syzbot


KASAN: null-ptr-deref Write in rcuref_put (5)

Status: closed as invalid on 2026/05/30 06:16
Subsystems: net
Labels: prio:high
First crash: 50d, last: 50d
✨ AI Jobs (1)
| ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error |
|---|---|---|---|---|---|---|---|---|---|
| 5c58ae5c-0176-42ba-9829-018a755a588e | assessment-security | DenialOfService: ✅; Exploitable: ✅; FilesystemTrigger: ❌; NetworkTrigger: ❌; PeripheralTrigger: ❌; RemoteTrigger: ❌; Unprivileged: ❌; UserNamespace: ✅; VMGuestTrigger: ❌; VMHostTrigger: ❌ | | KASAN: null-ptr-deref Write in rcuref_put (5) | 2026/05/23 07:56 | 2026/05/23 07:56 | 2026/05/23 08:08 | c69befb30ac10e158cc9d1557b508ee3f0eca1de | |
Similar bugs (4)
| Kernel | Title | Subsystem | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: null-ptr-deref Write in rcuref_put (4) | net | 12 | C | done | | 7 | 308d | 426d | 29/29 | fixed on 2025/09/04 16:56 |
| upstream | KASAN: null-ptr-deref Write in rcuref_put | net | 12 | | | | 1 | 742d | 742d | 0/29 | closed as invalid on 2024/06/25 17:44 |
| upstream | KASAN: null-ptr-deref Write in rcuref_put (3) | net | 12 | | | | 1 | 493d | 493d | 0/29 | closed as invalid on 2025/03/17 11:18 |
| upstream | KASAN: null-ptr-deref Write in rcuref_put (2) | net | 12 | | | | 1 | 607d | 607d | 0/29 | closed as invalid on 2024/11/27 19:42 |

Sample crash report:
bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
BUG: KASAN: null-ptr-deref in atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326 [inline]
BUG: KASAN: null-ptr-deref in __rcuref_put include/linux/rcuref.h:109 [inline]
BUG: KASAN: null-ptr-deref in rcuref_put+0xf7/0x170 include/linux/rcuref.h:173
Write of size 4 at addr 0000000000000060 by task kworker/u8:4/57

CPU: 1 UID: 0 PID: 57 Comm: kworker/u8:4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
 atomic_sub_return_release include/linux/atomic/atomic-instrumented.h:326 [inline]
 __rcuref_put include/linux/rcuref.h:109 [inline]
 rcuref_put+0xf7/0x170 include/linux/rcuref.h:173
 dst_release+0x24/0x1b0 net/core/dst.c:168
 dst_cache_destroy+0x118/0x190 net/core/dst_cache.c:187
 netdev_run_todo+0xc1f/0xde0 net/core/dev.c:11770
 ops_exit_rtnl_list net/core/net_namespace.c:189 [inline]
 ops_undo_list+0x3d8/0x940 net/core/net_namespace.c:248
 cleanup_net+0x56b/0x800 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3288 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3371
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3452
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
==================================================================

Crashes (1):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/04/20 14:24 | net | 0cf004ffb61c | 303e2802 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-net-this-kasan-gce | KASAN: null-ptr-deref Write in rcuref_put |