syzbot


WARNING: refcount bug in tipc_crypto_xmit

Status: upstream: reported syz repro on 2025/06/04 16:45
Bug presence: origin:lts-only
Reported-by: syzbot+4b0296c76b665a755187@syzkaller.appspotmail.com
First crash: 11d, last: 18h01m
Bug presence (2)
Date        Name               Commit        Repro  Result
2025/06/07  linux-6.1.y (ToT)  58485ff1a74f  C      [report] WARNING: refcount bug in tipc_crypto_xmit
2025/06/07  upstream (ToT)     8630c59e9936  C      Didn't crash
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 WARNING: refcount bug in tipc_crypto_xmit origin:upstream syz 186 5h55m 11d 0/3 upstream: reported syz repro on 2025/06/04 19:21
upstream WARNING: refcount bug in tipc_crypto_xmit tipc C done 4968 9d23h 21d 26/28 upstream: reported C repro on 2025/05/26 08:50

Sample crash report:
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 0 at lib/refcount.c:25 refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
lr : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
sp : ffff8000080078c0
x29: ffff8000080078c0 x28: ffff0000db6c7400 x27: ffff0000c3505808
x26: ffff0000d9244af0 x25: dfff800000000000 x24: 1fffe000186a0b01
x23: ffff0000dbe91c00 x22: ffff0000efc89d94 x21: ffff0000c2d5e080
x20: ffff0000efc89d94 x19: ffff800017a32000 x18: ffff800011a7bce0
x17: 0000000000000000 x16: ffff8000082d1c00 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff0080000819149c x10: 0000000000000000 x9 : 51ede113c267dc00
x8 : 51ede113c267dc00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800008007358 x4 : ffff800015154700 x3 : ffff80000852da40
x2 : 0000000000000001 x1 : 0000000000000101 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_net include/net/net_namespace.h:257 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
 tipc_crypto_xmit+0x1518/0x2014 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x1f0/0x384 net/tipc/bearer.c:574
 tipc_disc_timeout+0x4c8/0x608 net/tipc/discover.c:338
 call_timer_fn+0x1b8/0x964 kernel/time/timer.c:1504
 expire_timers kernel/time/timer.c:1549 [inline]
 __run_timers+0x460/0x6bc kernel/time/timer.c:1820
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1833
 handle_softirqs+0x318/0xc6c kernel/softirq.c:596
 __do_softirq+0x14/0x20 kernel/softirq.c:630
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:893
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
 invoke_softirq kernel/softirq.c:477 [inline]
 __irq_exit_rcu+0x23c/0x43c kernel/softirq.c:679
 irq_exit_rcu+0x14/0x84 kernel/softirq.c:691
 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
 el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:486
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581
 arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
 default_idle_call+0x68/0xdc kernel/sched/idle.c:109
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x1d8/0x4bc kernel/sched/idle.c:303
 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:401
 rest_init+0x2d4/0x2f0 init/main.c:733
 start_kernel+0x0/0x554 init/main.c:893
 start_kernel+0x4a4/0x554 init/main.c:1140
 __primary_switched+0xb8/0xc0 arch/arm64/kernel/head.S:468
irq event stamp: 342435
hardirqs last  enabled at (342434): [<ffff800008307d18>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (342435): [<ffff80001191c930>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last  enabled at (342392): [<ffff8000081a8e70>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last  enabled at (342392): [<ffff8000081a8e70>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (342405): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W          6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
lr : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
sp : ffff8000080078c0
x29: ffff8000080078c0 x28: ffff0000db6c7400 x27: 0000000000000000
x26: ffff0000d9244af0 x25: dfff800000000000 x24: 1fffe0001b248968
x23: 1ffff00002a12901 x22: ffff0000c3505800 x21: 00000000c0000000
x20: ffff0000efc89d94 x19: ffff800017a32000 x18: ffff800011a7bce0
x17: 0000000000000000 x16: ffff8000082d1c00 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff0080000819149c x10: 0000000000000000 x9 : 51ede113c267dc00
x8 : 51ede113c267dc00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800008007358 x4 : ffff800015154700 x3 : ffff8000083115f4
x2 : 0000000000000001 x1 : 0000000000000101 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 put_net include/net/net_namespace.h:276 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:829 [inline]
 tipc_crypto_xmit+0x1664/0x2014 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x1f0/0x384 net/tipc/bearer.c:574
 tipc_disc_timeout+0x4c8/0x608 net/tipc/discover.c:338
 call_timer_fn+0x1b8/0x964 kernel/time/timer.c:1504
 expire_timers kernel/time/timer.c:1549 [inline]
 __run_timers+0x460/0x6bc kernel/time/timer.c:1820
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1833
 handle_softirqs+0x318/0xc6c kernel/softirq.c:596
 __do_softirq+0x14/0x20 kernel/softirq.c:630
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:893
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
 invoke_softirq kernel/softirq.c:477 [inline]
 __irq_exit_rcu+0x23c/0x43c kernel/softirq.c:679
 irq_exit_rcu+0x14/0x84 kernel/softirq.c:691
 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
 el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:486
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581
 arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
 default_idle_call+0x68/0xdc kernel/sched/idle.c:109
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x1d8/0x4bc kernel/sched/idle.c:303
 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:401
 rest_init+0x2d4/0x2f0 init/main.c:733
 start_kernel+0x0/0x554 init/main.c:893
 start_kernel+0x4a4/0x554 init/main.c:1140
 __primary_switched+0xb8/0xc0 arch/arm64/kernel/head.S:468
irq event stamp: 342469
hardirqs last  enabled at (342468): [<ffff800008307d18>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (342469): [<ffff80001191c930>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last  enabled at (342392): [<ffff8000081a8e70>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last  enabled at (342392): [<ffff8000081a8e70>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (342405): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
---[ end trace 0000000000000000 ]---

Crashes (129):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/06/12 06:52 linux-6.1.y 58485ff1a74f 98683f8f .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/05 20:28 linux-6.1.y 58485ff1a74f 6b6b5f21 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/14 21:43 linux-6.1.y 58485ff1a74f 5f4b362d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/14 19:25 linux-6.1.y 58485ff1a74f 5f4b362d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/14 05:31 linux-6.1.y 58485ff1a74f 0e8da31f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/14 05:06 linux-6.1.y 58485ff1a74f 0e8da31f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/12 21:35 linux-6.1.y 58485ff1a74f 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/12 05:33 linux-6.1.y 58485ff1a74f 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/11 21:51 linux-6.1.y 58485ff1a74f 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/11 19:21 linux-6.1.y 58485ff1a74f 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/10 23:15 linux-6.1.y 58485ff1a74f 5d7e17ca .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/10 08:42 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/10 00:53 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/09 01:48 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/08 13:11 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/08 07:26 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 18:52 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 17:31 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 15:57 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 15:52 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 15:52 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 15:34 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 15:34 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 15:33 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/04 16:45 linux-6.1.y 58485ff1a74f e565f08d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/15 14:38 linux-6.1.y 58485ff1a74f 5f4b362d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/14 10:51 linux-6.1.y 58485ff1a74f 0e8da31f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/14 09:50 linux-6.1.y 58485ff1a74f 0e8da31f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/14 08:27 linux-6.1.y 58485ff1a74f 0e8da31f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/13 18:33 linux-6.1.y 58485ff1a74f 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/13 11:44 linux-6.1.y 58485ff1a74f 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/13 00:59 linux-6.1.y 58485ff1a74f 98683f8f .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/11 12:57 linux-6.1.y 58485ff1a74f 5d7e17ca .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/11 05:45 linux-6.1.y 58485ff1a74f 5d7e17ca .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/10 10:10 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/10 07:38 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/10 05:09 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/09 16:45 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/09 11:14 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/09 00:45 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/08 14:46 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/08 10:38 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/08 02:08 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 23:42 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 21:27 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 13:43 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 10:58 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 10:11 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 09:29 linux-6.1.y 58485ff1a74f 4826c28e .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
* Struck through repros no longer work on HEAD.