program:
syz_mount_image$erofs(&(0x7f0000000040), &(0x7f0000000140)='./file0\x00', 0xc8c8, &(0x7f0000000000)=ANY=[], 0x1, 0x208, &(0x7f0000000240)="$eJzslb9v1DAUx7920uRaVcyIhYFKlIHcJZUQS6V2YWJA4kfFgMSJ5qqDlKI2A62EgL+AnY2BPwMEKwN/AipICJaycCwsRo4dx3ckIcfdwdD3kc752n6237N9zyAI4tjy6eOPQzFY/dICsIgl+Lr9q1PYcP39KYT40Pr26O3lSxvPbr185x8G82VzCtF8fRfAm3UHqRk7PHpJf6+BG30dHOe03gBDoPVtcNzQOgbDTa3vWnpH2gdBr5/EwZ2dZFOKjixCWUS9fsLcUf+OnjJsWv4xq39v/+BeN0ni3RmKP+3f0TrHqvEPLbv/IpS3HWv/QnCEWq+A4aqx9fO9UVtixX/KLeJ3auP3MGHYnwEULb0SGz7pErnw5FLVNnmgJV0Am9bZRycaGDv1Iedn3mjRxaLFQSayQOcbDreFvBW6Rd6MWf8TxhdwpzLPQCh+6/Lr7s/k4v1rLXit8as1dfx5i3is6uMtulbR5Y05j955k5/EC4azVv5UqeR59tS00+0H7b39g/P97e5WvBXfj6KVC50FAFE7S0SqrEp/vry2Mj8tFPObN8kZMfaYh4fdNN0NVWnqkSrLMi7P8h/H8hnMybrMpt7IvN8tzbKfHMWeqNrykBtz0E/syaqQCIIg/g2nwaDfNuHmQr8mpkOI6Mp/9pMgCIIgCIIgCIIgiL/nVwAAAP//qatccw==")
open(&(0x7f0000000200)='./file2\x00', 0x60100, 0x32)

[   90.615125][ T5296] Bluetooth: hci0: command tx timeout
[   90.798804][ T5316] loop0: detected capacity change from 0 to 16
[   90.860941][ T5316] =======================================================
[   90.860941][ T5316] WARNING: The mand mount option has been deprecated and
[   90.860941][ T5316]          and is ignored by this kernel. Remove the mand
[   90.860941][ T5316]          option from the mount to silence this warning.
[   90.860941][ T5316] =======================================================
[   90.939329][ T5316] erofs (device loop0): mounted with root inode @ nid 36.
[   90.957447][ T5316] erofs (device loop0): unknown algorithm 7 @ pos 8192 for nid 89, please upgrade kernel
[   90.962340][ T5316] erofs (device loop0): readahead error at folio 2 @ nid 89
[   90.974075][ T5316] syz.0.0: attempt to access beyond end of device
[   90.974075][ T5316] loop0: rw=524288, sector=256, nr_sectors = 8 limit=16
[   90.982821][ T5316] syz.0.0: attempt to access beyond end of device
[   90.982821][ T5316] loop0: rw=524288, sector=0, nr_sectors = 1024 limit=16
[   90.993992][   T12] ==================================================================
[   90.997443][   T12] BUG: KASAN: use-after-free in z_erofs_transform_plain+0x33c/0xa00
[   91.000918][   T12] Read of size 4096 at addr ffff88804470a800 by task kworker/u4:0/12
[   91.004309][   T12] 
[   91.005326][   T12] CPU: 0 UID: 0 PID: 12 Comm: kworker/u4:0 Not tainted syzkaller #0 PREEMPT(full) 
[   91.005340][   T12] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   91.005348][   T12] Workqueue: loop0 loop_workfn
[   91.005371][   T12] Call Trace:
[   91.005378][   T12]  <TASK>
[   91.005384][   T12]  dump_stack_lvl+0xe8/0x150
[   91.005401][   T12]  print_report+0xba/0x230
[   91.005413][   T12]  ? z_erofs_transform_plain+0x33c/0xa00
[   91.005426][   T12]  kasan_report+0x117/0x150
[   91.005437][   T12]  ? z_erofs_transform_plain+0x33c/0xa00
[   91.005448][   T12]  kasan_check_range+0x264/0x2c0
[   91.005458][   T12]  ? z_erofs_transform_plain+0x33c/0xa00
[   91.005471][   T12]  __asan_memcpy+0x29/0x70
[   91.005485][   T12]  z_erofs_transform_plain+0x33c/0xa00
[   91.005497][   T12]  ? z_erofs_decompress_queue+0x9ee/0x3740
[   91.005535][   T12]  ? __kmalloc_cache_noprof+0x15b/0x660
[   91.005559][   T12]  z_erofs_decompress_queue+0x1af7/0x3740
[   91.005583][   T12]  ? __pfx_z_erofs_decompress_queue+0x10/0x10
[   91.005597][   T12]  ? lockdep_unlock+0x5d/0xd0
[   91.005609][   T12]  ? __lock_acquire+0x146e/0x2cf0
[   91.005628][   T12]  ? seqcount_lockdep_reader_access+0xa9/0x100
[   91.005647][   T12]  ? lockdep_hardirqs_on+0x7a/0x110
[   91.005817][   T12]  ? ktime_get_coarse_real_ts64_mg+0x59/0x1e0
[   91.005825][   T12]  ? seqcount_lockdep_reader_access+0xea/0x100
[   91.005837][   T12]  z_erofs_decompress_kickoff+0x2a2/0x330
[   91.005848][   T12]  ? __pfx_z_erofs_decompress_kickoff+0x10/0x10
[   91.005859][   T12]  ? blkg_put+0x22/0x240
[   91.005876][   T12]  ? bio_first_folio+0x468/0x670
[   91.005889][   T12]  z_erofs_endio+0x5c5/0x6d0
[   91.005902][   T12]  blk_update_request+0x57e/0xe60
[   91.005916][   T12]  blk_mq_end_request+0x3e/0x70
[   91.005927][   T12]  lo_rw_aio+0xcde/0xf00
[   91.005948][   T12]  ? __pfx_lo_rw_aio+0x10/0x10
[   91.005964][   T12]  ? kthread_associate_blkcg+0x490/0x600
[   91.005974][   T12]  ? _raw_spin_unlock_irq+0x23/0x50
[   91.005988][   T12]  loop_process_work+0x958/0x11a0
[   91.006003][   T12]  ? arch_stack_walk+0x11b/0x150
[   91.006023][   T12]  ? __pfx_loop_process_work+0x10/0x10
[   91.006039][   T12]  ? check_path+0x21/0x40
[   91.006055][   T12]  ? add_lock_to_list+0xc7/0x100
[   91.006069][   T12]  ? lockdep_unlock+0x5d/0xd0
[   91.006080][   T12]  ? __lock_acquire+0x146e/0x2cf0
[   91.006100][   T12]  ? process_scheduled_works+0xa25/0x1830
[   91.006115][   T12]  ? process_scheduled_works+0xa25/0x1830
[   91.006127][   T12]  process_scheduled_works+0xb02/0x1830
[   91.006148][   T12]  ? __pfx_process_scheduled_works+0x10/0x10
[   91.006162][   T12]  ? assign_work+0x3d5/0x5e0
[   91.006175][   T12]  worker_thread+0xa50/0xfc0
[   91.006198][   T12]  kthread+0x388/0x470
[   91.006208][   T12]  ? __pfx_worker_thread+0x10/0x10
[   91.006221][   T12]  ? __pfx_kthread+0x10/0x10
[   91.006231][   T12]  ret_from_fork+0x51e/0xb90
[   91.006247][   T12]  ? __pfx_ret_from_fork+0x10/0x10
[   91.006260][   T12]  ? __switch_to+0xc7d/0x1450
[   91.006277][   T12]  ? __pfx_kthread+0x10/0x10
[   91.006287][   T12]  ret_from_fork_asm+0x1a/0x30
[   91.006306][   T12]  </TASK>
[   91.006310][   T12] 
[   91.135585][   T12] The buggy address belongs to the physical page:
[   91.138092][   T12] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88804470a000 pfn:0x4470a
[   91.142003][   T12] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   91.145352][   T12] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[   91.148969][   T12] raw: ffff88804470a000 fffffffffffffffc 00000001ffffffff 0000000000000000
[   91.152614][   T12] page dumped because: kasan: bad access detected
[   91.155399][   T12] page_owner tracks the page as allocated
[   91.157860][   T12] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xc40(GFP_NOFS), pid 5316, tgid 5315 (syz.0.0), ts 90992916478, free_ts 90992326660
[   91.164458][   T12]  post_alloc_hook+0x231/0x280
[   91.166613][   T12]  get_page_from_freelist+0x24dc/0x2580
[   91.169139][   T12]  __alloc_frozen_pages_noprof+0x18d/0x380
[   91.171916][   T12]  alloc_pages_mpol+0x232/0x4a0
[   91.174078][   T12]  alloc_pages_noprof+0xa8/0x190
[   91.176242][   T12]  __erofs_allocpage+0x193/0x260
[   91.178250][   T12]  z_erofs_runqueue+0xb2f/0x20f0
[   91.180178][   T12]  z_erofs_readahead+0x8ad/0xc10
[   91.182088][   T12]  read_pages+0x193/0x5a0
[   91.183820][   T12]  page_cache_ra_order+0x926/0xeb0
[   91.185902][   T12]  filemap_get_pages+0x897/0x1f10
[   91.187883][   T12]  filemap_read+0x447/0x1230
[   91.189770][   T12]  erofs_file_read_iter+0x247/0x2d0
[   91.191831][   T12]  __kernel_read+0x504/0x9b0
[   91.193741][   T12]  integrity_kernel_read+0x89/0xd0
[   91.195961][   T12]  ima_calc_file_hash+0x12c3/0x17f0
[   91.198163][   T12] page last free pid 5316 tgid 5315 stack trace:
[   91.200586][   T12]  __free_frozen_pages+0xc2b/0xdb0
[   91.202570][   T12]  __folio_put+0x414/0x4f0
[   91.204304][   T12]  erofs_release_pages+0x1c0/0x270
[   91.206377][   T12]  z_erofs_decompress_kickoff+0x2aa/0x330
[   91.208716][   T12]  z_erofs_runqueue+0x1db8/0x20f0
[   91.210923][   T12]  z_erofs_readahead+0x8ad/0xc10
[   91.213009][   T12]  read_pages+0x193/0x5a0
[   91.214910][   T12]  page_cache_ra_order+0x926/0xeb0
[   91.217071][   T12]  filemap_get_pages+0x4c0/0x1f10
[   91.219202][   T12]  filemap_read+0x447/0x1230
[   91.221216][   T12]  erofs_file_read_iter+0x247/0x2d0
[   91.223472][   T12]  __kernel_read+0x504/0x9b0
[   91.225545][   T12]  integrity_kernel_read+0x89/0xd0
[   91.227820][   T12]  ima_calc_file_hash+0x12c3/0x17f0
[   91.230098][   T12]  ima_collect_measurement+0x48b/0x930
[   91.232509][   T12]  process_measurement+0x12cd/0x1c80
[   91.234871][   T12] 
[   91.235984][   T12] Memory state around the buggy address:
[   91.238514][   T12]  ffff88804470af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   91.241968][   T12]  ffff88804470af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   91.245436][   T12] >ffff88804470b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   91.248849][   T12]                    ^
[   91.250612][   T12]  ffff88804470b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   91.253965][   T12]  ffff88804470b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   91.257217][   T12] ==================================================================
[   91.261668][ T5316] syz.0.0: attempt to access beyond end of device
[   91.261668][ T5316] loop0: rw=0, sector=256, nr_sectors = 8 limit=16
[   91.267813][ T5316] erofs (device loop0): read error -5 @ 1 of nid 89
[   91.272417][   T24] audit: type=1800 audit(1771558851.860:2): pid=5316 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.0.0" name="file2" dev="loop0" ino=89 res=0 errno=0