general protection fault in bch2_run_recovery_pass
From: Liebes Wang
Date: Fri Jan 03 2025 - 01:46:34 EST
Dear Linux maintainers and reviewers:
We are reporting a Linux kernel bug titled **general protection fault in bch2_run_recovery_pass**, discovered using a modified version of Syzkaller.
Linux version: v6.12-rc6:59b723cd2adbac2a34fc8e12c74ae26ae45bf230 (the crash also reproduces on the latest kernel version)
The test case and kernel config are attached.
The KASAN report is (the full report is attached):
bcachefs (loop1): check_alloc_info... done
bcachefs (loop1): check_lrus... done
bcachefs (loop1): check_extents_to_backpointers...
loop6: detected capacity change from 0 to 1024
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]
CPU: 1 UID: 0 PID: 9172 Comm: syz.1.548 Not tainted 6.12.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:check_btree_root_to_backpointers+0x138/0x4a0 fs/bcachefs/backpointers.c:703
Code: df 48 c1 e8 03 80 3c 08 00 0f 85 25 03 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 1b 48 8d bb 98 00 00 00 48 89 f8 48 c1 e8 03 <0f> b6 04 08 84 c0 74 06 0f 8e f2 02 00 00 48 83 ec 18 45 31 c9 31
RSP: 0018:ff1100013d0e71e8 EFLAGS: 00010202
RAX: 0000000000000013 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: ff1100014aac2240 RSI: ffffffff83176a52 RDI: 0000000000000098
RBP: ff1100013d0e7338 R08: 0000000000000021 R09: fffffbfff14467ed
R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000021
R13: 0000000000000008 R14: ff1100013d0e7268 R15: ff11000104880000
FS: 00007fed67f73700(0000) GS:ff110004ca900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2383bb0018 CR3: 0000000107678006 CR4: 0000000000771ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 80000000
Call Trace:
<TASK>
bch2_check_extents_to_backpointers_pass+0x1db/0x810 fs/bcachefs/backpointers.c:868
bch2_check_extents_to_backpointers+0x152/0x760 fs/bcachefs/backpointers.c:932
bch2_run_recovery_pass+0x91/0x190 fs/bcachefs/recovery_passes.c:185
bch2_run_recovery_passes+0x3a3/0x730 fs/bcachefs/recovery_passes.c:232
bch2_fs_recovery+0x1f89/0x3c60 fs/bcachefs/recovery.c:861
bch2_fs_start+0x2d8/0x610 fs/bcachefs/super.c:1036
bch2_fs_get_tree+0xfda/0x15d0 fs/bcachefs/fs.c:2170
vfs_get_tree+0x94/0x380 fs/super.c:1814
do_new_mount fs/namespace.c:3507 [inline]
path_mount+0x6b2/0x1eb0 fs/namespace.c:3834
do_mount fs/namespace.c:3847 [inline]
__do_sys_mount fs/namespace.c:4057 [inline]
__se_sys_mount fs/namespace.c:4034 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:4034
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xc1/0x1d0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Attachments: report0, repro.c, config (binary data)
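As an added triage aid that is not part of the report: the "non-canonical address" in the GPF line is a KASAN shadow address, and inverting the x86_64 shadow mapping recovers the 8-byte access range 0x98-0x9f, which matches both RDI and the KASAN range line quoted above. The script assumes the upstream x86_64 generic-KASAN constants (shadow offset 0xdffffc0000000000, scale shift 3) and 4-level paging, and the input lines are copied from the report.

```python
import re

# x86_64 generic-KASAN shadow mapping and address classes, assumed to match
# the reporter's config (upstream defaults for 4-level paging).
KASAN_SHADOW_OFFSET = 0xdffffc0000000000
KASAN_SHADOW_SCALE_SHIFT = 3            # one shadow byte covers 8 bytes
KASAN_GRANULE = 1 << KASAN_SHADOW_SCALE_SHIFT
PAGE_SIZE = 0x1000
TASK_SIZE_MAX = (1 << 47) - PAGE_SIZE   # top of user space, 4-level paging

# Constructed input: the relevant lines copied from the report above.
OOPS_LINES = [
    "Oops: general protection fault, probably for non-canonical address "
    "0xdffffc0000000013: 0000 [#1] PREEMPT SMP KASAN NOPTI",
    "KASAN: null-ptr-deref in range [0x0000000000000098-0x000000000000009f]",
]

GPF_RE = re.compile(r"non-canonical address 0x([0-9a-f]+)")
KASAN_RE = re.compile(r"KASAN: (\S+) in range \[0x([0-9a-f]+)-0x([0-9a-f]+)\]")

def shadow_to_range(shadow_addr):
    """(lo, hi) of the granule whose shadow byte is at shadow_addr, else None."""
    if shadow_addr < KASAN_SHADOW_OFFSET:
        return None
    lo = (shadow_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    return lo, lo + KASAN_GRANULE - 1

def classify(addr):
    """Same buckets the kernel's KASAN report code uses for wild accesses."""
    if addr < PAGE_SIZE:
        return "null-ptr-deref"
    if addr < TASK_SIZE_MAX:
        return "user-memory-access"
    return "wild-memory-access"

def triage(lines):
    """Recover the faulting range from the GPF line; cross-check KASAN's line."""
    out = {}
    for line in lines:
        if m := GPF_RE.search(line):
            rng = shadow_to_range(int(m.group(1), 16))
            out["access_range"] = rng
            out["bug_type"] = classify(rng[0]) if rng else "not-a-shadow-address"
        if m := KASAN_RE.search(line):
            out["kasan_bug_type"] = m.group(1)
            out["kasan_range"] = (int(m.group(2), 16), int(m.group(3), 16))
    out["consistent"] = (out.get("access_range") == out.get("kasan_range")
                         and out.get("bug_type") == out.get("kasan_bug_type"))
    return out
```

A recovered range below PAGE_SIZE means a field at that offset of a NULL struct pointer was touched, which is why the fix is a missing NULL check rather than a bounds problem.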