executing program
syzkaller login:
[ 19.137541] refcount_t: underflow; use-after-free.
[ 19.138182] ------------[ cut here ]------------
[ 19.138660] WARNING: CPU: 0 PID: 2991 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0
[ 19.139617] Kernel panic - not syncing: panic_on_warn set ...
[ 19.139617]
[ 19.140359] CPU: 0 PID: 2991 Comm: syzkaller293053 Not tainted 4.14.0-rc5-next-20171018+ #8
[ 19.140931] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[ 19.141544] Call Trace:
[ 19.141731] dump_stack+0x194/0x257
[ 19.141986] ? arch_local_irq_restore+0x53/0x53
[ 19.142303] ? vsnprintf+0x1ed/0x1900
[ 19.142578] panic+0x1e4/0x41c
[ 19.142801] ? refcount_error_report+0x214/0x214
[ 19.143127] ? show_regs_print_info+0x65/0x65
[ 19.143439] ? __warn+0x1a9/0x1e0
[ 19.143693] ? refcount_sub_and_test+0x167/0x1b0
[ 19.144019] __warn+0x1c4/0x1e0
[ 19.144248] ? refcount_sub_and_test+0x167/0x1b0
[ 19.144588] report_bug+0x211/0x2d0
[ 19.144847] fixup_bug+0x40/0x90
[ 19.145113] do_trap+0x260/0x390
[ 19.145356] do_error_trap+0x120/0x390
[ 19.145650] ? do_trap+0x390/0x390
[ 19.145896] ? refcount_sub_and_test+0x167/0x1b0
[ 19.146251] ? vprintk_emit+0x3ea/0x590
[ 19.146617] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 19.146954] do_invalid_op+0x1b/0x20
[ 19.147212] invalid_op+0x18/0x20
[ 19.147485] RIP: 0010:refcount_sub_and_test+0x167/0x1b0
[ 19.147852] RSP: 0018:ffff880039e9e4e0 EFLAGS: 00010282
[ 19.148206] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000
[ 19.148714] RDX: 0000000000000026 RSI: 1ffff100073d3c5c RDI: ffffed00073d3c90
[ 19.149482] RBP: ffff880039e9e570 R08: 0000000000000001 R09: 0000000000000000
[ 19.149986] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff100073d3c9d
[ 19.150489] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff88006a033a3c
[ 19.150999] ? refcount_inc+0x50/0x50
[ 19.151260] ? sctp_outq_free+0x15/0x20
[ 19.151535] ? sctp_do_sm+0x271b/0x6a30
[ 19.151811] ? sctp_primitive_SHUTDOWN+0xa0/0xd0
[ 19.152135] ? sctp_close+0x3c6/0x980
[ 19.152400] ? inet_release+0xed/0x1c0
[ 19.152775] ? inet6_release+0x50/0x70
[ 19.153167] sctp_wfree+0x183/0x620
[ 19.153508] ? __sctp_write_space+0x910/0x910
[ 19.153924] skb_release_head_state+0x124/0x200
[ 19.154356] skb_release_all+0x15/0x60
[ 19.154718] consume_skb+0x153/0x490
[ 19.155062] ? sctp_chunk_put+0x99/0x420
[ 19.155440] ? alloc_skb_with_frags+0x750/0x750
[ 19.155873] ? sctp_chunk_hold+0x20/0x20
[ 19.156256] ? refcount_sub_and_test+0x115/0x1b0
[ 19.156701] ? refcount_inc+0x50/0x50
[ 19.157063] ? mark_held_locks+0xaf/0x100
[ 19.157448] ? sctp_datamsg_put+0x456/0x560
[ 19.157850] sctp_chunk_put+0x29c/0x420
[ 19.158218] ? sctp_chunk_hold+0x20/0x20
[ 19.158594] ? sctp_transport_dst_confirm+0x50/0x50
[ 19.159076] ? sctp_sched_fcfs_dequeue+0x198/0x290
[ 19.159084] ? sctp_sched_dequeue_common+0x5d0/0x5d0
[ 19.159091] ? __free_insn_slot+0x5c0/0x5c0
[ 19.159101] sctp_chunk_free+0x53/0x60
[ 19.159106] __sctp_outq_teardown+0xa5b/0x1230
[ 19.159116] ? sctp_inq_set_th_handler+0x1b0/0x1b0
[ 19.159119] ? __kernel_text_address+0xd/0x40
[ 19.159124] ? unwind_get_return_address+0x61/0xa0
[ 19.159129] ? __save_stack_trace+0x7e/0xd0
[ 19.159137] ? add_lock_to_list.isra.32+0x292/0x39b
[ 19.159143] ? print_lockdep_cache.isra.35+0xe6/0xe6
[ 19.159149] ? check_noncircular+0x20/0x20
[ 19.159152] ? graph_lock+0x170/0x170
[ 19.159157] ? print_irqtrace_events+0x270/0x270
[ 19.159168] ? lock_acquire+0x1d5/0x580
[ 19.159170] ? lock_acquire+0x1d5/0x580
[ 19.159174] ? lock_timer_base+0x1a3/0x2b0
[ 19.159181] ? find_held_lock+0x35/0x1d0
[ 19.159191] ? sock_def_wakeup+0x1f9/0x350
[ 19.159195] ? lock_downgrade+0x990/0x990
[ 19.159201] ? lock_release+0xa40/0xa40
[ 19.159209] sctp_outq_free+0x15/0x20
[ 19.159213] sctp_association_free+0x2d0/0x930
[ 19.159221] ? sctp_asconf_queue_teardown+0x700/0x700
[ 19.159225] ? sock_def_wakeup+0x222/0x350
[ 19.159230] ? sk_dst_check+0x560/0x560
[ 19.159235] ? sctp_association_put+0x74/0x2f0
[ 19.159239] ? sctp_association_hold+0x20/0x20
[ 19.159242] ? print_irqtrace_events+0x270/0x270
[ 19.159253] sctp_do_sm+0x271b/0x6a30
[ 19.159257] ? _raw_spin_unlock_irqrestore+0xa6/0xba
[ 19.159271] ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0
[ 19.159276] ? kasan_slab_free+0x71/0xc0
[ 19.159284] ? print_irqtrace_events+0x270/0x270
[ 19.159291] ? print_irqtrace_events+0x270/0x270
[ 19.159306] ? find_held_lock+0x35/0x1d0
[ 19.159315] ? skb_dequeue+0x12a/0x180
[ 19.159319] ? lock_downgrade+0x990/0x990
[ 19.159326] ? do_raw_spin_trylock+0x190/0x190
[ 19.159333] ? mark_held_locks+0xaf/0x100
[ 19.159342] ? trace_hardirqs_on+0xd/0x10
[ 19.159351] sctp_primitive_SHUTDOWN+0xa0/0xd0
[ 19.159358] sctp_close+0x3c6/0x980
[ 19.159369] ? sctp_apply_peer_addr_params+0xf30/0xf30
[ 19.159372] ? unwind_get_return_address+0x61/0xa0
[ 19.159379] ? check_noncircular+0x20/0x20
[ 19.159385] ? check_noncircular+0x20/0x20
[ 19.159393] ? ipv6_sock_ac_close+0x2e8/0x3e0
[ 19.159399] ? ipv6_sock_mc_close+0x148/0x1a0
[ 19.159404] ? ip_mc_drop_socket+0x1ce/0x230
[ 19.159408] ? __fsnotify_parent+0xb4/0x3a0
[ 19.159416] inet_release+0xed/0x1c0
[ 19.159422] inet6_release+0x50/0x70
[ 19.159427] sock_release+0x8d/0x1e0
[ 19.159432] ? sock_release+0x1e0/0x1e0
[ 19.159435] sock_close+0x16/0x20
[ 19.159439] __fput+0x327/0x7e0
[ 19.159447] ? fput+0x140/0x140
[ 19.159453] ? _raw_spin_unlock_irq+0x27/0x70
[ 19.159461] ____fput+0x15/0x20
[ 19.159465] task_work_run+0x199/0x270
[ 19.159471] ? task_work_cancel+0x210/0x210
[ 19.159476] ? _raw_spin_unlock+0x22/0x30
[ 19.159480] ? switch_task_namespaces+0x87/0xc0
[ 19.159487] do_exit+0x9b5/0x1ad0
[ 19.159495] ? mm_update_next_owner+0x930/0x930
[ 19.159502] ? check_noncircular+0x20/0x20
[ 19.159506] ? check_noncircular+0x20/0x20
[ 19.159508] ? lock_downgrade+0x990/0x990
[ 19.159515] ? do_raw_spin_trylock+0x190/0x190
[ 19.159517] ? mark_held_locks+0xaf/0x100
[ 19.159524] ? reacquire_held_locks+0x1fd/0x3d0
[ 19.159528] ? reacquire_held_locks+0x1fd/0x3d0
[ 19.159534] ? find_held_lock+0x35/0x1d0
[ 19.159543] ? release_sock+0x1d4/0x2a0
[ 19.159548] ? lock_downgrade+0x990/0x990
[ 19.159552] ? check_noncircular+0x20/0x20
[ 19.159557] ? do_raw_spin_trylock+0x190/0x190
[ 19.159561] ? trace_hardirqs_on+0xd/0x10
[ 19.159564] ? __local_bh_enable_ip+0x9d/0x160
[ 19.159568] ? __local_bh_enable_ip+0x9d/0x160
[ 19.159573] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.159576] ? release_sock+0x1d4/0x2a0
[ 19.159579] ? trace_hardirqs_on+0xd/0x10
[ 19.159583] ? __local_bh_enable_ip+0x9d/0x160
[ 19.159590] ? find_held_lock+0x35/0x1d0
[ 19.159599] ? get_signal+0x7ae/0x16d0
[ 19.159603] ? lock_downgrade+0x990/0x990
[ 19.159612] do_group_exit+0x149/0x400
[ 19.159616] ? __lock_is_held+0xb6/0x140
[ 19.159620] ? SyS_exit+0x30/0x30
[ 19.159623] ? _raw_spin_unlock_irq+0x27/0x70
[ 19.159628] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.159635] get_signal+0x73f/0x16d0
[ 19.159645] ? ptrace_notify+0x130/0x130
[ 19.159648] ? inet_autobind+0x1f/0x180
[ 19.159652] ? __local_bh_enable_ip+0x9d/0x160
[ 19.159657] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.159660] ? release_sock+0x1d4/0x2a0
[ 19.159663] ? trace_hardirqs_on+0xd/0x10
[ 19.159667] ? __local_bh_enable_ip+0x9d/0x160
[ 19.159671] ? _raw_spin_unlock_bh+0x30/0x40
[ 19.159675] ? release_sock+0x1d4/0x2a0
[ 19.159682] ? trace_hardirqs_on+0xd/0x10
[ 19.159690] do_signal+0x94/0x1ee0
[ 19.159698] ? inet_sendmsg+0x126/0x5e0
[ 19.159701] ? __might_sleep+0x95/0x190
[ 19.159708] ? setup_sigcontext+0x7d0/0x7d0
[ 19.159712] ? selinux_socket_sendmsg+0x36/0x40
[ 19.159716] ? security_socket_sendmsg+0x89/0xb0
[ 19.159720] ? inet_recvmsg+0x5f0/0x5f0
[ 19.159725] ? sock_sendmsg+0x4f/0x110
[ 19.159728] ? fput+0xd2/0x140
[ 19.159732] ? SYSC_sendto+0x40d/0x5a0
[ 19.159739] ? SYSC_connect+0x470/0x470
[ 19.159748] ? mm_fault_error+0x2c0/0x2c0
[ 19.159752] ? exit_to_usermode_loop+0x8c/0x310
[ 19.159761] exit_to_usermode_loop+0x214/0x310
[ 19.159767] ? trace_event_raw_event_sys_exit+0x260/0x260
[ 19.159773] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.159780] syscall_return_slowpath+0x42f/0x510
[ 19.159784] ? finish_task_switch+0x1f6/0x740
[ 19.159789] ? prepare_exit_to_usermode+0x2d0/0x2d0
[ 19.159795] ? entry_SYSCALL_64_fastpath+0x91/0xbe
[ 19.159800] ? trace_hardirqs_on_caller+0x421/0x5c0
[ 19.159804] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 19.159813] entry_SYSCALL_64_fastpath+0xbc/0xbe
[ 19.159816] RIP: 0033:0x43a989
[ 19.159818] RSP: 002b:00007f1c6f0dadb8 EFLAGS: 00000206 ORIG_RAX: 000000000000002c
[ 19.159822] RAX: 0000000000000001 RBX: 0000000000000000 RCX: 000000000043a989
[ 19.159824] RDX: 0000000000000001 RSI: 00000000203f1000 RDI: 0000000000000003
[ 19.159826] RBP: 0000000000000000 R08: 00000000202cf000 R09: 000000000000001c
[ 19.159827] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
[ 19.159829] R13: 0000000000000000 R14: 00007f1c6f0db9c0 R15: 00007f1c6f0db700
[ 19.160213] Dumping ftrace buffer:
[ 19.160261] (ftrace buffer empty)
[ 19.160263] Kernel Offset: disabled
[ 19.211518] Rebooting in 86400 seconds..