syzbot

==================================================================
BUG: KASAN: use-after-free in dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
Read of size 1 at addr ffff8881788e1061 by task jfsCommit/112

CPU: 1 PID: 112 Comm: jfsCommit Not tainted 6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:488
 kasan_report+0xd9/0x110 mm/kasan/report.c:601
 dbJoin+0x295/0x2b0 fs/jfs/jfs_dmap.c:2805
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1788e1
flags: 0x57ff00000000000(node=1|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 057ff00000000000 ffffea0005e23848 ffffea0005e23848 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffff8881788e0f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e0f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8881788e1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                       ^
 ffff8881788e1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881788e1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2900:31
index -3 is out of range for type 's8 [1365]'
CPU: 1 PID: 112 Comm: jfsCommit Tainted: G    B              6.9.0-syzkaller-01768-ga5131c3fdf26 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:114
 ubsan_epilogue lib/ubsan.c:231 [inline]
 __ubsan_handle_out_of_bounds+0x110/0x150 lib/ubsan.c:429
 dbAdjTree+0x383/0x3d0 fs/jfs/jfs_dmap.c:2900
 dbJoin+0x24b/0x2b0 fs/jfs/jfs_dmap.c:2841
 dbFreeBits+0x15c/0x8f0 fs/jfs/jfs_dmap.c:2338
 dbFreeDmap+0x62/0x1b0 fs/jfs/jfs_dmap.c:2087
 dbFree+0x266/0x550 fs/jfs/jfs_dmap.c:409
 txFreeMap+0x788/0xe60 fs/jfs/jfs_txnmgr.c:2515
 xtTruncate+0x1e57/0x2c80 fs/jfs/jfs_xtree.c:2467
 jfs_free_zero_link+0x372/0x4f0 fs/jfs/namei.c:759
 jfs_evict_inode+0x423/0x4b0 fs/jfs/inode.c:153
 evict+0x2f0/0x6c0 fs/inode.c:667
 iput_final fs/inode.c:1741 [inline]
 iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
 iput+0x5c/0x80 fs/inode.c:1757
 txUpdateMap+0xaf3/0xd20 fs/jfs/jfs_txnmgr.c:2367
 txLazyCommit fs/jfs/jfs_txnmgr.c:2664 [inline]
 jfs_lazycommit+0x5e6/0xb20 fs/jfs/jfs_txnmgr.c:2733
 kthread+0x2c4/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace ]---