
Debian GNU/Linux 7 syzkaller ttyS0

executing program
syzkaller login: [   25.885158] refcount_t: underflow; use-after-free.
[   25.885622] ------------[ cut here ]------------
[   25.885953] WARNING: CPU: 3 PID: 3027 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0
[   25.886782] Kernel panic - not syncing: panic_on_warn set ...
[   25.886782] 
[   25.887357] CPU: 3 PID: 3027 Comm: syzkaller225878 Not tainted 4.13.0-rc6-next-20170825+ #9
[   25.887959] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   25.888552] Call Trace:
[   25.888736]  dump_stack+0x194/0x257
[   25.888995]  ? arch_local_irq_restore+0x53/0x53
[   25.889352]  panic+0x1e4/0x41c
[   25.889604]  ? refcount_error_report+0x214/0x214
[   25.889948]  ? show_regs_print_info+0x65/0x65
[   25.890282]  ? refcount_sub_and_test+0x167/0x1b0
[   25.890640]  __warn+0x1c4/0x1e0
[   25.890899]  ? refcount_sub_and_test+0x167/0x1b0
[   25.891745]  report_bug+0x211/0x2d0
[   25.892073]  fixup_bug+0x40/0x90
[   25.892370]  do_trap+0x260/0x390
[   25.892669]  do_error_trap+0x120/0x390
[   25.893015]  ? do_trap+0x390/0x390
[   25.893545]  ? refcount_sub_and_test+0x167/0x1b0
[   25.893919]  ? vprintk_emit+0x3ea/0x590
[   25.894296]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   25.894685]  do_invalid_op+0x1b/0x20
[   25.894998]  invalid_op+0x18/0x20
[   25.895326] RIP: 0010:refcount_sub_and_test+0x167/0x1b0
[   25.895752] RSP: 0018:ffff88003a926920 EFLAGS: 00010286
[   25.896183] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000
[   25.896730] RDX: 0000000000000026 RSI: 1ffff10007524ce4 RDI: ffffed0007524d18
[   25.897326] RBP: ffff88003a9269b0 R08: ffff88003a926010 R09: 0000000000000000
[   25.897902] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff10007524d25
[   25.898472] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff88006a08eae4
[   25.899099]  ? refcount_inc+0x50/0x50
[   25.899417]  ? __sctp_outq_teardown+0xc7d/0x15a0
[   25.899808]  ? sctp_association_free+0x2d0/0x930
[   25.900201]  ? sctp_do_sm+0x28e7/0x6dd0
[   25.900515]  ? sctp_primitive_SHUTDOWN+0xa0/0xd0
[   25.901025]  ? sctp_close+0x3c6/0x980
[   25.901471]  ? inet_release+0xed/0x1c0
[   25.901875]  sctp_wfree+0x183/0x620
[   25.902387]  ? __sctp_write_space+0x910/0x910
[   25.903040]  skb_release_head_state+0x124/0x200
[   25.903711]  skb_release_all+0x15/0x60
[   25.904225]  consume_skb+0x153/0x490
[   25.904821]  ? sctp_chunk_put+0x99/0x420
[   25.905358]  ? alloc_skb_with_frags+0x710/0x710
[   25.906028]  ? sctp_chunk_hold+0x20/0x20
[   25.906568]  ? refcount_sub_and_test+0x115/0x1b0
[   25.907285]  ? refcount_inc+0x50/0x50
[   25.907780]  ? mark_held_locks+0xb2/0x100
[   25.908315]  ? sctp_datamsg_put+0x456/0x560
[   25.908923]  sctp_chunk_put+0x29c/0x420
[   25.909447]  ? sctp_chunk_hold+0x20/0x20
[   25.909973]  ? sctp_transport_dst_confirm+0x50/0x50
[   25.910543]  sctp_chunk_free+0x53/0x60
[   25.911098]  __sctp_outq_teardown+0xc7d/0x15a0
[   25.911769]  ? inet6_release+0x50/0x70
[   25.912261]  ? sctp_inq_set_th_handler+0x1b0/0x1b0
[   25.912775]  ? unwind_next_frame.part.6+0x1ae/0xc70
[   25.913355]  ? unwind_next_frame.part.6+0x1ae/0xc70
[   25.914055]  ? unwind_dump+0x4c0/0x4c0
[   25.915546]  ? unwind_dump+0x4c0/0x4c0
[   25.915860]  ? copy_trace+0x1d0/0x1d0
[   25.916141]  ? check_noncircular+0x20/0x20
[   25.916474]  ? check_noncircular+0x20/0x20
[   25.916834]  ? unwind_get_return_address+0x61/0xa0
[   25.917292]  ? __save_stack_trace+0x61/0xd0
[   25.917669]  ? check_noncircular+0x20/0x20
[   25.918037]  ? print_usage_bug+0x480/0x480
[   25.918428]  ? find_held_lock+0x39/0x1d0
[   25.918789]  ? lock_downgrade+0x990/0x990
[   25.919159]  ? sk_dst_check+0x560/0x560
[   25.919504]  ? rcu_read_lock_sched_held+0x108/0x120
[   25.919938]  ? lock_release+0xd70/0xd70
[   25.920287]  sctp_outq_free+0x15/0x20
[   25.920619]  sctp_association_free+0x2d0/0x930
[   25.921021]  ? sctp_asconf_queue_teardown+0x700/0x700
[   25.921465]  ? sock_def_wakeup+0x222/0x350
[   25.921835]  ? sk_dst_check+0x560/0x560
[   25.922187]  ? sctp_association_put+0x74/0x2f0
[   25.922580]  ? sctp_association_hold+0x20/0x20
[   25.922974]  ? unwind_dump+0x4c0/0x4c0
[   25.923305]  ? sctp_sm_lookup_event+0x95/0x3c0
[   25.923707]  sctp_do_sm+0x28e7/0x6dd0
[   25.924058]  ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0
[   25.924598]  ? print_usage_bug+0x480/0x480
[   25.924985]  ? __lock_acquire+0x20f4/0x4620
[   25.925363]  ? print_usage_bug+0x480/0x480
[   25.925732]  ? find_held_lock+0x39/0x1d0
[   25.926094]  ? lock_downgrade+0x990/0x990
[   25.926458]  ? skb_dequeue+0x22/0x180
[   25.926797]  ? do_raw_spin_trylock+0x190/0x190
[   25.927196]  ? mark_held_locks+0xb2/0x100
[   25.927571]  ? trace_hardirqs_on+0xd/0x10
[   25.927948]  sctp_primitive_SHUTDOWN+0xa0/0xd0
[   25.928350]  sctp_close+0x3c6/0x980
[   25.928676]  ? sctp_apply_peer_addr_params+0xf30/0xf30
[   25.929151]  ? unwind_get_return_address+0x61/0xa0
[   25.929581]  ? check_noncircular+0x20/0x20
[   25.929951]  ? depot_save_stack+0x12c/0x490
[   25.930327]  ? ipv6_sock_ac_close+0x2e8/0x3e0
[   25.930717]  ? ipv6_sock_mc_close+0x148/0x1a0
[   25.931103]  ? ipv6_sock_ac_drop+0x580/0x580
[   25.931489]  ? ip_mc_drop_socket+0x1ce/0x230
[   25.931873]  ? __fsnotify_parent+0xb4/0x3a0
[   25.932251]  inet_release+0xed/0x1c0
[   25.932578]  inet6_release+0x50/0x70
[   25.932908]  sock_release+0x8d/0x1e0
[   25.933232]  ? sock_release+0x1e0/0x1e0
[   25.933582]  sock_close+0x16/0x20
[   25.933890]  __fput+0x333/0x7f0
[   25.934259]  ? fput+0x140/0x140
[   25.934566]  ? _raw_spin_unlock_irq+0x27/0x70
[   25.934973]  ____fput+0x15/0x20
[   25.935260]  task_work_run+0x199/0x270
[   25.935588]  ? task_work_cancel+0x210/0x210
[   25.936307]  ? _raw_spin_unlock+0x22/0x30
[   25.936676]  ? switch_task_namespaces+0x87/0xc0
[   25.937115]  do_exit+0xa52/0x1b40
[   25.937447]  ? lock_downgrade+0x990/0x990
[   25.937837]  ? mm_update_next_owner+0x930/0x930
[   25.938271]  ? __lock_is_held+0xbc/0x140
[   25.938722]  ? __fd_install+0x2f7/0x6a0
[   25.939077]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.939512]  ? get_unused_fd_flags+0x190/0x190
[   25.939959]  ? copy_user_generic_string+0x2c/0x40
[   25.940343]  ? _copy_to_user+0xa2/0xc0
[   25.940699]  ? fd_install+0x4d/0x60
[   25.941047]  ? SYSC_accept4+0x4f2/0x850
[   25.941421]  ? kernel_accept+0x2f0/0x2f0
[   25.941780]  ? do_page_fault+0x70/0x70
[   25.942132]  ? selinux_socket_listen+0x36/0x40
[   25.942535]  ? security_socket_listen+0x81/0xb0
[   25.942953]  do_group_exit+0x149/0x400
[   25.943289]  ? SyS_bind+0x30/0x30
[   25.943702]  ? SyS_exit+0x30/0x30
[   25.944015]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   25.944471]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   25.944901]  SyS_exit_group+0x1d/0x20
[   25.945265]  entry_SYSCALL_64_fastpath+0x1f/0xbe
[   25.945722] RIP: 0033:0x433aa9
[   25.946018] RSP: 002b:00007ffe6609df38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   25.946692] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000433aa9
[   25.947322] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[   25.947956] RBP: 0000000000000086 R08: 000000000000003c R09: 00000000000000e7
[   25.948589] R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000000
[   25.949224] R13: 00000000004018e0 R14: 0000000000401970 R15: 0000000000000000
[   25.950214] Dumping ftrace buffer:
[   25.950603]    (ftrace buffer empty)
[   25.950945] Kernel Offset: disabled
[   25.951281] Rebooting in 86400 seconds..