Extracting prog: 35.814086554s
Minimizing prog: 25m44.054018461s
Simplifying prog options: 0s
Extracting C: 28.284343474s
Simplifying C: 10m23.182759378s


extracting reproducer from 66 programs
first checking the prog from the crash report
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-openat-fadvise64-bpf$BPF_RAW_TRACEPOINT_OPEN-write$FUSE_NOTIFY_RETRIEVE-openat$vga_arbiter-openat$incfs-ioctl$FS_IOC_READ_VERITY_METADATA
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r3 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r3, 0xaa17, 0xff39, 0x3)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f0000000140)={0x30, 0x5, 0x0, {0x0, 0x6, 0xac38, 0x9}}, 0x30)
openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x240000, 0x0)
r4 = openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)
ioctl$FS_IOC_READ_VERITY_METADATA(r4, 0xc0286687, &(0x7f00000001c0)={0x3, 0x7ff, 0x13, &(0x7f0000000080)=""/19})

program crashed: KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
single: successfully extracted reproducer
found reproducer with 16 syscalls
minimizing guilty program
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-openat-fadvise64-bpf$BPF_RAW_TRACEPOINT_OPEN-write$FUSE_NOTIFY_RETRIEVE-openat$vga_arbiter-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r3 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r3, 0xaa17, 0xff39, 0x3)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f0000000140)={0x30, 0x5, 0x0, {0x0, 0x6, 0xac38, 0x9}}, 0x30)
openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x240000, 0x0)
openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-openat-fadvise64-bpf$BPF_RAW_TRACEPOINT_OPEN-write$FUSE_NOTIFY_RETRIEVE-openat$vga_arbiter
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r2, 0xaa17, 0xff39, 0x3)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r2, &(0x7f0000000140)={0x30, 0x5, 0x0, {0x0, 0x6, 0xac38, 0x9}}, 0x30)
openat$vga_arbiter(0xffffffffffffff9c, 0x0, 0x240000, 0x0)

program did not crash
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-openat-fadvise64-bpf$BPF_RAW_TRACEPOINT_OPEN-write$FUSE_NOTIFY_RETRIEVE-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r3 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r3, 0xaa17, 0xff39, 0x3)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
write$FUSE_NOTIFY_RETRIEVE(r3, &(0x7f0000000140)={0x30, 0x5, 0x0, {0x0, 0x6, 0xac38, 0x9}}, 0x30)
openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-openat-fadvise64-bpf$BPF_RAW_TRACEPOINT_OPEN-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r3 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r3, 0xaa17, 0xff39, 0x3)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r3 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r3, 0xaa17, 0xff39, 0x3)
openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-openat-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program did not crash
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-syz_mount_image$erofs-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
fadvise64(0xffffffffffffffff, 0xaa17, 0xff39, 0x3)
openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program did not crash
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-readv-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
readv(r1, &(0x7f0000000100)=[{&(0x7f00000002c0)=""/215, 0xd7}], 0x1)
r2 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r2, 0xaa17, 0xff39, 0x3)
openat$incfs(0xffffffffffffffff, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program did not crash
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-readv-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
readv(r1, &(0x7f0000001340)=[{&(0x7f0000000580)=""/148, 0x94}], 0x1)
r2 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r3 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r3, 0xaa17, 0xff39, 0x3)
openat$incfs(r2, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-openat$ptmx-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
openat$ptmx(0xffffffffffffff9c, &(0x7f0000000000), 0x109100, 0x0)
r1 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r2, 0xaa17, 0xff39, 0x3)
openat$incfs(r1, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-ptrace-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
ptrace(0x10, 0x0)
r1 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r2, 0xaa17, 0xff39, 0x3)
openat$incfs(r1, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-timer_settime-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
timer_settime(0x0, 0x0, &(0x7f0000000280)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
r1 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r2, 0xaa17, 0xff39, 0x3)
openat$incfs(r1, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-timer_create-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004}, &(0x7f0000bbdffc))
r1 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r2, 0xaa17, 0xff39, 0x3)
openat$incfs(r1, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-setsockopt$IP6T_SO_SET_ADD_COUNTERS-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$IP6T_SO_SET_ADD_COUNTERS(r0, 0x29, 0x41, &(0x7f00000002c0)=ANY=[@ANYRES16=r0], 0x48)
r1 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r2, 0xaa17, 0xff39, 0x3)
openat$incfs(r1, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): socket$inet6_tcp-syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
socket$inet6_tcp(0xa, 0x1, 0x0)
r0 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r1, 0xaa17, 0xff39, 0x3)
openat$incfs(r0, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r1, 0xaa17, 0xff39, 0x3)
openat$incfs(r0, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r1 = openat(0xffffffffffffff9c, 0x0, 0x0, 0x0)
fadvise64(r1, 0xaa17, 0xff39, 0x3)
openat$incfs(r0, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program did not crash
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r1, 0xaa17, 0xff39, 0x3)
openat$incfs(r0, 0x0, 0x103000, 0x40)

program did not crash
extracting C reproducer
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
simplifying C reproducer
testing compiled C program (duration=45.196984894s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program did not crash
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:false RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:false Cgroups:false BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program did not crash
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program did not crash
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program crashed: KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program did not crash
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing compiled C program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r1, 0xaa17, 0xff39, 0x3)
openat$incfs(r0, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
validation run: crashed=true
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r1, 0xaa17, 0xff39, 0x3)
openat$incfs(r0, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: use-after-free Read in z_erofs_transform_plain
validation run: crashed=true
testing program (duration=45.196984894s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:false Swap:false UseTmpDir:true HandleSegv:false Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_mount_image$erofs-openat-fadvise64-openat$incfs
detailed listing:
executing program 0:
r0 = syz_mount_image$erofs(&(0x7f0000000180), &(0x7f0000000100)='./file1\x00', 0x1000803, &(0x7f0000002ac0)=ANY=[], 0x0, 0x1fb, &(0x7f0000000b00)="$eJzsmb+L1EAUx78z+bHnIQc2FjYWHniil02yKtdccYKlIJyilsGLx2nuVvYi3B0ILjY22lkItjaWFhZWFv4FtlqoIFq4pZ0wMpNJMsTskl1Xm30f2NnvTN6+mffYfIsEBEHMLF8+//z0+MLKlTMADmMRLb3+3SpjuBH/8dm9009XLz5/9eHFu52F+2+q+RgAIZrv7wJ4u2YhBbOzFSGwUF5fLLKWXAXHKa2vgcHL5C+hyCYxGG7omNuG7h7SIom9m91k49ZWEvtyCOQQyqFj7iUPNegzbACYU6cTwjzN7v7BnShJ4l5VOCLf549L4wo+on/qfGscq8i7J4SMv/7oYV/OdW/gg+teAgE4Aq07YFjXegUteJ5XtsSo/5hd5rea1P9PxJOmwS+VOLLcLLOji5n8YPk98l+7MXvCmUoeVl2RN3SxcnSQe6AZ83XsvdxJT/jNnXLrlHEBiJzKP/z9fJJc+ovMbk2jClH6k3T2k4Y/2bAL/2in23fbu/sHy1vb0Wa8Ge+EYee8f9b3z4VtZUTZOML/5pQ/zRv5nSGxLnOxF6VpL9gD0l5QzMNsLAvA+uvuD/UbrvzPxtIJNVWeqspu1e/B9Ierb6mWrPrIB0NrIgiCIAiCIAiCIAiCIAiCqOc4GLI3YYLpB6J1hJfVE8rfAQAA//9DhGHK")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000200)='./file1\x00', 0x0, 0x0)
fadvise64(r1, 0xaa17, 0xff39, 0x3)
openat$incfs(r0, &(0x7f0000000040)='.log\x00', 0x103000, 0x40)

program crashed: KASAN: slab-out-of-bounds Read in z_erofs_transform_plain
validation run: crashed=true
reproducing took 41m21.082813276s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in z_erofs_transform_plain+0x374/0x480 fs/erofs/decompressor.c:350
Read of size 4095 at addr ffff0000cc822400 by task syz.3.19/4532

CPU: 0 PID: 4532 Comm: syz.3.19 Not tainted 6.1.147-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x88/0x200 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:418
 kasan_report+0xa8/0x100 mm/kasan/report.c:522
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x260/0x2a0 mm/kasan/generic.c:189
 memcpy+0x48/0x90 mm/kasan/shadow.c:65
 z_erofs_transform_plain+0x374/0x480 fs/erofs/decompressor.c:350
 z_erofs_decompress+0x9c/0xd4 fs/erofs/decompressor.c:439
 z_erofs_decompress_pcluster fs/erofs/zdata.c:1167 [inline]
 z_erofs_decompress_queue+0x1054/0x1d30 fs/erofs/zdata.c:1250
 z_erofs_runqueue+0x14a4/0x1620 fs/erofs/zdata.c:1607
 z_erofs_readahead+0x854/0xbf8 fs/erofs/zdata.c:1743
 read_pages+0x158/0x680 mm/readahead.c:161
 page_cache_ra_unbounded+0x498/0x57c mm/readahead.c:270
 do_page_cache_ra mm/readahead.c:300 [inline]
 force_page_cache_ra+0x248/0x2b0 mm/readahead.c:331
 force_page_cache_readahead mm/internal.h:125 [inline]
 generic_fadvise+0x32c/0x57c mm/fadvise.c:107
 vfs_fadvise mm/fadvise.c:185 [inline]
 ksys_fadvise64_64 mm/fadvise.c:199 [inline]
 __do_sys_fadvise64_64 mm/fadvise.c:207 [inline]
 __se_sys_fadvise64_64 mm/fadvise.c:205 [inline]
 __arm64_sys_fadvise64_64+0x12c/0x174 mm/fadvise.c:205
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the physical page:
page:000000006384e702 refcount:2 mapcount:0 mapping:0000000019c8af56 index:0x1 pfn:0x10c822
memcg:ffff0000da09e000
aops:managed_cache_aops ino:0
flags: 0x5ffd00000002014(uptodate|lru|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffd00000002014 fffffc0003c508c8 fffffc000343afc8 ffff0000f3e287c8
raw: 0000000000000001 ffff0000c065e138 00000002ffffffff ffff0000da09e000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cc822f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cc823000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cc823080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
                                  ^
 ffff0000cc823100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cc823180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
==================================================================

final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-out-of-bounds in z_erofs_transform_plain+0x374/0x480 fs/erofs/decompressor.c:350
Read of size 4095 at addr ffff0000cc822400 by task syz.3.19/4532

CPU: 0 PID: 4532 Comm: syz.3.19 Not tainted 6.1.147-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack+0x30/0x40 lib/dump_stack.c:88
 dump_stack_lvl+0xf8/0x160 lib/dump_stack.c:106
 print_address_description+0x88/0x200 mm/kasan/report.c:316
 print_report+0x50/0x68 mm/kasan/report.c:418
 kasan_report+0xa8/0x100 mm/kasan/report.c:522
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x260/0x2a0 mm/kasan/generic.c:189
 memcpy+0x48/0x90 mm/kasan/shadow.c:65
 z_erofs_transform_plain+0x374/0x480 fs/erofs/decompressor.c:350
 z_erofs_decompress+0x9c/0xd4 fs/erofs/decompressor.c:439
 z_erofs_decompress_pcluster fs/erofs/zdata.c:1167 [inline]
 z_erofs_decompress_queue+0x1054/0x1d30 fs/erofs/zdata.c:1250
 z_erofs_runqueue+0x14a4/0x1620 fs/erofs/zdata.c:1607
 z_erofs_readahead+0x854/0xbf8 fs/erofs/zdata.c:1743
 read_pages+0x158/0x680 mm/readahead.c:161
 page_cache_ra_unbounded+0x498/0x57c mm/readahead.c:270
 do_page_cache_ra mm/readahead.c:300 [inline]
 force_page_cache_ra+0x248/0x2b0 mm/readahead.c:331
 force_page_cache_readahead mm/internal.h:125 [inline]
 generic_fadvise+0x32c/0x57c mm/fadvise.c:107
 vfs_fadvise mm/fadvise.c:185 [inline]
 ksys_fadvise64_64 mm/fadvise.c:199 [inline]
 __do_sys_fadvise64_64 mm/fadvise.c:207 [inline]
 __se_sys_fadvise64_64 mm/fadvise.c:205 [inline]
 __arm64_sys_fadvise64_64+0x12c/0x174 mm/fadvise.c:205
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2bc arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:140
 do_el0_svc+0x58/0x13c arch/arm64/kernel/syscall.c:204
 el0_svc+0x58/0x138 arch/arm64/kernel/entry-common.c:637
 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:585

The buggy address belongs to the physical page:
page:000000006384e702 refcount:2 mapcount:0 mapping:0000000019c8af56 index:0x1 pfn:0x10c822
memcg:ffff0000da09e000
aops:managed_cache_aops ino:0
flags: 0x5ffd00000002014(uptodate|lru|private|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffd00000002014 fffffc0003c508c8 fffffc000343afc8 ffff0000f3e287c8
raw: 0000000000000001 ffff0000c065e138 00000002ffffffff ffff0000da09e000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000cc822f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cc823000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff0000cc823080: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
                                  ^
 ffff0000cc823100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff0000cc823180: 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 00 00
==================================================================