usercopy: kernel memory overwrite attempt detected to 00000000e3fb68f3 (kmalloc-1024) (983 bytes)
------------[ cut here ]------------
kernel BUG at mm/usercopy.c:84!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 23386 Comm: syz-executor1 Not tainted 4.15.0-rc4-next-20171221+ #78
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:report_usercopy mm/usercopy.c:76 [inline]
RIP: 0010:__check_object_size+0x3a2/0x4f0 mm/usercopy.c:276
RSP: 0018:ffff8801c19af3e0 EFLAGS: 00010282
RAX: 0000000000000061 RBX: ffffffff859297a0 RCX: 0000000000000000
RDX: 0000000000000061 RSI: ffffc90002229000 RDI: ffffed0038335e70
RBP: ffff8801c19af4d0 R08: 1ffff10038335dfe R09: 0000000000000000
R10: 0000000043659aa6 R11: 0000000000000000 R12: ffffffff85929760
R13: ffff8801cb3e1b90 R14: 00000000000003d7 R15: ffffea00072cf800
FS:  00007f3860686700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe88e7ff1c CR3: 00000001ce0a3003 CR4: 00000000001626e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 check_object_size include/linux/thread_info.h:112 [inline]
 check_copy_size include/linux/thread_info.h:143 [inline]
 copy_from_user include/linux/uaccess.h:146 [inline]
 memdup_user_nul+0x47/0x110 mm/util.c:227
 map_write+0x3c3/0x19f0 kernel/user_namespace.c:903
 proc_projid_map_write+0x159/0x1c0 kernel/user_namespace.c:1085
 __vfs_write+0xef/0x970 fs/read_write.c:480
 __kernel_write+0xf8/0x350 fs/read_write.c:501
 write_pipe_buf+0x175/0x220 fs/splice.c:797
 splice_from_pipe_feed fs/splice.c:502 [inline]
 __splice_from_pipe+0x328/0x730 fs/splice.c:626
 splice_from_pipe+0x1e9/0x330 fs/splice.c:661
 default_file_splice_write+0x40/0x90 fs/splice.c:809
 do_splice_from fs/splice.c:851 [inline]
 direct_splice_actor+0x125/0x180 fs/splice.c:1018
 splice_direct_to_actor+0x2c1/0x820 fs/splice.c:973
 do_splice_direct+0x29b/0x3c0 fs/splice.c:1061
 do_sendfile+0x5c9/0xe80 fs/read_write.c:1413
 SYSC_sendfile64 fs/read_write.c:1468 [inline]
 SyS_sendfile64+0xbd/0x160 fs/read_write.c:1460
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452ac9
RSP: 002b:00007f3860685c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 000000002030f000 RSI: 0000000000000013 RDI: 0000000000000014
RBP: 00000000000005d4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000007563 R11: 0000000000000212 R12: 00000000006f6c80
R13: 00000000ffffffff R14: 00007f38606866d4 R15: 0000000000000000
Code: 48 0f 44 da e8 d0 7a c1 ff 48 8b 85 28 ff ff ff 4d 89 f1 4c 89 e9 4c 89 e2 48 89 de 48 c7 c7 60 98 92 85 49 89 c0 e8 d6 33 ab ff <0f> 0b 48 c7 c0 20 96 92 85 eb 96 48 c7 c0 60 96 92 85 eb 8d 48 
RIP: report_usercopy mm/usercopy.c:76 [inline] RSP: ffff8801c19af3e0
RIP: __check_object_size+0x3a2/0x4f0 mm/usercopy.c:276 RSP: ffff8801c19af3e0
---[ end trace 7a48132cd059f1bd ]---