------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:2892:30
index -1 is out of range for type 'struct dtslot[128]'
CPU: 0 PID: 8879 Comm: syz-executor.4 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xf8/0x148 lib/ubsan.c:347
 jfs_readdir+0x1580/0x37bc fs/jfs/jfs_dtree.c:2892
 wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:67
 shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
 iterate_dir+0x3f8/0x580 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:394
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:2647:28
index -1 is out of range for type 'struct dtslot[128]'
CPU: 0 PID: 8879 Comm: syz-executor.4 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xf8/0x148 lib/ubsan.c:347
 add_missing_indices fs/jfs/jfs_dtree.c:2647 [inline]
 jfs_readdir+0x1dfc/0x37bc fs/jfs/jfs_dtree.c:3009
 wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:67
 shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
 iterate_dir+0x3f8/0x580 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:394
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:750:12
index 255 is out of range for type 'struct dtslot[128]'
CPU: 1 PID: 8879 Comm: syz-executor.4 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xf8/0x148 lib/ubsan.c:347
 diWrite+0xbcc/0x15cc fs/jfs/jfs_imap.c:750
 txCommit+0x750/0x5438 fs/jfs/jfs_txnmgr.c:1255
 add_missing_indices fs/jfs/jfs_dtree.c:2661 [inline]
 jfs_readdir+0x1e80/0x37bc fs/jfs/jfs_dtree.c:3009
 wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:67
 shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
 iterate_dir+0x3f8/0x580 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:394
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
---[ end trace ]---
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:750:35
index 255 is out of range for type 'struct dtslot[128]'
CPU: 0 PID: 8879 Comm: syz-executor.4 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 dump_stack+0x1c/0x28 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xf8/0x148 lib/ubsan.c:347
 diWrite+0xc24/0x15cc fs/jfs/jfs_imap.c:750
 txCommit+0x750/0x5438 fs/jfs/jfs_txnmgr.c:1255
 add_missing_indices fs/jfs/jfs_dtree.c:2661 [inline]
 jfs_readdir+0x1e80/0x37bc fs/jfs/jfs_dtree.c:3009
 wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:67
 shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
 iterate_dir+0x3f8/0x580 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:394
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
---[ end trace ]---
==================================================================
BUG: KASAN: slab-use-after-free in diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:750
Read of size 32 at addr ffff0000df2d0890 by task syz-executor.4/8879

CPU: 0 PID: 8879 Comm: syz-executor.4 Not tainted 6.8.0-rc7-syzkaller-g707081b61156 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:291
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:298
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x178/0x518 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 kasan_check_range+0x254/0x294 mm/kasan/generic.c:189
 __asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
 diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:750
 txCommit+0x750/0x5438 fs/jfs/jfs_txnmgr.c:1255
 add_missing_indices fs/jfs/jfs_dtree.c:2661 [inline]
 jfs_readdir+0x1e80/0x37bc fs/jfs/jfs_dtree.c:3009
 wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:67
 shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
 iterate_dir+0x3f8/0x580 fs/readdir.c:110
 __do_sys_getdents64 fs/readdir.c:409 [inline]
 __se_sys_getdents64 fs/readdir.c:394 [inline]
 __arm64_sys_getdents64+0x1c4/0x4a0 fs/readdir.c:394
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Allocated by task 6184:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:575
 unpoison_slab_object mm/kasan/common.c:312 [inline]
 __kasan_slab_alloc+0x74/0x8c mm/kasan/common.c:338
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slub.c:3813 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 kmem_cache_alloc_lru+0x1e0/0x48c mm/slub.c:3879
 alloc_inode_sb include/linux/fs.h:3018 [inline]
 ext4_alloc_inode+0x30/0x44c fs/ext4/super.c:1408
 alloc_inode fs/inode.c:260 [inline]
 new_inode_pseudo+0x68/0x1d0 fs/inode.c:1005
 new_inode+0x30/0x16c fs/inode.c:1031
 __ext4_new_inode+0x2cc/0x39a0 fs/ext4/ialloc.c:958
 ext4_mkdir+0x33c/0xa64 fs/ext4/namei.c:3014
 vfs_mkdir+0x27c/0x3e4 fs/namei.c:4126
 do_mkdirat+0x248/0x574 fs/namei.c:4149
 __do_sys_mkdirat fs/namei.c:4164 [inline]
 __se_sys_mkdirat fs/namei.c:4162 [inline]
 __arm64_sys_mkdirat+0x90/0xa8 fs/namei.c:4162
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

Freed by task 28:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:589
 poison_slab_object+0x124/0x18c mm/kasan/common.c:240
 __kasan_slab_free+0x3c/0x70 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2121 [inline]
 slab_free mm/slub.c:4299 [inline]
 kmem_cache_free+0x15c/0x3d4 mm/slub.c:4363
 ext4_free_in_core_inode+0x64/0xb0 fs/ext4/super.c:1461
 i_callback+0x50/0x78 fs/inode.c:249
 rcu_do_batch kernel/rcu/tree.c:2190 [inline]
 rcu_core+0x890/0x1b34 kernel/rcu/tree.c:2465
 rcu_core_si+0x10/0x1c kernel/rcu/tree.c:2482
 __do_softirq+0x2d8/0xce4 kernel/softirq.c:553

Last potentially related work creation:
 kasan_save_stack+0x40/0x6c mm/kasan/common.c:47
 __kasan_record_aux_stack+0xcc/0xe8 mm/kasan/generic.c:551
 kasan_record_aux_stack_noalloc+0x14/0x20 mm/kasan/generic.c:561
 __call_rcu_common kernel/rcu/tree.c:2715 [inline]
 call_rcu+0x104/0xaf4 kernel/rcu/tree.c:2829
 destroy_inode fs/inode.c:315 [inline]
 evict+0x5fc/0x68c fs/inode.c:680
 iput_final fs/inode.c:1739 [inline]
 iput+0x734/0x818 fs/inode.c:1765
 d_delete_notify include/linux/fsnotify.h:301 [inline]
 vfs_rmdir+0x330/0x43c fs/namei.c:4222
 do_rmdir+0x2e0/0x720 fs/namei.c:4268
 __do_sys_unlinkat fs/namei.c:4444 [inline]
 __se_sys_unlinkat fs/namei.c:4438 [inline]
 __arm64_sys_unlinkat+0xe0/0xfc fs/namei.c:4438
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598

The buggy address belongs to the object at ffff0000df2d0000
 which belongs to the cache ext4_inode_cache of size 2432
The buggy address is located 2192 bytes inside of
 freed 2432-byte region [ffff0000df2d0000, ffff0000df2d0980)

The buggy address belongs to the physical page:
page:00000000b67870c9 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f2d0
head:00000000b67870c9 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff0000d5734f81
ksm flags: 0x5ffc00000000840(slab|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000840 ffff0000c46dcdc0 fffffdffc3bac800 dead000000000003
raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff0000d5734f81
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000df2d0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000df2d0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000df2d0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff0000df2d0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000df2d0980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
ERROR: (device loop4): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 1

non-latin1 character 0x3ff found in JFS file name
mount with iocharset=utf8 to access