... Log Wrap ... Log Wrap ... Log Wrap ...
find_entry called with index >= next_index
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1995:37
index -128 is out of range for type 'struct dtslot[128]'
CPU: 0 PID: 4255 Comm: syz-executor425 Not tainted 5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282
 dtSplitRoot+0x998/0x1440 fs/jfs/jfs_dtree.c:1995
 dtSplitUp fs/jfs/jfs_dtree.c:990 [inline]
 dtInsert+0xee0/0x5534 fs/jfs/jfs_dtree.c:868
 jfs_symlink+0x910/0xf1c fs/jfs/namei.c:1019
 vfs_symlink+0x244/0x3a8 fs/namei.c:4429
 do_symlinkat+0x364/0x6b0 fs/namei.c:4458
 __do_sys_symlinkat fs/namei.c:4475 [inline]
 __se_sys_symlinkat fs/namei.c:4472 [inline]
 __arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
================================================================================
==================================================================
BUG: KASAN: use-after-free in dtSplitRoot+0x95c/0x1440 fs/jfs/jfs_dtree.c:1996
Read of size 4 at addr ffff0000c1ccc01c by task syz-executor425/4255

CPU: 0 PID: 4255 Comm: syz-executor425 Not tainted 5.15.176-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0x95c/0x1440 fs/jfs/jfs_dtree.c:1996
 dtSplitUp fs/jfs/jfs_dtree.c:990 [inline]
 dtInsert+0xee0/0x5534 fs/jfs/jfs_dtree.c:868
 jfs_symlink+0x910/0xf1c fs/jfs/namei.c:1019
 vfs_symlink+0x244/0x3a8 fs/namei.c:4429
 do_symlinkat+0x364/0x6b0 fs/namei.c:4458
 __do_sys_symlinkat fs/namei.c:4475 [inline]
 __se_sys_symlinkat fs/namei.c:4472 [inline]
 __arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 3642:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 ____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
 __kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
 kasan_kmalloc include/linux/kasan.h:264 [inline]
 __kmalloc+0x29c/0x4c8 mm/slub.c:4407
 kmalloc include/linux/slab.h:596 [inline]
 kzalloc include/linux/slab.h:721 [inline]
 tomoyo_encode2 security/tomoyo/realpath.c:45 [inline]
 tomoyo_encode+0x270/0x4b0 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x4b4/0x508 security/tomoyo/realpath.c:288
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x1dc/0x3f4 security/tomoyo/file.c:771
 tomoyo_file_open+0x138/0x1b0 security/tomoyo/tomoyo.c:311
 security_file_open+0x6c/0xb0 security/security.c:1668
 do_dentry_open+0x29c/0xed8 fs/open.c:813
 vfs_open+0x7c/0x90 fs/open.c:956
 do_open fs/namei.c:3608 [inline]
 path_openat+0x1ea0/0x26cc fs/namei.c:3742
 do_filp_open+0x1a8/0x3b4 fs/namei.c:3769
 do_sys_openat2+0x128/0x3e0 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __arm64_sys_openat+0x1f0/0x240 fs/open.c:1280
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Freed by task 3642:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0x128/0x1ec mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kfree+0x178/0x410 mm/slub.c:4559
 tomoyo_check_open_permission+0x2bc/0x3f4 security/tomoyo/file.c:786
 tomoyo_file_open+0x138/0x1b0 security/tomoyo/tomoyo.c:311
 security_file_open+0x6c/0xb0 security/security.c:1668
 do_dentry_open+0x29c/0xed8 fs/open.c:813
 vfs_open+0x7c/0x90 fs/open.c:956
 do_open fs/namei.c:3608 [inline]
 path_openat+0x1ea0/0x26cc fs/namei.c:3742
 do_filp_open+0x1a8/0x3b4 fs/namei.c:3769
 do_sys_openat2+0x128/0x3e0 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __arm64_sys_openat+0x1f0/0x240 fs/open.c:1280
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000c1ccc000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 28 bytes inside of
 128-byte region [ffff0000c1ccc000, ffff0000c1ccc080)
The buggy address belongs to the page:
page:00000000477072e1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101ccc
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc00030987c0 0000000200000002 ffff0000c0002300
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c1ccbf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000c1ccbf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000c1ccc000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000c1ccc080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000c1ccc100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
find_entry called with index >= next_index
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
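The two reports above describe one access: UBSAN flags an index of -128 into a `struct dtslot[128]` at jfs_dtree.c:1995, and KASAN catches the 4-byte read that follows at line 1996, landing 28 bytes into a freed kmalloc-128 object. A slot index in JFS directory pages is an `s8` taken from the page's slot index table (stbl), so a corrupt on-disk table entry becomes a negative array index; the read that follows walks back 128 slots of 16 bytes, well outside the page buffer, into whatever the allocator last freed there (here a TOMOYO realpath buffer). The program below is an added, user-space model of that lookup and of the bounds check that would reject the entry; it is not kernel code and not a patch from the JFS maintainers. The constants follow `fs/jfs/jfs_dtree.h`; the function names, the `dtslot` layout and the sample stbl contents are constructed for illustration, and the reading that line 1995 indexes `rp->slot[]` with an stbl entry is an inference from the trace, not something the report states.

```c
/*
 * Added example, not kernel code: a model of the stbl -> slot lookup that the
 * report points at in dtSplitRoot, and a bounds check that would have rejected
 * the corrupt entry. Constants follow fs/jfs/jfs_dtree.h; the function names
 * and the sample tables are constructed for illustration.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DTPAGEMAXSLOT 128   /* slots in a full directory page: struct dtslot[128] */
#define DTROOTMAXSLOT 9     /* slots in the in-line root that dtSplitRoot copies out */
#define DTENTRYSTART  1     /* slot 0 holds the page header; entries start at 1 */

/* One 16-byte directory slot. Layout simplified; only the size matters here. */
struct dtslot {
    int8_t  next;
    int8_t  cnt;
    uint8_t name[14];
};

/*
 * Byte offset of &page->slot[idx] relative to the page buffer. The stbl entry
 * is an s8, so a corrupt value such as -128 resolves 2048 bytes *before* the
 * page, which is what UBSAN reports as "index -128" and what KASAN then sees
 * as a 4-byte read inside a freed kmalloc-128 object. Returning the offset
 * instead of dereferencing keeps this program well-defined.
 */
static long slot_byte_offset(int8_t idx)
{
    return (long)idx * (long)sizeof(struct dtslot);
}

/* The unchecked pattern: trust stbl[n] from disk and use it as the slot index. */
static long lookup_slot_unchecked(const int8_t *stbl, int n)
{
    return slot_byte_offset(stbl[n]);
}

/* A slot index is usable only if it names a data slot inside [DTENTRYSTART, maxslot). */
static bool dt_slot_index_valid(int8_t idx, int maxslot)
{
    return idx >= DTENTRYSTART && idx < maxslot;
}

/*
 * Hardened pattern: validate every live stbl entry before the split copies the
 * in-line root into the new right page and walks the copied table. Returns 0
 * when the table is sane, -1 otherwise with *bad_pos set to the offending
 * position (or -1 when nextindex itself is out of range; slot 0 is the header,
 * so a page can hold at most maxslot-1 entries). A kernel caller would return
 * -EIO and mark the filesystem corrupt rather than continue the split.
 */
static int validate_stbl(const int8_t *stbl, int nextindex, int maxslot, int *bad_pos)
{
    if (nextindex < 0 || nextindex >= maxslot) {
        if (bad_pos) *bad_pos = -1;
        return -1;
    }
    for (int n = 0; n < nextindex; n++) {
        if (!dt_slot_index_valid(stbl[n], maxslot)) {
            if (bad_pos) *bad_pos = n;
            return -1;
        }
    }
    return 0;
}

/* Constructed in-line root tables: a sane one, and one carrying the poisoned
 * entry that a fuzzer-built image would supply. */
static const int8_t sane_root_stbl[DTROOTMAXSLOT]    = { 1, 3, 5, 7 };
static const int8_t corrupt_root_stbl[DTROOTMAXSLOT] = { 1, -128, 5 };

int main(void)
{
    int bad = 0;
    int rc_sane = validate_stbl(sane_root_stbl, 4, DTROOTMAXSLOT, &bad);
    printf("sane    : validate=%d\n", rc_sane);

    int rc_bad = validate_stbl(corrupt_root_stbl, 3, DTROOTMAXSLOT, &bad);
    printf("corrupt : validate=%d bad_pos=%d\n", rc_bad, bad);

    printf("unchecked offset for corrupt entry: %ld bytes\n",
           lookup_slot_unchecked(corrupt_root_stbl, 1));
    return 0;
}
```

The check belongs before the copy, not after: once the stbl has been copied into the right page and the entry loop starts, every iteration trusts the table, and a single negative entry turns the walk into an out-of-page read whose target depends only on what the slab allocator happened to free nearby. The same validation applies to any directory page read from disk, since the in-line root is just the first place this report happened to hit.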