find_entry called with index >= next_index
==================================================================
BUG: KASAN: use-after-free in dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1997
Read of size 4 at addr ffff0000e8eee01c by task syz.2.389/5936

CPU: 0 PID: 5936 Comm: syz.2.389 Not tainted 5.15.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x0/0x43c arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x78/0x30c mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xec/0x15c mm/kasan/report.c:451
 __asan_report_load4_noabort+0x44/0x50 mm/kasan/report_generic.c:308
 dtSplitRoot+0xb20/0x11bc fs/jfs/jfs_dtree.c:1997
 dtSplitUp fs/jfs/jfs_dtree.c:991 [inline]
 dtInsert+0xb0c/0x5634 fs/jfs/jfs_dtree.c:869
 jfs_create+0x588/0x8c4 fs/jfs/namei.c:137
 lookup_open fs/namei.c:3462 [inline]
 open_last_lookups fs/namei.c:3532 [inline]
 path_openat+0x1144/0x26e4 fs/namei.c:3739
 do_filp_open+0x164/0x330 fs/namei.c:3769
 do_sys_openat2+0x128/0x3d8 fs/open.c:1253
 do_sys_open fs/open.c:1269 [inline]
 __do_sys_openat fs/open.c:1285 [inline]
 __se_sys_openat fs/open.c:1280 [inline]
 __arm64_sys_openat+0x120/0x154 fs/open.c:1280
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x78/0x1e0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0xcc/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584

Allocated by task 4430:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:434 [inline]
 __kasan_slab_alloc+0x8c/0xcc mm/kasan/common.c:467
 kasan_slab_alloc include/linux/kasan.h:254 [inline]
 slab_post_alloc_hook+0x74/0x408 mm/slab.h:519
 slab_alloc_node mm/slub.c:3220 [inline]
 kmem_cache_alloc_node+0x204/0x41c mm/slub.c:3256
 __alloc_skb+0x134/0x67c net/core/skbuff.c:415
 alloc_skb include/linux/skbuff.h:1162 [inline]
 nsim_dev_trap_skb_build drivers/net/netdevsim/dev.c:664 [inline]
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:721 [inline]
 nsim_dev_trap_report_work+0x1fc/0x938 drivers/net/netdevsim/dev.c:762
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:855

Freed by task 4430:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track+0x4c/0x84 mm/kasan/common.c:46
 kasan_set_free_info+0x28/0x4c mm/kasan/generic.c:360
 ____kasan_slab_free+0x118/0x164 mm/kasan/common.c:366
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:374
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:1705 [inline]
 slab_free_freelist_hook+0x128/0x1e8 mm/slub.c:1731
 slab_free mm/slub.c:3499 [inline]
 kmem_cache_free+0xdc/0x3b4 mm/slub.c:3515
 kfree_skbmem+0x114/0x1b0 net/core/skbuff.c:-1
 __kfree_skb net/core/skbuff.c:757 [inline]
 consume_skb+0x140/0x33c net/core/skbuff.c:914
 nsim_dev_trap_report drivers/net/netdevsim/dev.c:737 [inline]
 nsim_dev_trap_report_work+0x604/0x938 drivers/net/netdevsim/dev.c:762
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:855

The buggy address belongs to the object at ffff0000e8eee000
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 28 bytes inside of
 232-byte region [ffff0000e8eee000, ffff0000e8eee0e8)
The buggy address belongs to the page:
page:0000000039503263 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x128eee
memcg:ffff0000e8486701
flags: 0x5ffc00000000200(slab|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000200 dead000000000100 dead000000000122 ffff0000c0862000
raw: 0000000000000000 00000000000c000c 00000001ffffffff ffff0000e8486701
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000e8eedf00: fb fb fb fb fb fb fc fc fc fc fa fb fb fb fb fb
 ffff0000e8eedf80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000e8eee000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000e8eee080: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
 ffff0000e8eee100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================
find_entry called with index = 0

 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...


 ... Log Wrap ... Log Wrap ... Log Wrap ...