Debian GNU/Linux 7 syzkaller ttyS0 executing program syzkaller login: [ 20.959941] refcount_t: underflow; use-after-free. [ 20.960406] ------------[ cut here ]------------ [ 20.960815] WARNING: CPU: 2 PID: 3006 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0 [ 20.961534] Kernel panic - not syncing: panic_on_warn set ... [ 20.961534] [ 20.962132] CPU: 2 PID: 3006 Comm: syzkaller488318 Not tainted 4.13.0-rc4-next-20170811 #2 [ 20.962843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 20.963478] Call Trace: [ 20.963691] dump_stack+0x194/0x257 [ 20.964218] ? arch_local_irq_restore+0x53/0x53 [ 20.965402] panic+0x1e4/0x417 [ 20.966197] ? __warn+0x1d9/0x1d9 [ 20.967272] ? show_regs_print_info+0x65/0x65 [ 20.968396] ? refcount_sub_and_test+0x167/0x1b0 [ 20.969309] __warn+0x1c4/0x1d9 [ 20.969935] ? refcount_sub_and_test+0x167/0x1b0 [ 20.970860] report_bug+0x211/0x2d0 [ 20.971456] fixup_bug+0x40/0x90 [ 20.971817] do_trap+0x260/0x390 [ 20.972161] do_error_trap+0x120/0x390 [ 20.972554] ? do_trap+0x390/0x390 [ 20.972930] ? refcount_sub_and_test+0x167/0x1b0 [ 20.973437] ? vprintk_emit+0x3ea/0x590 [ 20.973854] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 20.974343] do_invalid_op+0x1b/0x20 [ 20.974695] invalid_op+0x1e/0x30 [ 20.975350] RIP: 0010:refcount_sub_and_test+0x167/0x1b0 [ 20.975945] RSP: 0018:ffff880039806300 EFLAGS: 00010282 [ 20.976481] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000 [ 20.977177] RDX: 0000000000000026 RSI: 1ffff10007300c20 RDI: ffffed0007300c54 [ 20.977903] RBP: ffff880039806390 R08: 0000000000000000 R09: 1ffff10007300bf2 [ 20.978679] R10: ffff880039806130 R11: ffffffff85b2d3b8 R12: 1ffff10007300c61 [ 20.979383] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff880068dd723c [ 20.980139] ? refcount_inc+0x50/0x50 [ 20.980523] ? __sctp_outq_teardown+0xc7d/0x15a0 [ 20.980993] ? sctp_association_free+0x2d0/0x930 [ 20.981468] ? sctp_do_sm+0x28e7/0x6d90 [ 20.981870] ? sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 20.982338] ? sctp_close+0x3c6/0x980 [ 20.982718] ? inet_release+0xed/0x1c0 [ 20.983124] ? inet6_release+0x50/0x70 [ 20.983520] ? sock_release+0x8d/0x1e0 [ 20.983916] sctp_wfree+0x183/0x620 [ 20.984279] ? do_signal+0x94/0x1ee0 [ 20.984653] ? exit_to_usermode_loop+0x224/0x300 [ 20.985148] ? __sctp_write_space+0x910/0x910 [ 20.985581] skb_release_head_state+0x124/0x200 [ 20.986000] skb_release_all+0x15/0x60 [ 20.986394] consume_skb+0x153/0x490 [ 20.986768] ? sctp_chunk_put+0x99/0x420 [ 20.987204] ? alloc_skb_with_frags+0x710/0x710 [ 20.987677] ? sctp_chunk_hold+0x20/0x20 [ 20.988099] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.988617] ? refcount_sub_and_test+0x115/0x1b0 [ 20.989068] ? refcount_inc+0x50/0x50 [ 20.989407] ? trace_hardirqs_off+0xd/0x10 [ 20.989782] ? quarantine_put+0xeb/0x190 [ 20.990144] sctp_chunk_put+0x29c/0x420 [ 20.990494] ? sctp_chunk_hold+0x20/0x20 [ 20.990852] ? sctp_transport_dst_confirm+0x50/0x50 [ 20.991284] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.991744] ? kernel_poison_pages+0xe5/0x210 [ 20.992143] ? trace_hardirqs_on+0xd/0x10 [ 20.992517] sctp_chunk_free+0x53/0x60 [ 20.992865] __sctp_outq_teardown+0xc7d/0x15a0 [ 20.993345] ? sctp_inq_set_th_handler+0x1b0/0x1b0 [ 20.993842] ? pagevec_move_tail_fn+0x1210/0x1210 [ 20.994330] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.994838] ? lock_acquire+0x1d5/0x580 [ 20.995266] ? free_transhuge_page+0x2ca/0x430 [ 20.996290] ? lock_release+0xa40/0xa40 [ 20.996652] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.997145] ? lock_downgrade+0x990/0x990 [ 20.997518] ? get_signal+0x7e8/0x17e0 [ 20.997863] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 20.998318] ? lock_acquire+0x1d5/0x580 [ 20.998623] ? release_pages+0xb67/0x11d0 [ 20.998929] ? free_hot_cold_page_list+0x101/0x470 [ 20.999318] ? lock_acquire+0x1d5/0x580 [ 20.999617] ? lock_acquire+0x1d5/0x580 [ 20.999915] ? lock_timer_base+0x1a3/0x2b0 [ 21.000235] ? lock_acquire+0x1d5/0x580 [ 21.000535] ? lock_acquire+0x1d5/0x580 [ 21.000833] ? lock_acquire+0x1d5/0x580 [ 21.001145] ? sock_def_wakeup+0x1f9/0x350 [ 21.001470] ? lock_downgrade+0x990/0x990 [ 21.001774] ? lock_release+0xa40/0xa40 [ 21.002070] ? __next_timer_interrupt+0x150/0x150 [ 21.002420] sctp_outq_free+0x15/0x20 [ 21.002700] sctp_association_free+0x2d0/0x930 [ 21.003038] ? refcount_inc+0x50/0x50 [ 21.003329] ? sctp_asconf_queue_teardown+0x700/0x700 [ 21.003699] ? sock_def_wakeup+0x222/0x350 [ 21.004006] ? sk_dst_check+0x560/0x560 [ 21.004301] ? sctp_association_put+0x74/0x2f0 [ 21.004677] ? sctp_association_hold+0x20/0x20 [ 21.005042] ? __kernel_text_address+0xae/0xe0 [ 21.005299] ? unwind_get_return_address+0x61/0xa0 [ 21.005572] ? sctp_sm_lookup_event+0x95/0x3c0 [ 21.005828] sctp_do_sm+0x28e7/0x6d90 [ 21.006051] ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0 [ 21.006383] ? save_stack_trace+0x16/0x20 [ 21.006613] ? kasan_slab_free+0x71/0xc0 [ 21.006838] ? kfree+0xca/0x250 [ 21.007034] ? exit_sem+0x9b0/0x1f70 [ 21.007309] ? do_exit+0xa1b/0x1b30 [ 21.007557] ? do_group_exit+0x149/0x400 [ 21.007837] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.008202] ? unwind_dump+0x4c0/0x4c0 [ 21.008472] ? lock_acquire+0x1d5/0x580 [ 21.008730] ? lock_acquire+0x1d5/0x580 [ 21.009016] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 21.009387] ? lock_acquire+0x1d5/0x580 [ 21.009628] ? skb_dequeue+0x12a/0x180 [ 21.009895] ? lock_downgrade+0x990/0x990 [ 21.010197] ? do_raw_spin_trylock+0x190/0x190 [ 21.010536] ? lock_release+0xa40/0xa40 [ 21.010823] ? trace_hardirqs_on+0xd/0x10 [ 21.011160] sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 21.011482] sctp_close+0x3c6/0x980 [ 21.011734] ? sctp_apply_peer_addr_params+0xf30/0xf30 [ 21.012085] ? unwind_get_return_address+0x61/0xa0 [ 21.012423] ? trace_hardirqs_off+0xd/0x10 [ 21.012716] ? _raw_spin_unlock_irqrestore+0xa6/0xba [ 21.013071] ? depot_save_stack+0x3b5/0x490 [ 21.013372] ? free_fs_struct+0x4f/0x60 [ 21.013643] ? ipv6_sock_ac_close+0x2e8/0x3e0 [ 21.013943] ? ipv6_sock_mc_close+0x148/0x1a0 [ 21.014263] ? ipv6_sock_ac_drop+0x580/0x580 [ 21.014572] ? ip_mc_drop_socket+0x1ce/0x230 [ 21.014886] ? __fsnotify_parent+0xb4/0x3a0 [ 21.015240] inet_release+0xed/0x1c0 [ 21.015507] inet6_release+0x50/0x70 [ 21.015796] sock_release+0x8d/0x1e0 [ 21.016076] ? sock_release+0x1e0/0x1e0 [ 21.016372] sock_close+0x16/0x20 [ 21.016644] __fput+0x327/0x7e0 [ 21.016873] ? fput+0x140/0x140 [ 21.017116] ? do_raw_spin_trylock+0x190/0x190 [ 21.017438] ____fput+0x15/0x20 [ 21.018489] task_work_run+0x199/0x270 [ 21.018792] ? task_work_cancel+0x210/0x210 [ 21.019082] ? _raw_spin_unlock+0x22/0x30 [ 21.019361] ? switch_task_namespaces+0x87/0xc0 [ 21.019726] do_exit+0xa52/0x1b30 [ 21.019960] ? __sched_text_start+0x8/0x8 [ 21.020347] ? lock_release+0xa40/0xa40 [ 21.020805] ? mm_update_next_owner+0x930/0x930 [ 21.021227] ? sctp_outq_uncork+0x5a/0x70 [ 21.021585] ? sctp_do_sm+0x49b/0x6d90 [ 21.021939] ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0 [ 21.022341] ? lock_acquire+0x1d5/0x580 [ 21.022618] ? finish_wait+0x268/0x490 [ 21.022881] ? lock_downgrade+0x990/0x990 [ 21.023172] ? do_raw_spin_trylock+0x190/0x190 [ 21.023498] ? trace_hardirqs_on+0xd/0x10 [ 21.023824] ? refcount_sub_and_test+0x115/0x1b0 [ 21.024239] ? release_sock+0x1d4/0x2a0 [ 21.024583] ? lock_downgrade+0x990/0x990 [ 21.024939] ? lock_downgrade+0x990/0x990 [ 21.025250] ? __dequeue_signal+0x103/0x7b0 [ 21.025605] ? recalc_sigpending_tsk+0x117/0x150 [ 21.026011] ? get_signal+0x855/0x17e0 [ 21.026388] ? lock_downgrade+0x990/0x990 [ 21.026793] ? __local_bh_enable_ip+0x9d/0x160 [ 21.027251] do_group_exit+0x149/0x400 [ 21.027620] ? SyS_exit+0x30/0x30 [ 21.027966] ? sctp_primitive_SEND+0xa0/0xd0 [ 21.028390] get_signal+0x7e8/0x17e0 [ 21.028779] ? ptrace_notify+0x130/0x130 [ 21.030683] ? release_sock+0x1d4/0x2a0 [ 21.033420] ? trace_hardirqs_on+0xd/0x10 [ 21.036215] ? __local_bh_enable_ip+0x9d/0x160 [ 21.038096] ? _raw_spin_unlock_bh+0x30/0x40 [ 21.038751] ? release_sock+0x1d4/0x2a0 [ 21.039184] ? trace_hardirqs_on+0xd/0x10 [ 21.039553] do_signal+0x94/0x1ee0 [ 21.039889] ? inet_sendmsg+0x11f/0x5e0 [ 21.040286] ? inet_sendmsg+0x126/0x5e0 [ 21.040637] ? __might_sleep+0x95/0x190 [ 21.041309] ? setup_sigcontext+0x7d0/0x7d0 [ 21.041739] ? selinux_socket_sendmsg+0x36/0x40 [ 21.042201] ? security_socket_sendmsg+0x89/0xb0 [ 21.042683] ? inet_recvmsg+0x5f0/0x5f0 [ 21.043084] ? sock_sendmsg+0x4f/0x110 [ 21.043468] ? fput+0xd2/0x140 [ 21.043791] ? SYSC_sendto+0x40d/0x5a0 [ 21.044176] ? SYSC_connect+0x470/0x470 [ 21.044572] ? up_read+0x1a/0x40 [ 21.044909] ? __do_page_fault+0x35b/0xb60 [ 21.045328] exit_to_usermode_loop+0x224/0x300 [ 21.045782] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 21.046357] syscall_return_slowpath+0x42f/0x500 [ 21.046837] ? prepare_exit_to_usermode+0x2c0/0x2c0 [ 21.047562] ? perf_trace_sys_enter+0xc20/0xc20 [ 21.048032] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 21.048508] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 21.048985] RIP: 0033:0x43a999 [ 21.049304] RSP: 002b:00007fae94a0bdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 21.050053] RAX: 00000000000000d1 RBX: 0000000000000000 RCX: 000000000043a999 [ 21.050767] RDX: 00000000000000d1 RSI: 0000000020446000 RDI: 0000000000000003 [ 21.051471] RBP: 0000000000000000 R08: 0000000020e88000 R09: 0000000000000080 [ 21.052148] R10: 0000000000000010 R11: 0000000000000246 R12: 0000000000000000 [ 21.052790] R13: 0000000000000000 R14: 00007fae94a0c9c0 R15: 00007fae94a0c700 [ 21.053510] Dumping ftrace buffer: [ 21.053830] (ftrace buffer empty) [ 21.054150] Kernel Offset: disabled [ 21.054467] Rebooting in 86400 seconds..