find_entry called with index >= next_index
==================================================================
BUG: KASAN: use-after-free in dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1997
Read of size 4 at addr ffff0000c174401c by task syz.0.28/5065

CPU: 1 PID: 5065 Comm: syz.0.28 Not tainted 5.15.182-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/19/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1997
 dtSplitUp fs/jfs/jfs_dtree.c:991 [inline]
 dtInsert+0xb0c/0x5634 fs/jfs/jfs_dtree.c:869
 jfs_symlink+0x66c/0xd78 fs/jfs/namei.c:1019
 vfs_symlink+0x238/0x3b0 fs/namei.c:4429
 do_symlinkat+0x184/0x5a8 fs/namei.c:4458
 __do_sys_symlinkat fs/namei.c:4475 [inline]
 __se_sys_symlinkat fs/namei.c:4472 [inline]
 __arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 5064:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x74/0x408 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x1e0/0x3e4 mm/slub.c:3233
 vm_area_alloc+0x2c/0xe0 kernel/fork.c:350
 __mmap_region mm/mmap.c:1770 [inline]
 mmap_region+0x99c/0x1390 mm/mmap.c:2921
 do_mmap+0x67c/0xdb4 mm/mmap.c:1574
 vm_mmap_pgoff+0x184/0x284 mm/util.c:551
 ksys_mmap_pgoff+0x410/0x620 mm/mmap.c:1623
 __do_sys_mmap arch/arm64/kernel/sys.c:28 [inline]
 __se_sys_mmap arch/arm64/kernel/sys.c:21 [inline]
 __arm64_sys_mmap+0xf8/0x110 arch/arm64/kernel/sys.c:21
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Freed by task 5064:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0x128/0x1e8 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0xdc/0x3b4 mm/slub.c:3515
 vm_area_free+0x28/0x38 kernel/fork.c:376
 remove_vma mm/mmap.c:187 [inline]
 exit_mmap+0x3e0/0x4e0 mm/mmap.c:3215
 __mmput+0xec/0x3b8 kernel/fork.c:1127
 mmput+0x80/0xc8 kernel/fork.c:1148
 exit_mm+0x4a0/0x684 kernel/exit.c:550
 do_exit+0x4e4/0x1f58 kernel/exit.c:861
 do_group_exit+0x100/0x268 kernel/exit.c:996
 __do_sys_exit_group kernel/exit.c:1007 [inline]
 __se_sys_exit_group kernel/exit.c:1005 [inline]
 __wake_up_parent+0x0/0x60 kernel/exit.c:1005
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000c1744000
 which belongs to the cache vm_area_struct of size 200
The buggy address is located 28 bytes inside of
 200-byte region [ffff0000c1744000, ffff0000c17440c8)
The buggy address belongs to the page:
page:00000000ac2409d1 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000c1744e70 pfn:0x101744
memcg:ffff0000cb43bc01
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc0003b55888 fffffc000368a088 ffff0000c0841500
raw: ffff0000c1744e70 00000000000f0005 00000001ffffffff ffff0000cb43bc01
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c1743f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000c1743f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000c1744000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000c1744080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
 ffff0000c1744100: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
find_entry called with index >= next_index

 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...