==================================================================
BUG: KASAN: use-after-free in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: use-after-free in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
Read of size 8 at addr ffff8800b22200c0 by task syz-executor7/8325

CPU: 1 PID: 8325 Comm: syz-executor7 Not tainted 4.4.118-g5f7f76a #25
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000[ 55.819624] netlink: 2100 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 2100 bytes leftover after parsing attributes in process `syz-executor2'.
 d045bd8e5b13956a ffff8801d176fa40 ffffffff81d0402d
 ffffea0002c88800 ffff8800b22200c0 0000000000000000 ffff8800b22200c0
 ffff8800a80f4438 ffff8801d176fa78 ffffffff814fe103 ffff8800b22200c0
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] list_empty include/linux/list.h:189 [inline]
 [] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1837
 [] sg_read+0xa1b/0x1490 drivers/scsi/sg.c:537
 [] __vfs_read+0x103/0x440 fs/read_write.c:432
 [] vfs_read+0x123/0x3a0 fs/read_write.c:454
 [] SYSC_read fs/read_write.c:569 [inline]
 [] SyS_read+0xd9/0x1b0 fs/read_write.c:562
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17

Allocated by task 3868:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [] kmem_cache_alloc_trace+0x100/0x2b0 mm/slub.c:2642
 [] kmem_cache_alloc_node_trace include/linux/slab.h:367 [inline]
 [] kmalloc_node include/linux/slab.h:514 [inline]
 [] alloc_vmap_area.isra.20+0x11e/0x860 mm/vmalloc.c:366
 [] __get_vm_area_node.isra.21+0xe1/0x310 mm/vmalloc.c:1353
 [] __vmalloc_node_range+0xa4/0x630 mm/vmalloc.c:1666
 [] __vmalloc_node mm/vmalloc.c:1715 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1729 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1744
 [] xt_compat_add_offset+0x228/0x380 net/netfilter/x_tables.c:471
 [] compat_calc_entry net/ipv4/netfilter/ip_tables.c:1050 [inline]
 [] compat_table_info+0x22d/0x470 net/ipv4/netfilter/ip_tables.c:1081
 [] compat_get_entries net/ipv4/netfilter/ip_tables.c:1804 [inline]
 [] compat_do_ipt_get_ctl+0x2d4/0x8a0 net/ipv4/netfilter/ip_tables.c:1838
 [] compat_nf_sockopt net/netfilter/nf_sockopt.c:138 [inline]
 [] compat_nf_getsockopt+0x8b/0x130 net/netfilter/nf_sockopt.c:162
 [] compat_ip_getsockopt+0x17c/0x1d0 net/ipv4/ip_sockglue.c:1566
 [] inet_csk_compat_getsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:901
 [] compat_tcp_getsockopt+0x3d/0x70 net/ipv4/tcp.c:2956
 [] compat_sock_common_getsockopt+0xb2/0x140 net/core/sock.c:2629
 [] C_SYSC_getsockopt net/compat.c:504 [inline]
 [] compat_SyS_getsockopt net/compat.c:487 [inline]
 [] C_SYSC_socketcall net/compat.c:838 [inline]
 [] compat_SyS_socketcall+0x739/0xb00 net/compat.c:769
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17

Freed by task 14:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kfree+0xfc/0x300 mm/slub.c:3749
 [] __rcu_reclaim kernel/rcu/rcu.h:113 [inline]
 [] rcu_do_batch kernel/rcu/tree.c:2705 [inline]
 [] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
 [] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
 [] rcu_process_callbacks+0x922/0x14a0 kernel/rcu/tree.c:2957
 [] __do_softirq+0x227/0xa38 kernel/softirq.c:273

The buggy address belongs to the object at ffff8800b22200c0
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 0 bytes inside of
 128-byte region [ffff8800b22200c0, ffff8800b2220140)
The buggy address belongs to the page:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:3123 __lock_acquire+0x1625/0x4b50 kernel/locking/lockdep.c:3123()
DEBUG_LOCKS_WARN_ON(depth >= MAX_LOCK_DEPTH)