... Log Wrap ... Log Wrap ... Log Wrap ...
find_entry called with index >= next_index
==================================================================
BUG: KASAN: use-after-free in dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
Read of size 4 at addr ffff0000e97f601c by task syz.2.24/4251

CPU: 0 PID: 4251 Comm: syz.2.24 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xaa4/0x55dc fs/jfs/jfs_dtree.c:871
 jfs_create+0x588/0x8c4 fs/jfs/namei.c:137
 lookup_open fs/namei.c:3462 [inline]
 open_last_lookups fs/namei.c:3532 [inline]
 path_openat+0x1144/0x26e4 fs/namei.c:3739
 do_filp_open+0x164/0x330 fs/namei.c:3769
 do_sys_openat2+0x128/0x3d8 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __arm64_sys_openat+0x120/0x154 fs/open.c:1280
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 4114:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc+0xb0/0xf0 mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __kmalloc+0x298/0x44c mm/slub.c:4407
 kmalloc include/linux/slab.h:609 [inline]
 switchdev_deferred_enqueue+0x38/0x228 net/switchdev/switchdev.c:87
 switchdev_port_obj_add_defer net/switchdev/switchdev.c:236 [inline]
 switchdev_port_obj_add+0x120/0x284 net/switchdev/switchdev.c:255
 br_mdb_switchdev_host_port net/bridge/br_mdb.c:744 [inline]
 br_mdb_switchdev_host net/bridge/br_mdb.c:759 [inline]
 br_mdb_notify+0x348/0xee8 net/bridge/br_mdb.c:799
 br_multicast_host_join net/bridge/br_multicast.c:1327 [inline]
 __br_multicast_add_group+0x7cc/0x96c net/bridge/br_multicast.c:1370
 br_multicast_add_group net/bridge/br_multicast.c:1414 [inline]
 br_ip6_multicast_add_group net/bridge/br_multicast.c:1466 [inline]
 br_ip6_multicast_mld2_report net/bridge/br_multicast.c:2863 [inline]
 br_multicast_ipv6_rcv net/bridge/br_multicast.c:3801 [inline]
 br_multicast_rcv+0x28b8/0x5044 net/bridge/br_multicast.c:3859
 br_dev_xmit+0x7cc/0x1094 net/bridge/br_device.c:94
 __netdev_start_xmit include/linux/netdevice.h:5027 [inline]
 netdev_start_xmit include/linux/netdevice.h:5041 [inline]
 xmit_one net/core/dev.c:3649 [inline]
 dev_hard_start_xmit+0x2a8/0x87c net/core/dev.c:3665
 __dev_queue_xmit+0x12d8/0x2800 net/core/dev.c:4288
 dev_queue_xmit+0x24/0x34 net/core/dev.c:4321
 neigh_hh_output include/net/neighbour.h:493 [inline]
 neigh_output include/net/neighbour.h:507 [inline]
 ip6_finish_output2+0x129c/0x1a14 net/ipv6/ip6_output.c:130
 __ip6_finish_output net/ipv6/ip6_output.c:201 [inline]
 ip6_finish_output+0x570/0x6dc net/ipv6/ip6_output.c:211
 NF_HOOK_COND include/linux/netfilter.h:291 [inline]
 ip6_output+0x274/0x500 net/ipv6/ip6_output.c:234
 dst_output include/net/dst.h:452 [inline]
 NF_HOOK+0x15c/0x42c include/linux/netfilter.h:302
 mld_sendpack+0x7d4/0x1058 net/ipv6/mcast.c:1826
 mld_send_cr net/ipv6/mcast.c:2127 [inline]
 mld_ifc_work+0x784/0xad8 net/ipv6/mcast.c:2659
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:855

The buggy address belongs to the object at ffff0000e97f6000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 28 bytes inside of
 128-byte region [ffff0000e97f6000, ffff0000e97f6080)
The buggy address belongs to the page:
page:00000000b2285a2a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000e97f6800 pfn:0x1297f6
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc0003242f40 0000000800000008 ffff0000c0002300
raw: ffff0000e97f6800 0000000080100007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e97f5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000e97f5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000e97f6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000e97f6080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000e97f6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
find_entry called with index >= next_index