==================================================================
BUG: KASAN: slab-out-of-bounds in list_empty include/linux/list.h:189 [inline]
BUG: KASAN: slab-out-of-bounds in sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
Read of size 8 at addr ffff8801d283f240 by task syzkaller130200/3315

CPU: 1 PID: 3315 Comm: syzkaller130200 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 a62814c7d0b61e57 ffff8801d0627ab0 ffffffff81d0278d
 ffffea00074a0fc0 ffff8801d283f240 0000000000000000 ffff8801d283f240
 ffff8801d0590238 ffff8801d0627ae8 ffffffff814fd053 ffff8801d283f240
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] list_empty include/linux/list.h:189 [inline]
 [] sg_remove_request+0xf9/0x110 drivers/scsi/sg.c:2120
 [] sg_finish_rem_req+0x295/0x340 drivers/scsi/sg.c:1837
 [] sg_read+0xa1b/0x1490 drivers/scsi/sg.c:537
 [] __vfs_read+0x103/0x440 fs/read_write.c:432
 [] vfs_read+0x123/0x3a0 fs/read_write.c:454
 [] SYSC_read fs/read_write.c:569 [inline]
 [] SyS_read+0xd9/0x1b0 fs/read_write.c:562
 [] entry_SYSCALL_64_fastpath+0x1c/0x98

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d283f200
 which belongs to the cache fasync_cache of size 96
The buggy address is located 64 bytes inside of
 96-byte region [ffff8801d283f200, ffff8801d283f260)
The buggy address belongs to the page:
BUG: unable to handle kernel NULL pointer dereference at 00000000000000c4
IP: [] qlist_free_all+0x2e/0xc0 mm/kasan/quarantine.c:157
PGD 80000001d3f03067 PUD 1d2b4f067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3159 Comm: rsyslogd Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d31b5f00 task.stack: ffff8800b6f70000
RIP: 0010:[]  [] qlist_free_all+0x2e/0xc0 mm/kasan/quarantine.c:157
RSP: 0018:ffff8800b6f77c50  EFLAGS: 00010246
RAX: ffffea00000e2a00 RBX: 0000000000000000 RCX: ffffea00000e2a1f
RDX: 0000000000000000 RSI: ffffffff838a8de0 RDI: 0000000000000000
RBP: ffff8800b6f77c78 R08: ffff8801d05a9f78 R09: 00000001802e002d
R10: ffffea0007416a40 R11: 0000000000000000 R12: ffffffff838a8de0
R13: ffff8800b6f77c90 R14: ffffffff814fd8ee R15: 0000000080000000
FS:  00007f249c022700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 00000001d2a2c000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000000 ffff8800b6f77c90 00000000024000c0 ffff8800b081e4d8
 ffff8801da263140 ffff8800b6f77cc0 ffffffff814fdd8f ffffffff814fdc92
 ffff8800b47fa200 ffff8800b3e0e600 0000000000100408 b369440afd2b99b6
Call Trace:
 [] quarantine_reduce+0x18f/0x1d0 mm/kasan/quarantine.c:259
 [] kasan_kmalloc+0xca/0xe0 mm/kasan/kasan.c:601
 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xba/0x290 mm/slub.c:2628
 [] __split_vma.isra.40+0x171/0x750 mm/mmap.c:2516
 [] split_vma+0x5b/0x80 mm/mmap.c:2579
 [] mprotect_fixup+0x4d7/0x600 mm/mprotect.c:312
 [] SYSC_mprotect mm/mprotect.c:427 [inline]
 [] SyS_mprotect+0x304/0x660 mm/mprotect.c:348
 [] entry_SYSCALL_64_fastpath+0x1c/0x98
Code: e5 41 57 41 56 41 55 41 54 53 48 89 f3 48 8b 37 48 85 f6 0f 84 8e 00 00 00 49 89 fd 49 c7 c6 ee d8 4f 81 41 bf 00 00 00 80 eb 1d <48> 63 87 c4 00 00 00 4c 89 f2 4c 8b 26 48 29 c6 e8 9d d3 ff ff
RIP  [] qlist_free_all+0x2e/0xc0 mm/kasan/quarantine.c:157
 RSP
CR2: 00000000000000c4
---[ end trace 61f7749b3d7e7cd8 ]---