syzbot

==================================================================
BUG: KASAN: wild-memory-access in __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
BUG: KASAN: wild-memory-access in sg_read_oxfer drivers/scsi/sg.c:1970 [inline]
BUG: KASAN: wild-memory-access in sg_read+0x12c5/0x1470 drivers/scsi/sg.c:519
Read of size 184 at addr ffe70873f7349000 by task syzkaller953683/3659
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3660 Comm: syzkaller953683 Not tainted 4.9.91-gbb94f9d #68
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801c2d10000 task.stack: ffff8801c2128000
RIP: 0010:[<ffffffff8144e131>]  [<ffffffff8144e131>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff8144e131>]  [<ffffffff8144e131>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8144e131>]  [<ffffffff8144e131>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP: 0010:[<ffffffff8144e131>]  [<ffffffff8144e131>] put_page_testzero include/linux/mm.h:450 [inline]
RIP: 0010:[<ffffffff8144e131>]  [<ffffffff8144e131>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
RSP: 0018:ffff8801c212f938  EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: dead4ead00000000 RCX: ffffffff8266930b
RDX: 1bd5a9d5a0000003 RSI: 0000000000000001 RDI: dead4ead0000001c
RBP: ffff8801c212f948 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8801c2d10000 R12: 0000000000000004
R13: 0000000000000020 R14: ffff8801c2038000 R15: dffffc0000000000
FS:  00007f4def96a700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020979fff CR3: 00000001c3868000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000001 ffff8801c2038158 ffff8801c212f9a8 ffffffff82669331
 ffff8801c2038170 ffffed003840702b ffffed003840702e ffff8801c2038168
 dead4ead00000000 ffff8801c2038140 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff82669331>] sg_remove_scat.isra.19+0x1c1/0x2d0 drivers/scsi/sg.c:1946
 [<ffffffff826696e6>] sg_finish_rem_req+0x2a6/0x320 drivers/scsi/sg.c:1829
 [<ffffffff82669aec>] sg_new_read+0x38c/0x440 drivers/scsi/sg.c:567
 [<ffffffff8266b475>] sg_read+0x8c5/0x1470 drivers/scsi/sg.c:455
 [<ffffffff8156c1c8>] do_loop_readv_writev.part.17+0xc8/0x2b0 fs/read_write.c:715
 [<ffffffff8157030d>] do_loop_readv_writev fs/read_write.c:879 [inline]
 [<ffffffff8157030d>] do_readv_writev+0x5fd/0x740 fs/read_write.c:873
 [<ffffffff815704d4>] vfs_readv+0x84/0xc0 fs/read_write.c:897
 [<ffffffff815705f6>] do_readv+0xe6/0x250 fs/read_write.c:923
 [<ffffffff81573ac7>] SYSC_readv fs/read_write.c:1010 [inline]
 [<ffffffff81573ac7>] SyS_readv+0x27/0x30 fs/read_write.c:1007
 [<ffffffff81006504>] do_syscall_64+0x1a4/0x490 arch/x86/entry/common.c:282
 [<ffffffff838b8493>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: e9 27 fc ff ff 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 48 89 fb 48 83 c7 1c 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d 
RIP  [<ffffffff8144e131>] __read_once_size include/linux/compiler.h:243 [inline]
RIP  [<ffffffff8144e131>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP  [<ffffffff8144e131>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP  [<ffffffff8144e131>] put_page_testzero include/linux/mm.h:450 [inline]
RIP  [<ffffffff8144e131>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
 RSP <ffff8801c212f938>
---[ end trace de539e4c0ef6a2cc ]---