syzbot

ERROR: (device loop0): xtSearch: XT_GETPAGE: xtree page corrupt
print_req_error: I/O error, dev loop0, sector 0
ERROR: (device loop0): xtSearch: XT_GETPAGE: xtree page corrupt
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 9575 Comm: syz-executor220 Not tainted 4.14.272-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff888092f28400 task.stack: ffff88808d978000
RIP: 0010:diFree+0x154/0x2830 fs/jfs/jfs_imap.c:892
RSP: 0018:ffff88808d97f9a0 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: ffff8880aa0098c0 RCX: ffff88808bc90a74
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88808bc6caa8
RBP: 0000000000000000 R08: ffffffff8b9e39d0 R09: 0000000000000001
R10: 0000000000000000 R11: ffff888092f28400 R12: ffff88808bc90a68
R13: 0000000000000004 R14: ffffffff87b68060 R15: ffff88808bc90c20
FS:  0000555556335300(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffc4ea2d000 CR3: 00000000b0533000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 jfs_evict_inode+0x16f/0x1e0 fs/jfs/inode.c:165
 evict+0x2c8/0x700 fs/inode.c:555
 iput_final fs/inode.c:1524 [inline]
 iput+0x458/0x7e0 fs/inode.c:1551
 diFreeSpecial fs/jfs/jfs_imap.c:569 [inline]
 diFreeSpecial+0x63/0x80 fs/jfs/jfs_imap.c:561
 jfs_mount+0x20a/0x380 fs/jfs/jfs_mount.c:219
 jfs_fill_super+0x52a/0xab0 fs/jfs/super.c:589
 mount_bdev+0x2b3/0x360 fs/super.c:1134
 mount_fs+0x92/0x2a0 fs/super.c:1237
 vfs_kern_mount.part.0+0x5b/0x470 fs/namespace.c:1046
 vfs_kern_mount fs/namespace.c:1036 [inline]
 do_new_mount fs/namespace.c:2572 [inline]
 do_mount+0xe65/0x2a10 fs/namespace.c:2902
 SYSC_mount fs/namespace.c:3118 [inline]
 SyS_mount+0xa8/0x120 fs/namespace.c:3095
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f1bf64e1dba
RSP: 002b:00007ffc4ea2c3b8 EFLAGS: 00000282 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 00007ffc4ea2c420 RCX: 00007f1bf64e1dba
RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc4ea2c3e0
RBP: 00007ffc4ea2c3e0 R08: 00007ffc4ea2c420 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000282 R12: 0000000020000260
R13: 0000000000000003 R14: 0000000000000004 R15: 0000000000000004
Code: 48 8b 44 24 18 48 8b 68 80 48 8b 44 24 20 4c 8d 6d 04 48 c1 e8 0c 4c 89 ea 48 c1 ea 03 48 89 04 24 48 b8 00 00 00 00 00 fc ff df <0f> b6 14 02 4c 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 
RIP: diFree+0x154/0x2830 fs/jfs/jfs_imap.c:892 RSP: ffff88808d97f9a0
---[ end trace 46662daa114d9f36 ]---
----------------
Code disassembly (best guess):
   0:	48 8b 44 24 18       	mov    0x18(%rsp),%rax
   5:	48 8b 68 80          	mov    -0x80(%rax),%rbp
   9:	48 8b 44 24 20       	mov    0x20(%rsp),%rax
   e:	4c 8d 6d 04          	lea    0x4(%rbp),%r13
  12:	48 c1 e8 0c          	shr    $0xc,%rax
  16:	4c 89 ea             	mov    %r13,%rdx
  19:	48 c1 ea 03          	shr    $0x3,%rdx
  1d:	48 89 04 24          	mov    %rax,(%rsp)
  21:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  28:	fc ff df
* 2b:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx <-- trapping instruction
  2f:	4c 89 e8             	mov    %r13,%rax
  32:	83 e0 07             	and    $0x7,%eax
  35:	83 c0 03             	add    $0x3,%eax
  38:	38 d0                	cmp    %dl,%al
  3a:	7c 08                	jl     0x44
  3c:	84 d2                	test   %dl,%dl
  3e:	0f                   	.byte 0xf
  3f:	85                   	.byte 0x85