Oops: general protection fault, probably for non-canonical address 0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 1 UID: 0 PID: 3536 Comm: kworker/u8:11 Not tainted 6.13.0-syzkaller-00164-g100ceb4817a2 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Workqueue: writeback wb_workfn (flush-bcachefs-16)
RIP: 0010:btree_path_lock_root fs/bcachefs/btree_iter.c:732 [inline]
RIP: 0010:bch2_btree_path_traverse_one+0xc5a/0x2fa0 fs/bcachefs/btree_iter.c:1183
Code: 00 0f 85 af 22 00 00 49 8b 45 00 48 8d 88 98 00 00 00 48 89 85 98 fe ff ff 48 89 c8 48 89 8d 58 fe ff ff 83 e1 07 48 c1 e8 03 <42> 0f b6 04 20 38 c8 7f 08 84 c0 0f 85 02 23 00 00 48 8b 85 98 fe
RSP: 0018:ffffc9000c92dea0 EFLAGS: 00010212
RAX: 0000000000000013 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880323c3c00 RSI: ffffffff840545f5 RDI: 0000000000000001
RBP: ffffc9000c92e0c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff88804e0814d8 R14: ffff88804e080000 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b307d9ff8 CR3: 000000005d8e2000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 bch2_btree_path_traverse fs/bcachefs/btree_iter.h:247 [inline]
 bch2_btree_path_traverse fs/bcachefs/btree_iter.h:239 [inline]
 __bch2_btree_iter_peek fs/bcachefs/btree_iter.c:2210 [inline]
 bch2_btree_iter_peek_upto+0x8b0/0x5a60 fs/bcachefs/btree_iter.c:2310
 bch2_btree_iter_peek_upto_type fs/bcachefs/btree_iter.h:685 [inline]
 bch2_bucket_alloc_freelist+0x44a/0xff0 fs/bcachefs/alloc_foreground.c:495
 bch2_bucket_alloc_trans+0x73c/0xb20 fs/bcachefs/alloc_foreground.c:648
 bch2_bucket_alloc_set_trans+0x479/0xd60 fs/bcachefs/alloc_foreground.c:808
 __open_bucket_add_buckets+0x955/0x11f0 fs/bcachefs/alloc_foreground.c:1057
 open_bucket_add_buckets+0x1a9/0x380 fs/bcachefs/alloc_foreground.c:1101
 bch2_alloc_sectors_start_trans+0x12b1/0x1c10 fs/bcachefs/alloc_foreground.c:1424
 __bch2_write+0x5e3/0x4bc0 fs/bcachefs/io_write.c:1437
 bch2_write+0x798/0x14a0 fs/bcachefs/io_write.c:1631
 bch2_writepages+0x140/0x200 fs/bcachefs/fs-io-buffered.c:641
 do_writepages+0x1b6/0x820 mm/page-writeback.c:2708
 __writeback_single_inode+0x166/0xfa0 fs/fs-writeback.c:1680
 writeback_sb_inodes+0x606/0xfa0 fs/fs-writeback.c:1976
 wb_writeback+0x422/0xb80 fs/fs-writeback.c:2156
 wb_do_writeback fs/fs-writeback.c:2303 [inline]
 wb_workfn+0x151/0xbc0 fs/fs-writeback.c:2343
 process_one_work+0x9c8/0x1ba0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x6c8/0xf00 kernel/workqueue.c:3398
 kthread+0x2c4/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:btree_path_lock_root fs/bcachefs/btree_iter.c:732 [inline]
RIP: 0010:bch2_btree_path_traverse_one+0xc5a/0x2fa0 fs/bcachefs/btree_iter.c:1183
Code: 00 0f 85 af 22 00 00 49 8b 45 00 48 8d 88 98 00 00 00 48 89 85 98 fe ff ff 48 89 c8 48 89 8d 58 fe ff ff 83 e1 07 48 c1 e8 03 <42> 0f b6 04 20 38 c8 7f 08 84 c0 0f 85 02 23 00 00 48 8b 85 98 fe
RSP: 0018:ffffc9000c92dea0 EFLAGS: 00010212
RAX: 0000000000000013 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880323c3c00 RSI: ffffffff840545f5 RDI: 0000000000000001
RBP: ffffc9000c92e0c0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff88804e0814d8 R14: ffff88804e080000 R15: 0000000000000004
FS:  0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b3041dff8 CR3: 000000005d8e4000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
   0:	00 0f                	add    %cl,(%rdi)
   2:	85 af 22 00 00 49    	test   %ebp,0x49000022(%rdi)
   8:	8b 45 00             	mov    0x0(%rbp),%eax
   b:	48 8d 88 98 00 00 00 	lea    0x98(%rax),%rcx
  12:	48 89 85 98 fe ff ff 	mov    %rax,-0x168(%rbp)
  19:	48 89 c8             	mov    %rcx,%rax
  1c:	48 89 8d 58 fe ff ff 	mov    %rcx,-0x1a8(%rbp)
  23:	83 e1 07             	and    $0x7,%ecx
  26:	48 c1 e8 03          	shr    $0x3,%rax
* 2a:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax <-- trapping instruction
  2f:	38 c8                	cmp    %cl,%al
  31:	7f 08                	jg     0x3b
  33:	84 c0                	test   %al,%al
  35:	0f 85 02 23 00 00    	jne    0x233d
  3b:	48                   	rex.W
  3c:	8b                   	.byte 0x8b
  3d:	85                   	.byte 0x85
  3e:	98                   	cwtl
  3f:	fe                   	.byte 0xfe