[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c.
[ 56.765680][ T26] audit: type=1800 audit(1573900125.188:25): pid=8824 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 56.788162][ T26] audit: type=1800 audit(1573900125.188:26): pid=8824 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 56.821814][ T26] audit: type=1800 audit(1573900125.188:27): pid=8824 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.9' (ECDSA) to the list of known hosts.
syzkaller login: [ 67.220169][ T8979] IPVS: ftp: loaded support on port[0] = 21
[ 67.282632][ T8979] chnl_net:caif_netlink_parms(): no params data found
[ 67.310553][ T8979] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.318104][ T8979] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.325811][ T8979] device bridge_slave_0 entered promiscuous mode
[ 67.333918][ T8979] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.341120][ T8979] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.348926][ T8979] device bridge_slave_1 entered promiscuous mode
[ 67.365963][ T8979] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 67.376958][ T8979] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 67.396489][ T8979] team0: Port device team_slave_0 added
[ 67.404087][ T8979] team0: Port device team_slave_1 added
[ 67.469905][ T8979] device hsr_slave_0 entered promiscuous mode
[ 67.507670][ T8979] device hsr_slave_1 entered promiscuous mode
[ 67.599184][ T8979] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 67.659749][ T8979] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 67.729188][ T8979] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 67.789390][ T8979] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 67.856423][ T8979] bridge0: port 2(bridge_slave_1) entered blocking state
[ 67.863625][ T8979] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 67.871547][ T8979] bridge0: port 1(bridge_slave_0) entered blocking state
[ 67.878698][ T8979] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 67.913718][ T8979] 8021q: adding VLAN 0 to HW filter on device bond0
[ 67.927062][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 67.948431][ T45] bridge0: port 1(bridge_slave_0) entered disabled state
[ 67.966680][ T45] bridge0: port 2(bridge_slave_1) entered disabled state
[ 67.975447][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 67.987128][ T8979] 8021q: adding VLAN 0 to HW filter on device team0
[ 67.997689][ T2907] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.006006][ T2907] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.013108][ T2907] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 68.027666][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.035967][ T45] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.043090][ T45] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 68.058938][ T2907] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.067745][ T2907] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.076382][ T2907] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 68.089546][ T8979] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 68.100898][ T8979] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 68.113177][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 68.122174][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 68.130657][ T45] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 68.145487][ T2907] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 68.153459][ T2907] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 68.165406][ T8979] 8021q: adding VLAN 0 to HW filter on device batadv0
executing program
[ 68.254854][ T8984] ------------[ cut here ]------------
[ 68.261300][ T8984] refcount_t: underflow; use-after-free.
[ 68.267165][ T8984] WARNING: CPU: 1 PID: 8984 at lib/refcount.c:190 refcount_sub_and_test_checked+0x1d0/0x200
[ 68.277242][ T8984] Kernel panic - not syncing: panic_on_warn set ...
[ 68.283845][ T8984] CPU: 1 PID: 8984 Comm: syz-executor828 Not tainted 5.4.0-rc7-next-20191115 #0
[ 68.292841][ T8984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.302875][ T8984] Call Trace:
[ 68.306151][ T8984] dump_stack+0x197/0x210
[ 68.310462][ T8984] ? refcount_sub_and_test_checked+0x120/0x200
[ 68.316590][ T8984] panic+0x2e3/0x75c
[ 68.320463][ T8984] ? add_taint.cold+0x16/0x16
[ 68.325120][ T8984] ? __kasan_check_write+0x14/0x20
[ 68.330207][ T8984] ? __warn.cold+0x14/0x35
[ 68.334601][ T8984] ? __warn+0xd9/0x1d0
[ 68.338661][ T8984] ? refcount_sub_and_test_checked+0x1d0/0x200
[ 68.344812][ T8984] __warn.cold+0x2f/0x35
[ 68.349044][ T8984] ? refcount_sub_and_test_checked+0x1d0/0x200
[ 68.355182][ T8984] report_bug+0x289/0x300
[ 68.359521][ T8984] do_error_trap+0x11b/0x200
[ 68.364100][ T8984] do_invalid_op+0x37/0x50
[ 68.368496][ T8984] ? refcount_sub_and_test_checked+0x1d0/0x200
[ 68.374626][ T8984] invalid_op+0x23/0x30
[ 68.378759][ T8984] RIP: 0010:refcount_sub_and_test_checked+0x1d0/0x200
[ 68.385497][ T8984] Code: 1d cc c7 7c 06 31 ff 89 de e8 ec 0e 2c fe 84 db 75 94 e8 a3 0d 2c fe 48 c7 c7 80 33 e7 87 c6 05 ac c7 7c 06 01 e8 d8 0a fd fd <0f> 0b e9 75 ff ff ff e8 84 0d 2c fe e9 6e ff ff ff 48 89 df e8 f7
[ 68.405085][ T8984] RSP: 0018:ffff88808ed07cb0 EFLAGS: 00010286
[ 68.411136][ T8984] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 68.419111][ T8984] RDX: 0000000000000000 RSI: ffffffff815d6fe6 RDI: ffffed1011da0f88
[ 68.427063][ T8984] RBP: ffff88808ed07d48 R08: ffff888099578100 R09: ffffed1015d245c9
[ 68.435015][ T8984] R10: ffffed1015d245c8 R11: ffff8880ae922e43 R12: 00000000ffffffff
[ 68.442975][ T8984] R13: 0000000000000001 R14: ffff88808ed07d20 R15: 0000000000000000
[ 68.450941][ T8984] ? vprintk_func+0x86/0x189
[ 68.455524][ T8984] ? refcount_dec_not_one+0x1f0/0x1f0
[ 68.460881][ T8984] ? __sk_free+0x100/0x360
[ 68.465278][ T8984] refcount_dec_and_test_checked+0x1b/0x20
[ 68.471073][ T8984] smc_release+0x236/0x3e0
[ 68.475472][ T8984] __sock_release+0xce/0x280
[ 68.480041][ T8984] sock_close+0x1e/0x30
[ 68.484177][ T8984] __fput+0x2ff/0x890
[ 68.488136][ T8984] ? __sock_release+0x280/0x280
[ 68.492973][ T8984] ____fput+0x16/0x20
[ 68.496938][ T8984] task_work_run+0x145/0x1c0
[ 68.501520][ T8984] exit_to_usermode_loop+0x316/0x380
[ 68.506788][ T8984] do_syscall_64+0x676/0x790
[ 68.511357][ T8984] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.517225][ T8984] RIP: 0033:0x403de0
[ 68.521101][ T8984] Code: 01 f0 ff ff 0f 83 c0 0f 00 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 83 3d 6d ff 2d 00 00 75 14 b8 03 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 94 0f 00 00 c3 48 83 ec 08 e8 fa 04 00 00
[ 68.540678][ T8984] RSP: 002b:00007ffd8e9e9008 EFLAGS: 00000246 ORIG_RAX: 0000000000000003
[ 68.549076][ T8984] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000403de0
[ 68.557022][ T8984] RDX: 0000000000000017 RSI: 0000000000000006 RDI: 0000000000000003
[ 68.565836][ T8984] RBP: 0000000000000000 R08: 0000000000000004 R09: 00000000000003e8
[ 68.573786][ T8984] R10: 0000000020000240 R11: 0000000000000246 R12: 0000000000000000
[ 68.581737][ T8984] R13: 0000000000405290 R14: 0000000000000000 R15: 0000000000000000
[ 68.591054][ T8984] Kernel Offset: disabled
[ 68.595446][ T8984] Rebooting in 86400 seconds..