------------[ cut here ]------------
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 0 PID: 25991 at lib/refcount.c:156 refcount_inc_checked+0x4b/0x50 /lib/refcount.c:156
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 25991 Comm: syz-executor.3 Not tainted 5.2.0+ #35
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x2f8 /lib/dump_stack.c:113
 panic+0x29b/0x7d9 /kernel/panic.c:219
 __warn+0x22f/0x230 /kernel/panic.c:576
 report_bug+0x190/0x290 /lib/bug.c:186
 fixup_bug /arch/x86/kernel/traps.c:179 [inline]
 do_error_trap+0xd7/0x440 /arch/x86/kernel/traps.c:272
 do_invalid_op+0x36/0x40 /arch/x86/kernel/traps.c:291
 invalid_op+0x14/0x20 /arch/x86/entry/entry_64.S:1008
RIP: 0010:refcount_inc_checked+0x4b/0x50 /lib/refcount.c:156
Code: 3d cf cc 93 05 01 75 08 e8 82 f7 10 fe 5b 5d c3 e8 7a f7 10 fe c6 05 b9 cc 93 05 01 48 c7 c7 69 23 88 88 31 c0 e8 b5 12 e2 fd <0f> 0b eb df 90 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0
RSP: 0018:ffff8880aea09b40 EFLAGS: 00010246
RAX: 9250692a0cdbc600 RBX: ffff88805c7a2580 RCX: ffff888091c3c1c0
RDX: 0000000000000301 RSI: 0000000000000301 RDI: 0000000000000000
RBP: ffff8880aea09b48 R08: ffffffff81604d94 R09: fffffbfff13bc2c2
R10: fffffbfff13bc2c2 R11: 0000000000000000 R12: ffff8880a865f2c0
R13: dffffc0000000000 R14: 0000000000000004 R15: ffff88805c7a2500
 sock_hold /./include/net/sock.h:649 [inline]
 sk_add_node /./include/net/sock.h:701 [inline]
 nr_insert_socket /net/netrom/af_netrom.c:137 [inline]
 nr_rx_frame+0x17bc/0x1e40 /net/netrom/af_netrom.c:1023
 nr_loopback_timer+0x6a/0x140 /net/netrom/nr_loopback.c:59
 call_timer_fn+0xec/0x200 /kernel/time/timer.c:1322
 expire_timers /kernel/time/timer.c:1366 [inline]
 __run_timers+0x7cd/0x9c0 /kernel/time/timer.c:1685
 run_timer_softirq+0x4a/0x90 /kernel/time/timer.c:1698
 __do_softirq+0x333/0x7c4 /./arch/x86/include/asm/paravirt.h:777
 invoke_softirq /kernel/softirq.c:373 [inline]
 irq_exit+0x227/0x230 /kernel/softirq.c:413
 exiting_irq /./arch/x86/include/asm/apic.h:537 [inline]
 smp_apic_timer_interrupt+0x113/0x280 /arch/x86/kernel/apic/apic.c:1095
 apic_timer_interrupt+0xf/0x20 /arch/x86/entry/entry_64.S:828
RIP: 0010:get_current /./arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x4/0x50 /kernel/kcov.c:101
Code: 84 00 00 00 00 00 55 48 89 e5 53 48 89 fb e8 13 00 00 00 48 8b 3d 94 0f 86 07 48 89 de e8 44 2b 3a 00 5b 5d c3 90 48 8b 04 24 <65> 48 8b 0c 25 40 fd 01 00 65 8b 15 d8 38 8a 7e f7 c2 00 01 1f 00
RSP: 0018:ffff88808f157938 EFLAGS: 00000283 ORIG_RAX: ffffffffffffff13
RAX: ffffffff81c8f215 RBX: ffff888095adcd18 RCX: 0000000000040000
RDX: ffffc9000c590000 RSI: 00000000000001f0 RDI: ffffffff88c12700
RBP: ffff88808f157968 R08: dffffc0000000000 R09: ffffed1015d46c0c
R10: ffffed1015d46c0c R11: 0000000000000000 R12: ffff88808f157ab0
R13: 1ffff11011e2af4c R14: ffffffff88c12700 R15: ffff88808f157a90
 read_seqbegin /./include/linux/seqlock.h:433 [inline]
 read_seqbegin_or_lock /./include/linux/seqlock.h:529 [inline]
 prepend_path+0xb7/0xa30 /fs/d_path.c:89
 d_absolute_path+0x15e/0x240 /fs/d_path.c:199
 tomoyo_get_absolute_path /security/tomoyo/realpath.c:100 [inline]
 tomoyo_realpath_from_path+0x46b/0x7c0 /security/tomoyo/realpath.c:304
 tomoyo_get_realpath /security/tomoyo/file.c:151 [inline]
 tomoyo_path_number_perm+0x1e0/0x740 /security/tomoyo/file.c:723
 tomoyo_file_ioctl+0x23/0x30 /security/tomoyo/tomoyo.c:335
 security_file_ioctl+0x6d/0xd0 /security/security.c:1369
 ksys_ioctl /fs/ioctl.c:711 [inline]
 __do_sys_ioctl /fs/ioctl.c:720 [inline]
 __se_sys_ioctl /fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0xa3/0x120 /fs/ioctl.c:718
 do_syscall_64+0xfe/0x140 /arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459819
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4e59c7cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459819
RDX: 0000000000000000 RSI: 0000000000004c81 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4e59c7d6d4
R13: 00000000004c2f5a R14: 00000000004d6400 R15: 00000000ffffffff
Kernel Offset: disabled
Rebooting in 86400 seconds..