==================================================================
BUG: KASAN: slab-out-of-bounds in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130
Read of size 8 at addr ffff8801d0534f40 by task syzkaller940113/3322

CPU: 1 PID: 3322 Comm: syzkaller940113 Not tainted 4.4.112-g3fc4284 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 4e63484279038935 ffff8800b4fcfab0 ffffffff81d054ed
 ffffea0007414d00 ffff8801d0534f40 0000000000000000 ffff8801d0534f40
 ffff8801d55ba338 ffff8800b4fcfae8 ffffffff814fd953 ffff8801d0534f40
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] list_empty include/linux/list.h:189 [inline]
 [] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2130
 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1848
 [] sg_read+0xa21/0x1490 drivers/scsi/sg.c:538
 [] __vfs_read+0x103/0x440 fs/read_write.c:432
 [] vfs_read+0x123/0x3a0 fs/read_write.c:454
 [] SYSC_read fs/read_write.c:569 [inline]
 [] SyS_read+0xd9/0x1b0 fs/read_write.c:562
 [] entry_SYSCALL_64_fastpath+0x16/0x92

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d0534f00
 which belongs to the cache fasync_cache of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff8801d0534f00, ffff8801d0534f60)
The buggy address belongs to the page:

kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3324 Comm: Not tainted 4.4.112-g3fc4284 #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800b4f317c0 task.stack: (null)
RIP: 0010:[] [] __read_once_size include/linux/compiler.h:218 [inline]
RIP: 0010:[] [] cputimer_running kernel/sched/stats.h:178 [inline]
RIP: 0010:[] [] account_group_system_time kernel/sched/stats.h:237 [inline]
RIP: 0010:[] [] __account_system_time kernel/sched/cputime.c:211 [inline]
RIP: 0010:[] [] account_system_time+0x12e/0x4d0 kernel/sched/cputime.c:244
RSP: 0018:ffff8801db207ce8 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: ffff8800b4f317c0 RCX: 0000000000000001
RDX: 000000000000002d RSI: 0000000000010000 RDI: 0000000000000168
RBP: ffff8801db207d20 R08: fffffbfff0ae02ea R09: fffffbfff0ae02ea
R10: 00000000ffffea00 R11: fffffbfff0ae02e9 R12: 0000000000000001
R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000000002
FS: 00007f287bbbd700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f287bbbce78 CR3: 00000001d1212000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 000000000001f4c0 ffff8800b4f317c0 ffff8801db21f4c0 ffff8800b4f317c0
 0000000000000000 000000000001f4c0 ffff8801db200000 ffff8801db207d70
 ffffffff811d5bdf 0000000000989680 000000094e65cc80 ffff8801db207d90
Call Trace:
 [] account_process_tick+0xef/0x310 kernel/sched/cputime.c:499
 [] update_process_times+0x23/0x70 kernel/time/timer.c:1418
 [] tick_sched_handle.isra.16+0x55/0xf0 kernel/time/tick-sched.c:151
 [] tick_sched_timer+0x72/0x120 kernel/time/tick-sched.c:1097
 [] __run_hrtimer kernel/time/hrtimer.c:1253 [inline]
 [] __hrtimer_run_queues+0x306/0xfe0 kernel/time/hrtimer.c:1317
 [] hrtimer_interrupt+0x1a6/0x440 kernel/time/hrtimer.c:1351
 [] local_apic_timer_interrupt+0x6a/0xb0 arch/x86/kernel/apic/apic.c:901
 [] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:925
 [] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:725
Code: ea 03 80 3c 02 00 0f 85 73 03 00 00 4c 8b b3 00 07 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d be 68 01 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 3b 02 00
RIP [] __read_once_size include/linux/compiler.h:218 [inline]
RIP [] cputimer_running kernel/sched/stats.h:178 [inline]
RIP [] account_group_system_time kernel/sched/stats.h:237 [inline]
RIP [] __account_system_time kernel/sched/cputime.c:211 [inline]
RIP [] account_system_time+0x12e/0x4d0 kernel/sched/cputime.c:244
 RSP
---[ end trace 343b969f1b611045 ]---