done bcachefs (loop2): accounting_read... done bcachefs (loop2): alloc_read... done bcachefs (loop2): stripes_read... done bcachefs (loop2): snapshots_read... done bcachefs (loop2): check_allocations... BUG: kernel NULL pointer dereference, address: 0000000000000020 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 800000010636a067 P4D 800000010636a067 PUD 0 Oops: Oops: 0000 [#1] PREEMPT SMP PTI CPU: 0 UID: 0 PID: 3350 Comm: syz.2.16 Not tainted 6.14.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 RIP: 0010:bch2_snapshot_tree_oldest_subvol+0x79/0x130 fs/bcachefs/snapshot.c:400 Code: 31 ff 89 e8 49 8b 94 24 50 09 00 00 89 e9 f7 d1 48 85 d2 0f 84 96 00 00 00 48 6b f1 38 48 39 4a 10 48 8d 54 32 18 49 0f 46 d5 <8b> 52 20 44 39 fa 44 89 fe 0f 42 f2 45 85 ff 0f 44 f2 85 d2 44 0f RSP: 0018:ffffc900033e7450 EFLAGS: 00010297 RAX: 000000000014b780 RBX: ffffc900033e74c8 RCX: 00000000ffeb487f RDX: 0000000000000000 RSI: 00000037fb77dbc8 RDI: ffffffff836b705c RBP: 000000000014b780 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88810ff00000 R13: 0000000000000000 R14: ffffffff81bf7ecf R15: 0000000000000000 FS: 00007fbcb7cb36c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000020 CR3: 000000010df8c000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: bch2_inum_snap_err_msg_trans+0xcd/0x160 fs/bcachefs/error.c:576 bch2_inum_snap_offset_err_msg_trans+0x1f/0x50 fs/bcachefs/error.c:591 bch2_indirect_extent_missing_error+0x130/0x3a0 fs/bcachefs/reflink.c:192 gc_trigger_reflink_p_segment fs/bcachefs/reflink.c:392 [inline] __trigger_reflink_p+0x6df/0x790 fs/bcachefs/reflink.c:432 bch2_key_trigger fs/bcachefs/bkey_methods.h:88 [inline] 
bch2_gc_mark_key+0x1e0/0x4a0 fs/bcachefs/btree_gc.c:639 bch2_gc_btree fs/bcachefs/btree_gc.c:675 [inline] bch2_gc_btrees fs/bcachefs/btree_gc.c:735 [inline] bch2_check_allocations+0x1a17/0x1f20 fs/bcachefs/btree_gc.c:1038 bch2_run_recovery_pass fs/bcachefs/recovery_passes.c:226 [inline] bch2_run_recovery_passes+0x10d/0x2a0 fs/bcachefs/recovery_passes.c:291 bch2_fs_recovery+0xa2f/0x1330 fs/bcachefs/recovery.c:936 bch2_fs_start+0x1c9/0x290 fs/bcachefs/super.c:1041 bch2_fs_get_tree+0x2be/0x6a0 fs/bcachefs/fs.c:2204 vfs_get_tree+0x24/0xb0 fs/super.c:1814 do_new_mount+0x15a/0x3a0 fs/namespace.c:3560 do_mount fs/namespace.c:3900 [inline] __do_sys_mount fs/namespace.c:4111 [inline] __se_sys_mount+0x147/0x1b0 fs/namespace.c:4088 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x8d/0x190 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fbcb6d8e90a Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 1a 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fbcb7cb2e68 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fbcb7cb2ef0 RCX: 00007fbcb6d8e90a RDX: 0000200000000040 RSI: 0000200000000000 RDI: 00007fbcb7cb2eb0 RBP: 0000200000000040 R08: 00007fbcb7cb2ef0 R09: 0000000000800001 R10: 0000000000800001 R11: 0000000000000246 R12: 0000200000000000 R13: 00007fbcb7cb2eb0 R14: 000000000000599b R15: 0000200000005b40 Modules linked in: CR2: 0000000000000020 ---[ end trace 0000000000000000 ]--- RIP: 0010:bch2_snapshot_tree_oldest_subvol+0x79/0x130 fs/bcachefs/snapshot.c:400 Code: 31 ff 89 e8 49 8b 94 24 50 09 00 00 89 e9 f7 d1 48 85 d2 0f 84 96 00 00 00 48 6b f1 38 48 39 4a 10 48 8d 54 32 18 49 0f 46 d5 <8b> 52 20 44 39 fa 44 89 fe 0f 42 f2 45 85 ff 0f 44 f2 85 d2 44 0f RSP: 0018:ffffc900033e7450 EFLAGS: 00010297 RAX: 000000000014b780 RBX: ffffc900033e74c8 RCX: 00000000ffeb487f RDX: 0000000000000000 RSI: 
00000037fb77dbc8 RDI: ffffffff836b705c
RBP: 000000000014b780 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88810ff00000
R13: 0000000000000000 R14: ffffffff81bf7ecf R15: 0000000000000000
FS: 00007fbcb7cb36c0(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 000000010df8c000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
# Annotated decode of the "Code:" bytes from the oops (AT&T syntax: op src,dst).
# Offsets are relative to the start of the dumped byte window, not to the
# function. The <8b> marker sits at window offset 0x2a and RIP is
# bch2_snapshot_tree_oldest_subvol+0x79, so window offset 0 is function+0x4f.
# The window starts at an arbitrary byte, so the decode is a best guess; it is
# consistent with the register dump here.
#
# Triage summary: the sequence is a bounds-checked table lookup whose
# out-of-range result (r13, which is 0 in the register dump) is dereferenced at
# +0x20 with no NULL check, so the fault address equals CR2 = 0x20. Per the
# Call Trace earlier in this log, the lookup was reached from the
# error-message path (bch2_inum_snap_err_msg_trans) during check_allocations
# at mount time.
   0:   31 ff                   xor %edi,%edi
   2:   89 e8                   mov %ebp,%eax
# Load a pointer from offset 0x950 of the object in r12.
# NOTE(review): presumably the snapshot table pointer -- confirm against source.
   4:   49 8b 94 24 50 09 00    mov 0x950(%r12),%rdx
   b:   00
# ecx = ~ebp (32-bit). With RBP = 0x14b780 this gives the RCX = 0xffeb487f seen
# in the register dump; this value is used as the table index below.
   c:   89 e9                   mov %ebp,%ecx
   e:   f7 d1                   not %ecx
# A NULL table pointer is tested for and branches away to window offset 0xaf.
  10:   48 85 d2                test %rdx,%rdx
  13:   0f 84 96 00 00 00       je 0xaf
# rsi = index * 0x38 (RSI = 0x37fb77dbc8 in the dump); 0x38 looks like the
# per-entry size -- TODO confirm.
  19:   48 6b f1 38             imul $0x38,%rcx,%rsi
# Compare the 64-bit field at table+0x10 with the index.
# NOTE(review): presumably the entry count -- confirm.
  1d:   48 39 4a 10             cmp %rcx,0x10(%rdx)
# Candidate entry address = table + 0x18 + index * 0x38 (lea leaves flags intact).
  21:   48 8d 54 32 18          lea 0x18(%rdx,%rsi,1),%rdx
# If the field at table+0x10 is <= index (unsigned), the candidate is replaced
# by r13. R13 and RDX are both 0 in the dump, so this path was taken.
  26:   49 0f 46 d5             cmovbe %r13,%rdx
# 32-bit read at offset 0x20 of the selected entry; with rdx = 0 this touches
# address 0x20 (not-present page, supervisor read), which is the reported oops.
* 2a:   8b 52 20                mov 0x20(%rdx),%edx <-- trapping instruction
# Not reached. The decode below is what follows the faulting load.
  2d:   44 39 fa                cmp %r15d,%edx
  30:   44 89 fe                mov %r15d,%esi
  33:   0f 42 f2                cmovb %edx,%esi
  36:   45 85 ff                test %r15d,%r15d
  39:   0f 44 f2                cmove %edx,%esi
  3c:   85 d2                   test %edx,%edx
# The byte window ends mid-instruction ("44 0f"), so the last two entries are
# decoder leftovers rather than real instructions.
  3e:   44                      rex.R
  3f:   0f                      .byte 0xf