==================================================================
BUG: KASAN: use-after-free in dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
Read of size 4 at addr ffff0000d1ee801c by task syz.3.153/4927

CPU: 0 PID: 4927 Comm: syz.3.153 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xaa4/0x55dc fs/jfs/jfs_dtree.c:871
 jfs_create+0x588/0x8c4 fs/jfs/namei.c:137
 lookup_open fs/namei.c:3462 [inline]
 open_last_lookups fs/namei.c:3532 [inline]
 path_openat+0x1144/0x26e4 fs/namei.c:3739
 do_filp_open+0x164/0x330 fs/namei.c:3769
 do_sys_openat2+0x128/0x3d8 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __arm64_sys_openat+0x120/0x154 fs/open.c:1280
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 3653:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb0/0xf0 mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __kmalloc+0x298/0x44c mm/slub.c:4407
 kmalloc include/linux/slab.h:609 [inline]
 kzalloc include/linux/slab.h:735 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
 tomoyo_encode+0x274/0x4a4 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x4bc/0x510 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x1b0/0x518 security/tomoyo/file.c:723
 tomoyo_file_ioctl+0x2c/0x3c security/tomoyo/tomoyo.c:327
 security_file_ioctl+0x80/0xbc security/security.c:1555
 __do_sys_ioctl fs/ioctl.c:868 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __arm64_sys_ioctl+0xa8/0x1c8 fs/ioctl.c:860
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Freed by task 3653:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0x128/0x1e8 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0x170/0x40c mm/slub.c:4559
 tomoyo_path_number_perm+0x3fc/0x518 security/tomoyo/file.c:736
 tomoyo_file_ioctl+0x2c/0x3c security/tomoyo/tomoyo.c:327
 security_file_ioctl+0x80/0xbc security/security.c:1555
 __do_sys_ioctl fs/ioctl.c:868 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __arm64_sys_ioctl+0xa8/0x1c8 fs/ioctl.c:860
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000d1ee8000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 28 bytes inside of
 128-byte region [ffff0000d1ee8000, ffff0000d1ee8080)
The buggy address belongs to the page:
page:0000000096f923e0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111ee8
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 0000000000000000 dead000000000122 ffff0000c0002300
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d1ee7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000d1ee7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d1ee8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000d1ee8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000d1ee8100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
find_entry called with index = 0
... Log Wrap ...
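A triage helper for the report above, added here as an example; it is not part of the syzkaller report, the kernel or any syzbot tooling. It parses the KASAN header, the three stacks, the object description and the shadow-memory dump, picks the first frame in each stack that is not KASAN, allocator or stack-dumper plumbing, and checks that the shadow byte covering the faulting address and its offset inside the kmalloc-128 object agree with what the report states. The embedded REPORT is an excerpt of this page's report with the syscall-entry frames, some KASAN-internal frames and the page dump left out; the shadow-byte meanings are the generic-mode values from mm/kasan/kasan.h in v5.15, and the INFRA prefix list used to skip instrumentation frames is this example's own heuristic.

```python
import re
# Excerpt of the report on this page (trimmed for the example: syscall-entry frames,
# some KASAN-internal frames and the page dump are left out; nothing is altered).
REPORT = """\
BUG: KASAN: use-after-free in dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
Read of size 4 at addr ffff0000d1ee801c by task syz.3.153/4927

Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]

Allocated by task 3653:
 __kasan_kmalloc+0xb0/0xf0 mm/kasan/common.c:522
 __kmalloc+0x298/0x44c mm/slub.c:4407
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]

Freed by task 3653:
 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
 kfree+0x170/0x40c mm/slub.c:4559
 tomoyo_path_number_perm+0x3fc/0x518 security/tomoyo/file.c:736

The buggy address belongs to the object at ffff0000d1ee8000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 28 bytes inside of
 128-byte region [ffff0000d1ee8000, ffff0000d1ee8080)

Memory state around the buggy address:
>ffff0000d1ee8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000d1ee8080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Shadow-byte encodings of generic KASAN, from mm/kasan/kasan.h in v5.15.
SHADOW = {0xfa: "freed object, first granule (free track lives here)", 0xfb: "freed object",
          0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page", 0xf1: "stack left redzone",
          0xf2: "stack mid redzone", 0xf3: "stack right redzone", 0xf4: "stack partial redzone",
          0xf8: "vmalloc invalid", 0xf9: "global redzone"}
# Heuristic (this example's own): frames from KASAN, the slab allocator or the stack dumper.
INFRA = ("mm/kasan/", "mm/slub.c", "mm/slab", "include/linux/kasan.h",
         "include/linux/slab.h", "lib/dump_stack.c", "kernel/stacktrace.c")
FRAME = re.compile(r"^\s*(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+?):(\d+)(?:\s+\[inline\])?\s*$")
ROW = re.compile(r"^[> ]?([0-9a-f]{8,16}):\s+((?:[0-9a-f]{2}\s*)+)$")

def shadow_meaning(b):
    return ("accessible" if b == 0 else f"first {b} bytes accessible") if b < 8 else SHADOW.get(b, f"unknown 0x{b:02x}")

def parse_report(text):
    r, section = {"stacks": {}, "rows": {}}, None
    for ln in text.splitlines():
        m = re.match(r"^BUG: KASAN: (\S+) in (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+):(\d+)", ln)
        if m:
            r.update(bug=m[1], func=m[2], file=m[3], line=int(m[4])); continue
        m = re.match(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", ln)
        if m:
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5])); continue
        if re.match(r"^(Call trace|Allocated by task \d+|Freed by task \d+):", ln):
            section = ln.split()[0].lower()          # "call", "allocated" or "freed"
            r["stacks"][section] = []; continue
        if ln.startswith(("The buggy address", "Memory state")):
            section = None                           # stack sections are over
        m = ROW.match(ln)
        if m:                                        # one row = 16 shadow bytes = 128 bytes of memory
            r["rows"][int(m[1], 16)] = [int(x, 16) for x in m[2].split()]; continue
        m = FRAME.match(ln)
        if m and section:
            r["stacks"][section].append((m[1], m[2], int(m[3])))
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    r.update(obj=int(m[1], 16), cache=m[2], obj_size=int(m[3]))
    m = re.search(r"located (\d+) bytes (inside|to the left|to the right) of\s+\d+-byte region", text)
    r.update(reported_offset=int(m[1]), where=m[2])
    return r

def culprit(r, stack):
    # First frame of a stack that is not instrumentation plumbing.
    for fn, f, ln in r["stacks"].get(stack, []):
        if not any(p in f for p in INFRA):
            return (fn, f, ln)
    return None

def shadow_at(r, addr):
    # Shadow byte covering addr: one byte per 8-byte granule, read from the dumped rows.
    for base, row in r["rows"].items():
        if base <= addr < base + 8 * len(row):
            return row[(addr - base) >> 3]
    return None

def triage(text):
    r = parse_report(text)
    fault, alloc, free = culprit(r, "call"), culprit(r, "allocated"), culprit(r, "freed")
    off, sb = r["addr"] - r["obj"], shadow_at(r, r["addr"])
    return {"bug": r["bug"], "access": (r["access"], r["size"]), "cache": r["cache"],
            "fault": fault, "alloc": alloc, "free": free, "offset": off,
            "offset_matches_report": r["where"] == "inside" and off == r["reported_offset"],
            "shadow": sb, "shadow_meaning": shadow_meaning(sb),
            # The alloc/free tracks name the slot's most recent owner, which need not be the
            # subsystem holding the stale pointer; flag it when the two live in different dirs.
            "last_owner_same_dir": alloc[1].rsplit("/", 1)[0] == fault[1].rsplit("/", 1)[0]}
```

Two things the output makes explicit that a reader has to dig out of the raw text: the faulting shadow byte is 0xfb, a freed kmalloc object (0xfa marks its first granule, where generic KASAN stores the free track), and the allocation and free stacks sit in security/tomoyo while the faulting read is in fs/jfs. Generic KASAN's "Allocated by" and "Freed by" are the alloc and free tracks of the slab slot's most recent owner, so the TOMOYO frames say who last used and released this 128-byte slot, not who still holds a pointer to it; the stale pointer is the one dereferenced in dtSplitRoot, and that is where root-causing has to start.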