------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 17799 at lib/refcount.c:187 refcount_sub_and_test_checked+0x2c9/0x310 lib/refcount.c:187 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 17799 Comm: syz-executor0 Not tainted 4.19.0-rc5+ #156 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113 panic+0x238/0x4e7 kernel/panic.c:184 __warn.cold.8+0x163/0x1ba kernel/panic.c:536 report_bug+0x254/0x2d0 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993 RIP: 0010:refcount_sub_and_test_checked+0x2c9/0x310 lib/refcount.c:187 Code: 89 de e8 3a 88 ef fd 84 db 74 07 31 db e9 4d ff ff ff e8 5a 87 ef fd 48 c7 c7 80 83 44 88 c6 05 e3 7e 91 06 01 e8 e7 6d b9 fd <0f> 0b 31 db e9 2c ff ff ff 48 89 cf e8 f6 ef 32 fe e9 41 fe ff ff RSP: 0018:ffff8801dac075a0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000100 RSI: ffffffff81650cb5 RDI: 0000000000000005 RBP: ffff8801dac07688 R08: ffff8801d26623c0 R09: ffffed003b583ee2 R10: ffffed003b583ee2 R11: ffff8801dac1f717 R12: ffff8801b949c960 R13: 00000000ffffffff R14: ffff8801dac07660 R15: ffff8801b855e6c8 refcount_dec_and_test_checked+0x1a/0x20 lib/refcount.c:212 sctp_transport_put+0x76/0x1f0 net/sctp/transport.c:339 sctp_generate_heartbeat_event+0x187/0x480 net/sctp/sm_sideeffect.c:416 call_timer_fn+0x272/0x920 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers+0x7e5/0xc70 kernel/time/timer.c:1682 run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1695 __do_softirq+0x30b/0xad8 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x17f/0x1c0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x1cb/0x760 arch/x86/kernel/apic/apic.c:1056 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:864 RIP: 0010:update_stack_state+0x529/0x690 arch/x86/kernel/unwind_frame.c:262 kobject: 'loop1' (0000000030db5e4f): kobject_uevent_env Code: 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 26 01 00 00 48 8b 85 30 ff ff ff 49 c7 46 50 00 00 00 00 <49> 89 46 38 4c 8d 60 08 e9 b6 fd ff ff e8 c5 fb 8b 00 e9 60 fb ff RSP: 0018:ffff8801cd83edb0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: ffff8801cd83f070 RBX: ffff8801cd83f070 RCX: 1ffff10039b07e00 RDX: 1ffff10039b07e03 RSI: ffff8801cd83f080 RDI: ffff8801cd83f018 RBP: ffff8801cd83eeb8 R08: ffff8801cd83f018 R09: ffff8801d26623c0 R10: ffffed0039b07e06 R11: ffff8801cd83f037 R12: dffffc0000000000 R13: ffff8801cd83efd0 R14: ffff8801cd83efe0 R15: ffff8801cd83f020 unwind_next_frame.part.7+0x1ae/0x9e0 arch/x86/kernel/unwind_frame.c:329 unwind_next_frame+0x3e/0x50 arch/x86/kernel/unwind_frame.c:287 __save_stack_trace+0x7d/0xf0 arch/x86/kernel/stacktrace.c:44 save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60 save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620 kmalloc include/linux/slab.h:513 [inline] kzalloc include/linux/slab.h:707 [inline] sctp_add_bind_addr+0x101/0x4b0 net/sctp/bind_addr.c:159 sctp_copy_local_addr_list+0x497/0x690 net/sctp/protocol.c:180 sctp_copy_one_addr+0x5d/0x170 net/sctp/bind_addr.c:449 sctp_bind_addr_copy+0x173/0x47c net/sctp/bind_addr.c:71 sctp_assoc_set_bind_addr_from_ep+0x165/0x1c0 net/sctp/associola.c:1600 sctp_sendmsg_new_asoc+0x3c2/0x11f0 net/sctp/socket.c:1746 kobject: 'loop1' (0000000030db5e4f): fill_kobj_path: path = '/devices/virtual/block/loop1' sctp_sendmsg+0x18d9/0x1dd0 net/sctp/socket.c:2103 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:631 __sys_sendto+0x3d7/0x670 net/socket.c:1788 kobject: 'loop3' (00000000585f5d58): kobject_uevent_env __do_sys_sendto net/socket.c:1800 [inline] __se_sys_sendto net/socket.c:1796 [inline] __ia32_sys_sendto+0xdf/0x1a0 net/socket.c:1796 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline] do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f75ca9 Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f5f710cc EFLAGS: 00000296 ORIG_RAX: 0000000000000171 RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 0000000020000080 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 000000002005ffe4 RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Kernel Offset: disabled Rebooting in 86400 seconds..