================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:628:10
index 237 is out of range for type 'struct dtslot[128]'
CPU: 1 PID: 4670 Comm: iou-wrk-4669 Not tainted 6.1.125-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xfc/0x148 lib/ubsan.c:282
 dtSearch+0x1718/0x1f34 fs/jfs/jfs_dtree.c:628
 jfs_lookup+0x164/0x39c fs/jfs/namei.c:1459
 __lookup_slow+0x250/0x374 fs/namei.c:1690
 lookup_slow+0x60/0x84 fs/namei.c:1707
 walk_component+0x280/0x36c fs/namei.c:1998
 lookup_last fs/namei.c:2455 [inline]
 path_lookupat+0x13c/0x3d0 fs/namei.c:2479
 do_o_path+0xa8/0x214 fs/namei.c:3754
 path_openat+0x203c/0x2548 fs/namei.c:3776
 do_filp_open+0x1bc/0x3cc fs/namei.c:3810
 io_openat2+0x368/0x7b4 io_uring/openclose.c:129
 io_openat+0x28/0x38 io_uring/openclose.c:167
 io_issue_sqe+0x308/0xa24 io_uring/io_uring.c:1753
 io_wq_submit_work+0x3d4/0x760 io_uring/io_uring.c:1830
 io_worker_handle_work+0x728/0xc8c io_uring/io-wq.c:600
 io_wqe_worker+0x2f0/0xbec io_uring/io-wq.c:645
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:783:21
index -8 is out of range for type 'struct dtslot[128]'
CPU: 1 PID: 4670 Comm: iou-wrk-4669 Not tainted 6.1.125-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x5c lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0xfc/0x148 lib/ubsan.c:282
 dtSearch+0x16e4/0x1f34 fs/jfs/jfs_dtree.c:783
 jfs_lookup+0x164/0x39c fs/jfs/namei.c:1459
 __lookup_slow+0x250/0x374 fs/namei.c:1690
 lookup_slow+0x60/0x84 fs/namei.c:1707
 walk_component+0x280/0x36c fs/namei.c:1998
 lookup_last fs/namei.c:2455 [inline]
 path_lookupat+0x13c/0x3d0 fs/namei.c:2479
 do_o_path+0xa8/0x214 fs/namei.c:3754
 path_openat+0x203c/0x2548 fs/namei.c:3776
 do_filp_open+0x1bc/0x3cc fs/namei.c:3810
 io_openat2+0x368/0x7b4 io_uring/openclose.c:129
 io_openat+0x28/0x38 io_uring/openclose.c:167
 io_issue_sqe+0x308/0xa24 io_uring/io_uring.c:1753
 io_wq_submit_work+0x3d4/0x760 io_uring/io_uring.c:1830
 io_worker_handle_work+0x728/0xc8c io_uring/io-wq.c:600
 io_wqe_worker+0x2f0/0xbec io_uring/io-wq.c:645
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
================================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in addressPXD fs/jfs/jfs_types.h:80 [inline]
BUG: KASAN: slab-out-of-bounds in dtSearch+0x15dc/0x1f34 fs/jfs/jfs_dtree.c:784
Read of size 4 at addr ffff0000db0b1f00 by task iou-wrk-4669/4670

CPU: 0 PID: 4670 Comm: iou-wrk-4669 Not tainted 6.1.125-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:316 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:427
 kasan_report+0xd4/0x130 mm/kasan/report.c:531
 __asan_report_load4_noabort+0x2c/0x38 mm/kasan/report_generic.c:350
 addressPXD fs/jfs/jfs_types.h:80 [inline]
 dtSearch+0x15dc/0x1f34 fs/jfs/jfs_dtree.c:784
 jfs_lookup+0x164/0x39c fs/jfs/namei.c:1459
 __lookup_slow+0x250/0x374 fs/namei.c:1690
 lookup_slow+0x60/0x84 fs/namei.c:1707
 walk_component+0x280/0x36c fs/namei.c:1998
 lookup_last fs/namei.c:2455 [inline]
 path_lookupat+0x13c/0x3d0 fs/namei.c:2479
 do_o_path+0xa8/0x214 fs/namei.c:3754
 path_openat+0x203c/0x2548 fs/namei.c:3776
 do_filp_open+0x1bc/0x3cc fs/namei.c:3810
 io_openat2+0x368/0x7b4 io_uring/openclose.c:129
 io_openat+0x28/0x38 io_uring/openclose.c:167
 io_issue_sqe+0x308/0xa24 io_uring/io_uring.c:1753
 io_wq_submit_work+0x3d4/0x760 io_uring/io_uring.c:1830
 io_worker_handle_work+0x728/0xc8c io_uring/io-wq.c:600
 io_wqe_worker+0x2f0/0xbec io_uring/io-wq.c:645
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Allocated by task 4383:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:328
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook+0x74/0x458 mm/slab.h:737
 slab_alloc_node mm/slub.c:3398 [inline]
 slab_alloc mm/slub.c:3406 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
 kmem_cache_alloc+0x230/0x37c mm/slub.c:3422
 kmem_cache_zalloc include/linux/slab.h:689 [inline]
 __alloc_file+0x30/0x22c fs/file_table.c:138
 alloc_empty_file+0xa8/0x198 fs/file_table.c:187
 path_openat+0xd0/0x2548 fs/namei.c:3769
 do_filp_open+0x1bc/0x3cc fs/namei.c:3810
 do_sys_openat2+0x128/0x3e0 fs/open.c:1318
 do_sys_open fs/open.c:1334 [inline]
 __do_sys_openat fs/open.c:1350 [inline]
 __se_sys_openat fs/open.c:1345 [inline]
 __arm64_sys_openat+0x1f0/0x240 fs/open.c:1345
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Freed by task 21:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 kmem_cache_free+0x2f0/0x588 mm/slub.c:3683
 file_free_rcu+0xac/0x12c fs/file_table.c:51
 rcu_do_batch kernel/rcu/tree.c:2297 [inline]
 rcu_core+0x880/0x1c48 kernel/rcu/tree.c:2557
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2574
 handle_softirqs+0x318/0xd58 kernel/softirq.c:571
 run_ksoftirqd+0x6c/0x29c kernel/softirq.c:938
 smpboot_thread_fn+0x4b0/0x96c kernel/smpboot.c:164
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:496
 call_rcu+0xfc/0xa40 kernel/rcu/tree.c:2845
 file_free fs/file_table.c:59 [inline]
 __fput+0x518/0x7c8 fs/file_table.c:333
 ____fput+0x20/0x30 fs/file_table.c:348
 task_work_run+0x240/0x2f0 kernel/task_work.c:203
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 do_notify_resume+0x2080/0x2cb8 arch/arm64/kernel/signal.c:1132
 prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:137 [inline]
 exit_to_user_mode arch/arm64/kernel/entry-common.c:142 [inline]
 el0_svc+0x9c/0x168 arch/arm64/kernel/entry-common.c:638
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

Second to last potentially related work creation:
 kasan_save_stack+0x40/0x70 mm/kasan/common.c:45
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:486
 kasan_record_aux_stack+0x14/0x20 mm/kasan/generic.c:491
 task_work_add+0x94/0x3d4 kernel/task_work.c:48
 fput+0xf8/0x208 fs/file_table.c:376
 filp_close+0x104/0x160 fs/open.c:1437
 close_fd+0x7c/0x9c fs/file.c:646
 __do_sys_close fs/open.c:1450 [inline]
 __se_sys_close fs/open.c:1448 [inline]
 __arm64_sys_close+0x40/0x90 fs/open.c:1448
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the object at ffff0000db0b1b80
 which belongs to the cache filp of size 456
The buggy address is located 440 bytes to the right of
 456-byte region [ffff0000db0b1b80, ffff0000db0b1d48)

The buggy address belongs to the physical page:
page:000000009cae01c5 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b0b0
head:000000009cae01c5 order:1 compound_mapcount:0 compound_pincount:0
memcg:ffff0000d7eeb901
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 fffffc0003675280 dead000000000004 ffff0000c0852780
raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff0000d7eeb901
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000db0b1e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000db0b1e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000db0b1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff0000db0b1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000db0b2000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
ERROR: (device loop1): dtSearch: stack overrun!
btstack dump:
 bn = 0, index = 0
 bn = 8ed2c, index = 0
 bn = 0, index = 0
 bn = 8ed2c, index = 0
 bn = 0, index = 0
 bn = 8ed2c, index = 0
 bn = 0, index = 0
 bn = 0, index = 0
jfs_lookup: dtSearch returned -5
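Added example, not part of the syzkaller report above and not code from fs/jfs: a C model of the directory page that the three reports index into, with the checks they call for. The first UBSAN report shows dtSearch reaching slot[237] and the second slot[-8] of a 128-entry struct dtslot array; the KASAN report is the follow-on 4-byte read in addressPXD through the pointer that the -8 index produced, which landed 440 bytes past an unrelated 456-byte filp object; the closing ERROR is jfs_error's "stack overrun!" after the fixed-height btstack filled with the same two block numbers (0 and 8ed2c) over and over, and -5 is -EIO propagated back to jfs_lookup. The model assumes its own field names (leaf, stblindex, nextindex), a 32-byte slot, an 8-frame stack and that a child block number sits in the first 8 bytes of a slot; none of that is taken from JFS, and the checks are illustrative, not the upstream fix. It goes one step beyond the fixed-depth check the message implies by also refusing a block number that is already on the descent stack, which is what the alternating dump shows.

```c
/* Added example, not code from fs/jfs or from the syzkaller report: a model of
 * the directory page the reports index into, with the bounds checks they call
 * for. Field names, the 32-byte slot and the 8-frame stack are assumptions that
 * mirror the report ('struct dtslot[128]', eight btstack frames), not JFS's. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTSLOTS  128   /* from the UBSAN report: struct dtslot[128] */
#define SLOTSZ   32    /* assumed slot size in bytes */
#define MAXDEPTH 8     /* assumed: the btstack dump shows eight frames */
#define EIO      5     /* the report ends with dtSearch returning -5 */

struct dtslot { uint8_t raw[SLOTSZ]; };
/* Assumed layout: header, then slot[]; the sorted table (stbl) is an array of
 * signed bytes stored inside slot[], starting at slot[stblindex]. */
struct dtpage {
    uint8_t leaf;        /* 1: leaf page; 0: internal page holding child bns */
    uint8_t stblindex;   /* slot number where the sorted table starts */
    uint8_t nextindex;   /* live entries in the sorted table */
    struct dtslot slot[DTSLOTS];
};

static const int8_t *dt_getstbl(const struct dtpage *p) { return (const int8_t *)&p->slot[p->stblindex]; }

/* Reject a page whose table locator or table entries would index past slot[]:
 * report 1 reached slot[237], report 2 slot[-8]. */
int dt_validate_page(const struct dtpage *p)
{
    if ((unsigned)p->stblindex + DTSLOTS / SLOTSZ > DTSLOTS || p->nextindex > DTSLOTS)
        return -EIO;                              /* table itself runs off the page */
    const int8_t *stbl = dt_getstbl(p);
    for (unsigned i = 0; i < p->nextindex; i++)
        if (stbl[i] < 0 || stbl[i] >= DTSLOTS) return -EIO;   /* s8: can be negative */
    return 0;
}

/* Descend from bn to a leaf over a fixed-height stack of visited block numbers,
 * as in the btstack dump. That dump alternates bn 0 and 8ed2c, so besides the
 * full-stack check this walker also refuses a bn that is already on the stack. */
int dt_descend(uint64_t bn, const struct dtpage *(*get)(uint64_t), uint64_t *leaf)
{
    uint64_t stack[MAXDEPTH]; int top = 0;
    for (;;) {
        const struct dtpage *p = get(bn);
        int rc = p ? dt_validate_page(p) : -EIO;
        if (rc) return rc;
        if (p->leaf) { *leaf = bn; return 0; }
        for (int i = 0; i < top; i++)
            if (stack[i] == bn) return -EIO;      /* tree loops back on itself */
        if (top == MAXDEPTH) return -EIO;         /* 'stack overrun!' */
        stack[top++] = bn;
        if (p->nextindex == 0) return -EIO;
        /* assumed: the child bn sits in the first 8 bytes of entry 0's slot */
        memcpy(&bn, p->slot[dt_getstbl(p)[0]].raw, sizeof bn);
    }
}

/* Constructed fixtures: a ten-page "image" addressed by block number. */
static struct dtpage disk[10];
static const struct dtpage *get_page(uint64_t bn) { return bn < 10 ? &disk[bn] : NULL; }

static void set_page(uint64_t bn, int leaf, uint64_t child)
{
    struct dtpage *p = &disk[bn];
    memset(p, 0, sizeof *p);
    p->leaf = (uint8_t)leaf;
    p->stblindex = 100;                   /* table occupies slots 100..103 */
    p->nextindex = 1;
    ((int8_t *)&p->slot[100])[0] = 3;     /* entry 0 lives in slot 3 */
    memcpy(p->slot[3].raw, &child, sizeof child);
}

/* Each scenario rebuilds the image and returns dt_descend()'s result. */
int scenario_two_level(void) {      /* 0 -> 1 (leaf): 1 when the leaf is found */
    uint64_t leaf = 99; set_page(0, 0, 1); set_page(1, 1, 0);
    return dt_descend(0, get_page, &leaf) == 0 && leaf == 1;
}
int scenario_bad_stblindex(void) {  /* report 1: table locator 237 */
    uint64_t leaf; set_page(0, 1, 0); disk[0].stblindex = 237;
    return dt_descend(0, get_page, &leaf);
}
int scenario_negative_entry(void) { /* report 2: table entry -8 */
    uint64_t leaf; set_page(0, 1, 0); ((int8_t *)&disk[0].slot[100])[0] = -8;
    return dt_descend(0, get_page, &leaf);
}
int scenario_cycle(void) {          /* 0 -> 1 -> 0, as in the btstack dump */
    uint64_t leaf; set_page(0, 0, 1); set_page(1, 0, 0);
    return dt_descend(0, get_page, &leaf);
}
int scenario_overrun(void) {        /* 0 -> 1 -> ... -> 9: deeper than MAXDEPTH */
    uint64_t leaf; for (uint64_t i = 0; i < 10; i++) set_page(i, 0, i + 1);
    return dt_descend(0, get_page, &leaf);
}

int main(void)
{
    printf("%d %d %d %d %d\n", scenario_two_level(), scenario_bad_stblindex(),
           scenario_negative_entry(), scenario_cycle(), scenario_overrun());
    return 0;
}
```

Build with `cc -Wall` and run: the well-formed two-level tree resolves to leaf 1, while the table locator of 237, the table entry of -8, the 0/1 cycle and a chain deeper than MAXDEPTH are each refused with -EIO before slot[] is dereferenced. The point of validating the whole sorted table up front, rather than at each use, is that dtSearch's binary search touches table entries in data-dependent order, so a per-access check is easy to miss on one path, which is exactly how line 783 was reached after line 628 had already been flagged.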