ERROR: (device loop1): txCommit: 
read_mapping_page failed!
bread failed!
jfs_mkdir: dtInsert returned -EIO
ERROR: (device loop1): jfs_mkdir: 
==================================================================
BUG: KFENCE: out-of-bounds read in jfs_readdir+0x14e6/0x3c10 fs/jfs/jfs_dtree.c:2916

Out-of-bounds read at 0xffff88823bf3d045 (2437B right of kfence-#157):
 jfs_readdir+0x14e6/0x3c10 fs/jfs/jfs_dtree.c:2916
 wrap_directory_iterator+0x99/0xe0 fs/readdir.c:65
 iterate_dir+0x3a5/0x580 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:412 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

kfence-#157: 0xffff88823bf3c6c0-0xffff88823bf3cfff, size=2368, cache=jfs_ip

allocated by task 6971 on cpu 1 at 158.138947s (0.141583s ago):
 jfs_alloc_inode+0x28/0x70 fs/jfs/super.c:105
 alloc_inode+0x6a/0x1b0 fs/inode.c:347
 iget_locked+0x131/0x6a0 fs/inode.c:1480
 jfs_iget+0x24/0x470 fs/jfs/inode.c:29
 jfs_lookup+0x220/0x420 fs/jfs/namei.c:1472
 __lookup_slow+0x2d2/0x440 fs/namei.c:1916
 lookup_slow+0x53/0x70 fs/namei.c:1933
 walk_component fs/namei.c:2279 [inline]
 lookup_last fs/namei.c:2786 [inline]
 path_lookupat+0x3f5/0x8c0 fs/namei.c:2810
 filename_lookup+0x256/0x5d0 fs/namei.c:2839
 __do_sys_chdir fs/open.c:559 [inline]
 __se_sys_chdir+0xa8/0x2a0 fs/open.c:552
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 6971 Comm: syz.1.183 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:jfs_readdir+0x14e6/0x3c10 fs/jfs/jfs_dtree.c:2916
Code: bc 24 90 00 00 00 41 c1 e6 05 48 8b 04 24 4a 8d 1c 30 48 83 c3 05 48 89 d8 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 20 05 00 00 <44> 0f b6 2b 48 8b 44 24 60 4a 8d 1c 28 48 ff c3 48 89 df 4c 8b bc
RSP: 0018:ffffc9000eaafa40 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff88823bf3d045 RCX: ffff888028275b80
RDX: 0000000000000002 RSI: 0000000000000034 RDI: 0000000000000000
RBP: ffffc9000eaafd40 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff9400019bbf7 R12: dffffc0000000000
R13: 1ffff92001d55f70 R14: 0000000000000680 R15: 0000000000000000
FS:  00007f3ea6ba66c0(0000) GS:ffff888126335000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bf3d045 CR3: 000000003abde000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 wrap_directory_iterator+0x99/0xe0 fs/readdir.c:65
 iterate_dir+0x3a5/0x580 fs/readdir.c:108
 __do_sys_getdents64 fs/readdir.c:412 [inline]
 __se_sys_getdents64+0xf1/0x280 fs/readdir.c:397
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3ea894c819
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3ea6ba6028 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007f3ea8bc5fa0 RCX: 00007f3ea894c819
RDX: 0000000000000091 RSI: 0000200000000440 RDI: 0000000000000006
RBP: 00007f3ea89e2c91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3ea8bc6038 R14: 00007f3ea8bc5fa0 R15: 00007ffc3bdcc298
 </TASK>
==================================================================
----------------
Code disassembly (best guess):
   0:	bc 24 90 00 00       	mov    $0x9024,%esp
   5:	00 41 c1             	add    %al,-0x3f(%rcx)
   8:	e6 05                	out    %al,$0x5
   a:	48 8b 04 24          	mov    (%rsp),%rax
   e:	4a 8d 1c 30          	lea    (%rax,%r14,1),%rbx
  12:	48 83 c3 05          	add    $0x5,%rbx
  16:	48 89 d8             	mov    %rbx,%rax
  19:	48 c1 e8 03          	shr    $0x3,%rax
  1d:	42 0f b6 04 20       	movzbl (%rax,%r12,1),%eax
  22:	84 c0                	test   %al,%al
  24:	0f 85 20 05 00 00    	jne    0x54a
* 2a:	44 0f b6 2b          	movzbl (%rbx),%r13d <-- trapping instruction
  2e:	48 8b 44 24 60       	mov    0x60(%rsp),%rax
  33:	4a 8d 1c 28          	lea    (%rax,%r13,1),%rbx
  37:	48 ff c3             	inc    %rbx
  3a:	48 89 df             	mov    %rbx,%rdi
  3d:	4c                   	rex.WR
  3e:	8b                   	.byte 0x8b
  3f:	bc                   	.byte 0xbc