syzbot

loop0: rw=524288, want=32, limit=16
erofs: (device loop0): z_erofs_lz4_decompress: failed to decompress -29 in[58, 4038] out[3537]
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in hex_dump_to_buffer+0x5dc/0x984 lib/hexdump.c:193
Read of size 1 at addr ffff80001bdff000 by task syz-executor148/4023

CPU: 0 PID: 4023 Comm: syz-executor148 Not tainted 5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call trace:
 dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
 __kasan_report mm/kasan/report.c:434 [inline]
 kasan_report+0x174/0x1e4 mm/kasan/report.c:451
 __asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
 hex_dump_to_buffer+0x5dc/0x984 lib/hexdump.c:193
 print_hex_dump+0x140/0x248 lib/hexdump.c:276
 z_erofs_lz4_decompress+0x7a0/0xf28 fs/erofs/decompressor.c:243
 z_erofs_decompress_generic fs/erofs/decompressor.c:332 [inline]
 z_erofs_decompress+0x720/0xeec fs/erofs/decompressor.c:410
 z_erofs_decompress_pcluster fs/erofs/zdata.c:980 [inline]
 z_erofs_decompress_queue+0x1158/0x1bc0 fs/erofs/zdata.c:1058
 z_erofs_runqueue+0x11d0/0x1474 fs/erofs/zdata.c:1370
 z_erofs_readahead+0x864/0xc98 fs/erofs/zdata.c:1459
 read_pages+0x13c/0x420 mm/readahead.c:130
 page_cache_ra_unbounded+0x534/0x654 mm/readahead.c:239
 do_page_cache_ra mm/readahead.c:269 [inline]
 force_page_cache_ra+0x320/0x388 mm/readahead.c:301
 force_page_cache_readahead mm/internal.h:78 [inline]
 generic_fadvise+0x490/0x750 mm/fadvise.c:107
 vfs_fadvise mm/fadvise.c:186 [inline]
 ksys_fadvise64_64 mm/fadvise.c:200 [inline]
 __do_sys_fadvise64_64 mm/fadvise.c:208 [inline]
 __se_sys_fadvise64_64 mm/fadvise.c:206 [inline]
 __arm64_sys_fadvise64_64+0x12c/0x174 mm/fadvise.c:206
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584


Memory state around the buggy address:
 ffff80001bdfef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff80001bdfef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff80001bdff000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffff80001bdff080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffff80001bdff100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
Unable to handle kernel paging request at virtual address ffff80001bdff000
Mem abort info:
  ESR = 0x0000000096000007
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x07: level 3 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000007
  CM = 0, WnR = 0
swapper pgtable: 4k pages, 48-bit VAs, pgdp=00000001ae196000
[ffff80001bdff000] pgd=100000023ffff003, p4d=100000023ffff003, pud=100000023fffe003, pmd=100000023fff8003, pte=0000000000000000
Internal error: Oops: 0000000096000007 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4023 Comm: syz-executor148 Tainted: G    B             5.15.178-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : hex_dump_to_buffer+0x4d4/0x984 lib/hexdump.c:193
lr : hex_dump_to_buffer+0x5dc/0x984 lib/hexdump.c:193
sp : ffff80001f216a00
x29: ffff80001f216a40 x28: 000000000000000b x27: 0000000000000021
x26: ffff80001f216b1f x25: ffff80001bdff000 x24: 0000000000000022
x23: dfff800000000000 x22: 0000000000000083 x21: 0000000000000021
x20: 0000000000000000 x19: 0000000000000023 x18: 0000000000000005
x17: 0000000000000000 x16: ffff80000824ec08 x15: 00000000ffffffff
x14: ffff0000da3f9b40 x13: 0000000000000001 x12: ffff700002e3a964
x11: 0000000000000003 x10: 0000000000000000 x9 : 0000000000000000
x8 : ffff0000da3f9b40 x7 : 0000000000000000 x6 : 0000000000000001
x5 : ffff80001f216098 x4 : 0000000000000000 x3 : ffff80000819c3f0
x2 : 0000000000000001 x1 : 0000000000000001 x0 : 0000000000000001
Call trace:
 hex_dump_to_buffer+0x4d4/0x984 lib/hexdump.c:193
 print_hex_dump+0x140/0x248 lib/hexdump.c:276
 z_erofs_lz4_decompress+0x7a0/0xf28 fs/erofs/decompressor.c:243
 z_erofs_decompress_generic fs/erofs/decompressor.c:332 [inline]
 z_erofs_decompress+0x720/0xeec fs/erofs/decompressor.c:410
 z_erofs_decompress_pcluster fs/erofs/zdata.c:980 [inline]
 z_erofs_decompress_queue+0x1158/0x1bc0 fs/erofs/zdata.c:1058
 z_erofs_runqueue+0x11d0/0x1474 fs/erofs/zdata.c:1370
 z_erofs_readahead+0x864/0xc98 fs/erofs/zdata.c:1459
 read_pages+0x13c/0x420 mm/readahead.c:130
 page_cache_ra_unbounded+0x534/0x654 mm/readahead.c:239
 do_page_cache_ra mm/readahead.c:269 [inline]
 force_page_cache_ra+0x320/0x388 mm/readahead.c:301
 force_page_cache_readahead mm/internal.h:78 [inline]
 generic_fadvise+0x490/0x750 mm/fadvise.c:107
 vfs_fadvise mm/fadvise.c:186 [inline]
 ksys_fadvise64_64 mm/fadvise.c:200 [inline]
 __do_sys_fadvise64_64 mm/fadvise.c:208 [inline]
 __se_sys_fadvise64_64 mm/fadvise.c:206 [inline]
 __arm64_sys_fadvise64_64+0x12c/0x174 mm/fadvise.c:206
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
 do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
 el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
 el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
 el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Code: 8b1c0119 d343ff28 38f76908 350007c8 (39400334) 
---[ end trace b6f48e541b709fa9 ]---
----------------
Code disassembly (best guess):
   0:	8b1c0119 	add	x25, x8, x28
   4:	d343ff28 	lsr	x8, x25, #3
   8:	38f76908 	ldrsb	w8, [x8, x23]
   c:	350007c8 	cbnz	w8, 0x104
* 10:	39400334 	ldrb	w20, [x25] <-- trapping instruction