==================================================================
BUG: KASAN: use-after-free in get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
BUG: KASAN: use-after-free in LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
BUG: KASAN: use-after-free in LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
Read of size 2 at addr ffff8880641b5000 by task kworker/u5:1/6565

CPU: 1 PID: 6565 Comm: kworker/u5:1 Not tainted 5.15.0-rc6-next-20211025-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: erofs_unzipd z_erofs_decompressqueue_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
 get_unaligned_le16 include/asm-generic/unaligned.h:27 [inline]
 LZ4_readLE16 lib/lz4/lz4defs.h:132 [inline]
 LZ4_decompress_generic lib/lz4/lz4_decompress.c:285 [inline]
 LZ4_decompress_safe_partial+0x102a/0x11a0 lib/lz4/lz4_decompress.c:469
 z_erofs_lz4_decompress_mem fs/erofs/decompressor.c:220 [inline]
 z_erofs_lz4_decompress+0x78c/0x1400 fs/erofs/decompressor.c:289
 z_erofs_decompress_pcluster.isra.0+0x1301/0x2250 fs/erofs/zdata.c:975
 z_erofs_decompress_queue fs/erofs/zdata.c:1053 [inline]
 z_erofs_decompressqueue_work+0xe1/0x170 fs/erofs/zdata.c:1064
 process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
 worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

The buggy address belongs to the page:
page:ffffea0001906d40 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x641b5
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea00018fdd88 ffffea0001906e48 0000000000000000
raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 0, migratetype Movable, gfp_mask 0x1100dca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), pid 6537, ts 138985931572, free_ts 287477674508
 prep_new_page mm/page_alloc.c:2418 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
 alloc_pages_vma+0xf3/0x7d0 mm/mempolicy.c:2152
 wp_page_copy+0xec6/0x2280 mm/memory.c:2984
 do_wp_page+0x2cb/0x1ae0 mm/memory.c:3299
 handle_pte_fault mm/memory.c:4569 [inline]
 __handle_mm_fault+0x1f40/0x5120 mm/memory.c:4686
 handle_mm_fault+0x1c8/0x790 mm/memory.c:4784
 do_user_addr_fault+0x489/0x11c0 arch/x86/mm/fault.c:1397
 handle_page_fault arch/x86/mm/fault.c:1485 [inline]
 exc_page_fault+0x9e/0x180 arch/x86/mm/fault.c:1541
 asm_exc_page_fault+0x1e/0x30 arch/x86/include/asm/idtentry.h:568
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1338 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
 free_unref_page_prepare mm/page_alloc.c:3309 [inline]
 free_unref_page_list+0x1a9/0xfa0 mm/page_alloc.c:3425
 release_pages+0x3f4/0x1480 mm/swap.c:979
 __pagevec_lru_add+0x8b3/0xf20 mm/swap.c:1074
 folio_add_lru+0x467/0x6a0 mm/swap.c:468
 putback_lru_page+0x14/0x220 mm/vmscan.c:1326
 __collapse_huge_page_copy mm/khugepaged.c:767 [inline]
 collapse_huge_page mm/khugepaged.c:1182 [inline]
 khugepaged_scan_pmd mm/khugepaged.c:1367 [inline]
 khugepaged_scan_mm_slot mm/khugepaged.c:2149 [inline]
 khugepaged_do_scan mm/khugepaged.c:2230 [inline]
 khugepaged+0x428e/0x5390 mm/khugepaged.c:2275
 kthread+0x405/0x4f0 kernel/kthread.c:327
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Memory state around the buggy address:
 ffff8880641b4f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880641b4f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880641b5000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8880641b5080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8880641b5100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================