==================================================================
BUG: KASAN: use-after-free in get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
Read of size 2 at addr ffff8880ac5f4000 by task kworker/u5:0/46

CPU: 1 PID: 46 Comm: kworker/u5:0 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
 LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
 LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
 LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
 z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:220 [inline]
 z_erofs_lz4_decompress+0x78c/0x1400 fs/erofs/decompressor.c:288
 z_erofs_decompress_pcluster.isra.0+0x1301/0x2250 fs/erofs/zdata.c:965
 z_erofs_decompress_queue fs/erofs/zdata.c:1043 [inline]
 z_erofs_decompressqueue_work+0xe1/0x170 fs/erofs/zdata.c:1054
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the page:
page:ffffea0002b17d00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0xac5f4
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00029d4ec8 ffffea0002b40808 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100cca(GFP_HIGHUSER_MOVABLE), pid 20589, ts 1409263712765, free_ts 1409266288765
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages_vma+0xf3/0x7d0 mm/mempolicy.c:2152
 shmem_alloc_page+0x11f/0x1f0 mm/shmem.c:1579
 shmem_alloc_and_acct_page+0x161/0x8c0 mm/shmem.c:1604
 shmem_getpage_gfp+0x643/0x22d0 mm/shmem.c:1902
 shmem_getpage mm/shmem.c:150 [inline]
 shmem_write_begin+0xff/0x1e0 mm/shmem.c:2470
 generic_perform_write+0x205/0x510 mm/filemap.c:3756
 __generic_file_write_iter+0x1c7/0x510 mm/filemap.c:3883
 generic_file_write_iter+0xd7/0x220 mm/filemap.c:3915
 call_write_iter include/linux/fs.h:2162 [inline]
 new_sync_write+0x429/0x660 fs/read_write.c:503
 vfs_write+0x7cd/0xae0 fs/read_write.c:590
 ksys_pwrite64 fs/read_write.c:697 [inline]
 __do_sys_pwrite64 fs/read_write.c:707 [inline]
 __se_sys_pwrite64 fs/read_write.c:704 [inline]
 __x64_sys_pwrite64+0x1fd/0x250 fs/read_write.c:704
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3425
 release_pages+0x3f4/0x1480 mm/swap.c:980
 __pagevec_release+0x77/0x100 mm/swap.c:1000
 pagevec_release include/linux/pagevec.h:81 [inline]
 shmem_undo_range+0x749/0x16d0 mm/shmem.c:957
 shmem_truncate_range mm/shmem.c:1056 [inline]
 shmem_evict_inode+0x3a4/0xbd0 mm/shmem.c:1138
 evict+0x2ed/0x6b0 fs/inode.c:590
 iput_final fs/inode.c:1670 [inline]
 iput.part.0+0x539/0x850 fs/inode.c:1696
 iput+0x58/0x70 fs/inode.c:1686
 dentry_unlink_inode+0x2b1/0x460 fs/dcache.c:376
 __dentry_kill+0x3c0/0x640 fs/dcache.c:582
 dentry_kill fs/dcache.c:708 [inline]
 dput+0x738/0xbc0 fs/dcache.c:888
 __fput+0x3ab/0x9f0 fs/file_table.c:293
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300

Memory state around the buggy address:
 ffff8880ac5f3f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880ac5f3f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880ac5f4000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880ac5f4080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880ac5f4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================