syzbot


KASAN: use-after-free Read in z_erofs_transform_plain (2)

Status: upstream: reported C repro on 2026/02/24 07:45
Subsystems: erofs
Reported-by: syzbot+d988dc155e740d76a331@syzkaller.appspotmail.com
Fix commit: 4a2d046e4b13 erofs: fix interlaced plain identification for encoded extents
Patched on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce], missing on: [ci-qemu2-riscv64 ci-upstream-gce-arm64 ci2-upstream-usb]
First crash: 24d, last: 23d
Cause bisection: failed (error log, bisect log)
Discussions (3)
Title Replies (including bot) Last reply
[PATCH 6.19 490/844] erofs: fix interlaced plain identification for encoded extents 1 (1) 2026/02/28 17:26
[syzbot] [erofs?] KASAN: use-after-free Read in z_erofs_transform_plain (2) 1 (3) 2026/02/24 14:46
[PATCH] erofs: fix interlaced plain identification for encoded extents 1 (1) 2026/02/24 10:31
Similar bugs (3)
Kernel Title Rank Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 KASAN: use-after-free Read in z_erofs_transform_plain origin:lts-only 19 C inconclusive 457 3d12h 768d 0/3 upstream: reported C repro on 2024/02/07 05:17
upstream KASAN: use-after-free Read in z_erofs_transform_plain erofs 19 C done 4 1120d 1197d 22/29 fixed on 2023/02/24 13:50
linux-6.6 KASAN: use-after-free Read in z_erofs_transform_plain origin:lts-only 19 C done 49 12d 264d 0/2 upstream: reported C repro on 2025/06/24 12:21
Last patch testing requests (1)
Created Duration User Patch Repo Result
2026/02/24 14:22 22m hsiangkao@linux.alibaba.com git://git.kernel.org/pub/scm/linux/kernel/git/xiang/erofs.git dev-test OK log

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy_to_page include/linux/highmem.h:552 [inline]
BUG: KASAN: slab-out-of-bounds in z_erofs_transform_plain+0x33c/0xa00 fs/erofs/decompressor.c:309
Read of size 4096 at addr ffff88803f175800 by task kworker/u9:2/5851

CPU: 1 UID: 0 PID: 5851 Comm: kworker/u9:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Workqueue: erofs_worker z_erofs_decompressqueue_work
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105
 memcpy_to_page include/linux/highmem.h:552 [inline]
 z_erofs_transform_plain+0x33c/0xa00 fs/erofs/decompressor.c:309
 z_erofs_decompress_pcluster fs/erofs/zdata.c:1297 [inline]
 z_erofs_decompress_queue+0x1af7/0x3740 fs/erofs/zdata.c:1410
 z_erofs_decompressqueue_work+0x88/0xe0 fs/erofs/zdata.c:1422
 process_one_work kernel/workqueue.c:3275 [inline]
 process_scheduled_works+0xb02/0x1830 kernel/workqueue.c:3358
 worker_thread+0xa50/0xfc0 kernel/workqueue.c:3439
 kthread+0x388/0x470 kernel/kthread.c:467
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88803f175900 pfn:0x3f175
flags: 0x80000000000000(node=0|zone=1)
raw: 0080000000000000 0000000000000000 dead000000000122 0000000000000000
raw: ffff88803f175900 fffffffffffffffc 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xc40(GFP_NOFS), pid 6046, tgid 6046 (syz.1.18), ts 99298614076, free_ts 99297784595
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_pages_mpol+0xd1/0x380 mm/mempolicy.c:2485
 alloc_frozen_pages_noprof mm/mempolicy.c:2556 [inline]
 alloc_pages_noprof+0xce/0x1e0 mm/mempolicy.c:2576
 __erofs_allocpage+0x1a0/0x270 fs/erofs/zutil.c:190
 z_erofs_fill_bio_vec fs/erofs/zdata.c:1560 [inline]
 z_erofs_submit_queue fs/erofs/zdata.c:1728 [inline]
 z_erofs_runqueue+0xb2f/0x20f0 fs/erofs/zdata.c:1808
 z_erofs_readahead+0x8ad/0xc10 fs/erofs/zdata.c:1936
 read_pages+0x193/0x5a0 mm/readahead.c:163
 page_cache_ra_unbounded+0x704/0x9b0 mm/readahead.c:304
 do_page_cache_ra mm/readahead.c:334 [inline]
 page_cache_ra_order+0x2b5/0x4b0 mm/readahead.c:538
 filemap_readahead mm/filemap.c:2658 [inline]
 filemap_get_pages+0x832/0x1ea0 mm/filemap.c:2704
 filemap_read+0x44a/0x1240 mm/filemap.c:2800
 erofs_file_read_iter+0x249/0x2d0 fs/erofs/data.c:441
 __kernel_read+0x50d/0x9c0 fs/read_write.c:532
 integrity_kernel_read+0x89/0xd0 security/integrity/iint.c:28
page last free pid 6046 tgid 6046 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xfe3/0x1170 mm/page_alloc.c:2978
 __folio_put+0x25d/0x310 mm/swap.c:112
 erofs_release_pages+0x1c9/0x270 fs/erofs/zutil.c:213
 z_erofs_decompressqueue_work fs/erofs/zdata.c:1423 [inline]
 z_erofs_decompress_kickoff+0x2aa/0x330 fs/erofs/zdata.c:1480
 z_erofs_submit_queue fs/erofs/zdata.c:1791 [inline]
 z_erofs_runqueue+0x1db8/0x20f0 fs/erofs/zdata.c:1808
 z_erofs_readahead+0x8ad/0xc10 fs/erofs/zdata.c:1936
 read_pages+0x193/0x5a0 mm/readahead.c:163
 page_cache_ra_unbounded+0x704/0x9b0 mm/readahead.c:304
 do_page_cache_ra mm/readahead.c:334 [inline]
 page_cache_ra_order+0x2b5/0x4b0 mm/readahead.c:538
 filemap_get_pages+0x47c/0x1ea0 mm/filemap.c:2690
 filemap_read+0x44a/0x1240 mm/filemap.c:2800
 erofs_file_read_iter+0x249/0x2d0 fs/erofs/data.c:441
 __kernel_read+0x50d/0x9c0 fs/read_write.c:532
 integrity_kernel_read+0x89/0xd0 security/integrity/iint.c:28
 ima_calc_file_hash_tfm security/integrity/ima/ima_crypto.c:480 [inline]
 ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
 ima_calc_file_hash+0x12cf/0x1800 security/integrity/ima/ima_crypto.c:568
 ima_collect_measurement+0x491/0x930 security/integrity/ima/ima_api.c:294

Memory state around the buggy address:
 ffff88803f175f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803f176000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88803f176080: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00
                                     ^
 ffff88803f176100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88803f176180: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
==================================================================

Crashes (5):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/02/20 10:56 upstream 8bf22c33e7a1 17d780d6 .config console log report syz / log C [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2026/02/20 11:39 upstream 8bf22c33e7a1 17d780d6 .config console log report syz / log [disk image] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci2-upstream-fs KASAN: slab-use-after-free Read in z_erofs_transform_plain
2026/02/20 08:08 upstream 8bf22c33e7a1 17d780d6 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-snapshot-upstream-root KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
2026/02/20 07:54 upstream 8bf22c33e7a1 17d780d6 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] [mounted in repro (corrupt fs)] ci-snapshot-upstream-root KASAN: slab-use-after-free Read in z_erofs_transform_plain
2026/02/20 07:38 upstream 8bf22c33e7a1 17d780d6 .config console log report [disk image (non-bootable)] [vmlinux] [kernel image] ci-snapshot-upstream-root KASAN: use-after-free Read in z_erofs_transform_plain