syzbot

general protection fault, probably for non-canonical address 0xdffffc000000002f: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000178-0x000000000000017f]
CPU: 0 PID: 3630 Comm: syz-executor110 Not tainted 5.17.0-rc2-next-20220204-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:blk_throtl_bio block/blk-throttle.h:175 [inline]
RIP: 0010:submit_bio_checks+0x7c0/0x1bf0 block/blk-core.c:765
Code: 08 3c 03 0f 8e 4a 11 00 00 48 b8 00 00 00 00 00 fc ff df 44 8b 6d 10 41 83 e5 01 4a 8d bc 2b 7c 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 09 11 00 00
RSP: 0018:ffffc900028ef680 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000002f RSI: ffffffff83d5f91e RDI: 000000000000017d
RBP: ffff8880159e4400 R08: ffffffff8a044fc0 R09: 0000000000000000
R10: ffffffff83d5f910 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 00000000fffffffe R15: ffff88801a4fbb9c
FS:  0000555555b78300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555b81628 CR3: 00000000190b0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __submit_bio+0xaf/0x360 block/blk-core.c:802
 __submit_bio_noacct_mq block/blk-core.c:881 [inline]
 submit_bio_noacct block/blk-core.c:907 [inline]
 submit_bio_noacct+0x6c9/0x8a0 block/blk-core.c:896
 submit_bio block/blk-core.c:968 [inline]
 submit_bio+0x1ea/0x430 block/blk-core.c:926
 write_dev_flush fs/btrfs/disk-io.c:4243 [inline]
 barrier_all_devices fs/btrfs/disk-io.c:4293 [inline]
 write_all_supers+0x3038/0x4440 fs/btrfs/disk-io.c:4388
 btrfs_commit_transaction+0x1be3/0x3180 fs/btrfs/transaction.c:2362
 btrfs_commit_super+0xc1/0x100 fs/btrfs/disk-io.c:4562
 close_ctree+0x314/0xccc fs/btrfs/disk-io.c:4671
 generic_shutdown_super+0x14c/0x400 fs/super.c:462
 kill_anon_super+0x36/0x60 fs/super.c:1056
 btrfs_kill_super+0x38/0x50 fs/btrfs/super.c:2365
 deactivate_locked_super+0x94/0x160 fs/super.c:332
 deactivate_super+0xad/0xd0 fs/super.c:363
 cleanup_mnt+0x3a2/0x540 fs/namespace.c:1159
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f3a312e48b7
Code: 07 00 48 83 c4 08 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffff8a6f9b8 EFLAGS: 00000206 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00007f3a312e48b7
RDX: 00007ffff8a6fa79 RSI: 000000000000000a RDI: 00007ffff8a6fa70
RBP: 00007ffff8a6fa70 R08: 00000000ffffffff R09: 00007ffff8a6f850
R10: 0000555555b79653 R11: 0000000000000206 R12: 00007ffff8a70ae0
R13: 0000555555b795f0 R14: 00007ffff8a6f9e0 R15: 0000000000000001
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:blk_throtl_bio block/blk-throttle.h:175 [inline]
RIP: 0010:submit_bio_checks+0x7c0/0x1bf0 block/blk-core.c:765
Code: 08 3c 03 0f 8e 4a 11 00 00 48 b8 00 00 00 00 00 fc ff df 44 8b 6d 10 41 83 e5 01 4a 8d bc 2b 7c 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 09 11 00 00
RSP: 0018:ffffc900028ef680 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000002f RSI: ffffffff83d5f91e RDI: 000000000000017d
RBP: ffff8880159e4400 R08: ffffffff8a044fc0 R09: 0000000000000000
R10: ffffffff83d5f910 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 00000000fffffffe R15: ffff88801a4fbb9c
FS:  0000555555b78300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555555b81628 CR3: 00000000190b0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	08 3c 03             	or     %bh,(%rbx,%rax,1)
   3:	0f 8e 4a 11 00 00    	jle    0x1153
   9:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  10:	fc ff df
  13:	44 8b 6d 10          	mov    0x10(%rbp),%r13d
  17:	41 83 e5 01          	and    $0x1,%r13d
  1b:	4a 8d bc 2b 7c 01 00 	lea    0x17c(%rbx,%r13,1),%rdi
  22:	00
  23:	48 89 fa             	mov    %rdi,%rdx
  26:	48 c1 ea 03          	shr    $0x3,%rdx
* 2a:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax <-- trapping instruction
  2e:	48 89 fa             	mov    %rdi,%rdx
  31:	83 e2 07             	and    $0x7,%edx
  34:	38 d0                	cmp    %dl,%al
  36:	7f 08                	jg     0x40
  38:	84 c0                	test   %al,%al
  3a:	0f 85 09 11 00 00    	jne    0x1149