[....] Starting enhanced syslogd: rsyslogd [ ok ].
[ 45.605308][ T25] audit: type=1800 audit(1575184203.820:25): pid=8177 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 45.624838][ T25] audit: type=1800 audit(1575184203.820:26): pid=8177 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 45.671090][ T25] audit: type=1800 audit(1575184203.820:27): pid=8177 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.224' (ECDSA) to the list of known hosts.
2019/12/01 07:10:16 parsed 1 programs
2019/12/01 07:10:17 executed programs: 0
syzkaller login: [ 59.529705][ T8345] IPVS: ftp: loaded support on port[0] = 21
[ 59.595942][ T8345] chnl_net:caif_netlink_parms(): no params data found
[ 59.622186][ T8345] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.630259][ T8345] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.639102][ T8345] device bridge_slave_0 entered promiscuous mode
[ 59.647569][ T8345] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.654671][ T8345] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.662884][ T8345] device bridge_slave_1 entered promiscuous mode
[ 59.678632][ T8345] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 59.689343][ T8345] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 59.706672][ T8345] team0: Port device team_slave_0 added
[ 59.714456][ T8345] team0: Port device team_slave_1 added
[ 59.779717][ T8345] device hsr_slave_0 entered promiscuous mode
[ 59.817794][ T8345] device hsr_slave_1 entered promiscuous mode
[ 59.880894][ T8345] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 59.940184][ T8345] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 59.999685][ T8345] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 60.039686][ T8345] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 60.088271][ T8345] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.095420][ T8345] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 60.103413][ T8345] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.110517][ T8345] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 60.140850][ T8345] 8021q: adding VLAN 0 to HW filter on device bond0
[ 60.153728][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 60.175240][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 60.194605][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 60.203937][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 60.216235][ T8345] 8021q: adding VLAN 0 to HW filter on device team0
[ 60.226712][ T3694] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 60.235793][ T3694] bridge0: port 1(bridge_slave_0) entered blocking state
[ 60.242936][ T3694] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 60.265459][ T8345] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 60.276850][ T8345] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 60.291302][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 60.300782][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 60.308020][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 60.316627][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 60.325538][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 60.334243][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 60.343091][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 60.351517][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 60.359621][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 60.376477][ T8345] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 60.386817][ T8347] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 60.394823][ T8347] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
2019/12/01 07:10:22 executed programs: 204
[ 64.675113][ T9172] ------------[ cut here ]------------
[ 64.680960][ T9172] refcount_t: underflow; use-after-free.
[ 64.690848][ T9172] WARNING: CPU: 0 PID: 9172 at lib/refcount.c:28 refcount_warn_saturate+0x165/0x1b0
[ 64.700476][ T9172] Kernel panic - not syncing: panic_on_warn set ...
[ 64.707061][ T9172] CPU: 0 PID: 9172 Comm: syz-executor.0 Not tainted 5.4.0-syzkaller #0
[ 64.715342][ T9172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.725387][ T9172] Call Trace:
[ 64.728829][ T9172] dump_stack+0x1fb/0x318
[ 64.733187][ T9172] panic+0x264/0x7a9
[ 64.737067][ T9172] ? __warn+0x105/0x210
[ 64.741242][ T9172] ? refcount_warn_saturate+0x165/0x1b0
[ 64.746769][ T9172] __warn+0x20e/0x210
[ 64.750730][ T9172] ? refcount_warn_saturate+0x165/0x1b0
[ 64.756251][ T9172] report_bug+0x1b6/0x2f0
[ 64.760556][ T9172] ? refcount_warn_saturate+0x165/0x1b0
[ 64.766089][ T9172] do_error_trap+0xd7/0x440
[ 64.770576][ T9172] do_invalid_op+0x36/0x40
[ 64.774967][ T9172] ? refcount_warn_saturate+0x165/0x1b0
[ 64.780578][ T9172] invalid_op+0x23/0x30
[ 64.784718][ T9172] RIP: 0010:refcount_warn_saturate+0x165/0x1b0
[ 64.790957][ T9172] Code: c7 28 7b c8 88 31 c0 e8 99 1b ba fd 0f 0b eb 83 e8 40 02 e8 fd c6 05 db 3e b1 05 01 48 c7 c7 54 7b c8 88 31 c0 e8 7b 1b ba fd <0f> 0b e9 62 ff ff ff e8 1f 02 e8 fd c6 05 bb 3e b1 05 01 48 c7 c7
[ 64.810544][ T9172] RSP: 0018:ffff888087cdfca8 EFLAGS: 00010246
[ 64.816591][ T9172] RAX: ef690df9a7bff700 RBX: 0000000000000003 RCX: ffff888098f02200
[ 64.824539][ T9172] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[ 64.832502][ T9172] RBP: ffff888087cdfcb8 R08: ffffffff815fa274 R09: ffffed1015d465d8
[ 64.840549][ T9172] R10: ffffed1015d465d8 R11: 0000000000000000 R12: ffff8880a5cc4b40
[ 64.848497][ T9172] R13: dffffc0000000000 R14: 0000000000000003 R15: dffffc0000000000
[ 64.856467][ T9172] ? vprintk_emit+0x2d4/0x3a0
[ 64.861132][ T9172] ? refcount_warn_saturate+0x165/0x1b0
[ 64.866655][ T9172] smc_release+0x37c/0x3f0
[ 64.871073][ T9172] sock_close+0xe1/0x260
[ 64.875290][ T9172] ? sock_mmap+0xa0/0xa0
[ 64.879520][ T9172] __fput+0x2e4/0x740
[ 64.883483][ T9172] ____fput+0x15/0x20
[ 64.887442][ T9172] task_work_run+0x17e/0x1b0
[ 64.892013][ T9172] prepare_exit_to_usermode+0x483/0x5b0
[ 64.897539][ T9172] syscall_return_slowpath+0x113/0x4a0
[ 64.902983][ T9172] do_syscall_64+0x11f/0x1c0
[ 64.907573][ T9172] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.913461][ T9172] RIP: 0033:0x414211
[ 64.917360][ T9172] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 64.937134][ T9172] RSP: 002b:00007ffef77f1400 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 64.945524][ T9172] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000414211
[ 64.953574][ T9172] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 64.961523][ T9172] RBP: 0000000000000000 R08: ffffffffffffffff R09: ffffffffffffffff
[ 64.969478][ T9172] R10: 00007ffef77f14e0 R11: 0000000000000293 R12: 000000000075bfc8
[ 64.977427][ T9172] R13: 000000000000fc8a R14: 0000000000760458 R15: 000000000075bfd4
[ 64.987287][ T9172] Kernel Offset: disabled
[ 64.991716][ T9172] Rebooting in 86400 seconds..