[] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 ffff8801a7df7b80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 >ffff8801a7df7a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 Freed: [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 Allocated: ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Call Trace: slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Call Trace: [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 Object at ffff8801a7df7a80, in cache fasync_cache size: 96 [] do_readv+0xe6/0x250 fs/read_write.c:924 ^ __do_softirq+0x206/0x951 kernel/softirq.c:284 PID = 29146 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Allocated: ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 Memory state around the buggy address: ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 Freed: ================================================================== [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 Call Trace: [] entry_SYSCALL_64_fastpath+0x23/0xc6 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 fasync_alloc fs/fcntl.c:604 [inline] fasync_add_entry fs/fcntl.c:662 [inline] fasync_helper+0x37/0xb0 fs/fcntl.c:691 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ffff8801a7df7b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 __do_softirq+0x206/0x951 kernel/softirq.c:284 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 [] entry_SYSCALL_64_fastpath+0x23/0xc6 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 ================================================================== [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 [] entry_SYSCALL_64_fastpath+0x23/0xc6 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 __do_softirq+0x206/0x951 kernel/softirq.c:284 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ================================================================== [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ================================================================== >ffff8801a7df7a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 Memory state around the buggy address: [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/29383 CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 ================================================================== [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ^ [] do_readv+0xe6/0x250 fs/read_write.c:924 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 ================================================================== [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Memory state around the buggy address: [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 __do_softirq+0x206/0x951 kernel/softirq.c:284 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ^ [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 SYSC_ioctl fs/ioctl.c:694 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 ffff8801a7df7b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/29383 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 ffff8801a7df7980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 ^ Call Trace: [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 Read of size 4 by task syz-executor7/29383 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] entry_SYSCALL_64_fastpath+0x23/0xc6 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Memory state around the buggy address: ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 ^ >ffff8801a7df7a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ^ save_stack+0x43/0xd0 mm/kasan/kasan.c:495 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc Call Trace: Allocated: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 PID = 29383 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 Allocated: ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/29383 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Allocated: ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ffff8801a7df7b80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 Call Trace: [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 __do_softirq+0x206/0x951 kernel/softirq.c:284 ffff8801a7df7980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 ffff8801a7df7b80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 __do_softirq+0x206/0x951 kernel/softirq.c:284 ffff8801a7df7980: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 Freed: [] vfs_readv+0x84/0xc0 fs/read_write.c:898 Call Trace: [] do_readv+0xe6/0x250 fs/read_write.c:924 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 Read of size 4 by task syz-executor7/29383 CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 >ffff8801a7df7a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 ================================================================== [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Allocated: ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 ================================================================== [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 Allocated: Call Trace: [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 [] do_readv+0xe6/0x250 fs/read_write.c:924 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 ioctl_fioasync fs/ioctl.c:534 [inline] do_vfs_ioctl+0x2d8/0x1140 fs/ioctl.c:639 ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 Allocated: ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 ================================================================== [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 Object at ffff8801a7df7a80, in cache fasync_cache size: 96 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 PID = 29383 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 Read of size 4 by task syz-executor7/29383 Call Trace: [] entry_SYSCALL_64_fastpath+0x23/0xc6 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 Read of size 4 by task syz-executor7/29383 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 ffff8801a7df7b80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ^ [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 ================================================================== [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 Read of size 4 by task syz-executor7/29383 Call Trace: [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ================================================================== [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 Allocated: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 Read of size 4 by task syz-executor7/29383 CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 ================================================================== [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 __do_softirq+0x206/0x951 kernel/softirq.c:284 >ffff8801a7df7a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 ffff8801a7df7b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 Allocated: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 PID = 29383 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 Allocated: ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 Read of size 4 by task syz-executor7/29383 CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 >ffff8801a7df7a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 entry_SYSCALL_64_fastpath+0x23/0xc6 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 Call Trace: Allocated: ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 ^ [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 Memory state around the buggy address: [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 entry_SYSCALL_64_fastpath+0x23/0xc6 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 Freed: Call Trace: SYSC_ioctl fs/ioctl.c:694 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 ^ [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 ================================================================== [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] do_readv+0xe6/0x250 fs/read_write.c:924 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 Freed: [] do_readv+0xe6/0x250 fs/read_write.c:924 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1838 CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] sg_read+0xa1c/0x1440 drivers/scsi/sg.c:527 ================================================================== [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 ================================================================== [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 [] do_readv+0xe6/0x250 fs/read_write.c:924 Call Trace: ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffffffff8153a3fc ffffed0034fbef5c ffff8801d7847b40 0000000000000000 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 ================================================================== ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] at addr ffff8801a7df7ae4 BUG: KASAN: slab-out-of-bounds in native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 at addr ffff8801a7df7ae4 ================================================================== >ffff8801a7df7a80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 Memory state around the buggy address: [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:329 [inline] [] __asan_report_load4_noabort+0x29/0x30 mm/kasan/report.c:329 ================================================================== [] sg_remove_request+0x70/0x120 drivers/scsi/sg.c:2122 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 Call Trace: [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/29383 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ================================================================== Call Trace: [] __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:187 [inline] [] _raw_write_lock_irqsave+0x56/0x62 kernel/locking/spinlock.c:303 [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 ffff8801a7df7b80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 ffff8801a7df7b00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] virt_spin_lock arch/x86/include/asm/qspinlock.h:56 [inline] [] native_queued_spin_lock_slowpath+0x6a1/0x6c0 kernel/locking/qspinlock.c:421 [] do_readv+0xe6/0x250 fs/read_write.c:924 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 ffff8801a7df7a00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/29383 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Read of size 4 by task syz-executor7/29383 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 Memory state around the buggy address: [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] queued_write_lock include/asm-generic/qrwlock.h:134 [inline] [] do_raw_write_lock+0xc7/0x1d0 kernel/locking/spinlock_debug.c:203 sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1203 ^ [] pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:663 [inline] [] queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:28 [inline] [] queued_spin_lock include/asm-generic/qspinlock.h:103 [inline] [] queued_write_lock_slowpath+0x116/0x150 kernel/locking/qrwlock.c:115 [] do_loop_readv_writev fs/read_write.c:880 [inline] [] do_readv_writev+0x520/0x750 fs/read_write.c:874 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a7df7ae0 ffffed0034fbef5c ffff8801a7df7ae4 ffff8801d5eff8d8 SYSC_ioctl fs/ioctl.c:694 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 ================================================================== ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 fasync_free_rcu+0x1d/0x20 fs/fcntl.c:563 CPU: 1 PID: 29383 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 [] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714 ffff8801d5eff8b0 ffffffff81d90469 ffff8801d7847b40 ffff8801a7df7a80 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 [] vfs_readv+0x84/0xc0 fs/read_write.c:898 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 Call Trace: [] SYSC_readv fs/read_write.c:1011 [inline] [] SyS_readv+0x27/0x30 fs/read_write.c:1008 Memory state around the buggy address: [] kasan_report mm/kasan/report.c:329 [inline] [