[syzbot] [jfs?] UBSAN: array-index-out-of-bounds in diAllocBit


syzbot

Nov 19, 2025, 12:43:30 AM11/19/25
to jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 7a0892d2836e Merge tag 'pci-v6.18-fixes-5' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1285760a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=929790bc044e87d7
dashboard link: https://syzkaller.appspot.com/bug?extid=015483fc71d1413f40ee
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-7a0892d2.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a78c5c2efd8d/vmlinux-7a0892d2.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a51cc5df960/bzImage-7a0892d2.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+015483...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
netlink: 96 bytes leftover after parsing attributes in process `syz.0.0'.
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2105:2
index 8592359 is out of range for type 'struct iagctl[128]'
CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x40 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe9/0xf0 lib/ubsan.c:455
diAllocBit+0xba2/0xd40 fs/jfs/jfs_imap.c:2105
diAllocIno fs/jfs/jfs_imap.c:1844 [inline]
diAllocAG+0x12d9/0x1df0 fs/jfs/jfs_imap.c:1676
diAlloc+0x1d5/0x1680 fs/jfs/jfs_imap.c:1590
ialloc+0x8c/0x8f0 fs/jfs/jfs_inode.c:56
jfs_create+0x18d/0xa80 fs/jfs/namei.c:92
lookup_open fs/namei.c:3796 [inline]
open_last_lookups fs/namei.c:3895 [inline]
path_openat+0x14f4/0x3830 fs/namei.c:4131
do_filp_open+0x1fa/0x410 fs/namei.c:4161
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0a7ef8f6c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0a7fed8038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f0a7f1e5fa0 RCX: 00007f0a7ef8f6c9
RDX: 000000000000275a RSI: 0000200000000080 RDI: ffffffffffffff9c
RBP: 00007f0a7f011f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0a7f1e6038 R14: 00007f0a7f1e5fa0 R15: 00007ffde7416408
</TASK>
---[ end trace ]---


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Jun 21, 2026, 10:20:22 AM
to aha3...@gmail.com, jfs-dis...@lists.sourceforge.net, linux-...@vger.kernel.org, sha...@kernel.org, syzkall...@googlegroups.com, vu...@iscas.ac.cn, yun....@windriver.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 390d73adf896 Merge tag 'for-v7.2' of git://git.kernel.org/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12675b7a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=569f5d5519e8bac8
dashboard link: https://syzkaller.appspot.com/bug?extid=015483fc71d1413f40ee
compiler: Debian clang version 22.1.6 (++20260514074242+fc4aad7b5db3-1~exp1~20260514074407.73), Debian LLD 22.1.6
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1150cd56580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-390d73ad.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3cb386497ebc/vmlinux-390d73ad.xz
kernel image: https://storage.googleapis.com/syzbot-assets/333ffabcead8/bzImage-390d73ad.xz
mounted in repro #1: https://storage.googleapis.com/syzbot-assets/eb5e24fa41f8/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=138a501c580000)
mounted in repro #2: https://storage.googleapis.com/syzbot-assets/e4d71ffc49fe/mount_14.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=178a501c580000)
mounted in repro #3: https://storage.googleapis.com/syzbot-assets/35380d3f8199/mount_18.gz
fsck result: OK (log: https://syzkaller.appspot.com/x/fsck.log?x=1650cd56580000)

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+015483...@syzkaller.appspotmail.com

loop0: detected capacity change from 0 to 32768
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_imap.c:2105:2
index 8592359 is out of range for type 'struct iagctl[128]'
CPU: 0 UID: 0 PID: 6143 Comm: syz.0.211 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
ubsan_epilogue+0xa/0x30 lib/ubsan.c:233
__ubsan_handle_out_of_bounds+0xe8/0xf0 lib/ubsan.c:455
diAllocBit+0xb88/0xd30 fs/jfs/jfs_imap.c:2105
diAllocIno fs/jfs/jfs_imap.c:1844 [inline]
diAllocAG+0x13f7/0x1de0 fs/jfs/jfs_imap.c:1676
diAlloc+0x1e2/0x16b0 fs/jfs/jfs_imap.c:1590
ialloc+0x8c/0x8e0 fs/jfs/jfs_inode.c:56
jfs_create+0x1d8/0xae0 fs/jfs/namei.c:93
lookup_open fs/namei.c:4508 [inline]
open_last_lookups fs/namei.c:4608 [inline]
path_openat+0x133a/0x3830 fs/namei.c:4856
do_file_open+0x23e/0x4a0 fs/namei.c:4888
do_sys_openat2+0x115/0x200 fs/open.c:1395
do_sys_open fs/open.c:1401 [inline]
__do_sys_open fs/open.c:1409 [inline]
__se_sys_open fs/open.c:1405 [inline]
__x64_sys_open+0x11e/0x150 fs/open.c:1405
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x174/0x580 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc75779ce59
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fc758713028 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007fc757a15fa0 RCX: 00007fc75779ce59
RDX: 0000000000000292 RSI: 0000000000064842 RDI: 0000200000000080
RBP: 00007fc757832e6f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc757a16038 R14: 00007fc757a15fa0 R15: 00007ffc5cf2ad48
</TASK>
---[ end trace ]---


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.