Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '[localhost]:37952' (ECDSA) to the list of known hosts.
syzkaller login: [ 116.618986][ T40] kauditd_printk_skb: 7 callbacks suppressed
[ 116.619017][ T40] audit: type=1400 audit(1584459425.908:42): avc: denied { map } for pid=8993 comm="syz-executor295" path="/syz-executor295538224" dev="sda1" ino=16526 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 116.739040][ T8994] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 116.863258][ T8994] netlink: 16 bytes leftover after parsing attributes in process `syz-executor295'.
[ 117.054620][ C2] ------------[ cut here ]------------
[ 117.067734][ C2] refcount_t: underflow; use-after-free.
[ 117.083095][ C2] WARNING: CPU: 2 PID: 22 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0
[ 117.089079][ C2] Kernel panic - not syncing: panic_on_warn set ...
[ 117.089079][ C2] CPU: 2 PID: 22 Comm: ksoftirqd/2 Not tainted 5.6.0-rc6-syzkaller #0
[ 117.089079][ C2] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 117.089079][ C2] Call Trace:
[ 117.089079][ C2]  dump_stack+0x188/0x20d
[ 117.089079][ C2]  ? refcount_warn_saturate+0x170/0x1e0
[ 117.089079][ C2]  panic+0x2e3/0x75c
[ 117.089079][ C2]  ? add_taint.cold+0x16/0x16
[ 117.089079][ C2]  ? __probe_kernel_read+0x188/0x1d0
[ 117.089079][ C2]  ? __warn.cold+0x14/0x35
[ 117.089079][ C2]  ? __warn+0xd5/0x1c8
[ 117.089079][ C2]  ? refcount_warn_saturate+0x1d1/0x1e0
[ 117.089079][ C2]  __warn.cold+0x2f/0x35
[ 117.089079][ C2]  ? refcount_warn_saturate+0x1d1/0x1e0
[ 117.089079][ C2]  report_bug+0x27b/0x2f0
[ 117.089079][ C2]  do_error_trap+0x12b/0x220
[ 117.089079][ C2]  ? refcount_warn_saturate+0x1d1/0x1e0
[ 117.089079][ C2]  do_invalid_op+0x32/0x40
[ 117.089079][ C2]  ? refcount_warn_saturate+0x1d1/0x1e0
[ 117.089079][ C2]  invalid_op+0x23/0x30
[ 117.089079][ C2] RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0
[ 117.089079][ C2] Code: e9 db fe ff ff 48 89 df e8 0c 06 20 fe e9 8a fe ff ff e8 d2 47 e3 fd 48 c7 c7 00 aa 51 88 c6 05 24 4e d2 06 01 e8 b7 58 b5 fd <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
[ 117.089079][ C2] RSP: 0018:ffffc90000517c18 EFLAGS: 00010282
[ 117.089079][ C2] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 117.089079][ C2] RDX: 0000000000000100 RSI: ffffffff815c06c1 RDI: fffff520000a2f75
[ 117.089079][ C2] RBP: 0000000000000003 R08: ffff88802c7506c0 R09: 0000000000000000
[ 117.089079][ C2] R10: 0000000000000000 R11: 0000000000000000 R12: ffff888000598000
[ 117.089079][ C2] R13: ffff888021fa0040 R14: ffff888021fa0044 R15: ffff88802c7506c0
[ 117.089079][ C2]  ? vprintk_func+0x81/0x17e
[ 117.089079][ C2]  ? refcount_warn_saturate+0x1d1/0x1e0
[ 117.089079][ C2]  __sk_destruct+0x696/0x7c0
[ 117.089079][ C2]  sk_destruct+0xc6/0x100
[ 117.089079][ C2]  __sk_free+0xef/0x3d0
[ 117.089079][ C2]  sk_free+0x78/0xa0
[ 117.089079][ C2]  deferred_put_nlk_sk+0x151/0x2e0
[ 117.089079][ C2]  rcu_core+0x5a4/0x12d0
[ 117.089079][ C2]  ? __rcu_read_unlock+0x700/0x700
[ 117.089079][ C2]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 117.089079][ C2]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 117.089079][ C2]  __do_softirq+0x26c/0x99d
[ 117.089079][ C2]  ? takeover_tasklets+0x810/0x810
[ 117.089079][ C2]  run_ksoftirqd+0x89/0x100
[ 117.089079][ C2]  smpboot_thread_fn+0x653/0x9e0
[ 117.089079][ C2]  ? __smpboot_create_thread.part.0+0x340/0x340
[ 117.089079][ C2]  ? __kthread_parkme+0x10a/0x1c0
[ 117.089079][ C2]  ? __smpboot_create_thread.part.0+0x340/0x340
[ 117.089079][ C2]  kthread+0x357/0x430
[ 117.089079][ C2]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 117.089079][ C2]  ret_from_fork+0x24/0x30
[ 117.089079][ C2] Kernel Offset: disabled
[ 117.089079][ C2] Rebooting in 86400 seconds..