==================================================================
BUG: KASAN: use-after-free in get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
Read of size 2 at addr ffff88809fc13000 by task kworker/u5:3/12316

CPU: 0 PID: 12316 Comm: kworker/u5:3 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
 LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
 LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
 LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
 z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:220 [inline]
 z_erofs_lz4_decompress+0x78c/0x1400 fs/erofs/decompressor.c:288
 z_erofs_decompress_pcluster.isra.0+0x1322/0x2250 fs/erofs/zdata.c:975
 z_erofs_decompress_queue fs/erofs/zdata.c:1053 [inline]
 z_erofs_decompressqueue_work+0xe1/0x170 fs/erofs/zdata.c:1064
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the page:
page:ffffea00027f04c0 refcount:1 mapcount:1 mapping:0000000000000000 index:0x7f9794f1c pfn:0x9fc13
memcg:ffff88814076c000
anon flags: 0xfff00000080014(uptodate|lru|swapbacked|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000080014 ffffea00029bcc88 ffffea00029bcc48 ffff88808ef89401
raw: 00000007f9794f1c 0000000000000000 0000000100000000 ffff88814076c000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 7577, ts 1168162892854, free_ts 1168159391033
 prep_new_page mm/page_alloc.c:2426 [inline]
 get_page_from_freelist+0xa72/0x2f80 mm/page_alloc.c:4155
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5381
 alloc_pages_vma+0xf3/0x7d0 mm/mempolicy.c:2152
 wp_page_copy+0x1be/0x2450 mm/memory.c:3003
 do_wp_page+0x2cb/0x1ae0 mm/memory.c:3313
 handle_pte_fault mm/memory.c:4588 [inline]
 __handle_mm_fault+0x1f12/0x5280 mm/memory.c:4705
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4803
 do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397
 handle_page_fault arch/x86/mm/fault.c:1485 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1541
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1340 [inline]
 free_pcp_prepare+0x326/0x810 mm/page_alloc.c:1391
 free_unref_page_prepare mm/page_alloc.c:3317 [inline]
 free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3433
 release_pages+0x3f4/0x1480 mm/swap.c:970
 __pagevec_release+0x77/0x100 mm/swap.c:990
 pagevec_release include/linux/pagevec.h:81 [inline]
 shmem_undo_range+0x76e/0x17a0 mm/shmem.c:958
 shmem_truncate_range mm/shmem.c:1057 [inline]
 shmem_evict_inode+0x3a4/0xbd0 mm/shmem.c:1139
 evict+0x2ed/0x6b0 fs/inode.c:588
 iput_final fs/inode.c:1664 [inline]
 iput.part.0+0x539/0x850 fs/inode.c:1690
 iput+0x58/0x70 fs/inode.c:1680
 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:376
 __dentry_kill+0x3c0/0x640 fs/dcache.c:582
 dentry_kill fs/dcache.c:720 [inline]
 dput+0x669/0xbc0 fs/dcache.c:888
 do_renameat2+0xb6b/0xc80 fs/namei.c:4779
 __do_sys_rename fs/namei.c:4823 [inline]
 __se_sys_rename fs/namei.c:4821 [inline]
 __x64_sys_rename+0x7d/0xa0 fs/namei.c:4821
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff88809fc12f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809fc12f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88809fc13000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff88809fc13080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88809fc13100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================