KASAN: stack-out-of-bounds Read in iov_iter_advance


syzbot

Apr 11, 2019, 8:00:46 PM4/11/19
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following crash on:

HEAD commit: 85b352c4 Merge remote-tracking branch 'origin/upstream-f2f..
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=15f92181400000
kernel config: https://syzkaller.appspot.com/x/.config?x=22427be3cc83c9e4
dashboard link: https://syzkaller.appspot.com/bug?extid=a4adc46d8d1b1335a4fd
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=114dc4e6400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16884b56400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+a4adc4...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: stack-out-of-bounds in iov_iter_advance+0x4b3/0x4f0 lib/iov_iter.c:491
Read of size 8 at addr ffff8800b6a77d50 by task syz-executor329/2069

CPU: 1 PID: 2069 Comm: syz-executor329 Not tainted 4.4.158+ #105
0000000000000000 e66ae0773ea2a43f ffff8800b6a77990 ffffffff81a991dd
ffffea0002da9dc0 ffff8800b6a77d50 0000000000000000 ffff8800b6a77d50
ffff8800b6a77d48 ffff8800b6a779c8 ffffffff8148a7c9 ffff8800b6a77d50
Call Trace:
[<ffffffff81a991dd>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81a991dd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[<ffffffff8148a7c9>] print_address_description+0x6c/0x217 mm/kasan/report.c:252
[<ffffffff8148aae9>] kasan_report_error mm/kasan/report.c:351 [inline]
[<ffffffff8148aae9>] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408
[<ffffffff8147f764>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
[<ffffffff81ad4b93>] iov_iter_advance+0x4b3/0x4f0 lib/iov_iter.c:491
[<ffffffff81e0c3d9>] tun_put_user drivers/net/tun.c:1369 [inline]
[<ffffffff81e0c3d9>] tun_do_read+0x659/0xc10 drivers/net/tun.c:1421
[<ffffffff81e0cc32>] tun_chr_read_iter+0xe2/0x1d0 drivers/net/tun.c:1439
[<ffffffff81490b91>] new_sync_read fs/read_write.c:422 [inline]
[<ffffffff81490b91>] __vfs_read+0x301/0x3d0 fs/read_write.c:434
[<ffffffff81492680>] vfs_read+0x130/0x360 fs/read_write.c:454
[<ffffffff81495295>] SYSC_pread64 fs/read_write.c:607 [inline]
[<ffffffff81495295>] SyS_pread64+0x145/0x170 fs/read_write.c:594
[<ffffffff82705a61>] entry_SYSCALL_64_fastpath+0x1e/0x9a

The buggy address belongs to the page:
page:ffffea0002da9dc0 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
ffff8800b6a77c00: 04 f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 00 00 00 00
ffff8800b6a77c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8800b6a77d00: 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f2 f2 f2 f2 00
^
ffff8800b6a77d80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00
ffff8800b6a77e00: f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches