* [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: syzbot @ 2024-11-26 15:40 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 28eb75e178d3 Merge tag 'drm-next-2024-11-21' of https://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10ad3930580000
kernel config: https://syzkaller.appspot.com/x/.config?x=402159daa216c89d
dashboard link: https://syzkaller.appspot.com/bug?extid=b974bd41515f770c608b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e3c9c97af7d9/disk-28eb75e1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/1e22f3d29103/vmlinux-28eb75e1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/8ff56ec30fa6/bzImage-28eb75e1.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b974bd41515f770c608b@syzkaller.appspotmail.com
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:2649:28
index -128 is out of range for type 'struct dtslot[128]'
CPU: 1 UID: 0 PID: 9494 Comm: syz.7.422 Not tainted 6.12.0-syzkaller-07749-g28eb75e178d3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429
add_missing_indices+0x824/0xbf0 fs/jfs/jfs_dtree.c:2649
jfs_readdir+0x1fc5/0x3c50 fs/jfs/jfs_dtree.c:3019
wrap_directory_iterator+0x91/0xd0 fs/readdir.c:65
iterate_dir+0x571/0x800 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64+0x1e2/0x4b0 fs/readdir.c:389
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbaf317e819
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fbaf3f2d038 EFLAGS: 00000246 ORIG_RAX: 00000000000000d9
RAX: ffffffffffffffda RBX: 00007fbaf3335fa0 RCX: 00007fbaf317e819
RDX: 0000000000001000 RSI: 0000000020000f80 RDI: 0000000000000004
RBP: 00007fbaf31f175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fbaf3335fa0 R15: 00007fff928fc148
</TASK>
---[ end trace ]---
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: syzbot @ 2025-01-21 20:20 UTC (permalink / raw)
To: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
syzbot has found a reproducer for the following issue on:
HEAD commit: 1950a0af2d55 Merge tag 'arm64-upstream' into for-kernelci
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=113b2424580000
kernel config: https://syzkaller.appspot.com/x/.config?x=cd5bb525e2b2bae
dashboard link: https://syzkaller.appspot.com/bug?extid=b974bd41515f770c608b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=11d0d618580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=153b2424580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1ebe061fa55c/disk-1950a0af.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/943902875907/vmlinux-1950a0af.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9b5110e82096/Image-1950a0af.gz.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/6e79f480238f/mount_0.gz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b974bd41515f770c608b@syzkaller.appspotmail.com
... Log Wrap ... Log Wrap ... Log Wrap ...
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dtree.c:2649:28
index -128 is out of range for type 'struct dtslot[128]'
CPU: 1 UID: 0 PID: 6414 Comm: syz-executor126 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
dump_stack+0x1c/0x28 lib/dump_stack.c:129
ubsan_epilogue lib/ubsan.c:231 [inline]
__ubsan_handle_out_of_bounds+0xf8/0x148 lib/ubsan.c:429
add_missing_indices+0x6e4/0xa8c fs/jfs/jfs_dtree.c:2649
jfs_readdir+0x18ac/0x3030 fs/jfs/jfs_dtree.c:3019
wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:65
shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
iterate_dir+0x408/0x648 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64 fs/readdir.c:389 [inline]
__arm64_sys_getdents64+0x1c0/0x490 fs/readdir.c:389
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
---[ end trace ]---
==================================================================
BUG: KASAN: slab-out-of-bounds in diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:753
Read of size 32 at addr ffff0000dea84108 by task syz-executor126/6414
CPU: 1 UID: 0 PID: 6414 Comm: syz-executor126 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0x198/0x538 mm/kasan/report.c:489
kasan_report+0xd8/0x138 mm/kasan/report.c:602
kasan_check_range+0x268/0x2a8 mm/kasan/generic.c:189
__asan_memcpy+0x3c/0x84 mm/kasan/shadow.c:105
diWrite+0xb48/0x15cc fs/jfs/jfs_imap.c:753
txCommit+0x750/0x5504 fs/jfs/jfs_txnmgr.c:1255
add_missing_indices+0x760/0xa8c fs/jfs/jfs_dtree.c:2663
jfs_readdir+0x18ac/0x3030 fs/jfs/jfs_dtree.c:3019
wrap_directory_iterator+0xa8/0xf4 fs/readdir.c:65
shared_jfs_readdir+0x30/0x40 fs/jfs/namei.c:1540
iterate_dir+0x408/0x648 fs/readdir.c:108
__do_sys_getdents64 fs/readdir.c:403 [inline]
__se_sys_getdents64 fs/readdir.c:389 [inline]
__arm64_sys_getdents64+0x1c0/0x490 fs/readdir.c:389
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
The buggy address belongs to the object at ffff0000dea84088
which belongs to the cache jfs_ip of size 2232
The buggy address is located 128 bytes inside of
allocated 2232-byte region [ffff0000dea84088, ffff0000dea84940)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11ea80
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c486ec80 dead000000000122 0000000000000000
raw: 0000000000000000 00000000800d000d 00000001f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c486ec80 dead000000000122 0000000000000000
head: 0000000000000000 00000000800d000d 00000001f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc37aa001 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000dea84000: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dea84080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000dea84100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000dea84180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000dea84200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
... Log Wrap ... Log Wrap ... Log Wrap ...
ERROR: (device loop0): jfs_readdir: JFS:Dtree error: ino = 2, bn=0, index = 0
ERROR: (device loop0): remounting filesystem as read-only
JFS: Invalid stbl[1] = -128 for inode 2, block = 0
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
* Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: Aditya Dutt @ 2025-03-22 9:37 UTC (permalink / raw)
To: syzbot+b974bd41515f770c608b
Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
#syz test https://github.com/kleikamp/linux-shaggy.git jfs-next
diff --git i/fs/jfs/jfs_dtree.c w/fs/jfs/jfs_dtree.c
index 93db6eec4465..de33026d18d2 100644
--- i/fs/jfs/jfs_dtree.c
+++ w/fs/jfs/jfs_dtree.c
@@ -2613,7 +2613,7 @@ void dtInitRoot(tid_t tid, struct inode *ip, u32 idotdot)
* fsck.jfs should really fix this, but it currently does not.
* Called from jfs_readdir when bad index is detected.
*/
-static void add_missing_indices(struct inode *inode, s64 bn)
+static int add_missing_indices(struct inode *inode, s64 bn)
{
struct ldtentry *d;
struct dt_lock *dtlck;
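Review bot: the new int return value is undocumented; the comment block right above the signature ("Called from jfs_readdir when bad index is detected.") should also say that the function now returns 0 on success or a negative errno (-EIO when the slot table is corrupt), so callers know what they are expected to propagate.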
@@ -2622,7 +2622,7 @@ static void add_missing_indices(struct inode *inode, s64 bn)
struct lv *lv;
struct metapage *mp;
dtpage_t *p;
- int rc;
+ int rc = 0;
s8 *stbl;
tid_t tid;
struct tlock *tlck;
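Review bot: `int rc = 0;` is load-bearing rather than cosmetic: in the later hunk the success path discards txCommit's result with `(void) txCommit(tid, 1, &inode, 0);` and falls into `end:`, where the new `return rc;` sits, so without this initializer nothing on that path assigns rc before it is returned. A one-line comment on the declaration would make that dependency visible to the next person who touches the function.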
@@ -2647,6 +2647,16 @@ static void add_missing_indices(struct inode *inode, s64 bn)
stbl = DT_GETSTBL(p);
for (i = 0; i < p->header.nextindex; i++) {
+ if (stbl[i] < 0) {
+ jfs_err("jfs: add_missing_indices: Invalid stbl[%d] = %d for inode %ld, block = %lld",
+ i, stbl[i], (long)inode->i_ino, (long long)bn);
+ rc = -EIO;
+
+ DT_PUTPAGE(mp);
+ txAbort(tid, 0);
+ goto end;
+ }
+
d = (struct ldtentry *) &p->slot[stbl[i]];
index = le32_to_cpu(d->index);
if ((index < 2) || (index >= JFS_IP(inode)->next_index)) {
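Review bot: the guard only rejects negative slot numbers, which matches the reported failure (index -128 for `struct dtslot[128]`), but `stbl[i]` is an s8 read from disk and nothing here bounds it from above, so a corrupted positive value at or beyond the slots actually in use on this page is still accepted and used as `&p->slot[stbl[i]]`; check the upper bound against the page's slot count in the same place. Two smaller points: `jfs_readdir` already logs the same condition (`JFS: Invalid stbl[1] = -128 for inode 2, block = 0` in the reproducer console output), so one of the two messages could go, and `%lu` with `inode->i_ino` avoids the `(long)` cast since i_ino is an unsigned long.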
@@ -2664,6 +2674,7 @@ static void add_missing_indices(struct inode *inode, s64 bn)
(void) txCommit(tid, 1, &inode, 0);
end:
txEnd(tid);
+ return rc;
}
/*
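Review bot: `return rc;` still reports success when the commit fails, because `(void) txCommit(tid, 1, &inode, 0);` two lines above throws the result away. If the purpose of the new return value is to tell jfs_readdir whether the page was actually repaired, assign txCommit's return to rc instead of casting it to void; otherwise the caller sets `page_fixed = 1` on a page that was never committed.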
@@ -3017,7 +3028,10 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
}
if (fix_page) {
- add_missing_indices(ip, bn);
+ if ((rc = add_missing_indices(ip, bn))) {
+ jfs_err("jfs_readdir: add_missing_indices returned %d", rc);
+ goto out;
+ }
page_fixed = 1;
}
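Review bot: `if ((rc = add_missing_indices(ip, bn)))` puts an assignment inside the condition, which checkpatch reports as "do not use assignment in if condition"; split it into `rc = add_missing_indices(ip, bn);` followed by `if (rc) {`. The added `jfs_err` repeats what the callee just logged and adds only the errno, so it can be dropped. Since this is a new exit from the middle of the page loop, also confirm that `out:` releases everything the loop still holds at this point.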
* Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: syzbot @ 2025-03-22 10:04 UTC (permalink / raw)
To: duttaditya18, jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
7.299426][ T6437] evict+0x444/0x978
[ 57.300436][ T6437] iput+0x740/0x8e8
[ 57.301425][ T6437] dentry_unlink_inode+0x3a0/0x4e0
[ 57.302787][ T6437] __dentry_kill+0x178/0x5e8
[ 57.303966][ T6437] shrink_kill+0xd4/0x2cc
[ 57.305091][ T6437] shrink_dentry_list+0x31c/0x768
[ 57.306403][ T6437] shrink_dcache_parent+0xc4/0x374
[ 57.307725][ T6437] do_one_tree+0x30/0xfc
[ 57.308817][ T6437] shrink_dcache_for_umount+0xd8/0x188
[ 57.310208][ T6437] generic_shutdown_super+0x68/0x2bc
[ 57.311588][ T6437] kill_litter_super+0x74/0xb8
[ 57.312815][ T6437] binderfs_kill_super+0x44/0x9c
[ 57.314091][ T6437] deactivate_locked_super+0xc4/0x12c
[ 57.315477][ T6437] deactivate_super+0xe0/0x100
[ 57.316708][ T6437] cleanup_mnt+0x34c/0x3dc
[ 57.317880][ T6437] __cleanup_mnt+0x20/0x30
[ 57.319022][ T6437] task_work_run+0x230/0x2e0
[ 57.320203][ T6437] do_exit+0x4e8/0x1acc
[ 57.321325][ T6437] do_group_exit+0x194/0x22c
[ 57.322516][ T6437] get_signal+0x1418/0x1534
[ 57.323687][ T6437] do_signal+0x22c/0x39e4
[ 57.324803][ T6437] do_notify_resume+0x74/0x1f4
[ 57.326054][ T6437] el0_svc+0xac/0x168
[ 57.327137][ T6437] el0t_64_sync_handler+0x84/0x108
[ 57.328474][ T6437] el0t_64_sync+0x198/0x19c
[ 57.329650][ T6437]
[ 57.330236][ T6437] The buggy address belongs to the object at ffff0000c6dd0800
[ 57.330236][ T6437] which belongs to the cache kmalloc-512 of size 512
[ 57.333883][ T6437] The buggy address is located 8 bytes inside of
[ 57.333883][ T6437] freed 512-byte region [ffff0000c6dd0800, ffff0000c6dd0a00)
[ 57.337465][ T6437]
[ 57.338058][ T6437] The buggy address belongs to the physical page:
[ 57.339720][ T6437] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000c6dd3000 pfn:0x106dd0
[ 57.342360][ T6437] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 57.344585][ T6437] anon flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 57.346663][ T6437] page_type: f5(slab)
[ 57.347694][ T6437] raw: 05ffc00000000040 ffff0000c0001c80 0000000000000000 0000000000000001
[ 57.349947][ T6437] raw: ffff0000c6dd3000 000000000010000c 00000000f5000000 0000000000000000
[ 57.352181][ T6437] head: 05ffc00000000040 ffff0000c0001c80 0000000000000000 0000000000000001
[ 57.354462][ T6437] head: ffff0000c6dd3000 000000000010000c 00000000f5000000 0000000000000000
[ 57.356780][ T6437] head: 05ffc00000000002 fffffdffc31b7401 ffffffffffffffff 0000000000000000
[ 57.359060][ T6437] head: 0000000000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 57.361371][ T6437] page dumped because: kasan: bad access detected
[ 57.363069][ T6437]
[ 57.363674][ T6437] Memory state around the buggy address:
[ 57.365143][ T6437] ffff0000c6dd0700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.367267][ T6437] ffff0000c6dd0780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.369405][ T6437] >ffff0000c6dd0800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.371514][ T6437] ^
[ 57.372638][ T6437] ffff0000c6dd0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.374759][ T6437] ffff0000c6dd0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.376899][ T6437] ==================================================================
[ 57.383599][ T6437] Disabling lock debugging due to kernel taint
[ 58.115605][ T4279] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 58.117733][ T4279] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 58.126718][ T13] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 58.128688][ T13] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 58.244921][ T6478] chnl_net:caif_netlink_parms(): no params data found
[ 58.262999][ T6478] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.265000][ T6478] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.266851][ T6478] bridge_slave_0: entered allmulticast mode
[ 58.268702][ T6478] bridge_slave_0: entered promiscuous mode
[ 58.271065][ T6478] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.273065][ T6478] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.274890][ T6478] bridge_slave_1: entered allmulticast mode
[ 58.276725][ T6478] bridge_slave_1: entered promiscuous mode
[ 58.284565][ T6478] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 58.287976][ T6478] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 58.301618][ T6478] team0: Port device team_slave_0 added
[ 58.304562][ T6478] team0: Port device team_slave_1 added
[ 58.311150][ T6478] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 58.313047][ T6478] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.319801][ T6478] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 58.323279][ T6478] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 58.325087][ T6478] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 58.331871][ T6478] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 58.342983][ T6478] hsr_slave_0: entered promiscuous mode
[ 58.344857][ T6478] hsr_slave_1: entered promiscuous mode
[ 58.524904][ T6478] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 58.527825][ T6478] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 58.531091][ T6478] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 58.534071][ T6478] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 58.545093][ T6478] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.546954][ T6478] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.548836][ T6478] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.550658][ T6478] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.574099][ T6478] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.579075][ T13] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.581405][ T13] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.588160][ T6478] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.592344][ T13] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.594257][ T13] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.604549][ T13] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.606435][ T13] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.652607][ T6478] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 58.794002][ T6478] veth0_vlan: entered promiscuous mode
[ 58.797290][ T6478] veth1_vlan: entered promiscuous mode
[ 58.805304][ T6478] veth0_macvtap: entered promiscuous mode
[ 58.808030][ T6478] veth1_macvtap: entered promiscuous mode
[ 58.812929][ T6478] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 58.816774][ T6478] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 58.819924][ T6478] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.822355][ T6478] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.824638][ T6478] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 58.826870][ T6478] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 59.181587][ T6504] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 59.183994][ T6504] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 59.186180][ T6504] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 59.188548][ T6504] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 59.190979][ T6504] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 59.193973][ T6504] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 59.553232][ T257] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 59.653590][ T257] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
1970/01/01 00:00:59 executed programs: 0
[ 59.716294][ T5990] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 59.718426][ T5990] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 59.720378][ T5990] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 59.722847][ T5990] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 59.725079][ T5990] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 59.727126][ T5990] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 59.742863][ T257] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 59.781899][ T6514] chnl_net:caif_netlink_parms(): no params data found
[ 59.799281][ T6514] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.801138][ T6514] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.803268][ T6514] bridge_slave_0: entered allmulticast mode
[ 59.805074][ T6514] bridge_slave_0: entered promiscuous mode
[ 59.807421][ T6514] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.809257][ T6514] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.811156][ T6514] bridge_slave_1: entered allmulticast mode
[ 59.813176][ T6514] bridge_slave_1: entered promiscuous mode
[ 59.820939][ T6514] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 59.824994][ T6514] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 59.833658][ T6514] team0: Port device team_slave_0 added
[ 59.835905][ T6514] team0: Port device team_slave_1 added
[ 59.843368][ T6514] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 59.845253][ T6514] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.852280][ T6514] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 59.856347][ T6514] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 59.858065][ T6514] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.864869][ T6514] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 59.877687][ T6514] hsr_slave_0: entered promiscuous mode
[ 59.879458][ T6514] hsr_slave_1: entered promiscuous mode
[ 59.881038][ T6514] debugfs: Directory 'hsr0' with parent 'hsr' already present!
[ 59.883460][ T6514] Cannot create hsr debugfs directory
[ 61.232999][ T257] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 61.761844][ T6504] Bluetooth: hci0: command tx timeout
[ 62.710778][ T257] bridge_slave_1: left allmulticast mode
[ 62.712502][ T257] bridge_slave_1: left promiscuous mode
[ 62.714043][ T257] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.716970][ T257] bridge_slave_0: left allmulticast mode
[ 62.718466][ T257] bridge_slave_0: left promiscuous mode
[ 62.719970][ T257] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.841936][ T6504] Bluetooth: hci0: command tx timeout
[ 64.293085][ T257] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 64.333054][ T257] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 64.392493][ T257] bond0 (unregistering): Released all slaves
[ 64.469913][ T257] hsr_slave_0: left promiscuous mode
[ 64.472182][ T257] hsr_slave_1: left promiscuous mode
[ 64.474029][ T257] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 64.476001][ T257] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 64.478226][ T257] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 64.480195][ T257] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 64.482596][ T2353] ieee802154 phy0 wpan0: encryption failed: -22
[ 64.484280][ T2353] ieee802154 phy1 wpan1: encryption failed: -22
[ 64.486954][ T257] veth1_macvtap: left promiscuous mode
[ 64.488498][ T257] veth0_macvtap: left promiscuous mode
[ 64.489971][ T257] veth1_vlan: left promiscuous mode
[ 64.491353][ T257] veth0_vlan: left promiscuous mode
[ 65.921776][ T6504] Bluetooth: hci0: command tx timeout
[ 66.482380][ T257] team0 (unregistering): Port device team_slave_1 removed
[ 66.683057][ T257] team0 (unregistering): Port device team_slave_0 removed
syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1032201832=/tmp/go-build -gno-record-gcc-switches'
git status (err=<nil>)
HEAD detached at 6e87cfa299
nothing to commit, working tree clean
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=arm64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6e87cfa299c98d36e79e8b8718a4126899a3ba2f -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250120-133027'" "-tags=syz_target syz_os_linux syz_arch_arm64 " -o ./bin/linux_arm64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_arm64
aarch64-linux-gnu-g++ -o ./bin/linux_arm64/syz-executor executor/executor.cc \
-O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_arm64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6e87cfa299c98d36e79e8b8718a4126899a3ba2f\"
/usr/lib/gcc-cross/aarch64-linux-gnu/12/../../../../aarch64-linux-gnu/bin/ld: /tmp/ccpnBTge.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0xd8): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=114d043f980000
Tested on:
commit: a8dfb216 jfs: add index corruption check to DT_GETPAGE()
git tree: https://github.com/kleikamp/linux-shaggy.git jfs-next
kernel config: https://syzkaller.appspot.com/x/.config?x=2ad2ff9db77be525
dashboard link: https://syzkaller.appspot.com/bug?extid=b974bd41515f770c608b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=16b895e4580000
* Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: Aditya Dutt @ 2025-03-22 12:22 UTC (permalink / raw)
To: syzbot+b974bd41515f770c608b
Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git master
diff --git i/fs/jfs/jfs_dtree.c w/fs/jfs/jfs_dtree.c
index 93db6eec4465..de33026d18d2 100644
--- i/fs/jfs/jfs_dtree.c
+++ w/fs/jfs/jfs_dtree.c
@@ -2613,7 +2613,7 @@ void dtInitRoot(tid_t tid, struct inode *ip, u32 idotdot)
* fsck.jfs should really fix this, but it currently does not.
* Called from jfs_readdir when bad index is detected.
*/
-static void add_missing_indices(struct inode *inode, s64 bn)
+static int add_missing_indices(struct inode *inode, s64 bn)
{
struct ldtentry *d;
struct dt_lock *dtlck;
@@ -2622,7 +2622,7 @@ static void add_missing_indices(struct inode *inode, s64 bn)
struct lv *lv;
struct metapage *mp;
dtpage_t *p;
- int rc;
+ int rc = 0;
s8 *stbl;
tid_t tid;
struct tlock *tlck;
@@ -2647,6 +2647,16 @@ static void add_missing_indices(struct inode *inode, s64 bn)
stbl = DT_GETSTBL(p);
for (i = 0; i < p->header.nextindex; i++) {
+ if (stbl[i] < 0) {
+ jfs_err("jfs: add_missing_indices: Invalid stbl[%d] = %d for inode %ld, block = %lld",
+ i, stbl[i], (long)inode->i_ino, (long long)bn);
+ rc = -EIO;
+
+ DT_PUTPAGE(mp);
+ txAbort(tid, 0);
+ goto end;
+ }
+
d = (struct ldtentry *) &p->slot[stbl[i]];
index = le32_to_cpu(d->index);
if ((index < 2) || (index >= JFS_IP(inode)->next_index)) {
@@ -2664,6 +2674,7 @@ static void add_missing_indices(struct inode *inode, s64 bn)
(void) txCommit(tid, 1, &inode, 0);
end:
txEnd(tid);
+ return rc;
}
/*
@@ -3017,7 +3028,10 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
}
if (fix_page) {
- add_missing_indices(ip, bn);
+ if ((rc = add_missing_indices(ip, bn))) {
+ jfs_err("jfs_readdir: add_missing_indices returned %d", rc);
+ goto out;
+ }
page_fixed = 1;
}
* Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: syzbot @ 2025-03-22 12:44 UTC
To: duttaditya18, jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
unregister_netdevice: waiting for DEV to become free
unregister_netdevice: waiting for batadv0 to become free. Usage count = 3
Tested on:
commit: 9388ec57 Add linux-next specific files for 20250321
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=147b043f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b4f3153a0a8b9aaf
dashboard link: https://syzkaller.appspot.com/bug?extid=b974bd41515f770c608b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=1054b004580000
* Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: Aditya Dutt @ 2025-03-22 13:02 UTC
To: syzbot+b974bd41515f770c608b
Cc: jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
#syz test
diff --git i/fs/jfs/jfs_dtree.c w/fs/jfs/jfs_dtree.c
index 93db6eec4465..de33026d18d2 100644
--- i/fs/jfs/jfs_dtree.c
+++ w/fs/jfs/jfs_dtree.c
@@ -2613,7 +2613,7 @@ void dtInitRoot(tid_t tid, struct inode *ip, u32 idotdot)
* fsck.jfs should really fix this, but it currently does not.
* Called from jfs_readdir when bad index is detected.
*/
-static void add_missing_indices(struct inode *inode, s64 bn)
+static int add_missing_indices(struct inode *inode, s64 bn)
{
struct ldtentry *d;
struct dt_lock *dtlck;
@@ -2622,7 +2622,7 @@ static void add_missing_indices(struct inode *inode, s64 bn)
struct lv *lv;
struct metapage *mp;
dtpage_t *p;
- int rc;
+ int rc = 0;
s8 *stbl;
tid_t tid;
struct tlock *tlck;
@@ -2647,6 +2647,16 @@ static void add_missing_indices(struct inode *inode, s64 bn)
stbl = DT_GETSTBL(p);
for (i = 0; i < p->header.nextindex; i++) {
+ if (stbl[i] < 0) {
+ jfs_err("jfs: add_missing_indices: Invalid stbl[%d] = %d for inode %ld, block = %lld",
+ i, stbl[i], (long)inode->i_ino, (long long)bn);
+ rc = -EIO;
+
+ DT_PUTPAGE(mp);
+ txAbort(tid, 0);
+ goto end;
+ }
+
d = (struct ldtentry *) &p->slot[stbl[i]];
index = le32_to_cpu(d->index);
if ((index < 2) || (index >= JFS_IP(inode)->next_index)) {
@@ -2664,6 +2674,7 @@ static void add_missing_indices(struct inode *inode, s64 bn)
(void) txCommit(tid, 1, &inode, 0);
end:
txEnd(tid);
+ return rc;
}
/*
@@ -3017,7 +3028,10 @@ int jfs_readdir(struct file *file, struct dir_context *ctx)
}
if (fix_page) {
- add_missing_indices(ip, bn);
+ if ((rc = add_missing_indices(ip, bn))) {
+ jfs_err("jfs_readdir: add_missing_indices returned %d", rc);
+ goto out;
+ }
page_fixed = 1;
}
* Re: [syzbot] [jfs?] UBSAN: array-index-out-of-bounds in add_missing_indices
From: syzbot @ 2025-03-22 13:36 UTC
To: duttaditya18, jfs-discussion, linux-kernel, shaggy, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: unable to handle kernel paging request in lmLogSync
Unable to handle kernel paging request at virtual address dfff800000000006
KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
Mem abort info:
ESR = 0x0000000096000005
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x05: level 1 translation fault
Data abort info:
ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
CM = 0, WnR = 0, TnD = 0, TagAccess = 0
GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[dfff800000000006] address between user and kernel address ranges
Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 102 Comm: jfsCommit Not tainted 6.14.0-rc7-syzkaller-ga2392f333575-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : write_special_inodes fs/jfs/jfs_logmgr.c:207 [inline]
pc : lmLogSync+0xec/0x978 fs/jfs/jfs_logmgr.c:935
lr : lmLogSync+0xa4/0x978 fs/jfs/jfs_logmgr.c:934
sp : ffff80009ba17aa0
x29: ffff80009ba17b70 x28: ffff80009b359000 x27: dfff800000000000
x26: dfff800000000000 x25: ffff80009ba17ac0 x24: 1ffff0001202ba48
x23: 0000000000000002 x22: 0000000000000006 x21: 0000000000000030
x20: ffff0000edad3838 x19: ffff0000e80de000 x18: 1fffe000366f8886
x17: ffff80008fb6d000 x16: ffff80008b74b408 x15: ffff700013742f60
x14: 1ffff00013742f5d x13: 0000000000000004 x12: ffffffffffffffff
x11: ffff700013742f60 x10: 0000000000ff0100 x9 : 0000000000000000
x8 : 0000000000000006 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000001 x4 : 0000000000000004 x3 : 0000000000000010
x2 : 0000000000000004 x1 : 0000000000000001 x0 : 0000000000000000
Call trace:
write_special_inodes fs/jfs/jfs_logmgr.c:207 [inline] (P)
lmLogSync+0xec/0x978 fs/jfs/jfs_logmgr.c:935 (P)
jfs_syncpt+0x74/0x98 fs/jfs/jfs_logmgr.c:1041
txEnd+0x2ec/0x558 fs/jfs/jfs_txnmgr.c:549
txLazyCommit fs/jfs/jfs_txnmgr.c:2684 [inline]
jfs_lazycommit+0x4e0/0x9a8 fs/jfs/jfs_txnmgr.c:2733
kthread+0x65c/0x7b0 kernel/kthread.c:464
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862
Code: 97bd83a8 f94002a8 9100c115 d343fea8 (387b6908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: 97bd83a8 bl 0xfffffffffef60ea0
4: f94002a8 ldr x8, [x21]
8: 9100c115 add x21, x8, #0x30
c: d343fea8 lsr x8, x21, #3
* 10: 387b6908 ldrb w8, [x8, x27] <-- trapping instruction
Tested on:
commit: a2392f33 drm/panthor: Clean up FW version information ..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-kernelci
console output: https://syzkaller.appspot.com/x/log.txt?x=12ae95e4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5f4c5deae8cc60fe
dashboard link: https://syzkaller.appspot.com/bug?extid=b974bd41515f770c608b
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
patch: https://syzkaller.appspot.com/x/patch.diff?x=11c7043f980000
* Re: [syzbot] Test if it's still reproducible
From: syzbot @ 2025-04-15 17:47 UTC
To: linux-kernel, syzkaller-bugs
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: Test if it's still reproducible
Author: duttaditya18@gmail.com
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git linux-5.15.y
diff --git a/fs/jfs/jfs_dinode.h b/fs/jfs/jfs_dinode.h
index 5fa9fd594115..e630810a48c6 100644
--- a/fs/jfs/jfs_dinode.h
+++ b/fs/jfs/jfs_dinode.h
@@ -96,7 +96,7 @@ struct dinode {
#define di_gengen u._file._u1._imap._gengen
union {
- xtpage_t _xtroot;
+ xtroot_t _xtroot;
struct {
u8 unused[16]; /* 16: */
dxd_t _dxd; /* 16: */
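Review bot: this changes the declared type of a member of the on-disk dinode, so the commit message should state explicitly that the layout is unchanged: the jfs_xtree.h hunk shows the old xtpage_t already sized its xad array with XTROOTMAXSLOT, so xtroot_t occupies exactly the bytes the union reserved before (the 288 bytes the jfs_incore.h comment records). A BUILD_BUG_ON on sizeof(xtroot_t) against that value would turn the assumption into a compile-time check.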
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index 937ca07b58b1..5a360cd54098 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -671,7 +671,7 @@ int diWrite(tid_t tid, struct inode *ip)
* This is the special xtree inside the directory for storing
* the directory table
*/
- xtpage_t *p, *xp;
+ xtroot_t *p, *xp;
xad_t *xad;
jfs_ip->xtlid = 0;
@@ -685,7 +685,7 @@ int diWrite(tid_t tid, struct inode *ip)
* copy xtree root from inode to dinode:
*/
p = &jfs_ip->i_xtroot;
- xp = (xtpage_t *) &dp->di_dirtable;
+ xp = (xtroot_t *) &dp->di_dirtable;
lv = ilinelock->lv;
for (n = 0; n < ilinelock->index; n++, lv++) {
memcpy(&xp->xad[lv->offset], &p->xad[lv->offset],
@@ -714,7 +714,7 @@ int diWrite(tid_t tid, struct inode *ip)
* regular file: 16 byte (XAD slot) granularity
*/
if (type & tlckXTREE) {
- xtpage_t *p, *xp;
+ xtroot_t *p, *xp;
xad_t *xad;
/*
diff --git a/fs/jfs/jfs_incore.h b/fs/jfs/jfs_incore.h
index a466ec41cfbb..852f4c1f2946 100644
--- a/fs/jfs/jfs_incore.h
+++ b/fs/jfs/jfs_incore.h
@@ -66,7 +66,7 @@ struct jfs_inode_info {
lid_t xtlid; /* lid of xtree lock on directory */
union {
struct {
- xtpage_t _xtroot; /* 288: xtree root */
+ xtroot_t _xtroot; /* 288: xtree root */
struct inomap *_imap; /* 4: inode map header */
} file;
struct {
diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index dca8edd2378c..7d19324f5a83 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -778,7 +778,7 @@ struct tlock *txLock(tid_t tid, struct inode *ip, struct metapage * mp,
if (mp->xflag & COMMIT_PAGE)
p = (xtpage_t *) mp->data;
else
- p = &jfs_ip->i_xtroot;
+ p = (xtpage_t *) &jfs_ip->i_xtroot;
xtlck->lwm.offset =
le16_to_cpu(p->header.nextindex);
}
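Review bot: the cast `(xtpage_t *) &jfs_ip->i_xtroot` reintroduces exactly the aliasing the new xtroot_t type is meant to remove, since it lets p be indexed as a full-size page. It is safe here only because the lines that follow read just `p->header.nextindex`, which both types share through struct xtheader; either a one-line comment saying so, or reading the header through a `struct xtheader *` rather than a page pointer, would stop the next reader from taking the cast as licence to touch p->xad[].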
@@ -1708,7 +1708,7 @@ static void xtLog(struct jfs_log * log, struct tblock * tblk, struct lrd * lrd,
if (tlck->type & tlckBTROOT) {
lrd->log.redopage.type |= cpu_to_le16(LOG_BTROOT);
- p = &JFS_IP(ip)->i_xtroot;
+ p = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
if (S_ISDIR(ip->i_mode))
lrd->log.redopage.type |=
cpu_to_le16(LOG_DIR_XTREE);
diff --git a/fs/jfs/jfs_xtree.c b/fs/jfs/jfs_xtree.c
index 3148e9b35f3b..34db519933b4 100644
--- a/fs/jfs/jfs_xtree.c
+++ b/fs/jfs/jfs_xtree.c
@@ -1224,7 +1224,7 @@ xtSplitRoot(tid_t tid,
struct xtlock *xtlck;
int rc;
- sp = &JFS_IP(ip)->i_xtroot;
+ sp = (xtpage_t *) &JFS_IP(ip)->i_xtroot;
INCREMENT(xtStat.split);
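Review bot: in xtSplitRoot the same cast turns the in-inode root back into an xtpage_t for the rest of the function, so any access to sp->xad[] beyond XTROOTMAXSLOT would read past the root into the surrounding jfs_inode_info without the compiler or UBSAN being able to see it. If the split only walks root entries up to header.nextindex, a comment stating that bound is the minimum; keeping sp typed as xtroot_t and copying from sp->xad explicitly would let the type enforce it.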
@@ -3059,7 +3059,7 @@ static int xtRelink(tid_t tid, struct inode *ip, xtpage_t * p)
*/
void xtInitRoot(tid_t tid, struct inode *ip)
{
- xtpage_t *p;
+ xtroot_t *p;
/*
* acquire a transaction lock on the root
diff --git a/fs/jfs/jfs_xtree.h b/fs/jfs/jfs_xtree.h
index 5f51be8596b3..dc9b5f8d6385 100644
--- a/fs/jfs/jfs_xtree.h
+++ b/fs/jfs/jfs_xtree.h
@@ -65,24 +65,33 @@ struct xadlist {
#define XTPAGEMAXSLOT 256
#define XTENTRYSTART 2
-/*
- * xtree page:
- */
-typedef union {
- struct xtheader {
- __le64 next; /* 8: */
- __le64 prev; /* 8: */
+struct xtheader {
+ __le64 next; /* 8: */
+ __le64 prev; /* 8: */
- u8 flag; /* 1: */
- u8 rsrvd1; /* 1: */
- __le16 nextindex; /* 2: next index = number of entries */
- __le16 maxentry; /* 2: max number of entries */
- __le16 rsrvd2; /* 2: */
+ u8 flag; /* 1: */
+ u8 rsrvd1; /* 1: */
+ __le16 nextindex; /* 2: next index = number of entries */
+ __le16 maxentry; /* 2: max number of entries */
+ __le16 rsrvd2; /* 2: */
- pxd_t self; /* 8: self */
- } header; /* (32) */
+ pxd_t self; /* 8: self */
+};
+/*
+ * xtree root (in inode):
+ */
+typedef union {
+ struct xtheader header;
xad_t xad[XTROOTMAXSLOT]; /* 16 * maxentry: xad array */
+} xtroot_t;
+
+/*
+ * xtree page:
+ */
+typedef union {
+ struct xtheader header;
+ xad_t xad[XTPAGEMAXSLOT]; /* 16 * maxentry: xad array */
} xtpage_t;
/*
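Review bot: with xad[XTPAGEMAXSLOT] in xtpage_t, sizeof(xtpage_t) grows from the root size to a full page (256 entries of 16 bytes, per the define and comments in this hunk), so any remaining sizeof(xtpage_t), stack allocation, or memcpy of a whole xtpage_t elsewhere in fs/jfs now moves 4096 bytes rather than 288; worth a grep before merging. Hoisting struct xtheader out of the union is the right move, but the dropped "(32)" size annotation on `header` was useful documentation and could be kept on the struct definition.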