find_entry called with index >= next_index
==================================================================
BUG: KASAN: use-after-free in dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
Read of size 4 at addr ffff0000e828701c by task syz.1.29/5178

CPU: 1 PID: 5178 Comm: syz.1.29 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1999
 dtSplitUp fs/jfs/jfs_dtree.c:993 [inline]
 dtInsert+0xaa4/0x55dc fs/jfs/jfs_dtree.c:871
 jfs_symlink+0x66c/0xd78 fs/jfs/namei.c:1019
 vfs_symlink+0x238/0x3b0 fs/namei.c:4429
 do_symlinkat+0x184/0x5a8 fs/namei.c:4458
 __do_sys_symlinkat fs/namei.c:4475 [inline]
 __se_sys_symlinkat fs/namei.c:4472 [inline]
 __arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 4728:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x74/0x408 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 slab_alloc mm/slub.c:3228 [inline]
 kmem_cache_alloc+0x1e0/0x3e4 mm/slub.c:3233
 anon_vma_chain_alloc mm/rmap.c:138 [inline]
 anon_vma_clone+0x90/0x470 mm/rmap.c:284
 __split_vma+0x194/0x3f0 mm/mmap.c:2741
 __do_munmap+0x2fc/0xc04 mm/mmap.c:2852
 __vm_munmap+0x12c/0x238 mm/mmap.c:2948
 __do_sys_munmap mm/mmap.c:2974 [inline]
 __se_sys_munmap mm/mmap.c:2970 [inline]
 __arm64_sys_munmap+0x74/0x8c mm/mmap.c:2970
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Freed by task 4728:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0x128/0x1e8 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0xdc/0x3b4 mm/slub.c:3515
 anon_vma_chain_free mm/rmap.c:143 [inline]
 unlink_anon_vmas+0x224/0x53c mm/rmap.c:417
 free_pgtables+0x7c/0x278 mm/memory.c:412
 unmap_region+0x2a8/0x300 mm/mmap.c:2663
 __do_munmap+0x870/0xc04 mm/mmap.c:2895
 __vm_munmap+0x12c/0x238 mm/mmap.c:2948
 __do_sys_munmap mm/mmap.c:2974 [inline]
 __se_sys_munmap mm/mmap.c:2970 [inline]
 __arm64_sys_munmap+0x74/0x8c mm/mmap.c:2970
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the object at ffff0000e8287000
 which belongs to the cache anon_vma_chain of size 80
The buggy address is located 28 bytes inside of
 80-byte region [ffff0000e8287000, ffff0000e8287050)
The buggy address belongs to the page:
page:00000000b919c646 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x128287
memcg:ffff0000edab6401
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 fffffc0003703d40 0000000200000002 ffff0000c083ea80
raw: 0000000000000000 0000000000240024 00000001ffffffff ffff0000edab6401
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e8286f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
 ffff0000e8286f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000e8287000: fa fb fb fb fb fb fb fb fb fb fc fc fc fc fa fb
                            ^
 ffff0000e8287080: fb fb fb fb fb fb fb fb fc fc fc fc fa fb fb fb
 ffff0000e8287100: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
==================================================================
find_entry called with index >= next_index

 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...