syzbot


WARNING: refcount bug in nf_nat_masq_schedule

Status: upstream: reported on 2025/06/06 20:59
Reported-by: syzbot+6b8e560fa8bbc0478c55@syzkaller.appspotmail.com
First crash: 3d08h, last: 3d08h
Similar bugs (1)
Kernel: upstream
Title: WARNING: refcount bug in nf_nat_masq_schedule netfilter
Repro: -
Cause bisect: -
Fix bisect: -
Count: 2
Last: 5d00h
Reported: 4d17h
Patched: 0/28
Status: moderation: reported on 2025/06/05 12:02

Sample crash report:
netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
------------[ cut here ]------------
refcount_t: saturated; leaking memory.
WARNING: CPU: 0 PID: 4106 at lib/refcount.c:19 refcount_warn_saturate+0x174/0x1f8 lib/refcount.c:19
Modules linked in:
CPU: 0 PID: 4106 Comm: kworker/u4:7 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: netns cleanup_net

pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x174/0x1f8 lib/refcount.c:19
lr : refcount_warn_saturate+0x174/0x1f8 lib/refcount.c:19
sp : ffff80001f657260
x29: ffff80001f657260 x28: 1ffff00003ecae54 x27: dfff800000000000
x26: 00000000c0000000 x25: 00000000c0000000 x24: 0000000000000cc0
x23: ffff0000c1ee0154 x22: 0000000000000045 x21: 000000007ffffffe
x20: ffff0000c1ee0154 x19: ffff80001659e000 x18: 0000000000000000
x17: 0000000000000000 x16: ffff8000111a97c4 x15: 0000000000000012
x14: 0000000000ff0100 x13: 1ffff0000282c06b x12: 0000000000ff0100
x11: 0000000000000000 x10: 0000000000000000 x9 : 8401a9bd97eb5500
x8 : 8401a9bd97eb5500 x7 : 0000000000000000 x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000000 x3 : ffff800008503958
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000026

Call trace:
 refcount_warn_saturate+0x174/0x1f8 lib/refcount.c:19
 __refcount_add_not_zero include/linux/refcount.h:163 [inline]
 __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
 refcount_inc_not_zero include/linux/refcount.h:245 [inline]
 maybe_get_net include/net/net_namespace.h:263 [inline]
 nf_nat_masq_schedule+0x48c/0x57c net/netfilter/nf_nat_masquerade.c:107
 masq_device_event+0x9c/0xe0 net/netfilter/nf_nat_masquerade.c:157
 notifier_call_chain kernel/notifier.c:83 [inline]
 raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:391
 call_netdevice_notifiers_info net/core/dev.c:2049 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:2061 [inline]
 call_netdevice_notifiers net/core/dev.c:2075 [inline]
 dev_close_many+0x2cc/0x440 net/core/dev.c:1650
 unregister_netdevice_many+0x3d4/0x17d0 net/core/dev.c:11110
 unregister_netdevice_queue+0x2ac/0x2f8 net/core/dev.c:11067
 unregister_netdevice include/linux/netdevice.h:3020 [inline]
 nsim_destroy+0x58/0x164 drivers/net/netdevsim/netdev.c:382
 __nsim_dev_port_del+0x144/0x1a4 drivers/net/netdevsim/dev.c:1349
 nsim_dev_port_del_all drivers/net/netdevsim/dev.c:1362 [inline]
 nsim_dev_reload_destroy+0x144/0x204 drivers/net/netdevsim/dev.c:1561
 nsim_dev_reload_down+0xe8/0x154 drivers/net/netdevsim/dev.c:883
 devlink_reload+0x1e8/0x5c8 net/core/devlink.c:3963
 devlink_pernet_pre_exit+0x194/0x33c net/core/devlink.c:11543
 ops_pre_exit_list net/core/net_namespace.c:162 [inline]
 cleanup_net+0x470/0xa98 net/core/net_namespace.c:615
 process_one_work+0x79c/0x1140 kernel/workqueue.c:2310
 worker_thread+0x8f4/0x101c kernel/workqueue.c:2457
 kthread+0x374/0x454 kernel/kthread.c:334
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 774790
hardirqs last  enabled at (774789): [<ffff8000082f5888>] console_trylock_spinning+0x160/0x268 kernel/printk/printk.c:1891
hardirqs last disabled at (774790): [<ffff8000111a5098>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:396
softirqs last  enabled at (774776): [<ffff80000cc63a6c>] pppoe_flush_dev drivers/net/ppp/pppoe.c:327 [inline]
softirqs last  enabled at (774776): [<ffff80000cc63a6c>] pppoe_device_event+0x4a4/0x4d4 drivers/net/ppp/pppoe.c:346
softirqs last disabled at (774774): [<ffff80000cc636a4>] pppoe_flush_dev drivers/net/ppp/pppoe.c:279 [inline]
softirqs last disabled at (774774): [<ffff80000cc636a4>] pppoe_device_event+0xdc/0x4d4 drivers/net/ppp/pppoe.c:346
---[ end trace 49178d92ff58b61a ]---
netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
tipc: Disabling bearer <udp:syz2>
tipc: Disabling bearer <eth:team0>
tipc: Left network mode
device hsr_slave_0 left promiscuous mode
device hsr_slave_1 left promiscuous mode
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
bond0 (unregistering): (slave macvlan0): Releasing backup interface
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): Released all slaves
netdevsim netdevsim3 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim3 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim3 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim3 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim2 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim2 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim2 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim2 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim4 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim4 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim4 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0

Crashes (1):
Time: 2025/06/06 20:58
Kernel: linux-5.15.y
Commit: 1c700860e8bc
Syzkaller: 9fa58bba
Config: .config
Log: console log
Report: report
Syz repro: -
C repro: -
VM info: info
Assets: [disk image] [vmlinux] [kernel image]
Manager: ci2-linux-5-15-kasan-arm64
Title: WARNING: refcount bug in nf_nat_masq_schedule