syzbot

loop0: rw=524288, sector=720, nr_sectors = 16 limit=16
syz.0.17: attempt to access beyond end of device
loop0: rw=524288, sector=525144, nr_sectors = 16 limit=16
syz.0.17: attempt to access beyond end of device
loop0: rw=524288, sector=16, nr_sectors = 8 limit=16
syz.0.17: attempt to access beyond end of device
loop0: rw=524288, sector=13716630376, nr_sectors = 8 limit=16
==================================================================
BUG: KASAN: slab-use-after-free in memcpy_to_page include/linux/highmem.h:427 [inline]
BUG: KASAN: slab-use-after-free in z_erofs_transform_plain+0x38c/0x460 fs/erofs/decompressor.c:346
Read of size 4095 at addr ffff88807745f400 by task syz.0.17/5950

CPU: 1 PID: 5950 Comm: syz.0.17 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xac/0x220 mm/kasan/report.c:468
 kasan_report+0x117/0x150 mm/kasan/report.c:581
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x288/0x290 mm/kasan/generic.c:187
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 memcpy_to_page include/linux/highmem.h:427 [inline]
 z_erofs_transform_plain+0x38c/0x460 fs/erofs/decompressor.c:346
 z_erofs_decompress_pcluster fs/erofs/zdata.c:1296 [inline]
 z_erofs_decompress_queue+0x16fb/0x2660 fs/erofs/zdata.c:1377
 z_erofs_runqueue+0x18a3/0x19d0 fs/erofs/zdata.c:1774
 z_erofs_readahead+0xa7c/0xd50 fs/erofs/zdata.c:1903
 read_pages+0x177/0x840 mm/readahead.c:160
 page_cache_ra_unbounded+0x692/0x770 mm/readahead.c:269
 do_page_cache_ra mm/readahead.c:299 [inline]
 force_page_cache_ra+0x2c1/0x320 mm/readahead.c:330
 force_page_cache_readahead mm/internal.h:175 [inline]
 generic_fadvise+0x44f/0x730 mm/fadvise.c:106
 vfs_fadvise mm/fadvise.c:185 [inline]
 ksys_fadvise64_64 mm/fadvise.c:199 [inline]
 __do_sys_fadvise64 mm/fadvise.c:214 [inline]
 __se_sys_fadvise64 mm/fadvise.c:212 [inline]
 __x64_sys_fadvise64+0x140/0x180 mm/fadvise.c:212
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f0bc958efc9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f0bca4c2038 EFLAGS: 00000246 ORIG_RAX: 00000000000000dd
RAX: ffffffffffffffda RBX: 00007f0bc97e5fa0 RCX: 00007f0bc958efc9
RDX: 000000000000ff39 RSI: 000000000000aa17 RDI: 0000000000000004
RBP: 00007f0bc9611f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0bc97e6038 R14: 00007f0bc97e5fa0 R15: 00007ffd4c23b398
 </TASK>

The buggy address belongs to the physical page:
page:ffffea0001dd17c0 refcount:3 mapcount:0 mapping:ffff8880615087c8 index:0x1 pfn:0x7745f
memcg:ffff88807b794000
aops:z_erofs_cache_aops ino:0
flags: 0xfff00000008008(uptodate|private|node=0|zone=1|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 00fff00000008008 0000000000000000 dead000000000122 ffff8880615087c8
raw: 0000000000000001 ffff888074320000 00000003ffffffff ffff88807b794000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x192840(GFP_NOWAIT|__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5951, tgid 5949 (syz.0.17), ts 92296075355, free_ts 92285233963
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554
 prep_new_page mm/page_alloc.c:1561 [inline]
 get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191
 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457
 z_erofs_bind_cache fs/erofs/zdata.c:605 [inline]
 z_erofs_pcluster_begin fs/erofs/zdata.c:889 [inline]
 z_erofs_do_read_page+0x20c0/0x3680 fs/erofs/zdata.c:1024
 z_erofs_read_folio+0x213/0x540 fs/erofs/zdata.c:1854
 filemap_read_folio+0x167/0x760 mm/filemap.c:2420
 do_read_cache_folio+0x470/0x7e0 mm/filemap.c:3789
 erofs_bread+0x16f/0x630 fs/erofs/data.c:48
 erofs_find_target_block fs/erofs/namei.c:103 [inline]
 erofs_namei+0x28c/0xf00 fs/erofs/namei.c:177
 erofs_lookup+0x135/0x310 fs/erofs/namei.c:206
 lookup_open fs/namei.c:3474 [inline]
 open_last_lookups fs/namei.c:3564 [inline]
 path_openat+0x10b8/0x3190 fs/namei.c:3794
 do_filp_open+0x1c5/0x3d0 fs/namei.c:3824
 do_sys_openat2+0x12c/0x1c0 fs/open.c:1419
 do_sys_open fs/open.c:1434 [inline]
 __do_sys_openat fs/open.c:1450 [inline]
 __se_sys_openat fs/open.c:1445 [inline]
 __x64_sys_openat+0x139/0x160 fs/open.c:1445
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x55/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1154 [inline]
 free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336
 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429
 discard_slab mm/slub.c:2127 [inline]
 __unfreeze_partials+0x1cf/0x210 mm/slub.c:2667
 put_cpu_partial+0x17c/0x250 mm/slub.c:2743
 __slab_free+0x31d/0x410 mm/slub.c:3700
 qlink_free mm/kasan/quarantine.c:166 [inline]
 qlist_free_all+0x75/0xe0 mm/kasan/quarantine.c:185
 kasan_quarantine_reduce+0x143/0x160 mm/kasan/quarantine.c:292
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:305
 kasan_slab_alloc include/linux/kasan.h:188 [inline]
 slab_post_alloc_hook+0x6e/0x4d0 mm/slab.h:767
 slab_alloc_node mm/slub.c:3495 [inline]
 kmem_cache_alloc_node+0x150/0x330 mm/slub.c:3540
 __alloc_skb+0x108/0x2c0 net/core/skbuff.c:640
 alloc_skb include/linux/skbuff.h:1284 [inline]
 nlmsg_new include/net/netlink.h:1010 [inline]
 inet_netconf_notify_devconf+0x173/0x230 net/ipv4/devinet.c:2149
 __devinet_sysctl_unregister net/ipv4/devinet.c:2660 [inline]
 devinet_sysctl_unregister net/ipv4/devinet.c:2684 [inline]
 inetdev_destroy net/ipv4/devinet.c:330 [inline]
 inetdev_event+0x789/0x15c0 net/ipv4/devinet.c:1636
 notifier_call_chain+0x197/0x390 kernel/notifier.c:93
 call_netdevice_notifiers_extack net/core/dev.c:2064 [inline]
 call_netdevice_notifiers net/core/dev.c:2078 [inline]
 unregister_netdevice_many_notify+0xf36/0x1810 net/core/dev.c:11086
 ip6gre_exit_batch_net+0x449/0x490 net/ipv6/ip6_gre.c:1647

Memory state around the buggy address:
 ffff88807745ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88807745ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888077460000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888077460080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
 ffff888077460100: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
==================================================================