Hello. We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue. Stack dump: bcachefs (loop1): mounting version 1.7: (unknown version) opts=metadata_checksum=none,data_checksum=none,nojournal_transaction_names ------------[ cut here ]------------ kernel BUG at fs/bcachefs/buckets.h:114! invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 9472 Comm: syz-executor.1 Not tainted 6.7.0 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:bucket_gen fs/bcachefs/buckets.h:114 [inline] RIP: 0010:ptr_stale+0x474/0x4e0 fs/bcachefs/buckets.h:188 Code: 48 c7 c2 80 8c 1b 8b be 67 00 00 00 48 c7 c7 e0 8c 1b 8b c6 05 ea a6 72 0b 01 e8 57 55 9c fd e9 fb fc ff ff e8 9d 02 bd fd 90 <0f> 0b 48 89 04 24 e8 31 bb 13 fe 48 8b 04 24 e9 35 fc ff ff e8 23 RSP: 0018:ffffc90007c4ec38 EFLAGS: 00010246 RAX: 0000000000040000 RBX: 0000000000000080 RCX: ffffc90002679000 RDX: 0000000000040000 RSI: ffffffff83ccf3b3 RDI: 0000000000000006 RBP: 0000000000000000 R08: 0000000000000006 R09: 0000000010000028 R10: 0000000000000080 R11: 0000000000000000 R12: 0000000010000028 R13: ffff88804dee5100 R14: 0000000000000000 R15: ffff88805b1a4110 FS: 00007f79ba8ab640(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f0bbda3f000 CR3: 000000005f37a000 CR4: 0000000000750ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: bch2_bkey_ptrs_to_text+0xb4e/0x1760 fs/bcachefs/extents.c:1012 bch2_btree_ptr_v2_to_text+0x288/0x330 fs/bcachefs/extents.c:215 bch2_val_to_text fs/bcachefs/bkey_methods.c:287 [inline] bch2_bkey_val_to_text+0x1c8/0x210 fs/bcachefs/bkey_methods.c:297 journal_validate_key+0x7ab/0xb50 fs/bcachefs/journal_io.c:322 journal_entry_btree_root_validate+0x31c/0x380 fs/bcachefs/journal_io.c:411 bch2_journal_entry_validate+0xc7/0x130 fs/bcachefs/journal_io.c:752 bch2_sb_clean_validate_late+0x14b/0x1e0 fs/bcachefs/sb-clean.c:32 bch2_read_superblock_clean+0xbb/0x250 fs/bcachefs/sb-clean.c:160 bch2_fs_recovery+0x113/0x52d0 fs/bcachefs/recovery.c:691 bch2_fs_start+0x365/0x5e0 fs/bcachefs/super.c:978 bch2_fs_open+0x1ac9/0x3890 fs/bcachefs/super.c:1968 bch2_mount+0x538/0x13c0 fs/bcachefs/fs.c:1863 legacy_get_tree+0x109/0x220 fs/fs_context.c:662 vfs_get_tree+0x93/0x380 fs/super.c:1771 do_new_mount fs/namespace.c:3337 [inline] path_mount+0x679/0x1e40 fs/namespace.c:3664 do_mount fs/namespace.c:3677 [inline] __do_sys_mount fs/namespace.c:3886 [inline] __se_sys_mount fs/namespace.c:3863 [inline] __x64_sys_mount+0x287/0x310 fs/namespace.c:3863 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0x43/0x120 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f79b9a91b3e Code: 48 c7 c0 ff ff ff ff eb aa e8 be 0d 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f79ba8aae38 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00000000000119f4 RCX: 00007f79b9a91b3e RDX: 0000000020011a00 RSI: 0000000020011a40 RDI: 00007f79ba8aae90 RBP: 00007f79ba8aaed0 R08: 00007f79ba8aaed0 R09: 000000000181c050 R10: 000000000181c050 R11: 0000000000000202 R12: 0000000020011a00 R13: 0000000020011a40 R14: 00007f79ba8aae90 R15: 00000000200001c0 Modules linked in: ---[ end trace 0000000000000000 ]--- Thank you for taking the time to read this email and we look forward to working with you further.