======================================
| [  631.402004][ T2888] ==================================================================
| [ 631.402353][ T2888] BUG: KASAN: wild-memory-access in _copy_to_iter (./arch/x86/include/asm/smap.h:35 ./arch/x86/include/asm/uaccess_64.h:121 ./arch/x86/include/asm/uaccess_64.h:147 lib/iov_iter.c:25 ./include/linux/iov_iter.h:30 ./include/linux/iov_iter.h:302 ./include/linux/iov_iter.h:330 lib/iov_iter.c:185) 
| [  631.402684][ T2888] Read of size 982 at addr 0005088000000000 by task ncdevmem/2888
| [  631.402980][ T2888]
[  631.403088][ T2888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[  631.403091][ T2888] Call Trace:
[  631.403093][ T2888]  <TASK>
[ 631.403095][ T2888] dump_stack_lvl (lib/dump_stack.c:123) 
[ 631.403105][ T2888] ? _copy_to_iter (./arch/x86/include/asm/smap.h:35 ./arch/x86/include/asm/uaccess_64.h:121 ./arch/x86/include/asm/uaccess_64.h:147 lib/iov_iter.c:25 ./include/linux/iov_iter.h:30 ./include/linux/iov_iter.h:302 ./include/linux/iov_iter.h:330 lib/iov_iter.c:185) 
[ 631.403108][ T2888] kasan_report (mm/kasan/report.c:597) 
[ 631.403117][ T2888] ? _copy_to_iter (./arch/x86/include/asm/smap.h:35 ./arch/x86/include/asm/uaccess_64.h:121 ./arch/x86/include/asm/uaccess_64.h:147 lib/iov_iter.c:25 ./include/linux/iov_iter.h:30 ./include/linux/iov_iter.h:302 ./include/linux/iov_iter.h:330 lib/iov_iter.c:185) 
[ 631.403122][ T2888] kasan_check_range (mm/kasan/generic.c:183 mm/kasan/generic.c:189) 
[ 631.403127][ T2888] _copy_to_iter (./arch/x86/include/asm/smap.h:35 ./arch/x86/include/asm/uaccess_64.h:121 ./arch/x86/include/asm/uaccess_64.h:147 lib/iov_iter.c:25 ./include/linux/iov_iter.h:30 ./include/linux/iov_iter.h:302 ./include/linux/iov_iter.h:330 lib/iov_iter.c:185) 
[ 631.403131][ T2888] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 631.403137][ T2888] ? find_held_lock (kernel/locking/lockdep.c:5350) 
[ 631.403144][ T2888] ? _copy_from_iter_flushcache (lib/iov_iter.c:180) 
[ 631.403147][ T2888] ? mark_held_locks (kernel/locking/lockdep.c:4325) 
[ 631.403152][ T2888] ? _raw_spin_unlock_irqrestore (./include/linux/spinlock_api_smp.h:151 kernel/locking/spinlock.c:194) 
[ 631.403158][ T2888] ? lockdep_hardirqs_on (kernel/locking/lockdep.c:4472) 
[ 631.403163][ T2888] ? _raw_spin_unlock_irqrestore (./arch/x86/include/asm/preempt.h:104 ./include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) 
[ 631.403166][ T2888] ? sk_wait_data (net/core/sock.c:3225) 
[ 631.403173][ T2888] __skb_datagram_iter (net/core/datagram.c:440) 
[ 631.403178][ T2888] ? skb_free_datagram (net/core/datagram.c:520) 
[ 631.403185][ T2888] skb_copy_datagram_iter (net/core/datagram.c:535) 
[ 631.403189][ T2888] tcp_recvmsg_locked (net/ipv4/tcp.c:2802) 
[ 631.403198][ T2888] ? do_raw_spin_lock (./arch/x86/include/asm/atomic.h:107 ./include/linux/atomic/atomic-arch-fallback.h:2170 ./include/linux/atomic/atomic-instrumented.h:1302 ./include/asm-generic/qspinlock.h:111 kernel/locking/spinlock_debug.c:116) 
[ 631.403201][ T2888] ? tcp_update_recv_tstamps (net/ipv4/tcp.c:2613) 
[ 631.403206][ T2888] ? __local_bh_enable_ip (./arch/x86/include/asm/irqflags.h:42 ./arch/x86/include/asm/irqflags.h:119 kernel/softirq.c:412) 
[ 631.403212][ T2888] tcp_recvmsg (net/ipv4/tcp.c:2906) 
[ 631.403215][ T2888] ? filemap_map_pages (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 mm/filemap.c:3794) 
[ 631.403220][ T2888] ? tcp_recv_timestamp (net/ipv4/tcp.c:2892) 
[ 631.403225][ T2888] ? rcu_read_lock_any_held (kernel/rcu/update.c:386 kernel/rcu/update.c:380) 
[ 631.403231][ T2888] ? validate_chain (kernel/locking/lockdep.c:3801 kernel/locking/lockdep.c:3821 kernel/locking/lockdep.c:3876) 
[ 631.403237][ T2888] inet6_recvmsg (net/ipv6/af_inet6.c:680 (discriminator 2)) 
[ 631.403241][ T2888] ? inet6_sk_rebuild_header (net/ipv6/af_inet6.c:667) 
[ 631.403247][ T2888] ____sys_recvmsg (./arch/x86/include/asm/jump_label.h:36 ./include/trace/events/sock.h:304 net/socket.c:1069 net/socket.c:1087 net/socket.c:2834) 
[ 631.403252][ T2888] ? kernel_sendmsg (net/socket.c:2812) 
[ 631.403254][ T2888] ? _copy_from_user (./arch/x86/include/asm/smap.h:29 ./arch/x86/include/asm/uaccess_64.h:134 ./arch/x86/include/asm/uaccess_64.h:141 ./include/linux/uaccess.h:178 lib/usercopy.c:18) 
[ 631.403260][ T2888] ? copy_msghdr_from_user (net/socket.c:2554) 
[ 631.403264][ T2888] ? __copy_msghdr (net/socket.c:2540) 
[ 631.403270][ T2888] ___sys_recvmsg (net/socket.c:2877) 
[ 631.403274][ T2888] ? ___sys_sendmsg (net/socket.c:2866) 
[ 631.403277][ T2888] ? __handle_mm_fault (mm/memory.c:6195) 
[ 631.403283][ T2888] ? __pmd_alloc (mm/memory.c:6104) 
[ 631.403290][ T2888] ? lock_vma_under_rcu (./include/linux/rcupdate.h:874 mm/mmap_lock.c:170) 
[ 631.403297][ T2888] __sys_recvmsg (net/socket.c:2909) 
[ 631.403300][ T2888] ? __sys_recvmsg_sock (net/socket.c:2894) 
[ 631.403303][ T2888] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:109 ./arch/x86/include/asm/irqflags.h:151 arch/x86/mm/fault.c:1484 arch/x86/mm/fault.c:1532) 
[ 631.403309][ T2888] ? do_user_addr_fault (./arch/x86/include/asm/atomic.h:93 ./include/linux/atomic/atomic-arch-fallback.h:949 ./include/linux/atomic/atomic-instrumented.h:401 ./include/linux/refcount.h:389 ./include/linux/refcount.h:432 ./include/linux/mmap_lock.h:143 ./include/linux/mmap_lock.h:267 arch/x86/mm/fault.c:1338) 
[ 631.403316][ T2888] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 631.403320][ T2888] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[ 631.403327][ T2888] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  631.403331][ T2888] RIP: 0033:0x7f4b6446d07d
[ 631.403334][ T2888] Code: eb b7 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 41 54 48 83 ec 10 64 8b 04 25 18 00 00 00 85 c0 75 22 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 5b 4c 63 e0 48 83 c4 10 4c 89 e0 41 5c c3 66
All code
========
   0:	eb b7                	jmp    0xffffffffffffffb9
   2:	66 2e 0f 1f 84 00 00 	cs nopw 0x0(%rax,%rax,1)
   9:	00 00 00 
   c:	90                   	nop
   d:	f3 0f 1e fa          	endbr64
  11:	41 54                	push   %r12
  13:	48 83 ec 10          	sub    $0x10,%rsp
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 22                	jne    0x45
  23:	b8 2f 00 00 00       	mov    $0x2f,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 5b                	ja     0x8d
  32:	4c 63 e0             	movslq %eax,%r12
  35:	48 83 c4 10          	add    $0x10,%rsp
  39:	4c 89 e0             	mov    %r12,%rax
  3c:	41 5c                	pop    %r12
  3e:	c3                   	ret
  3f:	66                   	data16

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 5b                	ja     0x63
   8:	4c 63 e0             	movslq %eax,%r12
   b:	48 83 c4 10          	add    $0x10,%rsp
   f:	4c 89 e0             	mov    %r12,%rax
  12:	41 5c                	pop    %r12
  14:	c3                   	ret
  15:	66                   	data16
[  631.403337][ T2888] RSP: 002b:00007ffd10ef9540 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
[  631.403341][ T2888] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4b6446d07d
[  631.403344][ T2888] RDX: 0000000002000000 RSI: 00007ffd10ef9570 RDI: 0000000000000008
[  631.403345][ T2888] RBP: 00007ffd10fd5020 R08: 0000000000000000 R09: 00007ffd10ef72d3
[  631.403347][ T2888] R10: 00007f4b6436d1c8 R11: 0000000000000246 R12: 00007ffd10fd5188
[  631.403349][ T2888] R13: 000000000040571b R14: 000000000042bdf0 R15: 00007f4b645aa000
| fbnic-err: bad TWQ descriptor ordering, previous: 0 current 0
| fbnic-err: bad TWQ descriptor ordering, previous: 0 current 0
| [  730.393001][ T2888] ncdevmem invoked oom-killer: gfp_mask=0x500cc2(GFP_HIGHUSER|__GFP_ACCOUNT), order=0, oom_score_adj=0
| [  730.393426][ T2888] Tainted: [B]=BAD_PAGE
[  730.393428][ T2888] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[  730.393430][ T2888] Call Trace:
[  730.393432][ T2888]  <TASK>
[ 730.393435][ T2888] dump_stack_lvl (lib/dump_stack.c:123) 
[ 730.393448][ T2888] dump_header (mm/oom_kill.c:74 mm/oom_kill.c:468) 
[ 730.393457][ T2888] oom_kill_process (mm/oom_kill.c:1041) 
[ 730.393461][ T2888] out_of_memory (mm/oom_kill.c:1180 (discriminator 4)) 
[ 730.393465][ T2888] ? oom_killer_disable (mm/oom_kill.c:1113) 
[ 730.393471][ T2888] __alloc_pages_may_oom (mm/page_alloc.c:4026) 
[ 730.393479][ T2888] ? __alloc_pages_direct_compact (mm/page_alloc.c:3958) 
[ 730.393484][ T2888] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 730.393491][ T2888] __alloc_pages_slowpath.constprop.0 (mm/page_alloc.c:4836) 
[ 730.393498][ T2888] ? warn_alloc (mm/page_alloc.c:4596) 
[ 730.393504][ T2888] ? __mutex_trylock_common (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:113) 
[ 730.393512][ T2888] __alloc_frozen_pages_noprof (mm/page_alloc.c:5161) 
[ 730.393515][ T2888] ? __alloc_pages_slowpath.constprop.0 (mm/page_alloc.c:5114) 
[ 730.393519][ T2888] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 730.393522][ T2888] ? trace_contention_end (./include/trace/events/lock.h:122 (discriminator 21)) 
[ 730.393526][ T2888] ? inet6_recvmsg (net/ipv6/af_inet6.c:680 (discriminator 2)) 
[ 730.393530][ T2888] ? anon_pipe_write (fs/pipe.c:460) 
[ 730.393534][ T2888] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 730.393538][ T2888] alloc_pages_mpol (mm/mempolicy.c:2418) 
[ 730.393542][ T2888] ? spin_bug (kernel/locking/spinlock_debug.c:114) 
[ 730.393546][ T2888] ? policy_nodemask (mm/mempolicy.c:2373) 
[ 730.393549][ T2888] ? lock_acquire (./include/trace/events/lock.h:24 kernel/locking/lockdep.c:5831) 
[ 730.393553][ T2888] ? __wake_up_sync_key (kernel/sched/wait.c:125 kernel/sched/wait.c:192) 
[ 730.393559][ T2888] alloc_pages_noprof (mm/mempolicy.c:2487 mm/mempolicy.c:2507) 
[ 730.393563][ T2888] anon_pipe_write (fs/pipe.c:124 fs/pipe.c:513) 
[ 730.393567][ T2888] ? kfree (mm/slub.c:4868) 
[ 730.393573][ T2888] ? anon_pipe_put_page (fs/pipe.c:432) 
[ 730.393576][ T2888] ? ___sys_recvmsg (net/socket.c:2866) 
[ 730.393581][ T2888] ? ___sys_sendmsg (net/socket.c:2866) 
[ 730.393586][ T2888] vfs_write (fs/read_write.c:594 fs/read_write.c:686) 
[ 730.393592][ T2888] ? __run_hrtimer (kernel/time/hrtimer.c:1778) 
[ 730.393596][ T2888] ? kernel_write (fs/read_write.c:667) 
[ 730.393603][ T2888] ? __sys_recvmsg_sock (net/socket.c:2894) 
[ 730.393606][ T2888] ? clockevents_program_event (kernel/time/clockevents.c:336 (discriminator 3)) 
[ 730.393612][ T2888] ksys_write (fs/read_write.c:738) 
[ 730.393615][ T2888] ? __ia32_sys_read (fs/read_write.c:728) 
[ 730.393621][ T2888] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[ 730.393627][ T2888] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[  730.393631][ T2888] RIP: 0033:0x7f4b6445b337
[ 730.393635][ T2888] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
All code
========
   0:	0f 00                	(bad)
   2:	f7 d8                	neg    %eax
   4:	64 89 02             	mov    %eax,%fs:(%rdx)
   7:	48 c7 c0 ff ff ff ff 	mov    $0xffffffffffffffff,%rax
   e:	eb b7                	jmp    0xffffffffffffffc7
  10:	0f 1f 00             	nopl   (%rax)
  13:	f3 0f 1e fa          	endbr64
  17:	64 8b 04 25 18 00 00 	mov    %fs:0x18,%eax
  1e:	00 
  1f:	85 c0                	test   %eax,%eax
  21:	75 10                	jne    0x33
  23:	b8 01 00 00 00       	mov    $0x1,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 51                	ja     0x83
  32:	c3                   	ret
  33:	48 83 ec 28          	sub    $0x28,%rsp
  37:	48 89 54 24 18       	mov    %rdx,0x18(%rsp)
  3c:	48                   	rex.W
  3d:	89                   	.byte 0x89
  3e:	74 24                	je     0x64

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 51                	ja     0x59
   8:	c3                   	ret
   9:	48 83 ec 28          	sub    $0x28,%rsp
   d:	48 89 54 24 18       	mov    %rdx,0x18(%rsp)
  12:	48                   	rex.W
  13:	89                   	.byte 0x89
  14:	74 24                	je     0x3a
[  730.393637][ T2888] RSP: 002b:00007ffd10ef6d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[  730.393642][ T2888] RAX: ffffffffffffffda RBX: 00007f4b645576a0 RCX: 00007f4b6445b337
[  730.393644][ T2888] RDX: 0000000000000015 RSI: 00007ffd10ef6f70 RDI: 0000000000000002
[  730.393646][ T2888] RBP: 0000000000000015 R08: 0000000000000000 R09: 00007f4b6450dd40
[  730.393647][ T2888] R10: 00007f4b6450dc40 R11: 0000000000000246 R12: 0000000000000015


Finger prints:
kasan_report:kasan_check_range:_copy_to_iter:__skb_datagram_iter:skb_copy_datagram_iter
dump_header:oom_kill_process:out_of_memory:__alloc_pages_may_oom:__alloc_frozen_pages_noprof