------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xf4/0x130 lib/refcount.c:28, CPU#2: syz.1.1388/11394
Modules linked in:
CPU: 2 UID: 0 PID: 11394 Comm: syz.1.1388 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:refcount_warn_saturate+0xf4/0x130 lib/refcount.c:28
Code: 06 e8 40 07 11 fd 48 8d 3d 99 7f eb 0b 67 48 0f b9 3a e8 2f 07 11 fd 5b 5d c3 cc cc cc cc e8 23 07 11 fd 48 8d 3d 8c 7f eb 0b <67> 48 0f b9 3a e8 12 07 11 fd 5b 5d e9 cb 46 93 06 e8 06 07 11 fd
RSP: 0000:ffffc9000c7f70f8 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff88804d981b80 RCX: ffffffff84f6d3ab
RDX: ffff888040eda500 RSI: ffffffff84f6d43d RDI: ffffffff90e253d0
RBP: 0000000000000003 R08: 0000000000000005 R09: 0000000000000004
R10: 0000000000000003 R11: 000000000000001e R12: ffff88804d981b80
R13: ffffffff8a3dcf50 R14: 0000000000000000 R15: 0000000000000018
FS: 0000000000000000(0000) GS:ffff888097380000(0063) knlGS:00000000f53bcb40
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 00000000f539bda4 CR3: 0000000045f1d000 CR4: 0000000000352ef0
Call Trace:
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 sock_put include/net/sock.h:2009 [inline]
 sk_common_release+0x260/0x370 net/core/sock.c:4024
 inet_release+0xed/0x200 net/ipv4/af_inet.c:442
 inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:472
 __sock_release net/socket.c:722 [inline]
 sock_release+0x91/0x1c0 net/socket.c:750
 rxe_release_udp_tunnel drivers/infiniband/sw/rxe/rxe_net.c:294 [inline]
 rxe_sock_put+0xae/0x130 drivers/infiniband/sw/rxe/rxe_net.c:639
 rxe_net_del+0xaf/0x120 drivers/infiniband/sw/rxe/rxe_net.c:664
 rxe_dellink+0x15/0x20 drivers/infiniband/sw/rxe/rxe.c:254
 nldev_dellink+0x289/0x3c0 drivers/infiniband/core/nldev.c:1849
 rdma_nl_rcv_msg+0x392/0x6f0 drivers/infiniband/core/netlink.c:195
 rdma_nl_rcv_skb.constprop.0.isra.0+0x2cb/0x410 drivers/infiniband/core/netlink.c:239
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x585/0x850 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x8b0/0xda0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:787 [inline]
 __sock_sendmsg net/socket.c:802 [inline]
 ____sys_sendmsg+0x9e1/0xb70 net/socket.c:2698
 ___sys_sendmsg+0x190/0x1e0 net/socket.c:2752
 __sys_sendmsg+0x170/0x220 net/socket.c:2784
 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline]
 __do_fast_syscall_32+0xe7/0x950 arch/x86/entry/syscall_32.c:307
 do_fast_syscall_32+0x32/0x70 arch/x86/entry/syscall_32.c:332
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e
RIP: 0023:0xf6feefcc
Code: d2 74 05 c1 e8 0c 89 02 8b 5d fc 31 c0 c9 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 2e 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 58 b8
RSP: 002b:00000000f53bc50c EFLAGS: 00000292 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 000000000000000e RCX: 00000000800002c0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: e8 40 07 11 fd call 0xfd110745
   5: 48 8d 3d 99 7f eb 0b lea 0xbeb7f99(%rip),%rdi # 0xbeb7fa5
   c: 67 48 0f b9 3a ud1 (%edx),%rdi
  11: e8 2f 07 11 fd call 0xfd110745
  16: 5b pop %rbx
  17: 5d pop %rbp
  18: c3 ret
  19: cc int3
  1a: cc int3
  1b: cc int3
  1c: cc int3
  1d: e8 23 07 11 fd call 0xfd110745
  22: 48 8d 3d 8c 7f eb 0b lea 0xbeb7f8c(%rip),%rdi # 0xbeb7fb5
* 29: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
  2e: e8 12 07 11 fd call 0xfd110745
  33: 5b pop %rbx
  34: 5d pop %rbp
  35: e9 cb 46 93 06 jmp 0x6934705
  3a: e8 06 07 11 fd call 0xfd110745