[ ok ] Starting enhanced syslogd: rsyslogd.
[ 64.064497][ T25] audit: type=1800 audit(1575143195.860:25): pid=8851 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 64.084692][ T25] audit: type=1800 audit(1575143195.860:26): pid=8851 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 64.141577][ T25] audit: type=1800 audit(1575143195.870:27): pid=8851 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 74.561798][ T9002] ------------[ cut here ]------------
[ 74.567528][ T9002] refcount_t: underflow; use-after-free.
[ 74.573798][ T9002] WARNING: CPU: 1 PID: 9002 at lib/refcount.c:28 refcount_warn_saturate+0x1dc/0x1f0
[ 74.583278][ T9002] Kernel panic - not syncing: panic_on_warn set ...
[ 74.589867][ T9002] CPU: 1 PID: 9002 Comm: syz-executor847 Not tainted 5.4.0-syzkaller #0
[ 74.598163][ T9002] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.608196][ T9002] Call Trace:
[ 74.611474][ T9002] dump_stack+0x197/0x210
[ 74.615795][ T9002] ? refcount_warn_saturate+0x1b0/0x1f0
[ 74.621333][ T9002] panic+0x2e3/0x75c
[ 74.625209][ T9002] ? add_taint.cold+0x16/0x16
[ 74.629871][ T9002] ? __kasan_check_write+0x14/0x20
[ 74.634960][ T9002] ? __warn.cold+0x14/0x3e
[ 74.639353][ T9002] ? __warn+0xd9/0x1cf
[ 74.643427][ T9002] ? refcount_warn_saturate+0x1dc/0x1f0
[ 74.648949][ T9002] __warn.cold+0x2f/0x3e
[ 74.653173][ T9002] ? refcount_warn_saturate+0x1dc/0x1f0
[ 74.658698][ T9002] report_bug+0x289/0x300
[ 74.663008][ T9002] do_error_trap+0x11b/0x200
[ 74.667600][ T9002] do_invalid_op+0x37/0x50
[ 74.672009][ T9002] ? refcount_warn_saturate+0x1dc/0x1f0
[ 74.677555][ T9002] invalid_op+0x23/0x30
[ 74.681709][ T9002] RIP: 0010:refcount_warn_saturate+0x1dc/0x1f0
[ 74.687854][ T9002] Code: e9 d8 fe ff ff 48 89 df e8 31 65 25 fe e9 85 fe ff ff e8 07 37 e8 fd 48 c7 c7 60 53 4f 88 c6 05 7d b6 a5 06 01 e8 73 eb b8 fd <0f> 0b e9 ac fe ff ff 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 55 48
[ 74.707477][ T9002] RSP: 0018:ffff888090cef5c0 EFLAGS: 00010286
[ 74.713528][ T9002] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 74.721490][ T9002] RDX: 0000000000000000 RSI: ffffffff815e4316 RDI: ffffed101219deaa
[ 74.729552][ T9002] RBP: ffff888090cef5d0 R08: ffff888095dee1c0 R09: fffffbfff15d29b2
[ 74.737508][ T9002] R10: fffffbfff15d29b1 R11: ffffffff8ae94d8f R12: 0000000000000003
[ 74.745479][ T9002] R13: ffff8880a1645a04 R14: 0000000000000900 R15: ffff8880a93337c0
[ 74.753454][ T9002] ? vprintk_func+0x86/0x189
[ 74.758035][ T9002] sock_wfree+0x1f8/0x260
[ 74.762380][ T9002] sctp_wfree+0x389/0x990
[ 74.766698][ T9002] ? __sctp_write_space+0x5d0/0x5d0
[ 74.771894][ T9002] skb_release_head_state+0xeb/0x260
[ 74.777159][ T9002] skb_release_all+0x16/0x60
[ 74.781747][ T9002] consume_skb+0xfb/0x410
[ 74.786091][ T9002] sctp_chunk_put+0x1d4/0x2f0
[ 74.790767][ T9002] sctp_chunk_free+0x56/0x70
[ 74.795351][ T9002] __sctp_outq_teardown+0x1d0/0xc60
[ 74.800536][ T9002] sctp_outq_free+0x16/0x20
[ 74.805024][ T9002] sctp_association_free+0x208/0x7e0
[ 74.810294][ T9002] sctp_do_sm+0x3a6a/0x5190
[ 74.814780][ T9002] ? __kmalloc_node_track_caller+0x3d/0x70
[ 74.820592][ T9002] ? sctp_do_8_2_transport_strike.isra.0+0xa60/0xa60
[ 74.827342][ T9002] ? rcu_lockdep_current_cpu_online+0xe3/0x130
[ 74.833478][ T9002] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 74.839002][ T9002] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 74.844965][ T9002] ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 74.851268][ T9002] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 74.856998][ T9002] ? sctp_init_cause+0x1ae/0x230
[ 74.861938][ T9002] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 74.867650][ T9002] ? skb_put+0x177/0x1d0
[ 74.871877][ T9002] ? memcpy+0x46/0x50
[ 74.875916][ T9002] sctp_primitive_ABORT+0xa0/0xd0
[ 74.880951][ T9002] sctp_close+0x259/0x960
[ 74.885280][ T9002] ? sctp_accept+0x710/0x710
[ 74.889954][ T9002] ? __kasan_check_write+0x14/0x20
[ 74.895070][ T9002] ? down_write+0xdf/0x150
[ 74.899472][ T9002] ? ip_mc_drop_socket+0x211/0x270
[ 74.904569][ T9002] inet_release+0xed/0x200
[ 74.908988][ T9002] __sock_release+0xce/0x280
[ 74.913612][ T9002] sock_close+0x1e/0x30
[ 74.917771][ T9002] __fput+0x2ff/0x890
[ 74.921763][ T9002] ? __sock_release+0x280/0x280
[ 74.926603][ T9002] ____fput+0x16/0x20
[ 74.930580][ T9002] task_work_run+0x145/0x1c0
[ 74.935172][ T9002] do_exit+0x8e7/0x2ef0
[ 74.939337][ T9002] ? mm_update_next_owner+0x7c0/0x7c0
[ 74.944690][ T9002] ? fput+0x1b/0x20
[ 74.948486][ T9002] ? __compat_sys_getsockopt+0x1ab/0x2c0
[ 74.954097][ T9002] ? sock_common_getsockopt+0xd0/0xd0
[ 74.959454][ T9002] ? get_compat_bpf_fprog+0x140/0x140
[ 74.964808][ T9002] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 74.970246][ T9002] do_group_exit+0x135/0x360
[ 74.974816][ T9002] __ia32_sys_exit_group+0x44/0x50
[ 74.979991][ T9002] do_fast_syscall_32+0x27b/0xe16
[ 74.985016][ T9002] entry_SYSENTER_compat+0x70/0x7f
[ 74.990118][ T9002] RIP: 0023:0xf7f23a39
[ 74.994219][ T9002] Code: Bad RIP value.
[ 74.998266][ T9002] RSP: 002b:00000000ffffaecc EFLAGS: 00000296 ORIG_RAX: 00000000000000fc
[ 75.006665][ T9002] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000080eb2d8
[ 75.015422][ T9002] RDX: 0000000000000000 RSI: 00000000080d5f78 RDI: 00000000080eb2e0
[ 75.023378][ T9002] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 75.031346][ T9002] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 75.039311][ T9002] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 75.048811][ T9002] Kernel Offset: disabled
[ 75.053204][ T9002] Rebooting in 86400 seconds..