executing program syzkaller login: [ 13.535487] refcount_t: underflow; use-after-free. [ 13.535915] ------------[ cut here ]------------ [ 13.536398] WARNING: CPU: 0 PID: 2991 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0 [ 13.537067] Kernel panic - not syncing: panic_on_warn set ... [ 13.537067] [ 13.537550] CPU: 0 PID: 2991 Comm: syzkaller987274 Not tainted 4.13.0-rc5-next-20170815+ #3 [ 13.538145] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 13.538751] Call Trace: [ 13.538927] dump_stack+0x194/0x257 [ 13.539174] ? arch_local_irq_restore+0x53/0x53 [ 13.539489] panic+0x1e4/0x417 [ 13.539741] ? __warn+0x1d9/0x1d9 [ 13.539983] ? show_regs_print_info+0x65/0x65 [ 13.540309] ? refcount_sub_and_test+0x167/0x1b0 [ 13.540623] __warn+0x1c4/0x1d9 [ 13.540840] ? refcount_sub_and_test+0x167/0x1b0 [ 13.541153] report_bug+0x211/0x2d0 [ 13.541461] fixup_bug+0x40/0x90 [ 13.541691] do_trap+0x260/0x390 [ 13.541935] do_error_trap+0x120/0x390 [ 13.542257] ? do_trap+0x390/0x390 [ 13.542507] ? refcount_sub_and_test+0x167/0x1b0 [ 13.542819] ? vprintk_emit+0x3ea/0x590 [ 13.543089] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 13.543420] do_invalid_op+0x1b/0x20 [ 13.543687] invalid_op+0x1e/0x30 [ 13.543939] RIP: 0010:refcount_sub_and_test+0x167/0x1b0 [ 13.544404] RSP: 0018:ffff88006b926920 EFLAGS: 00010286 [ 13.544755] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000 [ 13.545252] RDX: 0000000000000026 RSI: 1ffff1000d724ce4 RDI: ffffed000d724d18 [ 13.545743] RBP: ffff88006b9269b0 R08: 0000000000000000 R09: 1ffff1000d724cb6 [ 13.546280] R10: ffff88006b926750 R11: ffffffff85b2d438 R12: 1ffff1000d724d25 [ 13.546767] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff880039169a3c [ 13.547312] ? refcount_inc+0x50/0x50 [ 13.547585] ? __sctp_outq_teardown+0xc7d/0x15a0 [ 13.547911] ? sctp_association_free+0x2d0/0x930 [ 13.548285] ? sctp_do_sm+0x28e7/0x6d90 [ 13.548583] ? sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 13.549279] ? sctp_close+0x3c6/0x980 [ 13.549554] ? inet_release+0xed/0x1c0 [ 13.549825] ? inet6_release+0x50/0x70 [ 13.550110] ? sock_release+0x8d/0x1e0 [ 13.550396] sctp_wfree+0x183/0x620 [ 13.550678] ? entry_SYSCALL_64_fastpath+0x1f/0xbe [ 13.551031] ? __sctp_write_space+0x910/0x910 [ 13.551343] skb_release_head_state+0x124/0x200 [ 13.551640] skb_release_all+0x15/0x60 [ 13.551886] consume_skb+0x153/0x490 [ 13.552111] ? sctp_chunk_put+0x99/0x420 [ 13.552367] ? alloc_skb_with_frags+0x710/0x710 [ 13.552681] ? sctp_chunk_hold+0x20/0x20 [ 13.552938] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 13.553296] ? refcount_sub_and_test+0x115/0x1b0 [ 13.553611] ? refcount_inc+0x50/0x50 [ 13.553891] ? trace_hardirqs_off+0xd/0x10 [ 13.554172] ? quarantine_put+0xeb/0x190 [ 13.554447] sctp_chunk_put+0x29c/0x420 [ 13.554711] ? sctp_chunk_hold+0x20/0x20 [ 13.554981] ? sctp_transport_dst_confirm+0x50/0x50 [ 13.555314] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 13.555669] ? kernel_poison_pages+0xe5/0x210 [ 13.555966] ? trace_hardirqs_on+0xd/0x10 [ 13.556307] ? trace_hardirqs_on+0xd/0x10 [ 13.556672] sctp_chunk_free+0x53/0x60 [ 13.556960] __sctp_outq_teardown+0xc7d/0x15a0 [ 13.557293] ? sctp_inq_set_th_handler+0x1b0/0x1b0 [ 13.557647] ? pagevec_move_tail_fn+0x1210/0x1210 [ 13.558032] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 13.558374] ? lock_acquire+0x1d5/0x580 [ 13.558683] ? free_transhuge_page+0x2ca/0x430 [ 13.559030] ? ptlock_free+0x38/0x42 [ 13.559298] ? lock_release+0xa40/0xa40 [ 13.559593] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 13.559940] ? lock_downgrade+0x990/0x990 [ 13.560242] ? SyS_exit_group+0x1d/0x20 [ 13.560550] ? lock_acquire+0x1d5/0x580 [ 13.560875] ? release_pages+0xb67/0x11d0 [ 13.561180] ? free_hot_cold_page_list+0x101/0x470 [ 13.561553] ? lock_acquire+0x1d5/0x580 [ 13.561817] ? lock_acquire+0x1d5/0x580 [ 13.562108] ? lock_timer_base+0x1a3/0x2b0 [ 13.562404] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 13.562808] ? lock_acquire+0x1d5/0x580 [ 13.563126] ? lock_acquire+0x1d5/0x580 [ 13.563403] ? sock_def_wakeup+0x1f9/0x350 [ 13.563699] ? lock_downgrade+0x990/0x990 [ 13.564031] ? lock_release+0xa40/0xa40 [ 13.564322] ? __next_timer_interrupt+0x150/0x150 [ 13.564675] sctp_outq_free+0x15/0x20 [ 13.564943] sctp_association_free+0x2d0/0x930 [ 13.565258] ? refcount_inc+0x50/0x50 [ 13.565513] ? sctp_asconf_queue_teardown+0x700/0x700 [ 13.565880] ? sock_def_wakeup+0x222/0x350 [ 13.566202] ? sk_dst_check+0x560/0x560 [ 13.566482] ? sctp_association_put+0x74/0x2f0 [ 13.566802] ? sctp_association_hold+0x20/0x20 [ 13.567146] ? lock_downgrade+0x990/0x990 [ 13.567426] ? sctp_sm_lookup_event+0x95/0x3c0 [ 13.567800] sctp_do_sm+0x28e7/0x6d90 [ 13.568067] ? bpf_prog_kallsyms_find+0xbd/0x440 [ 13.568428] ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0 [ 13.568843] ? lock_release+0xa40/0xa40 [ 13.569111] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 13.569455] ? unwind_dump+0x4c0/0x4c0 [ 13.569717] ? mark_free_pages+0x350/0x350 [ 13.569998] ? ptlock_free+0x38/0x42 [ 13.570280] ? lock_acquire+0x1d5/0x580 [ 13.570836] ? lock_acquire+0x1d5/0x580 [ 13.571116] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 13.571490] ? lock_acquire+0x1d5/0x580 [ 13.571825] ? skb_dequeue+0x12a/0x180 [ 13.572095] ? lock_downgrade+0x990/0x990 [ 13.572376] ? do_raw_spin_trylock+0x190/0x190 [ 13.572681] ? lock_release+0xa40/0xa40 [ 13.572951] ? trace_hardirqs_on+0xd/0x10 [ 13.573230] sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 13.573537] sctp_close+0x3c6/0x980 [ 13.573785] ? sctp_apply_peer_addr_params+0xf30/0xf30 [ 13.574149] ? unwind_get_return_address+0x61/0xa0 [ 13.574530] ? __save_stack_trace+0x7e/0xd0 [ 13.574834] ? depot_save_stack+0x12c/0x490 [ 13.575136] ? free_fs_struct+0x4f/0x60 [ 13.575402] ? ipv6_sock_ac_close+0x2e8/0x3e0 [ 13.575704] ? ipv6_sock_mc_close+0x148/0x1a0 [ 13.576100] ? ipv6_sock_ac_drop+0x580/0x580 [ 13.576529] ? ip_mc_drop_socket+0x1ce/0x230 [ 13.576928] ? __fsnotify_parent+0xb4/0x3a0 [ 13.577248] inet_release+0xed/0x1c0 [ 13.577497] inet6_release+0x50/0x70 [ 13.577747] sock_release+0x8d/0x1e0 [ 13.578011] ? sock_release+0x1e0/0x1e0 [ 13.578290] sock_close+0x16/0x20 [ 13.578523] __fput+0x327/0x7e0 [ 13.578746] ? fput+0x140/0x140 [ 13.578967] ? do_raw_spin_trylock+0x190/0x190 [ 13.579305] ____fput+0x15/0x20 [ 13.579566] task_work_run+0x199/0x270 [ 13.579855] ? task_work_cancel+0x210/0x210 [ 13.580171] ? _raw_spin_unlock+0x22/0x30 [ 13.580449] ? switch_task_namespaces+0x87/0xc0 [ 13.580790] do_exit+0xa52/0x1b30 [ 13.581113] ? lock_acquire+0x1d5/0x580 [ 13.581490] ? lock_downgrade+0x990/0x990 [ 13.581869] ? mm_update_next_owner+0x930/0x930 [ 13.582242] ? lock_release+0xa40/0xa40 [ 13.582547] ? check_same_owner+0x320/0x320 [ 13.582898] ? inet_accept+0x147/0x930 [ 13.583171] ? lock_acquire+0x1d5/0x580 [ 13.583436] ? rcu_note_context_switch+0x710/0x710 [ 13.583763] ? __might_sleep+0x95/0x190 [ 13.584048] ? __fd_install+0x2f7/0x6a0 [ 13.584303] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 13.584623] ? get_unused_fd_flags+0x190/0x190 [ 13.585015] ? copy_user_generic_string+0x2c/0x40 [ 13.585365] ? _copy_to_user+0xa2/0xc0 [ 13.585628] ? fd_install+0x4d/0x60 [ 13.585872] ? SYSC_accept4+0x4ec/0x850 [ 13.586140] ? kernel_accept+0x2f0/0x2f0 [ 13.586485] ? do_page_fault+0x70/0x70 [ 13.586834] ? selinux_socket_listen+0x36/0x40 [ 13.587255] ? security_socket_listen+0x81/0xb0 [ 13.587571] do_group_exit+0x149/0x400 [ 13.587874] ? SyS_bind+0x30/0x30 [ 13.588147] ? SyS_exit+0x30/0x30 [ 13.588373] ? perf_trace_sys_enter+0xc20/0xc20 [ 13.588679] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 13.589067] SyS_exit_group+0x1d/0x20 [ 13.589453] entry_SYSCALL_64_fastpath+0x1f/0xbe [ 13.589925] RIP: 0033:0x433aa9 [ 13.590217] RSP: 002b:00007ffd026a5308 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 13.590945] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000433aa9 [ 13.591679] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 13.592776] RBP: 00000000006c0018 R08: 000000000000003c R09: 00000000000000e7 [ 13.593333] R10: ffffffffffffffc0 R11: 0000000000000246 R12: 0000000000000000 [ 13.593982] R13: 00000000004018e0 R14: 0000000000401970 R15: 0000000000000000 [ 13.594745] Dumping ftrace buffer: [ 13.595090] (ftrace buffer empty) [ 13.595429] Kernel Offset: disabled [ 13.595767] Rebooting in 86400 seconds..