bisecting fixing commit since 7e63420847ae5f1036e4f7c42f0b3282e73efbc2
building syzkaller on 99a9604483616177d7cd7d3e092ce42a3eaff74a
testing commit 7e63420847ae5f1036e4f7c42f0b3282e73efbc2 with gcc (GCC) 8.1.0
kernel signature: a5f74bd98b94cbb5456e415ab00a3914862f507b2c1d0b538c996970b669f0c3
run #0: crashed: WARNING: refcount bug in __sk_destruct
run #1: crashed: WARNING: refcount bug in sk_alloc
run #2: crashed: WARNING: refcount bug in __sk_destruct
run #3: crashed: WARNING: refcount bug in sk_alloc
run #4: crashed: WARNING: refcount bug in sk_alloc
run #5: crashed: WARNING: refcount bug in __sk_destruct
run #6: crashed: WARNING: refcount bug in sk_alloc
run #7: crashed: WARNING: refcount bug in __sk_destruct
run #8: crashed: WARNING: refcount bug in sk_alloc
run #9: crashed: WARNING: refcount bug in sk_alloc
testing current HEAD 2ef96a5bb12be62ef75b5828c0aab838ebb29cb8
testing commit 2ef96a5bb12be62ef75b5828c0aab838ebb29cb8 with gcc (GCC) 8.1.0
kernel signature: eb6d13d35757201a6b7e49ed92600cf7e50e0412e4d6b81c6383580285f064b0
run #0: crashed: WARNING: refcount bug in sk_alloc
run #1: crashed: WARNING: refcount bug in sk_alloc
run #2: crashed: WARNING: refcount bug in sk_alloc
run #3: crashed: WARNING: refcount bug in sk_alloc
run #4: crashed: WARNING: refcount bug in __sk_destruct
run #5: crashed: WARNING: refcount bug in __sk_destruct
run #6: crashed: WARNING: refcount bug in __sk_destruct
run #7: crashed: WARNING: refcount bug in sk_alloc
run #8: crashed: WARNING: refcount bug in sk_alloc
run #9: crashed: WARNING: refcount bug in __sk_destruct
revisions tested: 2, total time: 19m41.969089349s (build: 12m35.147516098s, test: 6m44.06976431s)
the crash still happens on HEAD
commit msg: Linux 5.7-rc5
crash: WARNING: refcount bug in __sk_destruct
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 8490 at lib/refcount.c:28 refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 8490 Comm: syz-executor.4 Not tainted 5.7.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 panic+0x22a/0x4e3 kernel/panic.c:221
 __warn.cold.10+0x25/0x26 kernel/panic.c:582
 report_bug+0x1ad/0x270 lib/bug.c:195
 fixup_bug arch/x86/kernel/traps.c:175 [inline]
 do_error_trap+0x123/0x210 arch/x86/kernel/traps.c:267
 do_invalid_op+0x31/0x40 arch/x86/kernel/traps.c:286
 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027
RIP: 0010:refcount_warn_saturate+0x12b/0x140 lib/refcount.c:28
Code: a1 f2 fd 0f 0b e9 53 ff ff ff 48 89 df e8 1d 98 51 fe e9 23 ff ff ff 48 c7 c7 20 80 ce 87 c6 05 cf d7 6d 06 01 e8 51 a1 f2 fd <0f> 0b e9 2c ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 41
RSP: 0018:ffffc90000da8e28 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880967161c4 RCX: 0000000000000000
RDX: 0000000000000102 RSI: 0000000000000008 RDI: ffffffff8b8d60e0
RBP: 0000000000000003 R08: ffffed1015d266a9 R09: ffffed1015d266a9
R10: ffff8880ae933547 R11: ffffed1015d266a8 R12: ffff8880967161c0
R13: ffff8880967161c4 R14: ffff8880955b7360 R15: 0000000000000000
 refcount_sub_and_test include/linux/refcount.h:274 [inline]
 refcount_dec_and_test include/linux/refcount.h:294 [inline]
 put_net include/net/net_namespace.h:264 [inline]
 __sk_destruct+0x524/0x640 net/core/sock.c:1724
 rcu_do_batch kernel/rcu/tree.c:2206 [inline]
 rcu_core+0x581/0x1340 kernel/rcu/tree.c:2433
 __do_softirq+0x26e/0xa0c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x191/0x1d0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x1a1/0x5f0 arch/x86/kernel/apic/apic.c:1140
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:759 [inline]
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa4/0xd0 kernel/locking/spinlock.c:191
Code: a0 67 d4 88 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 28 48 83 3d 93 42 aa 01 00 74 15 48 89 df 57 9d <0f> 1f 44 00 00 eb af e8 f9 43 d6 f9 eb bd 0f 0b 0f 0b e8 c5 8f 72
RSP: 0018:ffffc90004907828 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: dffffc0000000000 RBX: 0000000000000286 RCX: 0000000000000000
RDX: 1ffffffff11a8cf4 RSI: 0000000000000006 RDI: 0000000000000286
RBP: ffff8880ae929700 R08: ffffed1015d252e1 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90004907a48
R13: ffffed1015d252f0 R14: dffffc0000000000 R15: ffff8880ae929780
 unlock_hrtimer_base kernel/time/hrtimer.c:898 [inline]
 hrtimer_start_range_ns+0x4c7/0xa00 kernel/time/hrtimer.c:1136
 futex_wait_queue_me+0x205/0x530 kernel/futex.c:2618
 futex_wait+0x214/0x4b0 kernel/futex.c:2737
 do_futex+0x55c/0x14b0 kernel/futex.c:3808
 __do_sys_futex kernel/futex.c:3869 [inline]
 __se_sys_futex kernel/futex.c:3837 [inline]
 __x64_sys_futex+0x1af/0x320 kernel/futex.c:3837
 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c879
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe45c713b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: ffffffffffffffda RBX: 00000000000003e8 RCX: 000000000045c879
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000076bfac
RBP: 000000000000002d R08: 00ffffffffffffff R09: 00ffffffffffffff
R10: 00007ffe45c71490 R11: 0000000000000246 R12: 000000000076bfa0
R13: 000000000000f0b8 R14: 000000000000f0e5 R15: 000000000076bfac
Kernel Offset: disabled
Rebooting in 86400 seconds..