syzbot

BTRFS info (device loop0): using spread ssd allocation scheme
BTRFS info (device loop0): disk space caching is enabled
BTRFS error (device loop0: state MC): ignoredatacsums must be used with ro mount option
Unable to handle kernel paging request at virtual address dfff800000000003
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
Mem abort info:
  ESR = 0x0000000096000006
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x06: level 2 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000006
  CM = 0, WnR = 0
[dfff800000000003] address between user and kernel address ranges
Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 4525 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/02/2026
pstate: 82400005 (Nzcv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
pc : backup_super_roots fs/btrfs/disk-io.c:1985 [inline]
pc : write_all_supers+0x8cc/0x35e8 fs/btrfs/disk-io.c:4335
lr : lowmem_page_address include/linux/mm.h:1870 [inline]
lr : btrfs_header_level fs/btrfs/ctree.h:2375 [inline]
lr : backup_super_roots fs/btrfs/disk-io.c:1983 [inline]
lr : write_all_supers+0x820/0x35e8 fs/btrfs/disk-io.c:4335
sp : ffff800020ea72e0
x29: ffff800020ea7640 x28: 1ffff0000298ae14 x27: ffff7000041d4e80
x26: 0000000000000003 x25: ffff0000df4c86c8 x24: ffff0000d204eb2b
x23: dfff800000000000 x22: dfff800000000000 x21: ffff0000d204ebc5
x20: dfff800000000000 x19: 0000000000000018 x18: ffff800011babf60
x17: ffff800018381000 x16: ffff8000082effe8 x15: ffff800017e62000
x14: 0000000000000001 x13: 1fffe0001be9900c x12: 0000000000ff0100
x11: ff00800009f74524 x10: 0000000000000000 x9 : 0000000000000000
x8 : 0000000000000000 x7 : ffff800009f671fc x6 : 0000000000000000
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff8000082f0044
x2 : 0000000000000001 x1 : 0000000000000000 x0 : ffff0000ca5bba50
Call trace:
 backup_super_roots fs/btrfs/disk-io.c:1985 [inline]
 write_all_supers+0x8cc/0x35e8 fs/btrfs/disk-io.c:4335
 btrfs_commit_transaction+0x1890/0x2884 fs/btrfs/transaction.c:2521
 btrfs_set_free_space_cache_v1_active+0x7c/0x248 fs/btrfs/free-space-cache.c:4139
 btrfs_remount_cleanup fs/btrfs/super.c:1992 [inline]
 btrfs_remount+0x5c4/0x1150 fs/btrfs/super.c:2182
 legacy_reconfigure+0xf8/0x110 fs/fs_context.c:655
 reconfigure_super+0x1d4/0x79c fs/super.c:977
 do_remount fs/namespace.c:2741 [inline]
 path_mount+0xbdc/0xe80 fs/namespace.c:3400
 do_mount fs/namespace.c:3421 [inline]
 __do_sys_mount fs/namespace.c:3629 [inline]
 __se_sys_mount fs/namespace.c:3606 [inline]
 __arm64_sys_mount+0x49c/0x59c fs/namespace.c:3606
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x290 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x130 arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x128 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585
Code: d2d00014 f2fbfff4 91006113 d343fe7a (38766b48) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	d2d00014 	mov	x20, #0x800000000000        	// #140737488355328
   4:	f2fbfff4 	movk	x20, #0xdfff, lsl #48
   8:	91006113 	add	x19, x8, #0x18
   c:	d343fe7a 	lsr	x26, x19, #3
* 10:	38766b48 	ldrb	w8, [x26, x22] <-- trapping instruction