syzbot

erofs: (device loop0): z_erofs_extent_lookback: bogus lookback distance @ nid 36
erofs: (device loop0): z_erofs_readahead: readahead error at page 46 @ nid 36
attempt to access beyond end of device
loop0: rw=524288, want=32, limit=16
erofs: (device loop0): z_erofs_lz4_decompress: failed to decompress -29 in[58, 4038] out[3537]
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in hex_dump_to_buffer+0x3c0/0xd50 lib/hexdump.c:193
Read of size 1 at addr ffffc90000e47000 by task syz-executor301/4166

CPU: 1 PID: 4166 Comm: syz-executor301 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 print_address_description+0x60/0x2d0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0xdf/0x130 mm/kasan/report.c:451
 hex_dump_to_buffer+0x3c0/0xd50 lib/hexdump.c:193
 print_hex_dump+0x136/0x260 lib/hexdump.c:276
 z_erofs_lz4_decompress+0xc7f/0x1180 fs/erofs/decompressor.c:243
 z_erofs_decompress_generic fs/erofs/decompressor.c:332 [inline]
 z_erofs_decompress+0x767/0xde0 fs/erofs/decompressor.c:410
 z_erofs_decompress_pcluster fs/erofs/zdata.c:980 [inline]
 z_erofs_decompress_queue+0x11a6/0x1990 fs/erofs/zdata.c:1058
 z_erofs_runqueue+0x164c/0x1890 fs/erofs/zdata.c:1370
 z_erofs_readahead+0xb81/0x10c0 fs/erofs/zdata.c:1459
 read_pages+0x165/0x920 mm/readahead.c:130
 page_cache_ra_unbounded+0x830/0x930 mm/readahead.c:239
 do_page_cache_ra mm/readahead.c:269 [inline]
 force_page_cache_ra+0x3e5/0x440 mm/readahead.c:301
 force_page_cache_readahead mm/internal.h:78 [inline]
 generic_fadvise+0x520/0x7d0 mm/fadvise.c:107
 vfs_fadvise mm/fadvise.c:186 [inline]
 ksys_fadvise64_64 mm/fadvise.c:200 [inline]
 __do_sys_fadvise64 mm/fadvise.c:215 [inline]
 __se_sys_fadvise64 mm/fadvise.c:213 [inline]
 __x64_sys_fadvise64+0x139/0x180 mm/fadvise.c:213
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fec7c8406b9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 61 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd721e6068 EFLAGS: 00000246 ORIG_RAX: 00000000000000dd
RAX: ffffffffffffffda RBX: 00007ffd721e6238 RCX: 00007fec7c8406b9
RDX: 0000000000020000 RSI: 000000000000fcff RDI: 0000000000000004
RBP: 00007fec7c8b3610 R08: 0000000000000000 R09: 00007ffd721e6238
R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd721e6228 R14: 0000000000000001 R15: 0000000000000001
 </TASK>


Memory state around the buggy address:
 ffffc90000e46f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffc90000e46f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc90000e47000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffc90000e47080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90000e47100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================