net.ipv6.conf.syz0.accept_dad = 0 net.ipv6.conf.syz0.router_solicitations = 0 executing program syzkaller login: [ 21.492198] refcount_t: underflow; use-after-free. [ 21.492575] ------------[ cut here ]------------ [ 21.492901] WARNING: CPU: 0 PID: 3027 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0 [ 21.493527] Kernel panic - not syncing: panic_on_warn set ... [ 21.493527] [ 21.494027] CPU: 0 PID: 3027 Comm: syzkaller660256 Not tainted 4.13.0-rc5-next-20170816+ #4 [ 21.494576] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 21.495113] Call Trace: [ 21.495288] dump_stack+0x194/0x257 [ 21.495528] ? arch_local_irq_restore+0x53/0x53 [ 21.495839] panic+0x1e4/0x417 [ 21.496050] ? __warn+0x1d9/0x1d9 [ 21.496277] ? show_regs_print_info+0x65/0x65 [ 21.496578] ? refcount_sub_and_test+0x167/0x1b0 [ 21.496891] __warn+0x1c4/0x1d9 [ 21.497107] ? refcount_sub_and_test+0x167/0x1b0 [ 21.497421] report_bug+0x211/0x2d0 [ 21.497664] fixup_bug+0x40/0x90 [ 21.497887] do_trap+0x260/0x390 [ 21.498115] do_error_trap+0x120/0x390 [ 21.498373] ? do_trap+0x390/0x390 [ 21.498606] ? refcount_sub_and_test+0x167/0x1b0 [ 21.498916] ? vprintk_emit+0x3ea/0x590 [ 21.499189] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 21.499518] do_invalid_op+0x1b/0x20 [ 21.499767] invalid_op+0x1e/0x30 [ 21.499996] RIP: 0010:refcount_sub_and_test+0x167/0x1b0 [ 21.500350] RSP: 0018:ffff88003afc6320 EFLAGS: 00010286 [ 21.500703] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000 [ 21.501187] RDX: 0000000000000026 RSI: 1ffff100075f8c24 RDI: ffffed00075f8c58 [ 21.501663] RBP: ffff88003afc63b0 R08: 0000000000000000 R09: 1ffff100075f8bf6 [ 21.502143] R10: 000000008c3cd647 R11: ffffffff85b2d438 R12: 1ffff100075f8c65 [ 21.502617] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff88003d07427c [ 21.503101] ? refcount_inc+0x50/0x50 [ 21.503351] ? __sctp_outq_teardown+0xc7d/0x15a0 [ 21.503663] ? sctp_association_free+0x2d0/0x930 [ 21.503974] ? sctp_do_sm+0x28e7/0x6d90 [ 21.504234] ? sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 21.504546] ? sctp_close+0x3c6/0x980 [ 21.504803] ? inet_release+0xed/0x1c0 [ 21.505062] ? sock_release+0x8d/0x1e0 [ 21.505318] ? sock_close+0x16/0x20 [ 21.505559] sctp_wfree+0x183/0x620 [ 21.505798] ? exit_to_usermode_loop+0x224/0x300 [ 21.506121] ? syscall_return_slowpath+0x42f/0x500 [ 21.506445] ? __sctp_write_space+0x910/0x910 [ 21.506742] skb_release_head_state+0x124/0x200 [ 21.507049] skb_release_all+0x15/0x60 [ 21.507306] consume_skb+0x153/0x490 [ 21.507553] ? sctp_chunk_put+0x99/0x420 [ 21.507824] ? alloc_skb_with_frags+0x710/0x710 [ 21.508133] ? sctp_chunk_hold+0x20/0x20 [ 21.508404] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.508748] ? refcount_sub_and_test+0x115/0x1b0 [ 21.509068] ? refcount_inc+0x50/0x50 [ 21.509320] ? trace_hardirqs_off+0xd/0x10 [ 21.509602] ? quarantine_put+0xeb/0x190 [ 21.509876] sctp_chunk_put+0x29c/0x420 [ 21.510142] ? sctp_chunk_hold+0x20/0x20 [ 21.510412] ? sctp_transport_dst_confirm+0x50/0x50 [ 21.510754] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.511098] ? lock_acquire+0x1d5/0x580 [ 21.511729] ? __is_insn_slot_addr+0x1fc/0x330 [ 21.512082] ? lock_downgrade+0x990/0x990 [ 21.512377] sctp_chunk_free+0x53/0x60 [ 21.512658] __sctp_outq_teardown+0xc7d/0x15a0 [ 21.512960] ? sctp_inq_set_th_handler+0x1b0/0x1b0 [ 21.513296] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.513640] ? lock_release+0xa40/0xa40 [ 21.513903] ? lock_acquire+0x1d5/0x580 [ 21.514185] ? depot_save_stack+0x3b5/0x490 [ 21.514471] ? lock_downgrade+0x990/0x990 [ 21.514744] ? unwind_dump+0x4c0/0x4c0 [ 21.515003] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.515345] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.515684] ? trace_hardirqs_off+0xd/0x10 [ 21.515965] ? _raw_spin_unlock_irqrestore+0xa6/0xba [ 21.516300] ? depot_save_stack+0x3b5/0x490 [ 21.516588] ? sock_destroy_inode+0x56/0x70 [ 21.516886] ? save_stack+0xa3/0xd0 [ 21.517129] ? lock_acquire+0x1d5/0x580 [ 21.517392] ? lock_acquire+0x1d5/0x580 [ 21.517655] ? lock_timer_base+0x1a3/0x2b0 [ 21.517938] ? task_work_run+0x199/0x270 [ 21.518235] ? do_exit+0xa52/0x1b30 [ 21.518491] ? lock_acquire+0x1d5/0x580 [ 21.518795] ? lock_acquire+0x1d5/0x580 [ 21.519073] ? sock_def_wakeup+0x1f9/0x350 [ 21.519358] ? lock_downgrade+0x990/0x990 [ 21.519634] ? lock_release+0xa40/0xa40 [ 21.519897] ? __next_timer_interrupt+0x150/0x150 [ 21.520220] sctp_outq_free+0x15/0x20 [ 21.520472] sctp_association_free+0x2d0/0x930 [ 21.520774] ? refcount_inc+0x50/0x50 [ 21.521027] ? sctp_asconf_queue_teardown+0x700/0x700 [ 21.521370] ? sock_def_wakeup+0x222/0x350 [ 21.521657] ? sk_dst_check+0x560/0x560 [ 21.521924] ? sctp_association_put+0x74/0x2f0 [ 21.522233] ? sctp_association_hold+0x20/0x20 [ 21.522541] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.522953] ? entry_SYSCALL_64_fastpath+0xbc/0xbe [ 21.523308] ? bpf_prog_kallsyms_find+0xbd/0x440 [ 21.523689] ? sctp_sm_lookup_event+0x95/0x3c0 [ 21.524046] sctp_do_sm+0x28e7/0x6d90 [ 21.524310] ? lock_acquire+0x1d5/0x580 [ 21.524600] ? lock_acquire+0x1d5/0x580 [ 21.524911] ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0 [ 21.525338] ? lock_downgrade+0x990/0x990 [ 21.525625] ? unwind_dump+0x4c0/0x4c0 [ 21.525896] ? do_raw_spin_trylock+0x190/0x190 [ 21.526242] ? __kernel_text_address+0xae/0xe0 [ 21.526543] ? unwind_get_return_address+0x61/0xa0 [ 21.526928] ? trace_hardirqs_off+0xd/0x10 [ 21.527211] ? _raw_spin_unlock_irqrestore+0xa6/0xba [ 21.527551] ? dentry_free+0xcd/0x130 [ 21.527816] ? lock_acquire+0x1d5/0x580 [ 21.528133] ? skb_dequeue+0x12a/0x180 [ 21.528404] ? lock_downgrade+0x990/0x990 [ 21.528721] ? do_raw_spin_trylock+0x190/0x190 [ 21.529053] ? lock_release+0xa40/0xa40 [ 21.529317] ? trace_hardirqs_on+0xd/0x10 [ 21.529592] sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 21.529896] sctp_close+0x3c6/0x980 [ 21.530140] ? sctp_apply_peer_addr_params+0xf30/0xf30 [ 21.530462] ? trace_hardirqs_on+0xd/0x10 [ 21.530715] ? kmem_cache_free+0x21b/0x280 [ 21.530987] ? dentry_free+0xd2/0x130 [ 21.531247] ? locks_remove_file+0x3fa/0x5a0 [ 21.531537] ? fcntl_setlk+0x10c0/0x10c0 [ 21.531793] ? mnt_get_count+0x160/0x160 [ 21.532048] ? __fsnotify_parent+0xb4/0x3a0 [ 21.532320] ? ip_mc_drop_socket+0x1ce/0x230 [ 21.532956] inet_release+0xed/0x1c0 [ 21.533219] sock_release+0x8d/0x1e0 [ 21.533466] ? sock_release+0x1e0/0x1e0 [ 21.533730] sock_close+0x16/0x20 [ 21.533974] __fput+0x327/0x7e0 [ 21.534196] ? fput+0x140/0x140 [ 21.534414] ? check_same_owner+0x320/0x320 [ 21.534706] ____fput+0x15/0x20 [ 21.534926] task_work_run+0x199/0x270 [ 21.535179] ? task_work_cancel+0x210/0x210 [ 21.535446] ? free_nsproxy+0x185/0x1f0 [ 21.535691] ? switch_task_namespaces+0xa2/0xc0 [ 21.535978] do_exit+0xa52/0x1b30 [ 21.536177] ? lock_page_memcg+0x3b0/0x3b0 [ 21.536417] ? move_addr_to_user+0x169/0x1b0 [ 21.536718] ? SYSC_accept4+0x5c5/0x850 [ 21.536973] ? mm_update_next_owner+0x930/0x930 [ 21.537261] ? lru_cache_add+0x1c7/0x3a0 [ 21.537510] ? get_mem_cgroup_from_mm+0x710/0x710 [ 21.537832] ? lru_cache_add_file+0x20/0x20 [ 21.538140] ? __mem_cgroup_threshold+0x8f0/0x8f0 [ 21.538434] ? page_add_new_anon_rmap+0x36c/0x750 [ 21.538732] ? page_add_anon_rmap+0x50/0x50 [ 21.539018] ? lru_cache_add_active_or_unevictable+0x20e/0x540 [ 21.539410] ? __handle_mm_fault+0x2461/0x3980 [ 21.539713] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.540055] ? do_raw_spin_trylock+0x190/0x190 [ 21.540359] ? lockdep_init_map+0x9/0x10 [ 21.540634] ? _raw_spin_unlock+0x22/0x30 [ 21.540909] ? __handle_mm_fault+0x57f/0x3980 [ 21.541210] ? __dequeue_signal+0x103/0x7b0 [ 21.541497] ? recalc_sigpending_tsk+0x117/0x150 [ 21.541813] ? get_signal+0x855/0x17e0 [ 21.542077] ? lock_downgrade+0x990/0x990 [ 21.542353] do_group_exit+0x149/0x400 [ 21.542620] ? lock_downgrade+0x990/0x990 [ 21.542875] ? SyS_exit+0x30/0x30 [ 21.543095] get_signal+0x7e8/0x17e0 [ 21.543337] ? ptrace_notify+0x130/0x130 [ 21.543592] ? lock_acquire+0x1d5/0x580 [ 21.543834] ? lock_acquire+0x1d5/0x580 [ 21.544084] ? __fd_install+0x2da/0x6a0 [ 21.544349] ? lock_downgrade+0x990/0x990 [ 21.544664] ? lock_release+0xa40/0xa40 [ 21.544940] ? check_same_owner+0x320/0x320 [ 21.545225] ? inet_accept+0x147/0x930 [ 21.545481] ? lock_acquire+0x1d5/0x580 [ 21.545788] do_signal+0x94/0x1ee0 [ 21.546022] ? __fd_install+0x2f7/0x6a0 [ 21.546296] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 21.546611] ? get_unused_fd_flags+0x190/0x190 [ 21.546994] ? setup_sigcontext+0x7d0/0x7d0 [ 21.547285] ? copy_user_generic_string+0x18/0x40 [ 21.547632] ? _copy_to_user+0xa2/0xc0 [ 21.547932] ? fd_install+0x4d/0x60 [ 21.548178] ? fput+0xd2/0x140 [ 21.548417] ? SYSC_accept4+0x4ec/0x850 [ 21.548683] exit_to_usermode_loop+0x224/0x300 [ 21.548985] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 21.549346] ? do_page_fault+0x70/0x70 [ 21.549603] syscall_return_slowpath+0x42f/0x500 [ 21.549914] ? finish_task_switch+0x1aa/0x740 [ 21.550202] ? prepare_exit_to_usermode+0x2c0/0x2c0 [ 21.550533] ? prepare_exit_to_usermode+0x1a0/0x2c0 [ 21.550861] ? perf_trace_sys_enter+0xc20/0xc20 [ 21.551172] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 21.551522] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 21.551825] RIP: 0033:0x440499 [ 21.552022] RSP: 002b:00007f6d1e43ccf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b [ 21.552521] RAX: 0000000000000005 RBX: 0000000000000000 RCX: 0000000000440499 [ 21.553008] RDX: 000000002048bffc RSI: 0000000020b4afe4 RDI: 0000000000000004 [ 21.553481] RBP: 0000000000000000 R08: 00007f6d1e43d700 R09: 0000000000000000 [ 21.554345] R10: 00007f6d1e43d700 R11: 0000000000000246 R12: 0000000000000000 [ 21.554970] R13: 0000000000000000 R14: 00007f6d1e43d9c0 R15: 00007f6d1e43d700 [ 21.555577] Dumping ftrace buffer: [ 21.555827] (ftrace buffer empty) [ 21.556087] Kernel Offset: disabled [ 21.556338] Rebooting in 86400 seconds..