[syzbot] [jfs?] BUG: unable to handle kernel paging request in txBeginAnon

[syzbot <syzbot+4e89b5368baba8324e07@syzkaller.appspotmail.com>]

Hello,

syzbot found the following issue on:

HEAD commit:    fda5695d692c Merge branch 'for-next/core' into for-kernelci
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=104354b2980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=95dc1de8407c7270
dashboard link: https://syzkaller.appspot.com/bug?extid=4e89b5368baba8324e07
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1748ee42980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=155733e4980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/07f3214ff0d9/disk-fda5695d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/70e2e2c864e8/vmlinux-fda5695d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b259942a16dc/Image-fda5695d.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/abb93d88d631/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+4e89b5368baba8324e07@syzkaller.appspotmail.com

 ... Log Wrap ... Log Wrap ... Log Wrap ...
 ... Log Wrap ... Log Wrap ... Log Wrap ...
jfs_dirty_inode called on read-only volume
Is remount racy?
Unable to handle kernel paging request at virtual address dfff800000000008
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
Mem abort info:
  ESR = 0x0000000096000005
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x05: level 1 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000008] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 6241 Comm: syz-executor389 Not tainted 6.9.0-rc7-syzkaller-gfda5695d692c #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : generic_test_bit include/asm-generic/bitops/generic-non-atomic.h:128 [inline]
pc : txBeginAnon+0xac/0x154 fs/jfs/jfs_txnmgr.c:465
lr : spin_lock include/linux/spinlock.h:351 [inline]
lr : txBeginAnon+0x78/0x154 fs/jfs/jfs_txnmgr.c:458
sp : ffff80009b2171c0
x29: ffff80009b2171c0 x28: ffff800093828e48 x27: ffff800093828000
x26: ffff800093828000 x25: 0000000000000008 x24: 0000000000000150
x23: dfff800000000000 x22: 0000000000000001 x21: 0000000000000000
x20: 0000000000000040 x19: ffff80008f473720 x18: ffff80009b216e80
x17: 000000000000cc10 x16: ffff80008034c6cc x15: ffff700013642e20
x14: 1ffff00013642e20 x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff700013642e20 x10: 1ffff00013642e20 x9 : abdcc8a6ab47b800
x8 : abdcc8a6ab47b800 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000020 x4 : 0000000000000000 x3 : ffff80008034c7fc
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
 txBeginAnon+0xac/0x154
 extAlloc+0xe8/0xdec fs/jfs/jfs_extent.c:78
 jfs_get_block+0x340/0xb98 fs/jfs/inode.c:248
 __block_write_begin_int+0x580/0x166c fs/buffer.c:2105
 __block_write_begin fs/buffer.c:2154 [inline]
 block_write_begin+0x98/0x11c fs/buffer.c:2213
 jfs_write_begin+0x44/0x88 fs/jfs/inode.c:299
 generic_perform_write+0x28c/0x588 mm/filemap.c:3974
 __generic_file_write_iter+0xfc/0x204 mm/filemap.c:4069
 generic_file_write_iter+0xb8/0x2b4 mm/filemap.c:4095
 do_iter_readv_writev+0x438/0x658
 vfs_writev+0x410/0xb58 fs/read_write.c:971
 do_pwritev fs/read_write.c:1072 [inline]
 __do_sys_pwritev2 fs/read_write.c:1131 [inline]
 __se_sys_pwritev2 fs/read_write.c:1122 [inline]
 __arm64_sys_pwritev2+0x1dc/0x2f0 fs/read_write.c:1122
 __invoke_syscall arch/arm64/kernel/syscall.c:34 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:48
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:133
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:152
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
Code: aa1803e0 97ffff65 aa1303e0 95922607 (38776b28) 
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0:	aa1803e0 	mov	x0, x24
   4:	97ffff65 	bl	0xfffffffffffffd98
   8:	aa1303e0 	mov	x0, x19
   c:	95922607 	bl	0x6489828
* 10:	38776b28 	ldrb	w8, [x25, x23] <-- trapping instruction


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup