==================================================================
BUG: KASAN: use-after-free in get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
Read of size 2 at addr ffff88805f152000 by task kworker/u5:0/32137

CPU: 0 PID: 32137 Comm: kworker/u5:0 Not tainted 5.15.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
 LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
 LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
 LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
 z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:220 [inline]
 z_erofs_lz4_decompress+0x78c/0x1400 fs/erofs/decompressor.c:288
 z_erofs_decompress_pcluster.isra.0+0x1301/0x2250 fs/erofs/zdata.c:975
 z_erofs_decompress_queue fs/erofs/zdata.c:1053 [inline]
 z_erofs_decompressqueue_work+0xe1/0x170 fs/erofs/zdata.c:1064
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the page:
page:ffffea00017c5480 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x5f152
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001a40888 ffffea0002165ac8 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 2970, ts 2813896816181, free_ts 3367270129786
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages_vma+0xf3/0x7d0 mm/mempolicy.c:2152
 do_anonymous_page mm/memory.c:3760 [inline]
 handle_pte_fault mm/memory.c:4549 [inline]
 __handle_mm_fault+0x1d61/0x5120 mm/memory.c:4686
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4784
 do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397
 handle_page_fault arch/x86/mm/fault.c:1485 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1541
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3425
 release_pages+0x3f4/0x1480 mm/swap.c:979
 __pagevec_lru_add+0x8b3/0xf20 mm/swap.c:1074
 folio_add_lru+0x467/0x6a0 mm/swap.c:468
 collapse_huge_page mm/khugepaged.c:1203 [inline]
 khugepaged_scan_pmd mm/khugepaged.c:1370 [inline]
 khugepaged_scan_mm_slot mm/khugepaged.c:2157 [inline]
 khugepaged_do_scan mm/khugepaged.c:2238 [inline]
 khugepaged+0x46a8/0x5390 mm/khugepaged.c:2283
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff88805f151f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88805f151f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88805f152000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff88805f152080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88805f152100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================