==================================================================
BUG: KASAN: slab-out-of-bounds in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
Read of size 8 at addr ffff8800b41d0140 by task syzkaller504686/4040

CPU: 0 PID: 4040 Comm: syzkaller504686 Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 206a73368769ed68 ffff8801ca8779f0 ffffffff81d02e6d
 ffffea0002d07400 ffff8800b41d0140 0000000000000000 ffff8800b41d0140
 ffff8801d86ec438 ffff8801ca877a28 ffffffff814fd6f3 ffff8800b41d0140
Call Trace:
 [<ffffffff81d02e6d>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d02e6d>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fd6f3>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fdc05>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fdc05>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814fdd64>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff825b75a9>] list_empty include/linux/list.h:189 [inline]
 [<ffffffff825b75a9>] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
 [<ffffffff825b7b25>] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1837
 [<ffffffff825b99cb>] sg_read+0xa1b/0x1490 drivers/scsi/sg.c:537
 [<ffffffff8151cc01>] do_loop_readv_writev+0x141/0x1e0 fs/read_write.c:680
 [<ffffffff8151ef5d>] do_readv_writev+0x5dd/0x6e0 fs/read_write.c:810
 [<ffffffff8151f0d8>] vfs_readv+0x78/0xb0 fs/read_write.c:834
 [<ffffffff81521409>] SYSC_readv fs/read_write.c:860 [inline]
 [<ffffffff81521409>] SyS_readv+0xd9/0x240 fs/read_write.c:852
 [<ffffffff8377341f>] entry_SYSCALL_64_fastpath+0x1c/0x98

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8800b41d0100
 which belongs to the cache fasync_cache of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff8800b41d0100, ffff8800b41d0160)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4018 Comm: getty Not tainted 4.4.114-gfe09418 #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800ba48af80 task.stack: ffff8800baab0000
RIP: 0010:[<ffffffff81d65f78>]  [<ffffffff81d65f78>] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline]
RIP: 0010:[<ffffffff81d65f78>]  [<ffffffff81d65f78>] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726
RSP: 0000:ffff8800baab7610  EFLAGS: 00010803
RAX: 0000000000000296 RBX: ffff8800b25b7000 RCX: 0000000000000002
RDX: 1d2000dbb71d0161 RSI: ffff8800baab76a0 RDI: ffffffff8148ff89
RBP: ffff8800baab7708 R08: 1ffffffff0291ff1 R09: ffffffff8512d900
R10: dead000000000200 R11: 1ffff10017556e88 R12: ed02fee8ffffff45
R13: ffff8800b25b6000 R14: e90006ddb8e80b0f R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f43221c0688 CR3: 000000000420c000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 000000008122f661 0000000000000046 ffff8800ba48b7f8 ffff8800ba48af80
 1ffff10017556ed0 ffffffff85820000 ffff8800b25b7000 ffff8800b25b7000
 ffffffff847ebb38 ffffffff847cd020 00000000000be5c0 fffffbfff0b04000
Call Trace:
 [<ffffffff8142d849>] free_pages_prepare+0x4a9/0xb30 mm/page_alloc.c:1049
 [<ffffffff8143367f>] free_hot_cold_page+0x3f/0x3a0 mm/page_alloc.c:2112
 [<ffffffff81433a6f>] free_hot_cold_page_list+0x8f/0x3b0 mm/page_alloc.c:2160
 [<ffffffff81449307>] release_pages+0x1f7/0x4f0 mm/swap.c:970
 [<ffffffff814cfe42>] free_pages_and_swap_cache+0x102/0x140 mm/swap_state.c:266
 [<ffffffff81494604>] tlb_flush_mmu_free+0xb4/0x160 mm/memory.c:255
 [<ffffffff814972c3>] tlb_flush_mmu mm/memory.c:264 [inline]
 [<ffffffff814972c3>] tlb_finish_mmu+0x23/0xa0 mm/memory.c:275
 [<ffffffff814b3c14>] exit_mmap+0x1f4/0x3a0 mm/mmap.c:2929
 [<ffffffff81123548>] __mmput kernel/fork.c:715 [inline]
 [<ffffffff81123548>] mmput+0xf8/0x2d0 kernel/fork.c:735
 [<ffffffff81132e64>] exit_mm kernel/exit.c:440 [inline]
 [<ffffffff81132e64>] do_exit+0x714/0x2a10 kernel/exit.c:742
 [<ffffffff81139418>] do_group_exit+0x108/0x320 kernel/exit.c:885
 [<ffffffff8115c872>] get_signal+0x4f2/0x1550 kernel/signal.c:2317
 [<ffffffff8100e7fb>] do_signal+0x8b/0x1d40 arch/x86/kernel/signal.c:712
 [<ffffffff810035fa>] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:247
 [<ffffffff81006363>] prepare_exit_to_usermode+0xe3/0x100 arch/x86/entry/common.c:282
 [<ffffffff83773fc8>] retint_user+0x8/0x3c
Code: 48 c7 c6 40 1a 76 85 4c 8b 34 0e 4d 85 f6 0f 84 c5 03 00 00 49 ba 00 02 00 00 00 00 ad de 31 c9 48 8d 75 98 4c 89 f2 48 c1 ea 03 <42> 80 3c 3a 00 0f 85 f0 03 00 00 49 8d 7e 18 83 c1 01 49 8b 16 
RIP  [<ffffffff81d65f78>] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline]
RIP  [<ffffffff81d65f78>] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726
 RSP <ffff8800baab7610>
---[ end trace 466ebb1c1caeef48 ]---