================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:1995:37
index -128 is out of range for type 'struct dtslot[128]'
CPU: 0 PID: 4971 Comm: syz.3.47 Not tainted 5.15.178-syzkaller-00026-gc16c81c81336 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 dump_stack+0x1c/0x58 lib/dump_stack.c:113
 ubsan_epilogue lib/ubsan.c:151 [inline]
 __ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282
 dtSplitRoot+0x998/0x1440 fs/jfs/jfs_dtree.c:1995
 dtSplitUp fs/jfs/jfs_dtree.c:990 [inline]
 dtInsert+0xee0/0x5534 fs/jfs/jfs_dtree.c:868
 jfs_symlink+0x910/0xf1c fs/jfs/namei.c:1019
 vfs_symlink+0x244/0x3a8 fs/namei.c:4429
 do_symlinkat+0x364/0x6b0 fs/namei.c:4458
 __do_sys_symlinkat fs/namei.c:4475 [inline]
 __se_sys_symlinkat fs/namei.c:4472 [inline]
 __arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
================================================================================
==================================================================
BUG: KASAN: use-after-free in dtSplitRoot+0x95c/0x1440 fs/jfs/jfs_dtree.c:1996
Read of size 4 at addr ffff0000cb37101c by task syz.3.47/4971

CPU: 0 PID: 4971 Comm: syz.3.47 Not tainted 5.15.178-syzkaller-00026-gc16c81c81336 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0x95c/0x1440 fs/jfs/jfs_dtree.c:1996
 dtSplitUp fs/jfs/jfs_dtree.c:990 [inline]
 dtInsert+0xee0/0x5534 fs/jfs/jfs_dtree.c:868
 jfs_symlink+0x910/0xf1c fs/jfs/namei.c:1019
 vfs_symlink+0x244/0x3a8 fs/namei.c:4429
 do_symlinkat+0x364/0x6b0 fs/namei.c:4458
 __do_sys_symlinkat fs/namei.c:4475 [inline]
 __se_sys_symlinkat fs/namei.c:4472 [inline]
 __arm64_sys_symlinkat+0xa4/0xbc fs/namei.c:4472
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

The buggy address belongs to the page:
page:00000000de079600 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x10b371
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffc000333fd48 fffffc0003259248 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cb370f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cb370f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cb371000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                      ^
 ffff0000cb371080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000cb371100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
find_entry called with index = 0
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
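The two reports above are one event, read in order. At jfs_dtree.c:1995 dtSplitRoot locates a directory entry through the page's slot table, which in JFS is an array of signed 8-bit slot numbers (s8 stbl[]) copied from the on-disk image; the byte 0x80 there reads as -128, UBSAN flags it against 'struct dtslot[128]', and with JFS's 32-byte slots the resulting pointer sits 4096 bytes before the slot array, on the preceding page. The 4-byte load at :1996 through that pointer is the use-after-free KASAN then reports on page pfn:0x10b371. The program below is an added example written for this page, not JFS code and not a reproducer for the report: it models only the indexing pattern (128 slots of 32 bytes, a signed 8-bit slot table taken straight from the image, both constants as in JFS) and shows the range check that turns an out-of-range on-disk index into a clean rejection. The sample pages it builds are constructed, and the function names are hypothetical.

```c
/*
 * Stand-alone model of the slot-table indexing pattern behind the report.
 * NOT fs/jfs code: only the geometry (128 slots x 32 bytes, s8 slot table
 * read from disk) is taken from JFS; everything else is illustrative.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTPAGEMAXSLOT 128   /* matches 'struct dtslot[128]' in the UBSAN line */
#define DTSLOTSIZE    32    /* JFS slot size; -128 * 32 = -4096, one page back */

struct dtslot { uint8_t raw[DTSLOTSIZE]; };

/* Hypothetical page layout: entry n lives in slot[stbl[n]]. */
struct dtpage {
    uint8_t       nextindex;            /* entries in use */
    int8_t        stbl[DTPAGEMAXSLOT];  /* signed, copied verbatim from disk */
    struct dtslot slot[DTPAGEMAXSLOT];
};

/* Byte offset the unchecked expression &p->slot[idx] computes relative to
 * the start of the slot array. For idx = -128 this is -4096: the page
 * before the directory page, which is why KASAN sees a freed page rather
 * than the directory page itself. */
long slot_offset(int idx)
{
    return (long)idx * (long)sizeof(struct dtslot);
}

/* Checked accessor: NULL for any entry whose on-disk slot index falls
 * outside the slot array (the check the unchecked pattern lacks). */
const struct dtslot *entry_checked(const struct dtpage *p, unsigned n)
{
    int idx;

    if (n >= p->nextindex)
        return NULL;
    idx = p->stbl[n];                   /* int8_t: 0x80 on disk reads as -128 */
    if (idx < 0 || idx >= DTPAGEMAXSLOT)
        return NULL;
    return &p->slot[idx];
}

/* Validate a whole slot table once, e.g. right after the page is read from
 * disk. Returns the number of out-of-range entries; 0 means the table is
 * safe to index with. */
int validate_stbl(const struct dtpage *p)
{
    int bad = 0;
    unsigned n;

    if (p->nextindex > DTPAGEMAXSLOT)
        return DTPAGEMAXSLOT + 1;       /* header itself is inconsistent */
    for (n = 0; n < p->nextindex; n++) {
        int idx = p->stbl[n];
        if (idx < 0 || idx >= DTPAGEMAXSLOT)
            bad++;
    }
    return bad;
}

/* Constructed sample page (not from any real image). corrupt != 0 plants
 * the 0x80 byte from the report into entry 1 of the slot table. */
void make_page(struct dtpage *p, int corrupt)
{
    memset(p, 0, sizeof *p);
    p->nextindex = 3;
    p->stbl[0] = 5;
    p->stbl[1] = 9;
    p->stbl[2] = 127;
    if (corrupt)
        p->stbl[1] = (int8_t)0x80;      /* "index -128" in the UBSAN line */
}

/* Number of bad slot-table entries in the good (0) or corrupt (1) page. */
int page_bad_entries(int corrupt)
{
    struct dtpage p;
    make_page(&p, corrupt);
    return validate_stbl(&p);
}

/* Slot number entry n resolves to through the checked accessor, or -1. */
int entry_slot(int corrupt, unsigned n)
{
    struct dtpage p;
    const struct dtslot *s;
    make_page(&p, corrupt);
    s = entry_checked(&p, n);
    return s ? (int)(s - p.slot) : -1;
}

int main(void)
{
    printf("good page: %d bad entries, entry 2 -> slot %d\n",
           page_bad_entries(0), entry_slot(0, 2));
    printf("corrupt page: %d bad entries, entry 1 -> slot %d "
           "(unchecked offset would be %ld bytes)\n",
           page_bad_entries(1), entry_slot(1, 1), slot_offset((int8_t)0x80));
    return 0;
}
```

The validate-once shape is the one to prefer in a filesystem: checking every stbl[] entry when the page is read from disk rejects the image before any code path (including split and delete paths that do not go through a single accessor) can use the bad index.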