BUG: unable to handle kernel paging request at ffffed010d662bff
IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2650 [inline]
IP: ata_bmdma_qc_prep+0x30a/0x3d0 drivers/ata/libata-sff.c:2727
PGD 7fff6067 P4D 7fff6067 PUD 0 
Oops: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 5661 Comm: syz-executor3 Not tainted 4.13.0-next-20170915+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003a7f86c0 task.stack: ffff880039850000
RIP: 0010:ata_bmdma_fill_sg drivers/ata/libata-sff.c:2650 [inline]
RIP: 0010:ata_bmdma_qc_prep+0x30a/0x3d0 drivers/ata/libata-sff.c:2727
RSP: 0018:ffff880039856ef8 EFLAGS: 00010807
RAX: dffffc0000000000 RBX: ffff88086b315ff8 RCX: ffffc90001fe4000
RDX: 1ffff1010d662bff RSI: ffffffff83667421 RDI: ffff88086b315ffc
RBP: ffff880039856f58 R08: ffff88006b3e0234 R09: ffff88006b3e0238
R10: 0000000000000003 R11: ffffed000d67c043 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: dffffc0000000000
FS:  00007f9432fd3700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffed010d662bff CR3: 000000006a0dc000 CR4: 00000000000006e0
DR0: 0000000000000009 DR1: 0000000000000000 DR2: 0000000000000007
DR3: 0000000000000008 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 ata_qc_issue+0x625/0xea0 drivers/ata/libata-core.c:5410
 ata_scsi_translate+0x34a/0x5e0 drivers/ata/libata-scsi.c:2023
 __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4325 [inline]
 ata_scsi_queuecmd+0x2ae/0x6b0 drivers/ata/libata-scsi.c:4374
 scsi_dispatch_cmd+0x432/0xb60 drivers/scsi/scsi_lib.c:1712
 scsi_request_fn+0xdf0/0x1e50 drivers/scsi/scsi_lib.c:1847
 __blk_run_queue_uncond block/blk-core.c:376 [inline]
 __blk_run_queue+0x1a6/0x370 block/blk-core.c:396
 blk_execute_rq_nowait+0x200/0x310 block/blk-exec.c:78
 sg_common_write.isra.17+0xbf8/0x1cb0 drivers/scsi/sg.c:806
 sg_write+0x7a6/0xca0 drivers/scsi/sg.c:677
 __vfs_write+0xef/0x970 fs/read_write.c:479
 vfs_write+0x18f/0x510 fs/read_write.c:543
 SYSC_write fs/read_write.c:588 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:580
 do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
 entry_SYSCALL64_slow_path+0x25/0x25
RIP: 0033:0x4474f9
RSP: 002b:00007f9432fd2c08 EFLAGS: 00000292 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00000000004474f9
RDX: 00000000000000c7 RSI: 0000000020515000 RDI: 0000000000000005
RBP: 0000000000708000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 00000000ffffffff
R13: 0000000000006040 R14: 00000000006e9100 R15: 0000000020515000
Code: 41 8d 5e ff e8 18 5c 07 fe 48 c1 e3 03 e8 0f 5c 07 fe 48 03 5d c8 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 0c 
RIP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2650 [inline] RSP: ffff880039856ef8
RIP: ata_bmdma_qc_prep+0x30a/0x3d0 drivers/ata/libata-sff.c:2727 RSP: ffff880039856ef8
CR2: ffffed010d662bff
---[ end trace 955a02dec60cc680 ]---