RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000200000 R11: 0000000000000246 R12: 0000000000000014 R13: 00000000000003fa R14: 00000000006f8010 R15: 0000000000000020 ------------[ cut here ]------------ refcount_t: increment on 0; use-after-free. WARNING: CPU: 1 PID: 32592 at lib/refcount.c:153 refcount_inc+0x47/0x50 lib/refcount.c:153 Kernel panic - not syncing: panic_on_warn set ... ------------[ cut here ]------------ CPU: 1 PID: 32592 Comm: syz-executor7 Not tainted 4.16.0-rc6+ #40 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 refcount_t: underflow; use-after-free. panic+0x1e4/0x41c kernel/panic.c:183 WARNING: CPU: 0 PID: 32596 at lib/refcount.c:187 refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187 Modules linked in: CPU: 0 PID: 32596 Comm: syz-executor7 Not tainted 4.16.0-rc6+ #40 __warn+0x1dc/0x200 kernel/panic.c:547 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:refcount_sub_and_test+0x167/0x1b0 lib/refcount.c:187 report_bug+0x1f4/0x2b0 lib/bug.c:186 RSP: 0018:ffff8801d2217948 EFLAGS: 00010282 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff815ba4be fixup_bug arch/x86/kernel/traps.c:247 [inline] do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 RDX: 0000000000010000 RSI: ffffc90003c01000 RDI: 1ffff1003a442eae RBP: ffff8801d22179d8 R08: 0000000000000000 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff1003a442f2a R13: 00000000ffffffff R14: 0000000000000001 R15: ffff8801adb0a1c4 FS: 00007fbc068f6700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbc068f5db8 CR3: 00000001a7c3c003 CR4: 00000000001606f0 DR0: 0000000020000000 DR1: 00000000200003c0 DR2: 0000000020000000 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 invalid_op+0x1b/0x40 arch/x86/entry/entry_64.S:986 Call Trace: RIP: 0010:refcount_inc+0x47/0x50 lib/refcount.c:153 RSP: 0018:ffff8801c3dcf7d8 EFLAGS: 00010286 RAX: dffffc0000000008 RBX: ffff8801adb0a1c4 RCX: ffffffff815ba4be RDX: 0000000000003ab2 RSI: ffffc900035f5000 RDI: 1ffff100387b9e80 RBP: ffff8801c3dcf7e0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801c3dcfa70 refcount_dec_and_test+0x1a/0x20 lib/refcount.c:212 R13: ffff8801b063b013 R14: ffff8801adb0a1c0 R15: ffff8801b063b001 put_net include/net/net_namespace.h:222 [inline] __sk_destruct+0x560/0x920 net/core/sock.c:1592 get_net include/net/net_namespace.h:204 [inline] sk_alloc+0x3f9/0x1440 net/core/sock.c:1540 sk_destruct+0x47/0x80 net/core/sock.c:1601 __sk_free+0xf1/0x2b0 net/core/sock.c:1612 sk_free+0x2a/0x40 net/core/sock.c:1623 unix_create1+0x16a/0x610 net/unix/af_unix.c:765 sock_put include/net/sock.h:1660 [inline] smc_release+0x33f/0x580 net/smc/af_smc.c:162 sock_release+0x8d/0x1e0 net/socket.c:594 SYSC_socketpair net/socket.c:1421 [inline] SyS_socketpair+0x481/0x6f0 net/socket.c:1366 unix_create+0x14f/0x1c0 net/unix/af_unix.c:828 __sock_create+0x4d4/0x850 net/socket.c:1285 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 sock_create net/socket.c:1325 [inline] SYSC_socketpair net/socket.c:1409 [inline] SyS_socketpair+0x1c0/0x6f0 net/socket.c:1366 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x4548b9 RSP: 002b:00007fbc068f5c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 RAX: ffffffffffffffda RBX: 00007fbc068f66d4 RCX: 00000000004548b9 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000002b RBP: 000000000072bf58 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000020000980 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000063f R14: 00000000006fb688 R15: 0000000000000001 Code: 5e 41 entry_SYSCALL_64_after_hwframe+0x42/0xb7 5f RIP: 0033:0x4548b9 5d RSP: 002b:00007fbc06916c68 EFLAGS: 00000246 c3 ORIG_RAX: 0000000000000035 e8 RAX: ffffffffffffffda RBX: 00007fbc069176d4 RCX: 00000000004548b9 RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000001 ea RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 3a R10: 0000000020002d00 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000644 R14: 00000000006fb700 R15: 0000000000000000 be fe 80 3d 20 f4 84 05 00 75 1a e8 dc 3a be fe 48 c7 c7 e0 78 e5 86 c6 05 0b f4 84 05 01 e8 89 46 8e fe <0f> 0b 31 db eb a3 e8 be 3a be fe 83 fb ff 0f 85 63 ff ff ff 31 ---[ end trace 1bb6bb01b8355bd1 ]--- Dumping ftrace buffer: (ftrace buffer empty) Kernel Offset: disabled Rebooting in 86400 seconds..