep
doesn't catch (fence lifecycle race, not lock order).

Proposed 0004 v2 fix: use DMA_RESV_USAGE_KERNEL (single-slot,
replaces previous) instead of DMA_RESV_USAGE_WRITE (multi-slot
list with race window), OR dma_resv_replace_fences() for explicit
context-keyed atomic swap.

Confirmation path: when UART lands, look for pc inside
dma_resv_add_fence and the NULL-pointer register holding the
stale fence slot.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 22:29:57 +00:00
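To make the syndrome decode and the offset arithmetic in the commit message checkable, here is an added example; it is my own code, not code from this repository or the kernel. It decodes an AArch64 ESR_ELx value (EC/IL/ISS, and DFSC/WnR for Data Aborts) and reproduces the offsetof(struct dma_fence, context) == 0x20 claim against a local stand-in struct. Assumptions: the stand-in's field order and sizes model the upstream struct dma_fence on a 64-bit target (8-byte pointers, a 16-byte union, then u64 context) and are not the kernel header; the ESR_EC_DABT_* macros and all function names are local to this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AArch64 ESR_ELx layout (Arm ARM): EC in bits [31:26], IL in bit 25,
 * ISS in bits [24:0]. For Data Aborts, ISS[5:0] is the DFSC and ISS[6]
 * is WnR (1 = write, 0 = read). Macro names are local to this example. */
#define ESR_EC_DABT_LOW 0x24u  /* Data Abort from a lower exception level */
#define ESR_EC_DABT_CUR 0x25u  /* Data Abort taken without a change in EL */

struct esr_decoded {
    unsigned ec;               /* exception class */
    unsigned il;               /* 1 = 32-bit instruction */
    unsigned iss;              /* instruction-specific syndrome */
    int is_data_abort;
    unsigned dfsc;             /* data fault status code (Data Aborts only) */
    int is_write;              /* WnR (Data Aborts only) */
    int is_translation_fault;  /* DFSC 0b0001LL */
    int level;                 /* LL for translation faults, else -1 */
};

struct esr_decoded esr_decode(uint32_t esr)
{
    struct esr_decoded d = {0};
    d.ec  = (esr >> 26) & 0x3fu;
    d.il  = (esr >> 25) & 0x1u;
    d.iss = esr & 0x1ffffffu;
    d.is_data_abort = (d.ec == ESR_EC_DABT_LOW || d.ec == ESR_EC_DABT_CUR);
    d.level = -1;
    if (d.is_data_abort) {
        d.dfsc = d.iss & 0x3fu;
        d.is_write = (d.iss >> 6) & 0x1u;
        /* Translation faults are 0b000100..0b000111; level = low two bits. */
        d.is_translation_fault = (d.dfsc & 0x3cu) == 0x04u;
        if (d.is_translation_fault)
            d.level = (int)(d.dfsc & 0x3u);
    }
    return d;
}

/* Stand-in for the kernel's struct dma_fence on arm64, used only to
 * reproduce the offset arithmetic. Assumption: two 8-byte pointers
 * (lock, ops), then a 16-byte union (list_head cb_list / ktime_t
 * timestamp / rcu_head rcu), then u64 context. Pointer-sized fields are
 * written as uint64_t so the offsets match arm64 on any host.
 * This is NOT the kernel header. */
struct dma_fence_mirror {
    uint64_t lock;      /* spinlock_t *lock */
    uint64_t ops;       /* const struct dma_fence_ops *ops */
    union {
        struct { uint64_t next, prev; } cb_list;  /* struct list_head */
        int64_t timestamp;                        /* ktime_t */
        struct { uint64_t next, func; } rcu;      /* struct rcu_head */
    } u;
    uint64_t context;
    uint64_t seqno;
};

size_t dma_fence_context_offset(void)
{
    return offsetof(struct dma_fence_mirror, context);
}

/* For a NULL-based dereference the faulting address (FAR) is the field
 * offset itself. Returns 1 when FAR equals &((struct dma_fence *)0)->context
 * under the stand-in layout. A match is consistent with the hypothesis,
 * not proof of it: any struct with a field at 0x20 would fault the same way. */
int far_is_null_dma_fence_context(uint64_t far)
{
    return far == (uint64_t)dma_fence_context_offset();
}

int main(void)
{
    const uint32_t esr = 0x96000004u;  /* value quoted in the commit message */
    const uint64_t far = 0x20;         /* faulting virtual address from the message */
    struct esr_decoded d = esr_decode(esr);

    printf("ESR 0x%08x: EC=0x%02x IL=%u ISS=0x%x\n", esr, d.ec, d.il, d.iss);
    if (d.is_data_abort)
        printf("  Data Abort: DFSC=0x%02x (%s, level %d), %s access\n", d.dfsc,
               d.is_translation_fault ? "translation fault" : "other",
               d.level, d.is_write ? "write" : "read");
    printf("offsetof(dma_fence, context) = 0x%zx; FAR 0x%llx %s\n",
           dma_fence_context_offset(), (unsigned long long)far,
           far_is_null_dma_fence_context(far) ? "matches" : "does not match");
    return 0;
}
```

Run it and the decode comes out as EC 0x25 (Data Abort without a change in EL, i.e. the kernel faulted on its own access), DFSC 0x04 (translation fault, level 0), read access, with the stand-in offset of context at 0x20. The WnR bit is worth keeping in the decode: a merge-by-context comparison is a read, so a write fault at the same address would argue against that particular hypothesis. As the commit itself notes, the FAR alone cannot distinguish dma_fence->context from dma_buf->ops; the pc and the register holding the NULL base are what settle it.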