jfs_lookup: dtSearch returned -5
find_entry called with index >= next_index
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1998:37
index -128 is out of range for type 'struct dtslot[128]'
CPU: 1 UID: 0 PID: 7411 Comm: syz.1.159 Not tainted 6.16.0-rc6-syzkaller-gaaef6f251176 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 dump_stack+0x1c/0x28 lib/dump_stack.c:129
 ubsan_epilogue+0x14/0x48 lib/ubsan.c:233
 __ubsan_handle_out_of_bounds+0xd0/0xfc lib/ubsan.c:455
 dtSplitRoot+0x87c/0x12f4 fs/jfs/jfs_dtree.c:1998
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xba0/0x49c0 fs/jfs/jfs_dtree.c:871
 jfs_mkdir+0x5a4/0x8b4 fs/jfs/namei.c:270
 vfs_mkdir+0x284/0x424 fs/namei.c:4375
 do_mkdirat+0x1f8/0x4c8 fs/namei.c:4408
 __do_sys_mkdirat fs/namei.c:4425 [inline]
 __se_sys_mkdirat fs/namei.c:4423 [inline]
 __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4423
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
---[ end trace ]---
==================================================================
BUG: KASAN: slab-use-after-free in dtSplitRoot+0x898/0x12f4 fs/jfs/jfs_dtree.c:1999
Read of size 4 at addr ffff0000dfa1001c by task syz.1.159/7411

CPU: 1 UID: 0 PID: 7411 Comm: syz.1.159 Not tainted 6.16.0-rc6-syzkaller-gaaef6f251176 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x220 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:480
 kasan_report+0xb0/0x110 mm/kasan/report.c:593
 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380
 dtSplitRoot+0x898/0x12f4 fs/jfs/jfs_dtree.c:1999
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xba0/0x49c0 fs/jfs/jfs_dtree.c:871
 jfs_mkdir+0x5a4/0x8b4 fs/jfs/namei.c:270
 vfs_mkdir+0x284/0x424 fs/namei.c:4375
 do_mkdirat+0x1f8/0x4c8 fs/namei.c:4408
 __do_sys_mkdirat fs/namei.c:4425 [inline]
 __se_sys_mkdirat fs/namei.c:4423 [inline]
 __arm64_sys_mkdirat+0x8c/0xa4 fs/namei.c:4423
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Allocated by task 6534:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x70/0x88 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4148 [inline]
 slab_alloc_node mm/slub.c:4197 [inline]
 kmem_cache_alloc_noprof+0x238/0x3e8 mm/slub.c:4204
 vm_area_dup+0x34/0x50c mm/vma_init.c:122
 dup_mmap+0x778/0x16b4 mm/mmap.c:1784
 dup_mm kernel/fork.c:1477 [inline]
 copy_mm+0x100/0x438 kernel/fork.c:1529
 copy_process+0x1518/0x318c kernel/fork.c:2169
 kernel_clone+0x1d8/0x7a0 kernel/fork.c:2599
 __do_sys_clone kernel/fork.c:2742 [inline]
 __se_sys_clone kernel/fork.c:2710 [inline]
 __arm64_sys_clone+0x144/0x1a0 kernel/fork.c:2710
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Freed by task 7290:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2381 [inline]
 slab_free_after_rcu_debug+0x11c/0x2f4 mm/slub.c:4693
 rcu_do_batch kernel/rcu/tree.c:2576 [inline]
 rcu_core+0x848/0x17a4 kernel/rcu/tree.c:2832
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2849
 handle_softirqs+0x328/0xc88 kernel/softirq.c:579
 __do_softirq+0x14/0x20 kernel/softirq.c:613

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 kasan_record_aux_stack+0xb0/0xc8 mm/kasan/generic.c:548
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4643 [inline]
 kmem_cache_free+0x354/0x550 mm/slub.c:4745
 vm_area_free+0x108/0x17c mm/vma_init.c:150
 remove_vma+0x120/0x138 mm/vma.c:465
 exit_mmap+0x414/0xabc mm/mmap.c:1309
 __mmput+0xec/0x3dc kernel/fork.c:1121
 mmput+0x70/0xac kernel/fork.c:1144
 exit_mm+0x13c/0x200 kernel/exit.c:581
 do_exit+0x4bc/0x19fc kernel/exit.c:952
 do_group_exit+0x194/0x22c kernel/exit.c:1105
 get_signal+0x11dc/0x12f8 kernel/signal.c:3034
 do_signal+0x274/0x4438 arch/arm64/kernel/signal.c:1615
 do_notify_resume+0xb0/0x1f4 arch/arm64/kernel/entry-common.c:152
 exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:173 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:182 [inline]
 el0_svc+0xb8/0x180 arch/arm64/kernel/entry-common.c:880
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the object at ffff0000dfa10000
 which belongs to the cache vm_area_struct of size 256
The buggy address is located 28 bytes inside of
 freed 256-byte region [ffff0000dfa10000, ffff0000dfa10100)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11fa10
memcg:ffff0000d46ba681
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000000 ffff0000c18b1b40 dead000000000122 0000000000000000
raw: 0000000000000000 00000000000c000c 00000000f5000000 ffff0000d46ba681
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000dfa0ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000dfa0ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000dfa10000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000dfa10080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000dfa10100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
find_entry called with index >= next_index
... Log Wrap ... Log Wrap ... Log Wrap ...
jfs_lookup: dtSearch returned -5
jfs_lookup: dtSearch returned -5
jfs_lookup: dtSearch returned -5