loop2: detected capacity change from 0 to 32768
xfs: Deprecated parameter 'ikeep'
XFS: ikeep mount option is deprecated.
XFS (loop2): Mounting V5 Filesystem 9f91832a-3b79-45c3-9d6d-ed0bc7357fe4
XFS (loop2): Ending clean mount
XFS (loop2): Quotacheck needed: Please wait.
XFS (loop2): Quotacheck: Done.
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 13187 Comm: syz.2.19 Not tainted 6.19.0-rc6 #31 PREEMPT(full) 
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:xchk_metadata_inode_subtype fs/xfs/scrub/common.c:1398 [inline]
RIP: 0010:xchk_metadata_inode_forks+0xf3/0x8f0 fs/xfs/scrub/common.c:1418
Code: 00 00 00 48 8b 7c 24 08 be 0b 00 00 00 e8 25 c8 03 00 49 89 c7 4c 8d 60 10 4c 89 e0 48 c1 e8 03 49 bd 00 00 00 00 00 fc ff df <42> 80 3c 28 00 74 08 4c 89 e7 e8 5e 4b a0 fe 4d 8b 24 24 49 83 c4
RSP: 0018:ffffc9000a6af2a0 EFLAGS: 00010247
RAX: 0000000000000000 RBX: ffff888046c67c08 RCX: ffff888000361ec0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801a441b40
RBP: ffffc9000a6af370 R08: 0000000000006dc0 R09: 00000000ffffffff
R10: dffffc0000000000 R11: fffffbfff1c0d107 R12: 0000000000000004
R13: dffffc0000000000 R14: 1ffff11008d8cf81 R15: fffffffffffffff4
FS:  00007f5877ffe640(0000) GS:ffff8880ec5e0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f627486f000 CR3: 0000000026294000 CR4: 0000000000752ef0
PKRU: 00000000
Call Trace:
 <TASK>
 xchk_quota_data_fork+0xd0/0x5e0 fs/xfs/scrub/quota.c:271
 xchk_quota+0x193/0x420 fs/xfs/scrub/quota.c:314
 xfs_scrub_metadata+0xc08/0x1920 fs/xfs/scrub/scrub.c:-1
 xfs_ioc_scrubv_metadata+0x74a/0xaf0 fs/xfs/scrub/scrub.c:981
 xfs_file_ioctl+0x751/0x1560 fs/xfs/xfs_ioctl.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xe8/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f58789b459d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5877ffdf98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f5878c45fa0 RCX: 00007f58789b459d
RDX: 00002000000000c0 RSI: 00000000c0285840 RDI: 0000000000000004
RBP: 00007f5877ffe010 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007f5878c46038 R14: 00007f5878c45fa0 R15: 00007f5877fde000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:xchk_metadata_inode_subtype fs/xfs/scrub/common.c:1398 [inline]
RIP: 0010:xchk_metadata_inode_forks+0xf3/0x8f0 fs/xfs/scrub/common.c:1418
Code: 00 00 00 48 8b 7c 24 08 be 0b 00 00 00 e8 25 c8 03 00 49 89 c7 4c 8d 60 10 4c 89 e0 48 c1 e8 03 49 bd 00 00 00 00 00 fc ff df <42> 80 3c 28 00 74 08 4c 89 e7 e8 5e 4b a0 fe 4d 8b 24 24 49 83 c4
RSP: 0018:ffffc9000a6af2a0 EFLAGS: 00010247
RAX: 0000000000000000 RBX: ffff888046c67c08 RCX: ffff888000361ec0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88801a441b40
RBP: ffffc9000a6af370 R08: 0000000000006dc0 R09: 00000000ffffffff
R10: dffffc0000000000 R11: fffffbfff1c0d107 R12: 0000000000000004
R13: dffffc0000000000 R14: 1ffff11008d8cf81 R15: fffffffffffffff4
FS:  00007f5877ffe640(0000) GS:ffff8880ec5e0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f62748ab000 CR3: 0000000026294000 CR4: 0000000000752ef0
PKRU: 00000000
----------------
Code disassembly (best guess):
   0:	00 00                	add    %al,(%rax)
   2:	00 48 8b             	add    %cl,-0x75(%rax)
   5:	7c 24                	jl     0x2b
   7:	08 be 0b 00 00 00    	or     %bh,0xb(%rsi)
   d:	e8 25 c8 03 00       	call   0x3c837
  12:	49 89 c7             	mov    %rax,%r15
  15:	4c 8d 60 10          	lea    0x10(%rax),%r12
  19:	4c 89 e0             	mov    %r12,%rax
  1c:	48 c1 e8 03          	shr    $0x3,%rax
  20:	49 bd 00 00 00 00 00 	movabs $0xdffffc0000000000,%r13
  27:	fc ff df
* 2a:	42 80 3c 28 00       	cmpb   $0x0,(%rax,%r13,1) <-- trapping instruction
  2f:	74 08                	je     0x39
  31:	4c 89 e7             	mov    %r12,%rdi
  34:	e8 5e 4b a0 fe       	call   0xfea04b97
  39:	4d 8b 24 24          	mov    (%r12),%r12
  3d:	49                   	rex.WB
  3e:	83                   	.byte 0x83
  3f:	c4                   	.byte 0xc4