Hello,
syzbot found the following issue on:
HEAD commit: 284087d4f7d5 Linux 5.15.158
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1180c624980000
kernel config: https://syzkaller.appspot.com/x/.config?x=ab74f93e8454887c
dashboard link: https://syzkaller.appspot.com/bug?extid=cffee4987ee15d116a32
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0accc7dacf9d/disk-284087d4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/fb6b5b110f8c/vmlinux-284087d4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/6763bebdbfea/Image-284087d4.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by:
syzbot+cffee4...@syzkaller.appspotmail.com
================================================================================
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:2846:24
index 2994972533 is out of range for type 's8[1365]' (aka 'signed char[1365]')
CPU: 1 PID: 239 Comm: jfsCommit Not tainted 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
dump_stack+0x1c/0x58 lib/dump_stack.c:113
ubsan_epilogue lib/ubsan.c:151 [inline]
__ubsan_handle_out_of_bounds+0x108/0x15c lib/ubsan.c:282
dbJoin+0x268/0x2a4 fs/jfs/jfs_dmap.c:2846
dbFreeBits+0x458/0xc30 fs/jfs/jfs_dmap.c:2406
dbFreeDmap fs/jfs/jfs_dmap.c:2155 [inline]
dbFree+0x2dc/0x5d8 fs/jfs/jfs_dmap.c:409
txFreeMap+0x7e8/0xb84 fs/jfs/jfs_txnmgr.c:2549
xtTruncate+0xb18/0x2b10 fs/jfs/jfs_xtree.c:3428
jfs_free_zero_link+0x374/0x598 fs/jfs/namei.c:758
jfs_evict_inode+0x308/0x408 fs/jfs/inode.c:153
evict+0x260/0x68c fs/inode.c:587
iput_final fs/inode.c:1705 [inline]
iput+0x744/0x824 fs/inode.c:1731
txUpdateMap+0x76c/0x914 fs/jfs/jfs_txnmgr.c:2401
txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
jfs_lazycommit+0x3b0/0xa40 fs/jfs/jfs_txnmgr.c:2766
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
================================================================================
------------[ cut here ]------------
WARNING: CPU: 0 PID: 239 at fs/jfs/jfs_dmap.c:2941 dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
Modules linked in:
CPU: 0 PID: 239 Comm: jfsCommit Not tainted 5.15.158-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
lr : dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
sp : ffff80001aed7410
x29: ffff80001aed7410 x28: dfff800000000000 x27: 1fffe0001e29c002
x26: dfff800000000000 x25: ffff0001a3d1a796 x24: 00000000ffffffff
x23: 0000000000000155 x22: 00000000b283a776 x21: 0000000000000001
x20: 0000000000000001 x19: ffff0000f14e0010 x18: 1fffe000368fd78e
x17: 1fffe000368fd78e x16: ffff800011998e34 x15: ffff8000149dec00
x14: 1ffff0000292806a x13: dfff800000000000 x12: ffff700002de9f64
x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000c69e1b40
x8 : ffff8000098c2aa8 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000000 x3 : 0000000000000000
x2 : 0000000000000001 x1 : 0000000000000155 x0 : 00000000b283a776
Call trace:
dbAdjTree+0x3a0/0x480 fs/jfs/jfs_dmap.c:2941
dbJoin+0x1ec/0x2a4 fs/jfs/jfs_dmap.c:2909
dbFreeBits+0x458/0xc30 fs/jfs/jfs_dmap.c:2406
dbFreeDmap fs/jfs/jfs_dmap.c:2155 [inline]
dbFree+0x2dc/0x5d8 fs/jfs/jfs_dmap.c:409
txFreeMap+0x7e8/0xb84 fs/jfs/jfs_txnmgr.c:2549
xtTruncate+0xb18/0x2b10 fs/jfs/jfs_xtree.c:3428
jfs_free_zero_link+0x374/0x598 fs/jfs/namei.c:758
jfs_evict_inode+0x308/0x408 fs/jfs/inode.c:153
evict+0x260/0x68c fs/inode.c:587
iput_final fs/inode.c:1705 [inline]
iput+0x744/0x824 fs/inode.c:1731
txUpdateMap+0x76c/0x914 fs/jfs/jfs_txnmgr.c:2401
txLazyCommit fs/jfs/jfs_txnmgr.c:2698 [inline]
jfs_lazycommit+0x3b0/0xa40 fs/jfs/jfs_txnmgr.c:2766
kthread+0x37c/0x45c kernel/kthread.c:334
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 1292
hardirqs last enabled at (1291): [<ffff800008269adc>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1338 [inline]
hardirqs last enabled at (1291): [<ffff800008269adc>] finish_lock_switch+0xbc/0x1e8 kernel/sched/core.c:4784
hardirqs last disabled at (1292): [<ffff8000119944c0>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:396
softirqs last enabled at (1274): [<ffff800008021c64>] softirq_handle_end kernel/softirq.c:401 [inline]
softirqs last enabled at (1274): [<ffff800008021c64>] __do_softirq+0xb5c/0xdb0 kernel/softirq.c:587
softirqs last disabled at (1027): [<ffff8000081b6568>] do_softirq_own_stack include/asm-generic/softirq_stack.h:10 [inline]
softirqs last disabled at (1027): [<ffff8000081b6568>] invoke_softirq kernel/softirq.c:439 [inline]
softirqs last disabled at (1027): [<ffff8000081b6568>] __irq_exit_rcu+0x264/0x4d4 kernel/softirq.c:637
---[ end trace 2f25899a09969fbf ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See: https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup