kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor4/6343
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 6343 Comm: syz-executor4 Not tainted 4.9.80-g550c01d #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
ffff8801aea7f658 ffffffff81d94b69 0000000000000001 ffffffff83c18800
ffffffff83f454c0 ffff8801ae996000 0000000000000003 ffff8801aea7f698
ffffffff81dfc144 ffff8801aea7f6b0 ffffffff83f454c0 dffffc0000000000
Call Trace:
[<ffffffff81d94b69>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffff81d94b69>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
[<ffffffff81dfc144>] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[<ffffffff81dfc1ac>] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[<ffffffff833fcdd8>] ipcomp_alloc_tfms net/xfrm/xfrm_ipcomp.c:286 [inline]
[<ffffffff833fcdd8>] ipcomp_init_state+0x188/0x930 net/xfrm/xfrm_ipcomp.c:363
[<ffffffff83512ee5>] ipcomp6_init_state+0xb5/0x820 net/ipv6/ipcomp6.c:165
[<ffffffff833db4c7>] __xfrm_init_state+0x3e7/0xb30 net/xfrm/xfrm_state.c:2096
[<ffffffff833dbc2a>] xfrm_init_state+0x1a/0x20 net/xfrm/xfrm_state.c:2122
[<ffffffff83575b69>] pfkey_msg2xfrm_state net/key/af_key.c:1289 [inline]
[<ffffffff83575b69>] pfkey_add+0x1fb9/0x3470 net/key/af_key.c:1506
[<ffffffff8356d65b>] pfkey_process+0x68b/0x750 net/key/af_key.c:2834
[<ffffffff8356eeb9>] pfkey_sendmsg+0x3a9/0x760 net/key/af_key.c:3678
[<ffffffff82ed7baa>] sock_sendmsg_nosec net/socket.c:635 [inline]
[<ffffffff82ed7baa>] sock_sendmsg+0xca/0x110 net/socket.c:645
[<ffffffff82ed97a1>] ___sys_sendmsg+0x6d1/0x7e0 net/socket.c:1969
[<ffffffff82edb7d6>] __sys_sendmsg+0xd6/0x190 net/socket.c:2003
[<ffffffff82fde04a>] C_SYSC_sendmsg net/compat.c:734 [inline]
[<ffffffff82fde04a>] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:732
[<ffffffff81006fc7>] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
[<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
[<ffffffff838b4d34>] entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127
Modules linked in:
CPU: 0 PID: 6331 Comm: syz-executor6 Not tainted 4.9.80-g550c01d #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801aea23000 task.stack: ffff8801ae9e8000
RIP: 0010:[<ffffffff8144ee81>] [<ffffffff8144ee81>] __read_once_size include/linux/compiler.h:243 [inline]
RIP: 0010:[<ffffffff8144ee81>] [<ffffffff8144ee81>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP: 0010:[<ffffffff8144ee81>] [<ffffffff8144ee81>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP: 0010:[<ffffffff8144ee81>] [<ffffffff8144ee81>] put_page_testzero include/linux/mm.h:450 [inline]
RIP: 0010:[<ffffffff8144ee81>] [<ffffffff8144ee81>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
RSP: 0018:ffff8801ae9ef940 EFLAGS: 00010a07
RAX: dffffc0000000000 RBX: dead4ead00000000 RCX: ffffffff8266806b
RDX: 1bd5a9d5a0000003 RSI: 0000000000000002 RDI: dead4ead0000001c
RBP: ffff8801ae9ef950 R08: 0000000048000000 R09: 0000000000001e30
R10: 0000000000002100 R11: ffff8801aea23000 R12: 0000000000000004
R13: 0000000000000020 R14: ffff8801c473a100 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:00000000f6fb9b40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f6f1cbf0 CR3: 00000001c46f0000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
0000000000000001 ffff8801c473a258 ffff8801ae9ef9b0 ffffffff82668091
ffff8801c473a270 ffffed00388e744b ffffed00388e744e ffff8801c473a268
dead4ead00000000 ffff8801c473a240 0000000000000000 0000000000000000
Call Trace:
[<ffffffff82668091>] sg_remove_scat.isra.19+0x1c1/0x2d0 drivers/scsi/sg.c:1944
[<ffffffff82668455>] sg_finish_rem_req+0x2b5/0x340 drivers/scsi/sg.c:1825
[<ffffffff8266866d>] sg_new_read.isra.20+0x18d/0x3e0 drivers/scsi/sg.c:566
[<ffffffff8266a187>] sg_read+0x8b7/0x1440 drivers/scsi/sg.c:455
[<ffffffff8156cc21>] do_loop_readv_writev.part.17+0x141/0x1e0 fs/read_write.c:714
[<ffffffff81571b42>] do_loop_readv_writev fs/read_write.c:1105 [inline]
[<ffffffff81571b42>] compat_do_readv_writev+0x522/0x760 fs/read_write.c:1099
[<ffffffff81571e63>] compat_readv+0xe3/0x150 fs/read_write.c:1128
[<ffffffff81571fc4>] do_compat_readv+0xf4/0x1d0 fs/read_write.c:1148
[<ffffffff81574536>] C_SYSC_readv fs/read_write.c:1160 [inline]
[<ffffffff81574536>] compat_SyS_readv+0x26/0x30 fs/read_write.c:1156
[<ffffffff81006fc7>] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
[<ffffffff81006fc7>] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
[<ffffffff838b4d34>] entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127
Code: e9 27 fc ff ff 0f 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 55 48 89 e5 53 48 89 fb 48 83 c7 1c 48 89 fa 48 83 ec 08 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 3d
RIP [<ffffffff8144ee81>] __read_once_size include/linux/compiler.h:243 [inline]
RIP [<ffffffff8144ee81>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
RIP [<ffffffff8144ee81>] page_ref_count include/linux/page_ref.h:66 [inline]
RIP [<ffffffff8144ee81>] put_page_testzero include/linux/mm.h:450 [inline]
RIP [<ffffffff8144ee81>] __free_pages+0x21/0x80 mm/page_alloc.c:3897
RSP <ffff8801ae9ef940>
---[ end trace 7176eb4430fb7fce ]---