==================================================================
BUG: KASAN: slab-out-of-bounds in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130
Read of size 8 at addr ffff8801d0ddf240 by task syzkaller368226/3317

CPU: 0 PID: 3317 Comm: syzkaller368226 Not tainted 4.4.112-g5f6325b #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 e07800a3729c5e85 ffff8800b40679f0 ffffffff81d0579d
 ffffea00074377c0 ffff8801d0ddf240 0000000000000000 ffff8801d0ddf240
 ffff8801d51d0238 ffff8800b4067a28 ffffffff814fd9f3 ffff8801d0ddf240
Call Trace:
 [<ffffffff81d0579d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d0579d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fd9f3>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fdf05>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fdf05>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814fe064>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff825ba579>] list_empty include/linux/list.h:189 [inline]
 [<ffffffff825ba579>] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130
 [<ffffffff825baaf5>] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1848
 [<ffffffff825bc931>] sg_read+0xa21/0x1490 drivers/scsi/sg.c:538
 [<ffffffff8151d211>] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680
 [<ffffffff8151f56d>] do_readv_writev+0x5dd/0x6e0 fs/read_write.c:810
 [<ffffffff8151f6e8>] vfs_readv+0x78/0xb0 fs/read_write.c:834
 [<ffffffff81521a39>] SYSC_readv fs/read_write.c:860 [inline]
 [<ffffffff81521a39>] SyS_readv+0xd9/0x240 fs/read_write.c:852
 [<ffffffff83776499>] entry_SYSCALL_64_fastpath+0x16/0x92

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d0ddf200
 which belongs to the cache fasync_cache of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff8801d0ddf200, ffff8801d0ddf260)
The buggy address belongs to the page:
SELinux:  Invalid class 34336
------------[ cut here ]------------
kernel BUG at security/selinux/avc.c:119!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 1733 Comm: udevd Not tainted 4.4.112-g5f6325b #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d3b58000 task.stack: ffff8801d3b60000
RIP: 0010:[<ffffffff81b49eff>]  [<ffffffff81b49eff>] avc_dump_av security/selinux/avc.c:119 [inline]
RIP: 0010:[<ffffffff81b49eff>]  [<ffffffff81b49eff>] avc_audit_pre_callback+0x25f/0x2b0 security/selinux/avc.c:716
RSP: 0018:ffff8801d3b67858  EFLAGS: 00010293
RAX: ffff8801d3b58000 RBX: 0000000000008620 RCX: ffffffff81b49eff
RDX: 0000000000000000 RSI: 000000000000000d RDI: ffff8801d3b67ad8
RBP: ffff8801d3b67890 R08: ffffed003a1c9dd7 R09: ffffed003a1c9dd7
R10: 0000000000000001 R11: ffffed003a1c9dd6 R12: ffffffff839c6f40
R13: 0000000000000004 R14: ffffffff81b498a0 R15: ffffffff81b49ca0
FS:  00007fda4f30a7a0(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200bbff7 CR3: 00000001d3ad6000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801da1f7f60 99af98a530c0cab4 1ffff1003a76cf18 ffff8801d3b67d08
 ffff8801da1f7f60 ffffffff81b498a0 ffffffff81b49ca0 ffff8801d3b67a88
 ffffffff81bad998 0000000000000000 ffff8801d3b58868 00000002842bca80
Call Trace:
 [<ffffffff81bad998>] common_lsm_audit+0x128/0x1a40 security/lsm_audit.c:428
 [<ffffffff81b4c6c1>] slow_avc_audit+0x181/0x210 security/selinux/avc.c:775
 [<ffffffff81b4e010>] avc_audit security/selinux/include/avc.h:140 [inline]
 [<ffffffff81b4e010>] avc_has_perm+0x420/0x500 security/selinux/avc.c:1150
 [<ffffffff81b50e8e>] inode_has_perm security/selinux/hooks.c:1630 [inline]
 [<ffffffff81b50e8e>] file_has_perm+0x28e/0x3e0 security/selinux/hooks.c:1708
 [<ffffffff81b5fca7>] selinux_revalidate_file_permission security/selinux/hooks.c:3204 [inline]
 [<ffffffff81b5fca7>] selinux_file_permission+0x2f7/0x460 security/selinux/hooks.c:3224
 [<ffffffff81b454ed>] security_file_permission+0x7d/0x1e0 security/security.c:734
 [<ffffffff8151e4b0>] rw_verify_area+0xe0/0x2f0 fs/read_write.c:404
 [<ffffffff8151eb6b>] vfs_write+0x10b/0x530 fs/read_write.c:534
 [<ffffffff815212d9>] SYSC_write fs/read_write.c:585 [inline]
 [<ffffffff815212d9>] SyS_write+0xd9/0x1b0 fs/read_write.c:577
 [<ffffffff83776499>] entry_SYSCALL_64_fastpath+0x16/0x92
Code: ea 48 c7 c6 c0 70 9c 83 e8 9f 01 7f ff eb ad e8 08 60 81 ff 48 8b 7d c8 48 c7 c6 00 70 9c 83 e8 88 01 7f ff eb ab e8 f1 5f 81 ff <0f> 0b e8 0a 41 9b ff e9 c2 fe ff ff 48 89 df e8 3d 41 9b ff e9 
RIP  [<ffffffff81b49eff>] avc_dump_av security/selinux/avc.c:119 [inline]
RIP  [<ffffffff81b49eff>] avc_audit_pre_callback+0x25f/0x2b0 security/selinux/avc.c:716
 RSP <ffff8801d3b67858>
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access[   29.625330] ---[ end trace fa0ae58ea07dc13a ]---