==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline]
BUG: KASAN: use-after-free in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: use-after-free in sg_remove_request+0x103/0x120 drivers/scsi/sg.c:2120
Read of size 8 at addr ffff8801cd59f040 by task syzkaller040432/3338

CPU: 1 PID: 3338 Comm: syzkaller040432 Not tainted 4.9.76-g8dec074 #13
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c7def9b0 ffffffff81d93169 ffffea00073567c0 ffff8801cd59f040
 0000000000000000 ffff8801cd59f040 ffff8801c7d84438 ffff8801c7def9e8
 ffffffff8153cb43 ffff8801cd59f040 0000000000000008 0000000000000000
Call Trace:
 [<ffffffff81d93169>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93169>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153cb43>] print_address_description+0x73/0x280 mm/kasan/report.c:252
 [<ffffffff8153d065>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff8153d065>] kasan_report+0x275/0x360 mm/kasan/report.c:408
 [<ffffffff8153d1c4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff82666273>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff82666273>] list_empty include/linux/list.h:189 [inline]
 [<ffffffff82666273>] sg_remove_request+0x103/0x120 drivers/scsi/sg.c:2120
 [<ffffffff826667f5>] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838
 [<ffffffff8266862c>] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527
 [<ffffffff8156b571>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156f3e0>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156f3e0>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156f694>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156f7b6>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff81572ca7>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81572ca7>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838b0aa8>] entry_SYSCALL_64_fastpath+0x23/0xe2

Allocated by task 3334:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 skb_clone+0x142/0x2c0 net/core/skbuff.c:1032
 dev_queue_xmit_nit+0x29f/0x870 net/core/dev.c:1897
 xmit_one net/core/dev.c:2944 [inline]
 dev_hard_start_xmit+0xa6/0x8a0 net/core/dev.c:2964
 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182
 __dev_xmit_skb net/core/dev.c:3133 [inline]
 __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3393
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3458
 neigh_hh_output include/net/neighbour.h:468 [inline]
 dst_neigh_output include/net/dst.h:468 [inline]
 ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225
 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313
 NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401
 dst_output include/net/dst.h:507 [inline]
 ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500
 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036
 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182
 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363
 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688
 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 sock_write_iter+0x226/0x3b0 net/socket.c:843
 new_sync_write fs/read_write.c:499 [inline]
 __vfs_write+0x4bf/0x680 fs/read_write.c:512
 vfs_write+0x189/0x530 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xe2

Freed by task 3334:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xc7/0x300 mm/slub.c:2980
 kfree_skbmem+0xd7/0xf0 net/core/skbuff.c:623
 __kfree_skb+0x1d/0x20 net/core/skbuff.c:685
 kfree_skb+0xcc/0x330 net/core/skbuff.c:705
 packet_rcv_spkt+0xda/0x4c0 net/packet/af_packet.c:1832
 dev_queue_xmit_nit+0x5ab/0x870 net/core/dev.c:1928
 xmit_one net/core/dev.c:2944 [inline]
 dev_hard_start_xmit+0xa6/0x8a0 net/core/dev.c:2964
 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182
 __dev_xmit_skb net/core/dev.c:3133 [inline]
 __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3393
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3458
 neigh_hh_output include/net/neighbour.h:468 [inline]
 dst_neigh_output include/net/dst.h:468 [inline]
 ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225
 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313
 NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401
 dst_output include/net/dst.h:507 [inline]
 ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124
 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500
 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036
 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182
 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363
 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688
 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 sock_write_iter+0x226/0x3b0 net/socket.c:843
 new_sync_write fs/read_write.c:499 [inline]
 __vfs_write+0x4bf/0x680 fs/read_write.c:512
 vfs_write+0x189/0x530 fs/read_write.c:560
 SYSC_write fs/read_write.c:607 [inline]
 SyS_write+0xd9/0x1b0 fs/read_write.c:599
 entry_SYSCALL_64_fastpath+0x23/0xe2

The buggy address belongs to the object at ffff8801cd59f000
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 64 bytes inside of
 224-byte region [ffff8801cd59f000, ffff8801cd59f0e0)
The buggy address belongs to the page:
page:ffffea00073567c0 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x8000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cd59ef00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8801cd59ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801cd59f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801cd59f080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801cd59f100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================