program:
# syzkaller reproducer, first part. The listing is shown here one call per line;
# the call text itself is unchanged.
# NOTE(review): the rest of this program and the console log below use r4, r5,
# r10 and r12, but nothing visible assigns them. The output-resource markers were
# presumably lost when the page was extracted, so this text is not replayable
# as shown; use the original report.
# NOTE(review): the call trace in the log runs through the mount path
# (bch2_fs_get_tree -> bch2_fs_recovery -> bch2_check_topology). The socket,
# ioctl and sound-device calls here are therefore likely incidental to the crash.
# Confirm against a minimized reproducer before triaging them.

# Family 0x26 is AF_ALG; type 0x803 is SOCK_RAW | SOCK_NONBLOCK.
r0 = socket(0x26, 0x803, 0x0)
# Route-netlink message (ipv6_newrule with FRA_SRC) sent on r0, which is not a netlink socket.
sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000000)=@ipv6_newrule={0x30, 0x20, 0x1, 0x0, 0x25dfdbfc, {0xa, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0xf, 0x12}, [@FRA_SRC={0x14, 0x2, @dev}]}, 0x30}, 0x1, 0x0, 0x0, 0x4090}, 0x0)
# Both dup2 arguments are r0, so r1 refers to the same descriptor.
r1 = dup2(r0, r0)
# AF_NETLINK (0x10), SOCK_RAW, protocol 0 (NETLINK_ROUTE).
r2 = socket(0x10, 0x3, 0x0)
# Raw 0x90-byte payload written to the netlink socket r2.
sendto$inet6(r2, &(0x7f0000000180)="9000000018001f2fb9409b52ffff65580200be04020c060560020b0243000f00ffffff9e00c8388827a685a168d0bf47d32345653602648dcaaf6c26c291214549935ade4a460c20b6ec0cff3959547f500f58ba86c902000f1d012e02000280160012000a000000000000000000000000080000000eceb6b362bb944cf2e70100aba4183b003e5fa424ac4d31c4f7a1", 0x90, 0x0, 0x0, 0xf)
# AF_INET6 datagram socket.
r3 = socket$inet6_udp(0xa, 0x2, 0x0)
# KVM ioctl issued on r1, which is a socket descriptor; presumably rejected by the kernel. TODO confirm.
ioctl$KVM_SET_CPUID2(r1, 0x4008ae90, &(0x7f0000000700)={0x5, 0x0, [{0x80000007, 0x3ff, 0x5, 0x80000000, 0x1, 0x2, 0xb}, {0x40000001, 0x2, 0x3, 0x400, 0x6, 0x2, 0x8}, {0xc0000001, 0x7, 0x4, 0x0, 0x5, 0x1546, 0x3}, {0x40000006, 0x2, 0x2, 0xfffffffb, 0x3, 0xa11a, 0xe55}, {0xd, 0x7, 0x1, 0x4, 0x1, 0xfffffffa, 0x11c1}]})
# Two IPv6 datagrams; the second carries hop-by-hop option control messages.
sendmmsg$inet6(r3, &(0x7f0000001e80)=[{{&(0x7f00000002c0)={0xa, 0x4e22, 0x8, @ipv4={'\x00', '\xff\xff', @empty}, 0xa8}, 0x1c, 0x0}}, {{&(0x7f00000003c0)={0xa, 0x4e20, 0x3, @local, 0x1ff}, 0x1c, 0x0, 0x0, &(0x7f00000006c0)=[@hopopts={{0x18, 0x29, 0x36, {0x3a}}}, @hopopts_2292={{0x18, 0x29, 0x36, {0x2b}}}], 0x30}}], 0x2, 0x4000004)
# NOTE(review): presumably the source of r4/r5 (euid=/uid< mount options later); the markers are not visible here.
getresuid(&(0x7f0000000040)=0x0, &(0x7f0000000080)=0x0, &(0x7f00000000c0))
r6 = open(&(0x7f0000000240)='./file1\x00', 0x145142, 0x0)
ftruncate(r6, 0x2007ffc)
# Socket option set on r6, which came from open(); presumably fails. TODO confirm.
setsockopt$inet6_int(r6, 0x29, 0xc9, &(0x7f0000000100)=0x6, 0x4)
# 0x6 is MCL_FUTURE | MCL_ONFAULT.
mlockall(0x6)
r7 = syz_open_dev$sndpcmc(&(0x7f0000000080), 0x0, 0x0)
mmap$snddsp_status(&(0x7f0000ffc000/0x4000)=nil, 0x1000, 0x1, 0x13, r7, 0x82000000)
r8 = socket$nl_route(0x10, 0x3, 0x0)
# Family 0x1 is AF_UNIX.
r9 = socket(0x1, 0x803, 0x0)
# NOTE(review): presumably the source of r10 (used as IFLA_LINK later); the marker is not visible here.
getsockname$packet(r9, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14)
r11 = socket$nl_route(0x10, 0x3, 0x0)
ioctl$ifreq_SIOCGIFINDEX_batadv_hard(r11, 0x8933, &(0x7f00000001c0)={'batadv_slave_1\x00', 0x0}) sendmsg$nl_route(r8, &(0x7f0000000280)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000001ac0)=@newlink={0x58, 0x10, 0x403, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x88a8ffad}, [@IFLA_LINKINFO={0x1c, 0x12, 0x0, 0x1, @vlan={{0x9}, {0xc, 0x2, 0x0, 0x1, [@IFLA_VLAN_ID={0x6}]}}}, @IFLA_LINK={0x8, 0x5, r10}, @IFLA_MASTER={0x8, 0xa, r12}, @IFLA_ADDRESS={0xa, 0x1, @dev={'\xaa\xaa\xaa\xaa\xaa', 0x10}}]}, 0x58}}, 0x0) ioctl$sock_inet6_SIOCDELRT(r0, 0x890c, &(0x7f0000000300)={@private2={0xfc, 0x2, '\x00', 0x1}, @ipv4={'\x00', '\xff\xff', @rand_addr=0x64010102}, @local, 0x80000001, 0x1, 0x5, 0x100, 0xe8, 0x0, r10}) syz_mount_image$bcachefs(&(0x7f00000058c0), &(0x7f0000000000)='./file0\x00', 0x400, &(0x7f0000000400)={[{@errors_continue}], [{@subj_user={'subj_user', 0x3d, '*\''}}, {@euid_eq={'euid', 0x3d, r4}}, {@func={'func', 0x3d, 'KEXEC_KERNEL_CHECK'}}, {@subj_type={'subj_type', 0x3d, 'ob2_role'}}, {@uid_lt={'uid<', r5}}, {@smackfsroot={'smackfsroot', 0x3d, 'sync\xd3\xd0NK\xba\xf5\xb3l\xfepX\xc8\xb1+b\x9a\x06\xbe\xd4\xf9:,z\x89;\xeb\x85\xaaLF\x8d\xe9\x89*\xfe>\x17\xf9[\x18X\xf4\x0e/\xa4\xee\x89\xbb\xa8\x97q)T\xb3t\x1c\xe5v\xb7\xc2\xf6<\xf5\xce#X\x8cc`\x8fz\x93\x1bd\x10\xfa\xb9\xef\xc1\x92@\b\x01!r\x81\xa8~\xed\xe5\x8f\x05D\x83V\xb4;\xac|^*Y\x15\x9ba\xb6?t\x89\xf5F\'\xfabz\xee\xc7\xb7\fX\xdd\xcex\x06\x93\xb0w\x0e\x04\xb2\xcd\xef\x96\xee\xd0~\x1d\x13\xbc\xd0\x92-\x91N\x89I\xf0mB\x10\xdd\xae\x8c?\xc6$\x02\x00\x00\x00\x00\x00\x00\x00IeV\"\x8c\x9e\xb6-\x99\xbf\xbdYY\xef~\xc6\xe8S\xe3F\xd19qc\x96\xed\xb5\xf6\xf1\x86\xea u64s 11 type alloc_v4 0:4:0 len 0 ver 0, fixing [ 73.265944][ T5316] bcachefs (loop0): btree_node_read_work: rewriting btree node at btree=alloc level=0 SPOS_MAX due to error [ 73.271713][ T5316] invalid bkey u64s 7 type subvolume 0:1:0 len 0 ver 0: root 0 snapshot id 167772159 [ 73.271728][ T5316] invalid inode: delete?, fixing [ 73.281752][ T5316] bcachefs (loop0): error validating 
btree node on loop0 at btree backpointers level 0/0 [ 73.281768][ T5316] u64s 11 type btree_ptr_v2 18446744073709551360:8389119:U32_MAX len 0 ver 0: seq 4a8b0fa43a9980a6 written 24 min_key POS_MIN durability: 1 ptr: 0:37:0 gen 0 [ 73.281779][ T5316] node offset 0/24 bset u64s 0: incorrect max key SPOS_MAX [ 73.300541][ T5316] bcachefs (loop0): flagging btree backpointers lost data [ 73.304240][ T5316] error reading btree root backpointers l=0: btree_node_read_error, fixing [ 73.309159][ T5316] bcachefs (loop0): error validating btree node on loop0 at btree deleted_inodes level 0/0 [ 73.309175][ T5316] u64s 11 type btree_ptr_v2 U64_MAX:U64_MAX:3 len 0 ver 0: seq e870c84bb244c written 0 min_key POS_MIN durability: 1 ptr: 0:42:0 gen 0 [ 73.309184][ T5316] node offset 0/0: got wrong btree node: got [ 73.309191][ T5316] btree=deleted_inodes l=0 seq 2141732156441568332x [ 73.309198][ T5316] min: POS_MIN [ 73.309204][ T5316] max: SPOS_MAX [ 73.327753][ T5316] bcachefs (loop0): flagging btree deleted_inodes lost data [ 73.331300][ T5316] error reading btree root deleted_inodes l=0: btree_node_read_error, fixing [ 73.337107][ T5316] bcachefs (loop0): error validating btree node on loop0 at btree (unknown) level 26/26 [ 73.337120][ T5316] u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq e81e1ed936acf3df written 21 min_key POS_MIN durability: 1 ptr: 0:29:0 gen 0 [ 73.337130][ T5316] node offset 0/21 bset u64s 0: incorrect btree id [ 73.348366][ T5316] bcachefs (loop0): flagging btree (unknown) lost data [ 73.351725][ T5316] error reading btree root (unknown) l=26: btree_node_read_error, fixing [ 73.355083][ T5316] bcachefs (loop0): scan_for_btree_nodes... 
[ 73.361703][ T5316] bch2_scan_for_btree_nodes: nodes found after overwrites: [ 73.361725][ T5316] extents l=0 seq=1 journal_seq=5 cookie=c6c25c03258c59c5 POS_MIN-SPOS_MAX ptr: 0:27:0 gen 0 [ 73.361734][ T5316] xattrs l=0 seq=1 journal_seq=0 cookie=2 POS_MIN-14293651161087:U64_MAX:U32_MAX ptr: 0:31:0 gen 0 [ 73.361742][ T5316] lru l=0 seq=1 journal_seq=5 cookie=28f61e078e70b95c POS_MIN-SPOS_MAX ptr: 0:28:0 gen 0 [ 73.361751][ T5316] deleted_inodes l=0 seq=1 journal_seq=0 cookie=1db8f60c84bb244c POS_MIN-SPOS_MAX ptr: 0:42:0 gen 0 [ 73.361759][ T5316] [ 73.386858][ T5316] done [ 73.387862][ T5316] bcachefs (loop0): check_topology... [ 73.387936][ T5316] bcachefs (loop0): btree root xattrs unreadable, must recover from scan [ 73.394313][ T5316] bcachefs (loop0): bch2_get_scanned_nodes(): recovering xattrs l=0 POS_MIN - SPOS_MAX [ 73.399632][ T5316] bcachefs (loop0): bch2_get_scanned_nodes(): recovering u64s 11 type btree_ptr_v2 14293651161087:U64_MAX:U32_MAX len 0 ver 0: seq 2 written 8 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0 [ 73.412006][ T5316] btree node with incorrect max_keyat btree xattrs level 1: [ 73.412033][ T5316] parent: u64s 5 type btree_ptr SPOS_MAX len 0 ver 0 [ 73.412042][ T5316] child: u64s 11 type btree_ptr_v2 14293651161087:U64_MAX:U32_MAX len 0 ver 0: seq 2 written 8 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0, fixing [ 73.428754][ T5316] bcachefs (loop0): bch2_get_scanned_nodes(): recovering xattrs l=0 14293651161088:0:0 - SPOS_MAX [ 73.432775][ T5316] btree node with incorrect max_keyat btree xattrs level 1: [ 73.432789][ T5316] parent: u64s 5 type btree_ptr SPOS_MAX len 0 ver 0 [ 73.432797][ T5316] child: u64s 11 type btree_ptr_v2 14293651161087:U64_MAX:U32_MAX len 0 ver 0: seq 2 written 8 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0, fixing [ 73.446292][ T5316] bcachefs (loop0): set_node_max(): u64s 11 type btree_ptr_v2 14293651161087:U64_MAX:U32_MAX len 0 ver 0: seq 2 written 8 min_key POS_MIN durability: 1 ptr: 0:31:0 gen 0 -> 
SPOS_MAX [ 73.452729][ T5316] bcachefs (loop0): btree root deleted_inodes unreadable, must recover from scan [ 73.457457][ T5316] bcachefs (loop0): bch2_get_scanned_nodes(): recovering deleted_inodes l=0 POS_MIN - SPOS_MAX [ 73.461650][ T5316] bcachefs (loop0): bch2_get_scanned_nodes(): recovering u64s 11 type btree_ptr_v2 SPOS_MAX len 0 ver 0: seq 1db8f60c84bb244c written 8 min_key POS_MIN durability: 1 ptr: 0:42:0 gen 0 [ 73.469897][ T5316] Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI [ 73.474783][ T5316] KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] [ 73.478023][ T5316] CPU: 0 UID: 0 PID: 5316 Comm: syz.0.0 Not tainted 6.13.0-rc7-syzkaller-00149-g9bffa1ad25b8 #0 [ 73.481832][ T5316] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 73.485803][ T5316] RIP: 0010:__lock_acquire+0x6a/0x2100 [ 73.502670][ T5316] Code: b6 04 30 84 c0 0f 85 f8 16 00 00 45 31 f6 83 3d ab f0 9e 0e 00 0f 84 c8 13 00 00 89 54 24 60 89 5c 24 38 4c 89 f8 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 ff e8 88 26 8b 00 48 be 00 00 00 00 00 fc [ 73.509869][ T5316] RSP: 0018:ffffc9000d136f50 EFLAGS: 00010002 [ 73.512151][ T5316] RAX: 000000000000000e RBX: 0000000000000001 RCX: 0000000000000001 [ 73.515033][ T5316] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000070 [ 73.517990][ T5316] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 73.520957][ T5316] R10: dffffc0000000000 R11: fffffbfff203308f R12: ffff888000f6a440 [ 73.524012][ T5316] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000070 [ 73.526884][ T5316] FS: 00007f20d14186c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 73.530036][ T5316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 73.532447][ T5316] CR2: 000055cb79039058 CR3: 0000000052efa000 CR4: 0000000000352ef0 [ 73.535276][ T5316] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000 [ 73.538145][ T5316] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 73.540988][ T5316] Call Trace: [ 73.543086][ T5316] [ 73.544160][ T5316] ? __die_body+0x5f/0xb0 [ 73.545796][ T5316] ? die_addr+0xb0/0xe0 [ 73.547348][ T5316] ? exc_general_protection+0x3dd/0x5d0 [ 73.549502][ T5316] ? asm_exc_general_protection+0x26/0x30 [ 73.551659][ T5316] ? __lock_acquire+0x6a/0x2100 [ 73.553536][ T5316] lock_acquire+0x1ed/0x550 [ 73.555302][ T5316] ? bch2_check_topology+0x59b/0xb20 [ 73.557448][ T5316] ? __pfx_lock_acquire+0x10/0x10 [ 73.559422][ T5316] ? __do_six_trylock+0x832/0x9f0 [ 73.561423][ T5316] ? __pfx_lock_release+0x10/0x10 [ 73.563433][ T5316] ? __pfx___do_six_trylock+0x10/0x10 [ 73.565623][ T5316] ? bch2_check_topology+0x59b/0xb20 [ 73.567743][ T5316] six_lock_ip_waiter+0x9e/0x160 [ 73.569753][ T5316] ? bch2_check_topology+0x59b/0xb20 [ 73.571750][ T5316] ? __pfx_bch2_six_check_for_deadlock+0x10/0x10 [ 73.574187][ T5316] bch2_check_topology+0x619/0xb20 [ 73.576145][ T5316] ? irq_work_queue+0xd1/0x150 [ 73.577940][ T5316] ? bch2_check_topology+0x59b/0xb20 [ 73.579875][ T5316] ? __pfx_bch2_check_topology+0x10/0x10 [ 73.582063][ T5316] ? __pfx___mutex_trylock_common+0x10/0x10 [ 73.584460][ T5316] ? __bch2_print+0x17a/0x220 [ 73.586280][ T5316] ? kvm_sched_clock_read+0x11/0x20 [ 73.588319][ T5316] ? local_clock_noinstr+0xe/0xe0 [ 73.590146][ T5316] ? __pfx___bch2_print+0x10/0x10 [ 73.592015][ T5316] ? __mutex_unlock_slowpath+0x21e/0x790 [ 73.594170][ T5316] bch2_run_recovery_pass+0xf0/0x1e0 [ 73.596242][ T5316] bch2_run_recovery_passes+0x3a7/0x880 [ 73.598442][ T5316] bch2_fs_recovery+0x25cc/0x39d0 [ 73.600269][ T5316] ? __pfx_bch2_fs_recovery+0x10/0x10 [ 73.602107][ T5316] ? __pfx_lock_release+0x10/0x10 [ 73.603961][ T5316] ? bch2_get_next_online_dev+0x2b/0x4f0 [ 73.605589][ T5316] ? __pfx_lock_release+0x10/0x10 [ 73.607036][ T5316] ? bch2_get_next_online_dev+0x2b/0x4f0 [ 73.608746][ T5316] ? 
bch2_get_next_online_dev+0x4b9/0x4f0 [ 73.610564][ T5316] ? bch2_get_next_online_dev+0x2b/0x4f0 [ 73.612209][ T5316] ? llist_reverse_order+0x72/0x90 [ 73.613957][ T5316] bch2_fs_start+0x356/0x5b0 [ 73.615555][ T5316] bch2_fs_get_tree+0xd68/0x1710 [ 73.617144][ T5316] ? __pfx_bch2_fs_get_tree+0x10/0x10 [ 73.618998][ T5316] ? generic_parse_monolithic+0x387/0x400 [ 73.620903][ T5316] ? apparmor_capable+0x13b/0x1b0 [ 73.622603][ T5316] vfs_get_tree+0x90/0x2b0 [ 73.624218][ T5316] do_new_mount+0x2be/0xb40 [ 73.625955][ T5316] ? __pfx_do_new_mount+0x10/0x10 [ 73.627887][ T5316] __se_sys_mount+0x2d6/0x3c0 [ 73.629806][ T5316] ? __pfx___se_sys_mount+0x10/0x10 [ 73.631920][ T5316] ? do_syscall_64+0x100/0x230 [ 73.633849][ T5316] ? __x64_sys_mount+0x20/0xc0 [ 73.635688][ T5316] do_syscall_64+0xf3/0x230 [ 73.637490][ T5316] ? clear_bhb_loop+0x35/0x90 [ 73.639323][ T5316] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 73.641554][ T5316] RIP: 0033:0x7f20d05874ca [ 73.643248][ T5316] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 73.650395][ T5316] RSP: 002b:00007f20d1417e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 [ 73.653631][ T5316] RAX: ffffffffffffffda RBX: 00007f20d1417ef0 RCX: 00007f20d05874ca [ 73.656701][ T5316] RDX: 00000000200058c0 RSI: 0000000020000000 RDI: 00007f20d1417eb0 [ 73.659857][ T5316] RBP: 00000000200058c0 R08: 00007f20d1417ef0 R09: 0000000000000400 [ 73.663177][ T5316] R10: 0000000000000400 R11: 0000000000000246 R12: 0000000020000000 [ 73.666353][ T5316] R13: 00007f20d1417eb0 R14: 0000000000005a30 R15: 0000000020000400 [ 73.669153][ T5316] [ 73.670270][ T5316] Modules linked in: [ 73.672491][ T5316] ---[ end trace 0000000000000000 ]--- [ 73.674474][ T5316] RIP: 0010:__lock_acquire+0x6a/0x2100 [ 73.676447][ T5316] Code: b6 04 30 84 c0 0f 85 f8 16 00 00 45 31 f6 83 3d ab f0 9e 0e 00 0f 84 c8 13 00 00 89 54 
24 60 89 5c 24 38 4c 89 f8 48 c1 e8 03 <80> 3c 30 00 74 12 4c 89 ff e8 88 26 8b 00 48 be 00 00 00 00 00 fc [ 73.683248][ T5316] RSP: 0018:ffffc9000d136f50 EFLAGS: 00010002 [ 73.685542][ T5316] RAX: 000000000000000e RBX: 0000000000000001 RCX: 0000000000000001 [ 73.688730][ T5316] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000070 [ 73.691739][ T5316] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 73.694517][ T5316] R10: dffffc0000000000 R11: fffffbfff203308f R12: ffff888000f6a440 [ 73.697511][ T5316] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000070 [ 73.700500][ T5316] FS: 00007f20d14186c0(0000) GS:ffff88801fc00000(0000) knlGS:0000000000000000 [ 73.703410][ T5316] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 73.705660][ T5316] CR2: 000055cb79039058 CR3: 0000000052efa000 CR4: 0000000000352ef0 [ 73.708298][ T5316] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 73.711040][ T5316] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 73.713865][ T5316] Kernel panic - not syncing: Fatal exception [ 73.716309][ T5316] Kernel Offset: disabled [ 73.718058][ T5316] Rebooting in 86400 seconds..