syzbot


WARNING: refcount bug in __inet_csk_reqsk_queue_drop

Status: upstream: reported on 2026/05/30 05:55
Subsystems: net
Labels: prio:high
Reported-by: syzbot+e809069bc15f26300526@syzkaller.appspotmail.com
First crash: 199d, last: 4d20h
✨ AI Jobs (5)
ID Workflow Result Correct Bug Created Started Finished Revision Error
35b41830-0cd3-4d89-81b5-d82aaa0f9206 assessment-security DenialOfService: ✅ Exploitable: ✅ FilesystemTrigger: ❌ NetworkTrigger: ✅ PeripheralTrigger: ❌ RemoteTrigger: ✅ Unprivileged: ✅ UserNamespace: ✅ VMGuestTrigger: ❌ VMHostTrigger: ❌ WARNING: refcount bug in __inet_csk_reqsk_queue_drop 2026/05/30 12:40 2026/05/30 12:40 2026/05/30 13:37 6b4a844333e83556da95d61d7f207e7ef5cd4bc6
55f8b41e-b9fa-4b02-b4fe-599d8333cdc8 assessment-security 💥 WARNING: refcount bug in __inet_csk_reqsk_queue_drop 2026/05/14 10:12 2026/05/14 10:12 2026/05/14 10:13 6ccb967e465e832a7bfd7a116ad00d52a0923a5d failed to run ["git" "pull" "origin" "HEAD" "--depth=1" "--allow-unrelated-histories"]: exit status 128 From /app/workdir/repo/linux * branch HEAD -> FETCH_HEAD fatal: cannot create directory at 'drivers/gpu/drm/amd/include/asic_reg/gca': No space left on device
2ee7a339-fb22-403a-8ae1-b36899fc0e3a repro 💥 WARNING: refcount bug in __inet_csk_reqsk_queue_drop 2026/03/27 12:52 2026/03/27 12:52 2026/03/27 12:53 911b9cd2ff48815a822e9767728aa015c33a892a failed to parse '-threaded': error splitting options token -threaded
ed8ab7cd-4abe-42a7-a1da-ed1fd73ad9d0 repro 💥 WARNING: refcount bug in __inet_csk_reqsk_queue_drop 2026/03/27 12:01 2026/03/27 12:01 2026/03/27 12:52 911b9cd2ff48815a822e9767728aa015c33a892a failed to parse '-threaded': error splitting options token -threaded
98e88454-1b9d-4537-b290-d4a0b7dbfec9 repro WARNING: refcount bug in __inet_csk_reqsk_queue_drop 2026/03/06 10:25 2026/03/06 10:25 2026/03/06 10:28 31e9c887f7dc24e04b3ca70d0d54fc34141844b0
Discussions (3)
Title Replies (including bot) Last reply
[PATCH v2 net] tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req(). 2 (2) 2026/06/01 18:46
[PATCH v1 net] tcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req(). 4 (4) 2026/06/01 18:10
[syzbot] [net?] WARNING: refcount bug in __inet_csk_reqsk_queue_drop 0 (1) 2026/05/30 05:55

Sample crash report:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: lib/refcount.c:28 at refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28, CPU#0: ktimers/0/16
Modules linked in:
CPU: 0 UID: 0 PID: 16 Comm: ktimers/0 Tainted: G             L      syzkaller #0 PREEMPT_{RT,(full)} 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
RIP: 0010:refcount_warn_saturate+0xb2/0x110 lib/refcount.c:28
Code: e4 7d d1 0a 67 48 0f b9 3a eb 4a e8 38 3d 23 fd 48 8d 3d e1 7d d1 0a 67 48 0f b9 3a eb 37 e8 25 3d 23 fd 48 8d 3d de 7d d1 0a <67> 48 0f b9 3a eb 24 e8 12 3d 23 fd 48 8d 3d db 7d d1 0a 67 48 0f
RSP: 0000:ffffc90000157948 EFLAGS: 00010246
RAX: ffffffff84a1301b RBX: 0000000000000003 RCX: ffff88801ca98000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: ffffffff8f72ae00
RBP: ffffffff99ae3b01 R08: ffff88801ca98000 R09: 0000000000000005
R10: 0000000000000100 R11: 0000000000000004 R12: ffff8880425ef568
R13: ffff8880425ef4f8 R14: ffff8880425ef578 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888126386000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7b46710e9c CR3: 000000000dbb6000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 reqsk_put include/net/request_sock.h:136 [inline]
 __inet_csk_reqsk_queue_drop+0x3ce/0x440 net/ipv4/inet_connection_sock.c:1007
 reqsk_timer_handler+0x651/0xdf0 net/ipv4/inet_connection_sock.c:1137
 call_timer_fn+0x192/0x5e0 kernel/time/timer.c:1748
 expire_timers kernel/time/timer.c:1799 [inline]
 __run_timers kernel/time/timer.c:2374 [inline]
 __run_timer_base+0x6a3/0x9f0 kernel/time/timer.c:2386
 run_timer_base kernel/time/timer.c:2395 [inline]
 run_timer_softirq+0x67/0x170 kernel/time/timer.c:2403
 handle_softirqs+0x1de/0x6d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 run_ktimerd+0x69/0x100 kernel/softirq.c:1151
 smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	e4 7d                	in     $0x7d,%al
   2:	d1 0a                	rorl   $1,(%rdx)
   4:	67 48 0f b9 3a       	ud1    (%edx),%rdi
   9:	eb 4a                	jmp    0x55
   b:	e8 38 3d 23 fd       	call   0xfd233d48
  10:	48 8d 3d e1 7d d1 0a 	lea    0xad17de1(%rip),%rdi        # 0xad17df8
  17:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  1c:	eb 37                	jmp    0x55
  1e:	e8 25 3d 23 fd       	call   0xfd233d48
  23:	48 8d 3d de 7d d1 0a 	lea    0xad17dde(%rip),%rdi        # 0xad17e08
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	eb 24                	jmp    0x55
  31:	e8 12 3d 23 fd       	call   0xfd233d48
  36:	48 8d 3d db 7d d1 0a 	lea    0xad17ddb(%rip),%rdi        # 0xad17e18
  3d:	67                   	addr32
  3e:	48                   	rex.W
  3f:	0f                   	.byte 0xf

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2026/05/28 06:12 upstream eb3f4b7426cf 4c36e7e5 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2026/05/13 01:20 upstream c21b90f77687 a0949470 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2026/04/28 13:41 upstream 3b3bea6d4b9c b4209743 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2026/02/27 16:57 upstream a75cb869a8cc 2cf092b8 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2026/02/18 12:34 upstream c22e26bd0906 39751c21 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2026/01/23 01:29 upstream a66191c590b3 82c9c083 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2025/12/16 06:54 upstream 8f0b4cce4481 d6526ea3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2025/11/14 20:10 upstream d4f8cccc6230 f7988ea4 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
2026/05/10 20:37 linux-next e98d21c170b0 29233ece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root WARNING: refcount bug in __inet_csk_reqsk_queue_drop
* Struck through repros no longer work on HEAD.