==================================================================
BUG: KASAN: out-of-bounds in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: out-of-bounds in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
Read of size 8 at addr ffff8800b2e1a240 by task syzkaller935857/5412

CPU: 1 PID: 5412 Comm: syzkaller935857 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 319e2360fd73a9a7 ffff8800b2737ab0 ffffffff81d0278d
 ffffea0002cb8680 ffff8800b2e1a240 0000000000000000 ffff8800b2e1a248
 ffff8800b2792338 ffff8800b2737ae8 ffffffff814fd053 ffff8800b2e1a240
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] list_empty include/linux/list.h:189 [inline]
 [] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1837
 [] sg_read+0xa1b/0x1490 drivers/scsi/sg.c:537
 [] __vfs_read+0x103/0x440 fs/read_write.c:432
 [] vfs_read+0x123/0x3a0 fs/read_write.c:454
 [] SYSC_read fs/read_write.c:569 [inline]
 [] SyS_read+0xd9/0x1b0 fs/read_write.c:562
 [] entry_SYSCALL_64_fastpath+0x1c/0x98

Allocated by task 5428:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xba/0x290 mm/slub.c:2628
 [] fasync_alloc fs/fcntl.c:603 [inline]
 [] fasync_add_entry fs/fcntl.c:661 [inline]
 [] fasync_helper+0x37/0xb0 fs/fcntl.c:690
 [] sg_fasync+0x86/0xb0 drivers/scsi/sg.c:1202
 [] setfl fs/fcntl.c:69 [inline]
 [] do_fcntl fs/fcntl.c:266 [inline]
 [] SYSC_fcntl fs/fcntl.c:371 [inline]
 [] SyS_fcntl+0x64f/0xc40 fs/fcntl.c:356
 [] entry_SYSCALL_64_fastpath+0x1c/0x98

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8800b2e1a200
 which belongs to the cache fasync_cache of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff8800b2e1a200, ffff8800b2e1a260)
The buggy address belongs to the page:
BUG: spinlock bad magic on CPU#0, syzkaller935857/5539
 lock: 0xffff8800b26fb180, .magic: 00000000, .owner: HXo/0, .owner_cpu: 0
CPU: 0 PID: 5539 Comm: syzkaller935857 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 8c40b882d3a3a464 ffff8800b2817d30 ffffffff81d0278d
 ffff8800b26fb180 ffff8800b26fb1d0 ffff8800b2808000 1ffff10016502fd3
 0000000000000000 ffff8800b2817d70 ffffffff81245a5d ffffea0000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] spin_dump+0x14d/0x280 kernel/locking/spinlock_debug.c:67
 [] spin_bug kernel/locking/spinlock_debug.c:75 [inline]
 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]
 [] do_raw_spin_lock+0x228/0x2c0 kernel/locking/spinlock_debug.c:135
 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline]
 [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151
 [] spin_lock include/linux/spinlock.h:302 [inline]
 [] __alloc_fd+0x35/0x500 fs/file.c:503
 [] get_unused_fd_flags+0x9e/0xd0 fs/file.c:561
 [] do_sys_open+0x221/0x4b0 fs/open.c:1036
 [] SYSC_open fs/open.c:1056 [inline]
 [] SyS_open+0x2d/0x40 fs/open.c:1051
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 5539 Comm: syzkaller935857 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800b2808000 task.stack: ffff8800b2810000
RIP: 0010:[]  [] _find_next_bit.part.0+0x3e/0x120 lib/find_bit.c:39
RSP: 0018:ffff8800b2817d70  EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 00000000020e2a37 RCX: ffffffff81d46c42
RDX: 00000000000838a8 RSI: 0000000002c9bec6 RDI: 0000000000000000
RBP: ffff8800b2817da0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000002 R11: fffffbfff0ad7e28 R12: 0000000002c9bec6
R13: ffffffffffffffff R14: 0000000000000000 R15: 000000000041c540
FS:  00007f603d119700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020bbdff7 CR3: 00000000b293a000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8800b2817da8 0000000002c9bec6 00000000020e2a37 0000000000000000
 ffff8800b26fb150 0000000000000000 ffff8800b2817dc8 ffffffff81d46dcb
 00000000b26fb190 00000000838a8de0 ffff8800b26fb0c0 ffff8800b2817e40
Call Trace:
 [] _find_next_bit lib/find_bit.c:36 [inline]
 [] find_next_zero_bit+0x3b/0x50 lib/find_bit.c:73
 [] find_next_fd fs/file.c:485 [inline]
 [] __alloc_fd+0x16e/0x500 fs/file.c:511
 [] get_unused_fd_flags+0x9e/0xd0 fs/file.c:561
 [] do_sys_open+0x221/0x4b0 fs/open.c:1036
 [] SYSC_open fs/open.c:1056 [inline]
 [] SyS_open+0x2d/0x40 fs/open.c:1051
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
Code: 89 f4 53 48 89 d3 48 83 ec 08 e8 de 8f 61 ff 48 89 d8 48 c1 e8 06 4d 8d 3c c6 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 bc 00 00 00 49 8b 07 89 d9 48 83 e3 c0 4c 31
RIP  [] _find_next_bit.part.0+0x3e/0x120 lib/find_bit.c:39
 RSP
---[ end trace 065fdc87d11b217d ]---