executing program executing program syzkaller login: [ 31.538516] refcount_t: underflow; use-after-free. [ 31.539146] ------------[ cut here ]------------ [ 31.539585] WARNING: CPU: 2 PID: 3008 at lib/refcount.c:186 refcount_sub_and_test+0x167/0x1b0 [ 31.540430] Kernel panic - not syncing: panic_on_warn set ... [ 31.540430] [ 31.541104] CPU: 2 PID: 3008 Comm: syzkaller421131 Not tainted 4.14.0-rc5-next-20171018+ #8 [ 31.555116] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 [ 31.555754] Call Trace: [ 31.555942] dump_stack+0x194/0x257 [ 31.556182] ? arch_local_irq_restore+0x53/0x53 [ 31.556481] ? vsnprintf+0x1ed/0x1900 [ 31.556716] panic+0x1e4/0x41c [ 31.558050] ? refcount_error_report+0x214/0x214 [ 31.558534] ? show_regs_print_info+0x65/0x65 [ 31.558961] ? __warn+0x1a9/0x1e0 [ 31.559285] ? refcount_sub_and_test+0x167/0x1b0 [ 31.559714] __warn+0x1c4/0x1e0 [ 31.560012] ? refcount_sub_and_test+0x167/0x1b0 [ 31.560674] report_bug+0x211/0x2d0 [ 31.561032] fixup_bug+0x40/0x90 [ 31.561341] do_trap+0x260/0x390 [ 31.561655] do_error_trap+0x120/0x390 [ 31.562209] ? vprintk_emit+0x49b/0x590 [ 31.562556] ? do_trap+0x390/0x390 [ 31.562883] ? refcount_sub_and_test+0x167/0x1b0 [ 31.563310] ? vprintk_emit+0x3ea/0x590 [ 31.563801] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 31.564246] do_invalid_op+0x1b/0x20 [ 31.564577] invalid_op+0x18/0x20 [ 31.564993] RIP: 0010:refcount_sub_and_test+0x167/0x1b0 [ 31.565475] RSP: 0018:ffff88003c85e9c8 EFLAGS: 00010282 [ 31.566244] RAX: 0000000000000026 RBX: 0000000000000001 RCX: 0000000000000000 [ 31.566904] RDX: 0000000000000026 RSI: 1ffff1000790bcf9 RDI: ffffed000790bd2d [ 31.567570] RBP: ffff88003c85ea58 R08: 0000000000000001 R09: 0000000000000000 [ 31.568225] R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1000790bd3a [ 31.569133] R13: 00000000ffffff01 R14: 0000000000000100 R15: ffff88006a7e527c [ 31.569813] ? refcount_sub_and_test+0x167/0x1b0 [ 31.570441] ? refcount_inc+0x50/0x50 [ 31.570809] ? sctp_outq_free+0x15/0x20 [ 31.571165] ? sctp_do_sm+0x271b/0x6a30 [ 31.571517] ? sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 31.571943] ? sctp_close+0x3c6/0x980 [ 31.572609] ? inet_release+0xed/0x1c0 [ 31.572985] ? sock_release+0x8d/0x1e0 [ 31.573460] sctp_wfree+0x183/0x620 [ 31.573807] ? __sctp_write_space+0x910/0x910 [ 31.574215] skb_release_head_state+0x124/0x200 [ 31.574748] skb_release_all+0x15/0x60 [ 31.575265] consume_skb+0x153/0x490 [ 31.575608] ? sctp_chunk_put+0x99/0x420 [ 31.575986] ? alloc_skb_with_frags+0x750/0x750 [ 31.576409] ? sctp_chunk_hold+0x20/0x20 [ 31.576775] ? refcount_sub_and_test+0x115/0x1b0 [ 31.577204] ? refcount_inc+0x50/0x50 [ 31.577539] ? mark_held_locks+0xaf/0x100 [ 31.577918] ? sctp_datamsg_put+0x456/0x560 [ 31.578317] sctp_chunk_put+0x29c/0x420 [ 31.578676] ? sctp_chunk_hold+0x20/0x20 [ 31.579040] ? sctp_transport_dst_confirm+0x50/0x50 [ 31.579492] ? sctp_sched_fcfs_dequeue+0x198/0x290 [ 31.579930] ? sctp_sched_dequeue_common+0x5d0/0x5d0 [ 31.580394] sctp_chunk_free+0x53/0x60 [ 31.580751] __sctp_outq_teardown+0xa5b/0x1230 [ 31.582037] ? sctp_inq_set_th_handler+0x1b0/0x1b0 [ 31.582639] ? print_irqtrace_events+0x270/0x270 [ 31.583100] ? print_irqtrace_events+0x270/0x270 [ 31.583545] ? trace_hardirqs_off+0x10/0x10 [ 31.583954] ? __bfs+0xaa/0x750 [ 31.584265] ? __is_insn_slot_addr+0x1fc/0x330 [ 31.584706] ? check_noncircular+0x20/0x20 [ 31.585117] ? default_wake_function+0x30/0x50 [ 31.585555] ? autoremove_wake_function+0x78/0x350 [ 31.586320] ? bpf_prog_kallsyms_find+0xbd/0x440 [ 31.586754] ? find_held_lock+0x35/0x1d0 [ 31.587132] ? find_held_lock+0x35/0x1d0 [ 31.587678] ? sock_def_wakeup+0x1f9/0x350 [ 31.588057] ? lock_downgrade+0x990/0x990 [ 31.588435] ? lock_release+0xa40/0xa40 [ 31.588799] sctp_outq_free+0x15/0x20 [ 31.589142] sctp_association_free+0x2d0/0x930 [ 31.589558] ? sctp_asconf_queue_teardown+0x700/0x700 [ 31.590030] ? sock_def_wakeup+0x222/0x350 [ 31.590403] ? sk_dst_check+0x560/0x560 [ 31.590785] sctp_do_sm+0x271b/0x6a30 [ 31.591141] ? sctp_do_8_2_transport_strike.isra.16+0x8a0/0x8a0 [ 31.591685] ? print_irqtrace_events+0x270/0x270 [ 31.592112] ? __lock_acquire+0x6aa/0x3d50 [ 31.592487] ? debug_check_no_locks_freed+0x3c0/0x3c0 [ 31.592958] ? print_irqtrace_events+0x270/0x270 [ 31.593398] ? find_held_lock+0x35/0x1d0 [ 31.594103] ? skb_dequeue+0x12a/0x180 [ 31.594448] ? lock_downgrade+0x990/0x990 [ 31.594834] ? do_raw_spin_trylock+0x190/0x190 [ 31.595266] ? mark_held_locks+0xaf/0x100 [ 31.595640] ? trace_hardirqs_on+0xd/0x10 [ 31.596026] sctp_primitive_SHUTDOWN+0xa0/0xd0 [ 31.596545] sctp_close+0x3c6/0x980 [ 31.596878] ? sctp_apply_peer_addr_params+0xf30/0xf30 [ 31.597355] ? __lock_acquire+0x6aa/0x3d50 [ 31.598660] ? check_noncircular+0x20/0x20 [ 31.599040] ? check_noncircular+0x20/0x20 [ 31.599829] ? __lock_acquire+0x6aa/0x3d50 [ 31.600212] ? locks_remove_file+0x3fa/0x5a0 [ 31.600614] ? fcntl_setlk+0x10c0/0x10c0 [ 31.600976] ? __fsnotify_parent+0xb4/0x3a0 [ 31.601364] ? ip_mc_drop_socket+0x1ce/0x230 [ 31.601773] inet_release+0xed/0x1c0 [ 31.602113] sock_release+0x8d/0x1e0 [ 31.602450] ? sock_release+0x1e0/0x1e0 [ 31.602811] sock_close+0x16/0x20 [ 31.603124] __fput+0x327/0x7e0 [ 31.603428] ? fput+0x140/0x140 [ 31.603732] ? _raw_spin_unlock_irq+0x27/0x70 [ 31.604134] ____fput+0x15/0x20 [ 31.604427] task_work_run+0x199/0x270 [ 31.604784] ? task_work_cancel+0x210/0x210 [ 31.605163] ? __do_page_fault+0x3d6/0xd60 [ 31.605553] get_signal+0x1343/0x16d0 [ 31.612627] ? mm_fault_error+0x2c0/0x2c0 [ 31.612997] ? check_noncircular+0x20/0x20 [ 31.613377] ? ptrace_notify+0x130/0x130 [ 31.613739] ? check_noncircular+0x20/0x20 [ 31.614119] ? __do_page_fault+0xd60/0xd60 [ 31.614495] ? do_page_fault+0xee/0x720 [ 31.614866] ? lock_downgrade+0x990/0x990 [ 31.615226] ? __do_page_fault+0xd60/0xd60 [ 31.615590] ? do_raw_spin_trylock+0x190/0x190 [ 31.616000] ? check_noncircular+0x20/0x20 [ 31.617174] ? find_held_lock+0x35/0x1d0 [ 31.617528] ? retint_kernel+0x10/0x10 [ 31.617892] do_signal+0x94/0x1ee0 [ 31.618225] ? put_unused_fd+0x62/0x70 [ 31.618578] ? lock_downgrade+0x990/0x990 [ 31.618956] ? setup_sigcontext+0x7d0/0x7d0 [ 31.619354] ? do_raw_spin_trylock+0x190/0x190 [ 31.619768] ? __put_unused_fd+0x183/0x250 [ 31.620260] ? alloc_fdtable+0x280/0x280 [ 31.620753] ? cpumask_weight.constprop.1+0x48/0x48 [ 31.621195] ? _copy_to_user+0xa2/0xc0 [ 31.621553] ? _raw_spin_unlock+0x22/0x30 [ 31.622045] ? fput+0xd2/0x140 [ 31.622333] ? SYSC_accept4+0x4ec/0x850 [ 31.622699] ? exit_to_usermode_loop+0x8c/0x310 [ 31.623119] exit_to_usermode_loop+0x214/0x310 [ 31.623532] ? trace_event_raw_event_sys_exit+0x260/0x260 [ 31.624031] ? __do_page_fault+0xd60/0xd60 [ 31.624408] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.625047] syscall_return_slowpath+0x42f/0x510 [ 31.625472] ? finish_task_switch+0x1f6/0x740 [ 31.625892] ? prepare_exit_to_usermode+0x2d0/0x2d0 [ 31.626339] ? entry_SYSCALL_64_fastpath+0x91/0xbe [ 31.626875] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 31.627323] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 31.627753] entry_SYSCALL_64_fastpath+0xbc/0xbe [ 31.628183] RIP: 0033:0x43c7b9 [ 31.628465] RSP: 002b:00007f7cc45d5db8 EFLAGS: 00000206 ORIG_RAX: 0000000000000120 [ 31.629151] RAX: fffffffffffffff2 RBX: 0000000000000000 RCX: 000000000043c7b9 [ 31.629939] RDX: 0000000020137ffc RSI: 0000000020b53ff0 RDI: 0000000000000003 [ 31.630578] RBP: 0000000000000000 R08: 00007f7cc45d6700 R09: 0000000000000000 [ 31.631218] R10: 0000000000080000 R11: 0000000000000206 R12: 0000000000000000 [ 31.631847] R13: 0000000000000000 R14: 00007f7cc45d69c0 R15: 00007f7cc45d6700 [ 31.633836] Dumping ftrace buffer: [ 31.634260] (ftrace buffer empty) [ 31.634591] Kernel Offset: disabled [ 31.634928] Rebooting in 86400 seconds..