BUG: KASAN: wild-memory-access on address ffe708746e867000
Read of size 28 by task syz-executor0/6546
CPU: 0 PID: 6546 Comm: syz-executor0 Not tainted 4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d193f9e8 ffffffff81d93149 ffe708746e867000 000000000000001c
 0000000000000000 ffff8801d85dfd80 ffe708746e867000 ffff8801d193fa70
 ffffffff8153d08f 0000000000000000 0000000000000001 ffffffff826648db
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153d08f>] kasan_report_error mm/kasan/report.c:284 [inline]
 [<ffffffff8153d08f>] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [<ffffffff8153d460>] kasan_report+0x20/0x30 mm/kasan/report.c:296
 [<ffffffff8153bda7>] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [<ffffffff8153bda7>] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [<ffffffff8153be11>] kasan_check_read+0x11/0x20 mm/kasan/kasan.c:320
 [<ffffffff826648db>] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [<ffffffff826648db>] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [<ffffffff826648db>] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [<ffffffff8156b741>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
 [<ffffffff8156f510>] do_loop_readv_writev fs/read_write.c:880 [inline]
 [<ffffffff8156f510>] do_readv_writev+0x520/0x750 fs/read_write.c:874
 [<ffffffff8156f7c4>] vfs_readv+0x84/0xc0 fs/read_write.c:898
 [<ffffffff8156f8e6>] do_readv+0xe6/0x250 fs/read_write.c:924
 [<ffffffff81572ca7>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81572ca7>] SyS_readv+0x27/0x30 fs/read_write.c:1008
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
==================================================================
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
sg_write: data in/out 34319/34 bytes for SCSI command 0xfc-- guessing data in;
   program syz-executor0 not setting count and/or reply_len properly
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device syz2 entered promiscuous mode
device syz2 left promiscuous mode
device syz2 entered promiscuous mode
device syz2 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'.
IPVS: Creating netns size=2536 id=15
binder: 6944:6947 ioctl 400454d4 204b0000 returned -22
binder: 6944:6950 ioctl 400454d4 204b0000 returned -22
9pnet_virtio: no channels available for device ./file0
device lo left promiscuous mode
9pnet_virtio: no channels available for device ./file0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7054 comm=syz-executor6
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
device lo entered promiscuous mode
device lo left promiscuous mode
device syz1 entered promiscuous mode
device syz1 left promiscuous mode
����: renamed from syz1
device syz2 entered promiscuous mode
IPVS: Creating netns size=2536 id=16
nla_parse: 12 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device gre0 left promiscuous mode
device lo left promiscuous mode
sock: sock_set_timeout: `syz-executor6' (pid 7717) tries to set negative timeout
IPVS: Creating netns size=2536 id=17
IPVS: Creating netns size=2536 id=18
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 7802:7850 ioctl 4b60 205baf8c returned -22
IPVS: Creating netns size=2536 id=19
binder: 7802:7809 ioctl 4b60 205baf8c returned -22
pktgen: kernel_thread() failed for cpu 0
sg_write: data in/out 93/34 bytes for SCSI command 0xfc-- guessing data in;
   program syz-executor4 not setting count and/or reply_len properly
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 7939:7941 ioctl 80045200 20eb1ffc returned -22
binder: 7939:7941 ioctl 80045200 20eb1ffc returned -22
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
IPVS: length: 24 != 8
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8063 Comm: syz-executor3 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801aaaf77b0 ffffffff81d93149 ffff8801aaaf7a90 0000000000000000
 ffff8801a61df910 ffff8801aaaf7980 ffff8801a61df800 ffff8801aaaf79a8
 ffffffff81660dc8 ffff8801aaaf7900 ffffffff811b99c1 00000001cce64067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815aaa8d>] do_fcntl fs/fcntl.c:274 [inline]
 [<ffffffff815aaa8d>] SYSC_fcntl fs/fcntl.c:372 [inline]
 [<ffffffff815aaa8d>] SyS_fcntl+0x8fd/0xc70 fs/fcntl.c:357
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 8048 Comm: syz-executor3 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cebef840 ffffffff81d93149 ffff8801cebefb20 0000000000000000
 ffff8801a61df910 ffff8801cebefa10 ffff8801a61df800 ffff8801cebefa38
 ffffffff81660dc8 ffff8801cebef990 ffff8801db221518 00000001cce64067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff811525fb>] SYSC_capset kernel/capability.c:232 [inline]
 [<ffffffff811525fb>] SyS_capset+0xbb/0x8e0 kernel/capability.c:223
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 8111 Comm: syz-executor6 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9f6f8d0 ffffffff81d93149 ffff8801a9f6fbb0 0000000000000000
 ffff8801a7415010 ffff8801a9f6faa0 ffff8801a7414f00 ffff8801a9f6fac8
 ffffffff81660dc8 ffff8801a9f6fa20 0000000000000000 00000001d13be067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff8116a27d>] SyS_rt_sigtimedwait+0x2d/0x40 kernel/signal.c:2819
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 8105 Comm: syz-executor6 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca85f9a0 ffffffff81d93149 ffff8801ca85fc80 0000000000000000
 ffff8801a7415010 ffff8801ca85fb70 ffff8801a7414f00 ffff8801ca85fb98
 ffffffff81660dc8 ffff8801ca85faf0 ffff8801ca85fbb8 00000001d13be067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8114 Comm: syz-executor6 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cbc5f8d0 ffffffff81d93149 ffff8801cbc5fbb0 0000000000000000
 ffff8801a7414e90 ffff8801cbc5faa0 ffff8801a7414d80 ffff8801cbc5fac8
 ffffffff81660dc8 ffff8801cbc5fa20 ffffffff811ba655 00000001a265c067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff8116a27d>] SyS_rt_sigtimedwait+0x2d/0x40 kernel/signal.c:2819
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 8111 Comm: syz-executor6 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9f6f9a0 ffffffff81d93149 ffff8801a9f6fc80 0000000000000000
 ffff8801a7414e90 ffff8801a9f6fb70 ffff8801a7414d80 ffff8801a9f6fb98
 ffffffff81660dc8 ffff8801a9f6faf0 ffff8801a9f6fbb8 00000001a265c067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
CPU: 0 PID: 8080 Comm: syz-executor3 Tainted: G    B           4.9.52-g9b2b081 #55
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ceb2f9b0 ffffffff81d93149 ffff8801ceb2fc90 0000000000000000
 ffff8801a61df910 ffff8801ceb2fb80 ffff8801a61df800 ffff8801ceb2fba8
 ffffffff81660dc8 ffff8801ceb2fb00 ffff8801ceb2fbe0 00000001cce64067
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d93149>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cfd71>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cfd71>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cfd71>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cfd71>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810e020b>] __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 [<ffffffff810e0917>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
binder: 8158:8162 ioctl c0206416 20ff9000 returned -22
binder: 8158:8162 ioctl c0206416 20ff9000 returned -22
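Added example, not part of the original report and not syzkaller's own code: a small Python triage pass over a constructed excerpt of the console lines above. It separates the one real finding, the KASAN wild-memory-access Read of 28 bytes reached through readv() on an sg device (culprit frame sg_read_oxfer at drivers/scsi/sg.c:1978, reported from __copy_to_user), from the FAULT_FLAG_ALLOW_RETRY dumps, which handle_userfault() (fs/userfaultfd.c:323) emits as a rate-limited CONFIG_DEBUG_VM warning plus dump_stack() when a fault on a userfaultfd-registered range arrives without FAULT_FLAG_ALLOW_RETRY. The value 30 decodes as FAULT_FLAG_KILLABLE|FAULT_FLAG_TRIED, the retry pass of a kernel-mode access (no FAULT_FLAG_USER) made from inside fcntl(), capset() and rt_sigtimedwait() in the traces above. The skip lists, the severity labels and the 4.9-era flag table are my choices; the page gives no reproducer and none is assumed here.

```python
"""Triage helper for syzkaller console logs like the one above. Added example, not
syzkaller's code nor part of the original report; SAMPLE_LOG is a constructed
excerpt of the console output above."""
import re

SAMPLE_LOG = """\
BUG: KASAN: wild-memory-access on address ffe708746e867000
Read of size 28 by task syz-executor0/6546
Call Trace:
 [<ffffffff81d93149>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff8153d08f>] kasan_report.part.1+0x40f/0x500 mm/kasan/report.c:309
 [<ffffffff826648db>] __copy_to_user arch/x86/include/asm/uaccess_64.h:182 [inline]
 [<ffffffff826648db>] sg_read_oxfer drivers/scsi/sg.c:1978 [inline]
 [<ffffffff826648db>] sg_read+0x124b/0x1400 drivers/scsi/sg.c:520
 [<ffffffff81572ca7>] SYSC_readv fs/read_write.c:1011 [inline]
 [<ffffffff81572ca7>] SyS_readv+0x27/0x30 fs/read_write.c:1008
==================================================================
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
FAULT_FLAG_ALLOW_RETRY missing 30
Call Trace:
 [<ffffffff81660dc8>] handle_userfault+0xa48/0x1300 fs/userfaultfd.c:323
 [<ffffffff838ad818>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815aaa8d>] do_fcntl fs/fcntl.c:274 [inline]
 [<ffffffff815aaa8d>] SyS_fcntl+0x8fd/0xc70 fs/fcntl.c:357
 [<ffffffff838ac645>] entry_SYSCALL_64_fastpath+0x23/0xc6
"""

KASAN_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) (?:on|in) ")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size \d+ by task (?P<task>\S+)$")
UFFD_RE = re.compile(r"^FAULT_FLAG_ALLOW_RETRY missing (?P<flags>[0-9a-f]+)$")
# "[<addr>] func[+off/len] [file:line] [[inline]]", as 4.9's dump_stack() prints it
FRAME_RE = re.compile(
    r"^\s*\[<[0-9a-f]+>\]\s+(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<loc>\S+:\d+))?(?:\s+\[inline\])?\s*$")
SYSCALL_RE = re.compile(r"^(?:SyS_|SYSC_|sys_|__x64_sys_|__do_sys_)")
# Frames stepped over when naming the culprit: the reporting machinery for KASAN, the
# fault path for the userfaultfd warning (my lists, modelled on syzkaller's titling).
SKIP = {
    "bug": ("__dump_stack", "dump_stack", "kasan_", "check_memory_region",
            "__copy_to_user", "__copy_from_user", "memcpy", "memset"),
    "warning": ("__dump_stack", "dump_stack", "handle_userfault", "do_anonymous_page",
                "handle_pte_fault", "__handle_mm_fault", "handle_mm_fault",
                "__do_page_fault", "do_page_fault", "page_fault"),
}
# FAULT_FLAG_* bit values as in include/linux/mm.h of the 4.9 era.
FAULT_FLAGS = {0x01: "WRITE", 0x02: "MKWRITE", 0x04: "ALLOW_RETRY", 0x08: "RETRY_NOWAIT",
               0x10: "KILLABLE", 0x20: "TRIED", 0x40: "USER", 0x80: "REMOTE",
               0x100: "INSTRUCTION"}

def decode_fault_flags(flags):
    # 0x30 -> ["KILLABLE", "TRIED"]: the retry pass of a kernel-mode fault (no USER bit)
    return [name for bit, name in sorted(FAULT_FLAGS.items()) if flags & bit]

def _header(line):
    # KASAN = memory-safety violation ("bug"); the userfaultfd line is a rate-limited
    # CONFIG_DEBUG_VM printk + dump_stack() from handle_userfault(), a "warning".
    if m := KASAN_RE.match(line):
        return {"severity": "bug", "headline": f"KASAN: {m['type']}", "frames": []}
    if m := UFFD_RE.match(line):
        return {"severity": "warning", "headline": line.strip(), "frames": [],
                "flags": decode_fault_flags(int(m["flags"], 16))}
    return None

def parse_reports(text):
    """Split a console log into dicts, one per KASAN report or userfaultfd dump."""
    reports, cur, in_trace = [], None, False
    for line in text.splitlines():
        if new := _header(line):
            cur, in_trace = new, False
            reports.append(cur)
        elif cur is None:
            continue                                # unrelated console noise
        elif m := ACCESS_RE.match(line):
            cur["access"], cur["task"] = m["rw"], m["task"]
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            # Strip GCC's .part.N/.isra.N clone suffixes so names compare cleanly.
            func = re.sub(r"\.(?:part|isra|constprop|cold)\.\d+$", "", m["func"])
            cur["frames"].append((func, m["loc"]))
        elif in_trace:
            cur, in_trace = None, False             # first non-frame line ends the dump
    # A header whose dump was rate-limited away carries no trace; drop it.
    return [r for r in reports if r["frames"]]

def summarize(text):
    """One triage row per report: syzkaller-style title, culprit location, syscall."""
    rows = []
    for r in parse_reports(text):
        skip = SKIP[r["severity"]]
        culprit = next((f for f in r["frames"] if not f[0].startswith(skip)), ("?", None))
        sc = next((f[0] for f in r["frames"] if SYSCALL_RE.match(f[0])), None)
        access = f" {r['access']}" if "access" in r else ""
        rows.append({"title": f"{r['headline']}{access} in {culprit[0]}",
                     "severity": r["severity"], "location": culprit[1],
                     "syscall": SYSCALL_RE.sub("", sc) if sc else None,
                     "task": r.get("task"), "flags": r.get("flags")})
    return rows

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

Run as-is it prints one row per dump; feeding it the full console log instead of SAMPLE_LOG gives one "bug" row for the sg_read_oxfer report and one "warning" row per userfaultfd dump (fcntl, capset, rt_sigtimedwait), which is the split a triager wants before spending time on any of them.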