syzbot


WARNING: refcount bug in sctp_association_hold

Status: upstream: reported on 2026/04/21 15:34
Subsystems: sctp
Labels: prio:high
Reported-by: syzbot+61bdf856ff699245c643@syzkaller.appspotmail.com
First crash: 53d, last: 53d
✨ AI Jobs (2)
ID Workflow Result Correct Bug Created Started Finished Revision Error
2b765ded-7b24-4b2b-9b17-f8439490955a assessment-security DenialOfService: ✅ Exploitable: ✅ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌ WARNING: refcount bug in sctp_association_hold 2026/05/31 17:39 2026/05/31 17:39 2026/05/31 18:48 6b4a844333e83556da95d61d7f207e7ef5cd4bc6
3d8fb2a5-67de-4704-9fd4-e6bf4c121be7 assessment-security 💥 WARNING: refcount bug in sctp_association_hold 2026/05/15 05:57 2026/05/15 05:57 2026/05/15 05:58 6ccb967e465e832a7bfd7a116ad00d52a0923a5d failed to run ["make" "KERNELVERSION=syzkaller" "KERNELRELEASE=syzkaller" "LOCALVERSION=-syzkaller" "-j" "32" "ARCH=x86_64" "CC=ccache clang" "LD=ld.lld" "O=/app/workdir/cache/build/bd4ba0ca7e1b0be70c2dd4d88eda7b951040ee98" "-s" "bzImage" "compile_commands.json"]: exit status 2
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [sctp?] WARNING: refcount bug in sctp_association_hold 0 (1) 2026/04/21 15:34

Sample crash report:
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x111/0x130 lib/refcount.c:25, CPU#0: swapper/0/0
Modules linked in:
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:refcount_warn_saturate+0x111/0x130 lib/refcount.c:25
Code: 06 e8 e3 e8 11 fd 48 8d 3d 8c d6 ef 0b 67 48 0f b9 3a e8 d2 e8 11 fd 5b 5d c3 cc cc cc cc e8 c6 e8 11 fd 48 8d 3d 7f d6 ef 0b <67> 48 0f b9 3a e8 b5 e8 11 fd 5b 5d e9 0e de a2 06 48 89 df e8 a6
RSP: 0000:ffffc90000007bd8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888075d2e004 RCX: ffffffff84f6dc0b
RDX: ffffffff8e4955c0 RSI: ffffffff84f6dcba RDI: ffffffff90e6b340
RBP: 0000000000000002 R08: 0000000000000005 R09: 0000000000000004
R10: 0000000000000002 R11: 0000000000000000 R12: ffff888075d2e004
R13: 0000000000000002 R14: ffff88804fd3cbd0 R15: ffff888050620000
FS:  0000000000000000(0000) GS:ffff8880970ee000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000080066018 CR3: 000000004c3cc000 CR4: 0000000000352ef0
Call Trace:
 <IRQ>
 __refcount_add include/linux/refcount.h:289 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 sctp_association_hold+0x9f/0xb0 net/sctp/associola.c:843
 sctp_generate_timeout_event+0x292/0x3f0 net/sctp/sm_sideeffect.c:284
 call_timer_fn+0x19a/0x640 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers+0x75f/0xaf0 kernel/time/timer.c:2374
 __run_timer_base kernel/time/timer.c:2386 [inline]
 __run_timer_base kernel/time/timer.c:2378 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2395
 run_timer_softirq+0x1a/0x50 kernel/time/timer.c:2405
 handle_softirqs+0x1ea/0xa00 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x162/0x210 kernel/softirq.c:735
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:752
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1061
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:steal_cookie_task kernel/sched/core.c:6401 [inline]
RIP: 0010:sched_core_balance+0x3fd/0xea0 kernel/sched/core.c:6422
Code: 7e 48 48 89 4c 24 40 e8 61 df c2 09 48 8b 4c 24 40 e9 3a 01 00 00 49 8d 7f 48 e8 4e df c2 09 e8 79 76 3a 00 fb 80 7c 24 30 00 <0f> 85 92 00 00 00 8d 4d 01 48 63 d1 49 39 d4 73 48 83 f9 08 74 41
RSP: 0000:ffffffff8e407b80 EFLAGS: 00000246
RAX: 000000000046d04f RBX: ffff88802b23b3c8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8df51613 RDI: ffffffff8c1c0200
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
R13: dffffc0000000000 R14: ffff88802b33b380 R15: ffff88802b23b380
 do_balance_callbacks kernel/sched/core.c:5017 [inline]
 __balance_callbacks+0x21d/0x6e0 kernel/sched/core.c:5073
 __schedule+0x31b9/0x6820 kernel/sched/core.c:7191
 schedule_idle+0x54/0x80 kernel/sched/core.c:7308
 do_idle+0x2dd/0x590 kernel/sched/idle.c:381
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:451
 rest_init+0x251/0x260 init/main.c:762
 start_kernel+0x484/0x490 init/main.c:1220
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
 x86_64_start_kernel+0x12b/0x130 arch/x86/kernel/head64.c:291
 common_startup_64+0x13e/0x148
 </TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	e8 e3 e8 11 fd       	call   0xfd11e8e8
   5:	48 8d 3d 8c d6 ef 0b 	lea    0xbefd68c(%rip),%rdi        # 0xbefd698
   c:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  11:	e8 d2 e8 11 fd       	call   0xfd11e8e8
  16:	5b                   	pop    %rbx
  17:	5d                   	pop    %rbp
  18:	c3                   	ret
  19:	cc                   	int3
  1a:	cc                   	int3
  1b:	cc                   	int3
  1c:	cc                   	int3
  1d:	e8 c6 e8 11 fd       	call   0xfd11e8e8
  22:	48 8d 3d 7f d6 ef 0b 	lea    0xbefd67f(%rip),%rdi        # 0xbefd6a8
* 29:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2e:	e8 b5 e8 11 fd       	call   0xfd11e8e8
  33:	5b                   	pop    %rbx
  34:	5d                   	pop    %rbp
  35:	e9 0e de a2 06       	jmp    0x6a2de48
  3a:	48 89 df             	mov    %rbx,%rdi
  3d:	e8                   	.byte 0xe8
  3e:	a6                   	cmpsb  %es:(%rdi),%ds:(%rsi)

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/04/20 10:45 upstream c1f49dea2b8f 303e2802 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in sctp_association_hold
* Struck through repros no longer work on HEAD.