find_entry called with index >= next_index ================================================================== BUG: KASAN: slab-out-of-bounds in dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1997 Read of size 4 at addr ffff0000f1d3001c by task syz.4.38/5294 CPU: 0 PID: 5294 Comm: syz.4.38 Not tainted 5.15.185-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call trace: dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216 __dump_stack+0x30/0x40 lib/dump_stack.c:88 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106 print_address_description+0x78/0x30c mm/kasan/report.c:248 __kasan_report mm/kasan/report.c:434 [inline] kasan_report+0xec/0x15c mm/kasan/report.c:451 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308 dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1997 dtSplitUp fs/jfs/jfs_dtree.c:991 [inline] dtInsert+0xb0c/0x5634 fs/jfs/jfs_dtree.c:869 jfs_symlink+0x66c/0xd78 fs/jfs/namei.c:1019 vfs_symlink+0x238/0x3b0 fs/namei.c:4429 do_symlinkat+0x184/0x5a8 fs/namei.c:4458 __do_sys_symlinkat fs/namei.c:4475 [inline] __se_sys_symlinkat fs/namei.c:4472 [inline] __arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 Allocated by task 4838: kasan_save_stack mm/kasan/common.c:38 [inline] kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc+0xb0/0xf0 mm/kasan/common.c:522 kasan_kmalloc include/linux/kasan.h:264 [inline] __kmalloc_track_caller+0x218/0x370 mm/slub.c:4930 kstrdup+0xe4/0x15c mm/util.c:60 kstrdup_const+0x54/0x6c mm/util.c:83 __kernfs_new_node+0xa8/0x5d8 fs/kernfs/dir.c:589 kernfs_new_node+0x11c/0x240 fs/kernfs/dir.c:669 kernfs_create_link+0x98/0x1e0 fs/kernfs/symlink.c:39 sysfs_do_create_link_sd+0x8c/0x120 fs/sysfs/symlink.c:44 sysfs_do_create_link fs/sysfs/symlink.c:80 [inline] sysfs_create_link+0x74/0x94 fs/sysfs/symlink.c:92 netdev_adjacent_sysfs_add net/core/dev.c:7972 [inline] __netdev_adjacent_dev_insert+0x43c/0x7b0 net/core/dev.c:8028 __netdev_adjacent_dev_link_lists net/core/dev.c:8110 [inline] __netdev_adjacent_dev_link_neighbour net/core/dev.c:8134 [inline] __netdev_upper_dev_link+0x3f0/0x5a8 net/core/dev.c:8194 netdev_master_upper_dev_link+0xbc/0x104 net/core/dev.c:8269 bond_master_upper_dev_link+0x18c/0x20c drivers/net/bonding/bond_main.c:1621 bond_enslave+0x18b8/0x3014 drivers/net/bonding/bond_main.c:2117 do_set_master net/core/rtnetlink.c:2575 [inline] do_setlink+0xb78/0x3088 net/core/rtnetlink.c:2786 __rtnl_newlink net/core/rtnetlink.c:3450 [inline] rtnl_newlink+0x10d0/0x1404 net/core/rtnetlink.c:3572 rtnetlink_rcv_msg+0x9d4/0xd04 net/core/rtnetlink.c:5650 netlink_rcv_skb+0x208/0x3c4 net/netlink/af_netlink.c:2489 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:5668 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline] netlink_unicast+0x60c/0x89c net/netlink/af_netlink.c:1337 netlink_sendmsg+0x6e8/0x9cc net/netlink/af_netlink.c:1905 sock_sendmsg_nosec net/socket.c:704 [inline] __sock_sendmsg net/socket.c:716 [inline] __sys_sendto+0x2e8/0x3d8 net/socket.c:2063 __do_sys_sendto net/socket.c:2075 [inline] __se_sys_sendto net/socket.c:2071 [inline] __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2071 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584 The buggy address belongs to the object at ffff0000f1d30000 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 28 bytes inside of 128-byte region [ffff0000f1d30000, ffff0000f1d30080) The buggy address belongs to the page: page:00000000a596b9b5 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000f1d30800 pfn:0x131d30 flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff) raw: 05ffc00000000200 fffffc0003c749c8 fffffc0003c74cc8 ffff0000c0002300 raw: ffff0000f1d30800 000000000010000e 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff0000f1d2ff00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc ffff0000f1d2ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff0000f1d30000: 00 00 03 fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff0000f1d30080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff0000f1d30100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ================================================================== find_entry called with index = 0 ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ... ... Log Wrap ... Log Wrap ... Log Wrap ...