
Debian GNU/Linux 7 syzkaller ttyS0

executing program
syzkaller login: [   15.391635] refcount_t: underflow; use-after-free.
[   15.392278] ------------[ cut here ]------------
[   15.392697] WARNING: CPU: 1 PID: 2987 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0
[   15.393327] Kernel panic - not syncing: panic_on_warn set ...
[   15.393327] 
[   15.394075] CPU: 1 PID: 2987 Comm: syzkaller543129 Not tainted 4.14.0-rc5-next-20171018+ #8
[   15.396495] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
[   15.397346] Call Trace:
[   15.397625]  dump_stack+0x194/0x257
[   15.398009]  ? arch_local_irq_restore+0x53/0x53
[   15.398501]  ? vsnprintf+0x1ed/0x1900
[   15.398919]  panic+0x1e4/0x41c
[   15.399265]  ? refcount_error_report+0x214/0x214
[   15.399766]  ? show_regs_print_info+0x65/0x65
[   15.400245]  ? __warn+0x1a9/0x1e0
[   15.400612]  ? refcount_sub_and_test+0x167/0x1b0
[   15.401111]  __warn+0x1c4/0x1e0
[   15.401466]  ? refcount_sub_and_test+0x167/0x1b0
[   15.401966]  report_bug+0x211/0x2d0
[   15.402358]  fixup_bug+0x40/0x90
[   15.402725]  do_trap+0x260/0x390
[   15.403344]  do_error_trap+0x120/0x390
[   15.403772]  ? do_trap+0x390/0x390
[   15.404137]  ? refcount_sub_and_test+0x167/0x1b0
[   15.404630]  ? vprintk_emit+0x3ea/0x590
[   15.405056]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   15.405527]  do_invalid_op+0x1b/0x20
[   15.405813]  invalid_op+0x18/0x20
[   15.406078] RIP: 0010:refcount_sub_and_test+0x167/0x1b0
[   15.406438] RSP: 0018:ffff880067e764e0 EFLAGS: 00010282
[   15.406831] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000
[   15.416139] RDX: 0000000000000026 RSI: 1ffff1000cfcec5c RDI: ffffed000cfcec90
[   15.416895] RBP: ffff880067e76570 R08: 0000000000000001 R09: 0000000000000000
[   15.417650] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000cfcec9d
[   15.418395] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff8800690aca3c
[   15.419215]  ? refcount_inc+0x50/0x50
[   15.419609]  ? sctp_outq_free+0x15/0x20
[   15.420020]  ? sctp_do_sm+0x271b/0x6a30
[   15.420404]  ? sctp_primitive_SHUTDOWN+0xa0/0xd0
[   15.420863]  ? sctp_close+0x3c6/0x980
[   15.421233]  ? inet_release+0xed/0x1c0
[   15.421611]  ? inet6_release+0x50/0x70
[   15.421991]  sctp_wfree+0x183/0x620
[   15.422339]  ? __sctp_write_space+0x910/0x910
[   15.422783]  skb_release_head_state+0x124/0x200
[   15.426269]  skb_release_all+0x15/0x60
[   15.426696]  consume_skb+0x153/0x490
[   15.427101]  ? sctp_chunk_put+0x99/0x420
[   15.427526]  ? alloc_skb_with_frags+0x750/0x750
[   15.428025]  ? sctp_chunk_hold+0x20/0x20
[   15.428460]  ? refcount_sub_and_test+0x115/0x1b0
[   15.428966]  ? refcount_inc+0x50/0x50
[   15.429359]  ? mark_held_locks+0xaf/0x100
[   15.429802]  ? sctp_datamsg_put+0x456/0x560
[   15.431313]  sctp_chunk_put+0x29c/0x420
[   15.431688]  ? sctp_chunk_hold+0x20/0x20
[   15.432071]  ? sctp_transport_dst_confirm+0x50/0x50
[   15.432538]  ? sctp_sched_fcfs_dequeue+0x198/0x290
[   15.432993]  ? sctp_sched_dequeue_common+0x5d0/0x5d0
[   15.433459]  ? __free_insn_slot+0x5c0/0x5c0
[   15.433862]  sctp_chunk_free+0x53/0x60
[   15.434220]  __sctp_outq_teardown+0xa5b/0x1230
[   15.434644]  ? sctp_inq_set_th_handler+0x1b0/0x1b0
[   15.435249]  ? __kernel_text_address+0xd/0x40
[   15.435721]  ? unwind_get_return_address+0x61/0xa0
[   15.436161]  ? __save_stack_trace+0x7e/0xd0
[   15.436556]  ? add_lock_to_list.isra.32+0x292/0x39b
[   15.437010]  ? print_lockdep_cache.isra.35+0xe6/0xe6
[   15.437471]  ? check_noncircular+0x20/0x20
[   15.437850]  ? graph_lock+0x170/0x170
[   15.438195]  ? print_irqtrace_events+0x270/0x270
[   15.438634]  ? lock_acquire+0x1d5/0x580
[   15.439034]  ? lock_acquire+0x1d5/0x580
[   15.439394]  ? lock_timer_base+0x1a3/0x2b0
[   15.439781]  ? find_held_lock+0x35/0x1d0
[   15.440158]  ? sock_def_wakeup+0x1f9/0x350
[   15.440543]  ? lock_downgrade+0x990/0x990
[   15.440924]  ? lock_release+0xa40/0xa40
[   15.441293]  sctp_outq_free+0x15/0x20
[   15.441642]  sctp_association_free+0x2d0/0x930
[   15.442068]  ? sctp_asconf_queue_teardown+0x700/0x700
[   15.442545]  ? sock_def_wakeup+0x222/0x350
[   15.442981]  ? sk_dst_check+0x560/0x560
[   15.443372]  ? sctp_association_put+0x74/0x2f0
[   15.443779]  ? sctp_association_hold+0x20/0x20
[   15.444186]  ? __lock_acquire+0x6aa/0x3d50
[   15.444571]  sctp_do_sm+0x271b/0x6a30
[   15.444930]  ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0
[   15.445468]  ? __lock_acquire+0x6aa/0x3d50
[   15.445851]  ? print_irqtrace_events+0x270/0x270
[   15.446287]  ? print_irqtrace_events+0x270/0x270
[   15.446708]  ? debug_check_no_locks_freed+0x3c0/0x3c0
[   15.447197]  ? find_held_lock+0x35/0x1d0
[   15.447564]  ? skb_dequeue+0x12a/0x180
[   15.447907]  ? lock_downgrade+0x990/0x990
[   15.448277]  ? do_raw_spin_trylock+0x190/0x190
[   15.448686]  ? mark_held_locks+0xaf/0x100
[   15.449061]  ? trace_hardirqs_on+0xd/0x10
[   15.449434]  sctp_primitive_SHUTDOWN+0xa0/0xd0
[   15.449844]  sctp_close+0x3c6/0x980
[   15.450197]  ? sctp_apply_peer_addr_params+0xf30/0xf30
[   15.450704]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   15.451197]  ? trace_hardirqs_on+0xd/0x10
[   15.451566]  ? rcu_process_callbacks+0x17d0/0x17d0
[   15.451994]  ? ipv6_sock_ac_close+0x2e8/0x3e0
[   15.452389]  ? ipv6_sock_mc_close+0x148/0x1a0
[   15.452784]  ? ip_mc_drop_socket+0x1ce/0x230
[   15.453173]  ? __fsnotify_parent+0xb4/0x3a0
[   15.453557]  inet_release+0xed/0x1c0
[   15.453889]  inet6_release+0x50/0x70
[   15.454242]  sock_release+0x8d/0x1e0
[   15.454585]  ? sock_release+0x1e0/0x1e0
[   15.455835]  sock_close+0x16/0x20
[   15.456157]  __fput+0x327/0x7e0
[   15.456468]  ? fput+0x140/0x140
[   15.456776]  ? trace_event_raw_event_sched_switch+0x8a0/0x8a0
[   15.457321]  ____fput+0x15/0x20
[   15.457626]  task_work_run+0x199/0x270
[   15.457987]  ? task_work_cancel+0x210/0x210
[   15.458400]  ? free_nsproxy+0x185/0x1f0
[   15.458785]  ? switch_task_namespaces+0xa2/0xc0
[   15.459237]  do_exit+0x9b5/0x1ad0
[   15.459547]  ? find_held_lock+0x35/0x1d0
[   15.459916]  ? mm_update_next_owner+0x930/0x930
[   15.460337]  ? release_sock+0x1d4/0x2a0
[   15.460698]  ? lock_downgrade+0x990/0x990
[   15.461074]  ? lock_downgrade+0x990/0x990
[   15.461453]  ? do_raw_spin_trylock+0x190/0x190
[   15.461869]  ? trace_hardirqs_on+0xd/0x10
[   15.462247]  ? __local_bh_enable_ip+0x9d/0x160
[   15.462667]  ? __local_bh_enable_ip+0x9d/0x160
[   15.463122]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   15.463575]  ? release_sock+0x1d4/0x2a0
[   15.463933]  ? trace_hardirqs_on+0xd/0x10
[   15.464309]  ? __local_bh_enable_ip+0x9d/0x160
[   15.464723]  ? _raw_spin_unlock_bh+0x30/0x40
[   15.465122]  ? release_sock+0x1d4/0x2a0
[   15.465486]  ? sctp_shutdown+0x2d0/0x2d0
[   15.465885]  ? __release_sock+0x360/0x360
[   15.466287]  ? sctp_primitive_SEND+0xa0/0xd0
[   15.466668]  ? check_noncircular+0x20/0x20
[   15.467079]  ? sctp_sendmsg+0x570/0x32b0
[   15.467450]  ? sctp_id2assoc+0x390/0x390
[   15.467811]  ? find_held_lock+0x35/0x1d0
[   15.468176]  ? get_signal+0x7ae/0x16d0
[   15.468518]  ? lock_downgrade+0x990/0x990
[   15.468889]  do_group_exit+0x149/0x400
[   15.469233]  ? __lock_is_held+0xb6/0x140
[   15.469591]  ? SyS_exit+0x30/0x30
[   15.469898]  ? _raw_spin_unlock_irq+0x27/0x70
[   15.470297]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   15.470742]  get_signal+0x73f/0x16d0
[   15.471115]  ? ptrace_notify+0x130/0x130
[   15.471473]  ? inet_sendmsg+0x11f/0x5e0
[   15.471825]  ? inet_sendmsg+0x126/0x5e0
[   15.472176]  ? rcu_pm_notify+0xc0/0xc0
[   15.472535]  ? ___sys_sendmsg+0x49a/0x890
[   15.473208]  ? rcu_read_lock_sched_held+0x108/0x120
[   15.473687]  ? kfree+0x1e7/0x250
[   15.473992]  ? ___sys_sendmsg+0x49f/0x890
[   15.474366]  do_signal+0x94/0x1ee0
[   15.474687]  ? __do_page_fault+0x64c/0xd60
[   15.475082]  ? lock_downgrade+0x990/0x990
[   15.475461]  ? setup_sigcontext+0x7d0/0x7d0
[   15.475884]  ? exit_to_usermode_loop+0x8c/0x310
[   15.476308]  exit_to_usermode_loop+0x214/0x310
[   15.476716]  ? __sys_sendmsg+0x13b/0x210
[   15.477085]  ? trace_event_raw_event_sys_exit+0x260/0x260
[   15.477587]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   15.478046]  syscall_return_slowpath+0x42f/0x510
[   15.478474]  ? finish_task_switch+0x1f6/0x740
[   15.478923]  ? prepare_exit_to_usermode+0x2d0/0x2d0
[   15.479385]  ? entry_SYSCALL_64_fastpath+0x91/0xbe
[   15.479831]  ? trace_hardirqs_on_caller+0x421/0x5c0
[   15.480290]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   15.480727]  entry_SYSCALL_64_fastpath+0xbc/0xbe
[   15.481249] RIP: 0033:0x43aff9
[   15.482045] RSP: 002b:00007f45c5655db8 EFLAGS: 00000206 ORIG_RAX: 000000000000002e
[   15.482934] RAX: 000000000000000e RBX: 0000000000000000 RCX: 000000000043aff9
[   15.483607] RDX: 0000000000040000 RSI: 0000000020ee7000 RDI: 0000000000000003
[   15.484281] RBP: 0000000000000000 R08: 00007f45c5656700 R09: 0000000000000000
[   15.484992] R10: 00007f45c5656700 R11: 0000000000000206 R12: 0000000000000000
[   15.485675] R13: 0000000000000000 R14: 00007f45c56569c0 R15: 00007f45c5656700
[   15.489034] Dumping ftrace buffer:
[   15.489457]    (ftrace buffer empty)
[   15.489792] Kernel Offset: disabled
[   15.490133] Rebooting in 86400 seconds..