1TITLE: BUG: using __this_cpu_read() in preemptible code in ipcomp_init_state
2
3[   45.818290] BUG: using __this_cpu_read() in preemptible [00000000] code: syz-executor7/6729
4[   45.826891] caller is __this_cpu_preempt_check+0x1c/0x20
5[   45.832355] CPU: 0 PID: 6729 Comm: syz-executor7 Not tainted 4.9.68-gfb66dc2 #107
6[   45.839956] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
7[   45.849288]  ffff8801d5eef6d8 ffffffff81d90889 0000000000000000 ffffffff83c17800
8[   45.857305]  ffffffff83f42ec0 ffff8801aed31800 0000000000000003 ffff8801d5eef718
9[   45.865990]  ffffffff81df7854 ffff8801d5eef730 ffffffff83f42ec0[   45.871305] tc_dump_action: action bad kind
10[   45.876416]  dffffc0000000000Call Trace:
11[   45.880614]  [<ffffffff81d90889>] dump_stack+0xc1/0x128
12[   45.885972]  [<ffffffff81df7854>] check_preemption_disabled+0x1d4/0x200
13[   45.892723]  [<ffffffff81df78bc>] __this_cpu_preempt_check+0x1c/0x20
14[   45.893653] tc_dump_action: action bad kind
15[   45.903495]  [<ffffffff833f3f78>] ipcomp_init_state+0x188/0x930
16[   45.909534]  [<ffffffff81232141>] ? __lock_is_held+0xa1/0xf0
172017/12/12 14:10:33 executing program 3:
18mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
19setsockopt$inet_sctp6_SCTP_RTOINFO(0xffffffffffffffff, 0x84, 0x0, &(0x7f0000727000)={0x0, 0x0, 0x0, 0x0}, 0x10)
20r0 = socket$netlink(0x10, 0x3, 0x0)
21writev(r0, &(0x7f0000131000-0x10)=[{&(0x7f000083b000-0x39)="3900000013000904690000008000fffd180000400100000045000107000000140d001a000400020004000a00000000000000010c00001ee400", 0x39}], 0x1)
222017/12/12 14:10:33 executing program 3:
23mmap(&(0x7f0000000000/0x788000)=nil, 0x788000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
24mmap(&(0x7f0000788000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
25mmap(&(0x7f0000789000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
26mmap(&(0x7f0000000000/0x8000)=nil, 0x8000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
27r0 = socket$inet_udp(0x2, 0x2, 0x0)
28mmap(&(0x7f000078a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
29ioctl$sock_inet_SIOCSARP(r0, 0x8955, &(0x7f00005ea000-0x44)={{0x2, 0x1, @broadcast=0xffffffff, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, {0x4000004, @local={[0xaa, 0xaa, 0xaa, 0xaa, 0xaa], 0x0}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x28, {0x2, 0x0, @broadcast=0xffffffff, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, @generic="00fe50018b000000000000c6b760fae5"})
30mmap(&(0x7f0000008000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
31connect$inet(r0, &(0x7f0000009000-0x10)={0x2, 0x2, @multicast2=0xe0000002, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}, 0x10)
32mmap(&(0x7f000078a000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
33socketpair$unix(0x1, 0x1, 0x0, &(0x7f000078b000-0x8)={<r1=>0xffffffffffffffff, 0xffffffffffffffff})
34setsockopt$SO_TIMESTAMPING(r1, 0x1, 0x25, &(0x7f0000001000-0x4)=0xff, 0x4)
35mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
36r2 = socket(0x10, 0x3, 0x0)
37getsockname$inet6(0xffffffffffffffff, &(0x7f0000cd1000-0x1c)={0x0, 0x0, 0x0, @loopback={0x0, 0x0}, 0x0}, &(0x7f00008b5000)=0x1c)
38socket$inet_tcp(0x2, 0x1, 0x0)
39write(r2, &(0x7f0000e26000-0x25)="2400000032001f1f14b2f3fd000904000200071008000100ffffffff08000000000000009b", 0x25)
40getsockopt$inet_sctp6_SCTP_GET_ASSOC_ID_LIST(0xffffffffffffffff, 0x84, 0x1d, &(0x7f000069c000)={0x2, [0x0, <r3=>0x0]}, &(0x7f00002f2000)=0xc)
41getsockopt$inet_sctp6_SCTP_PR_SUPPORTED(r2, 0x84, 0x71, &(0x7f00007de000-0x8)={<r4=>r3, 0xa0}, &(0x7f000078a000)=0x8)
42getsockopt$inet_sctp_SCTP_PR_ASSOC_STATUS(0xffffffffffffffff, 0x84, 0x73, &(0x7f00001ec000)={<r5=>r4, 0x6, 0x1000000000002, 0x9d1, 0x4}, &(0x7f0000bc6000-0x4)=0x18)
43getsockopt$inet_sctp6_SCTP_PRIMARY_ADDR(0xffffffffffffffff, 0x84, 0x6, &(0x7f0000685000)={0x0, @in6={{0xa, 0x1, 0x7, @remote={0xfe, 0x80, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x0, 0xbb}, 0x4}, [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0]}}, &(0x7f0000abe000-0x4)=0x8c)
44getsockopt$inet_sctp6_SCTP_PEER_AUTH_CHUNKS(r2, 0x84, 0x1a, &(0x7f0000ac6000-0x4b)={r5, 0x43, "c24501c4985a7f4a4186dfcd064f93e32cb51df33214b28ffc6368d8b95adb46f1f6606065ba57257d022424c28f100f0a54d01adb15141079803f8c25434a102a27d5"}, &(0x7f00009ac000)=0x4b)
45mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
46mmap(&(0x7f0000000000/0x16000)=nil, 0x16000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
47mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
48mmap(&(0x7f0000000000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
49clone(0x82000, &(0x7f0000001000-0x1)="d3", &(0x7f0000a7b000-0x4)=0x0, &(0x7f000027a000-0x4)=0x0, &(0x7f0000458000)="")
50symlink(&(0x7f0000814000-0x8)="2e2f66696c653000", &(0x7f0000c1a000)="2e2f66696c653000")
51mmap(&(0x7f0000001000/0x1000)=nil, 0x1000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
52openat$ppp(0xffffffffffffff9c, &(0x7f0000001000)="2f6465762f70707000", 0x0, 0x0)
53[   45.915314]  [<ffffffff83360470>] ipcomp4_init_state+0xb0/0x7d0
54[   45.921359]  [<ffffffff833d2677>] __xfrm_init_state+0x3e7/0xb30
55[   45.927402]  [<ffffffff833d2dda>] xfrm_init_state+0x1a/0x20
56[   45.933101]  [<ffffffff8356cb49>] pfkey_add+0x1fb9/0x3470
57[   45.938630]  [<ffffffff8356ab90>] ? pfkey_delete+0x360/0x360
58[   45.944418]  [<ffffffff83561f00>] ? pfkey_seq_stop+0x80/0x80
59[   45.950200]  [<ffffffff82eea81a>] ? __skb_clone+0x24a/0x7d0
60[   45.955899]  [<ffffffff8356ab90>] ? pfkey_delete+0x360/0x360
61[   45.961689]  [<ffffffff835645ee>] pfkey_process+0x61e/0x730
62[   45.967402]  [<ffffffff83563fd0>] ? pfkey_send_new_mapping+0x11b0/0x11b0
63[   45.974234]  [<ffffffff81238c3b>] ? trace_hardirqs_on_caller+0x38b/0x590
64[   45.981076]  [<ffffffff83565e99>] pfkey_sendmsg+0x3a9/0x760
65[   45.986776]  [<ffffffff83565af0>] ? pfkey_spdget+0x820/0x820
66[   45.992566]  [<ffffffff82ecfb9a>] sock_sendmsg+0xca/0x110
67[   45.998092]  [<ffffffff82ed1791>] ___sys_sendmsg+0x6d1/0x7e0
68[   46.003885]  [<ffffffff82ed10c0>] ? copy_msghdr_from_user+0x550/0x550
69[   46.010454]  [<ffffffff81df76bb>] ? check_preemption_disabled+0x3b/0x200
70[   46.017272]  [<ffffffff815cd581>] ? __fget+0x201/0x3a0
71[   46.022525]  [<ffffffff815cd5a8>] ? __fget+0x228/0x3a0
72[   46.027784]  [<ffffffff815cd3c7>] ? __fget+0x47/0x3a0
73[   46.032959]  [<ffffffff815cd8e8>] ? __fget_light+0x188/0x1e0
74[   46.038734]  [<ffffffff815cd958>] ? __fdget+0x18/0x20
75[   46.043891]  [<ffffffff82ed37c6>] __sys_sendmsg+0xd6/0x190
76[   46.049486]  [<ffffffff82ed36f0>] ? SyS_shutdown+0x1b0/0x1b0
77[   46.055251]  [<ffffffff814952f0>] ? vma_is_stack_for_current+0xa0/0xa0
78[   46.061883]  [<ffffffff812e260e>] ? SyS_futex+0x22e/0x2d0
79[   46.067386]  [<ffffffff81238c3b>] ? trace_hardirqs_on_caller+0x38b/0x590
80[   46.074191]  [<ffffffff82ed38ad>] SyS_sendmsg+0x2d/0x50
81[   46.079523]  [<ffffffff838aa9c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
82