syzbot

==================================================================
BUG: KASAN: wild-memory-access on address ffe708746dda1000
Read of size 28 by task syz-executor2/13185
CPU: 1 PID: 13185 Comm: syz-executor2 Not tainted 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8b779e8 ffffffff81d93149 ffe708746dda1000 000000000000001c
 0000000000000000 ffff8801d0c2f720 ffe708746dda1000 ffff8801c8b77a70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153d08f>] kasan_report_error mm/kasan/report.c:284 [inline]
 [<ffffffff8153d08f>] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [<ffffffff8153d460>] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [<ffffffff8153bda7>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [<ffffffff8153bda7>] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [<ffffffff8153be11>] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [<ffffffff826648db>] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [<ffffffff826648db>] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [<ffffffff826648db>] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [<ffffffff8156b741>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156f510>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156f510>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156f7c4>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156f8e6>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff81572ca7>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81572ca7>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor3'.
device gre0 entered promiscuous mode
binder: 13293:13294 ioctl c0145401 20659000 returned -22
binder: 13293:13294 ioctl 8916 20ef9000 returned -22
binder: 13293:13294 ioctl c0145401 20659000 returned -22
binder: 13293:13294 ioctl 8916 20ef9000 returned -22
loop_reread_partitions: partition scan of loop5 (���t�?��`��J�z�P[�� �p��>�TK6C�=�"��L�� ��l��!�V�#�F-��') failed (rc=-13)
binder: 13473:13474 ioctl 540f 20f24000 returned -22
binder: 13473:13474 ioctl 540f 20f24000 returned -22
TCP: request_sock_TCP: Possible SYN flooding on port 20009. Sending cookies.  Check SNMP counters.
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=13570 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=33 sclass=netlink_audit_socket pig=13576 comm=syz-executor5
device lo entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=13801 comm=syz-executor5
binder: 13802:13804 ioctl 2403 7fff returned -22
device syz3 left promiscuous mode
binder: 13802:13845 ioctl 2403 7fff returned -22
device gre0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
keychord: using input dev AT Translated Set 2 keyboard for fevent
keychord: invalid keycode count 0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=255 sclass=netlink_route_socket pig=13947 comm=syz-executor6
keychord: using input dev AT Translated Set 2 keyboard for fevent
device syz6 entered promiscuous mode
keychord: invalid keycode count 0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=255 sclass=netlink_route_socket pig=13947 comm=syz-executor6
device syz6 left promiscuous mode
device syz6 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket pig=14009 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket pig=14009 comm=syz-executor3
TCP: request_sock_TCPv6: Possible SYN flooding on port 20030. Sending cookies.  Check SNMP counters.
selinux_nlmsg_perm: 1 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=18116 sclass=netlink_route_socket pig=14356 comm=syz-executor1
device gre0 entered promiscuous mode
keychord: keycode 46132 out of range
keychord: keycode 46132 out of range
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device ./bus
ALSA: seq fatal error: cannot create timer (-22)
device syz6 left promiscuous mode
ALSA: seq fatal error: cannot create timer (-22)
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 14599 Comm: syz-executor4 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d9aef8e0 ffffffff81d93149 ffff8801d9aefbc0 0000000000000000
 ffff8801c6b98b90 ffff8801d9aefab0 ffff8801c6b98a80 ffff8801d9aefad8
 ffffffff81660dc8 ffff8801d9aefa30 ffffffff812dce90 00000001a8271067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
FAULT_FLAG_ALLOW_RETRY missing 30
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff81006527>] do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
 [<ffffffff838ac70d>] entry_SYSCALL64_slow_path+0x25/0x25
CPU: 1 PID: 14621 Comm: syz-executor4 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca36f740 ffffffff81d93149 ffff8801ca36fa20 0000000000000000
 ffff8801c6b98b90 ffff8801ca36f910 ffff8801c6b98a80 ffff8801ca36f938
 ffffffff81660dc8 ffff8801ca36f890 ffff8801ca36f810 00000001a8271067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815ace0a>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815ace0a>] do_vfs_ioctl+0x1aa/0x10c0 fs/ioctl.c:679
 [<ffffffff815addaf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815addaf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 14631 Comm: syz-executor4 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d8e8f740 ffffffff81d93149 ffff8801d8e8fa20 0000000000000000
 ffff8801c6b98a10 ffff8801d8e8f910 ffff8801c6b98900 ffff8801d8e8f938
 ffffffff81660dc8 ffff8801d8e8f890 0000000000000000 00000001a7a25067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815ace0a>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815ace0a>] do_vfs_ioctl+0x1aa/0x10c0 fs/ioctl.c:679
 [<ffffffff815addaf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815addaf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 14621 Comm: syz-executor4 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca36f8e0 ffffffff81d93149 ffff8801ca36fbc0 0000000000000000
 ffff8801c6b98a10 ffff8801ca36fab0 ffff8801c6b98900 ffff8801ca36fad8
 ffffffff81660dc8 ffff8801ca36fa30 ffffffff812dce90 00000001a7a25067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff81006527>] do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
 [<ffffffff838ac70d>] entry_SYSCALL64_slow_path+0x25/0x25
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=14650 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=14674 comm=syz-executor2
binder: 14710:14712 ioctl 4b3b 1 returned -22
binder: 14710:14712 ioctl 4b3b 1 returned -22
device syz4 entered promiscuous mode
device gre0 entered promiscuous mode
nla_parse: 18 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
TCP: request_sock_TCP: Possible SYN flooding on port 20009. Sending cookies.  Check SNMP counters.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor7'.
keychord: Insufficient bytes present for keycount 13560
keychord: invalid keycode count 0
keychord: Insufficient bytes present for keycount 13560
9pnet_virtio: no channels available for device ./file0
keychord: invalid keycode count 0
binder: 14858:14859 ioctl 8904 209beffc returned -22
binder: 14858:14859 ioctl 8904 209beffc returned -22
9pnet_virtio: no channels available for device ./file0
keychord: Insufficient bytes present for keycount 4090
keychord: Insufficient bytes present for keycount 4090
device gre0 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): syz3: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): syz3: link becomes ready
keychord: invalid keycode count 0
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: NLM_F_REPLACE set, but no existing node found!
keychord: invalid keycode count 0
binder: 15252:15253 ioctl 5424 20603ffc returned -22
binder: 15252:15261 ioctl 5424 20603ffc returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=10 sclass=netlink_route_socket pig=15290 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=10 sclass=netlink_route_socket pig=15290 comm=syz-executor4
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: NLM_F_REPLACE set, but no existing node found!
IPVS: Creating netns size=2536 id=31
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 15454 Comm: syz-executor3 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c4af7a30 ffffffff81d93149 ffff8801c4af7d10 0000000000000000
 ffff8801c436aa10 ffff8801c4af7c00 ffff8801c436a900 ffff8801c4af7c28
 ffffffff81660dc8 ffff8801c4af7b80 ffff8801c4af7a88 00000001c68b0067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff81bbd4cb>] SYSC_keyctl security/keys/keyctl.c:1600 [inline]
 [<ffffffff81bbd4cb>] SyS_keyctl+0x1fb/0x230 security/keys/keyctl.c:1588
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
IPVS: Creating netns size=2536 id=32
CPU: 0 PID: 15464 Comm: syz-executor3 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cabd7770 ffffffff81d93149 ffff8801cabd7a50 0000000000000000
 ffff8801c436aa10 ffff8801cabd7940 ffff8801c436a900 ffff8801cabd7968
 ffffffff81660dc8 ffff8801cabd78c0 0000000000000046 00000001c68b0067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff81dd1338>] import_iovec+0xc8/0x3c0 lib/iov_iter.c:1243
 [<ffffffff81bbc040>] keyctl_instantiate_key_iov+0xd0/0x150 security/keys/keyctl.c:1160
 [<ffffffff81bbd349>] SYSC_keyctl security/keys/keyctl.c:1679 [inline]
 [<ffffffff81bbd349>] SyS_keyctl+0x79/0x230 security/keys/keyctl.c:1588
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
IPv6: NLM_F_REPLACE set, but no existing node found!
binder: 15587:15603 ioctl 8910 20000ff0 returned -22
binder: 15587:15603 ioctl 641e 0 returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
IPv6: NLM_F_REPLACE set, but no existing node found!
IPVS: Creating netns size=2536 id=33
binder_alloc: binder_alloc_mmap_handler: 15808 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 15808 204f0000-204f4000 already mapped failed -16
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
PF_BRIDGE: RTM_NEWNEIGH with invalid address
PF_BRIDGE: RTM_NEWNEIGH with invalid address
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3 sclass=netlink_route_socket pig=15905 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15905 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=15912 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15905 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=15921 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=3 sclass=netlink_route_socket pig=15905 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15935 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15935 comm=syz-executor3
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 15932 Comm: syz-executor1 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c5ef79a0 ffffffff81d93149 ffff8801c5ef7c80 0000000000000000
 ffff8801c6b99190 ffff8801c5ef7b70 ffff8801c6b99080 ffff8801c5ef7b98
 ffffffff81660dc8 ffff8801c5ef7af0 ffff8801c5ef7bb8 00000001d8595067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51