syzbot

 sign-in | mailing list | source | docs
🐞 Open [817]
🐞 Fixed [136]
🐞 Invalid [937]
Missing Backports [79]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

WARNING: refcount bug in tipc_crypto_xmit

Status: upstream: reported syz repro on 2025/06/04 16:45
Bug presence: origin:lts-only
[Documentation on labels]
Reported-by: syzbot+4b0296c76b665a755187@syzkaller.appspotmail.com
First crash: 169d, last: 147d
Fix bisection: failed (error log)
  
Bug presence (2)
Date Name Commit Repro Result
2025/06/07 linux-6.1.y (ToT) 58485ff1a74f syz [report] WARNING: refcount bug in tipc_crypto_xmit
2025/06/07 upstream (ToT) 8630c59e9936 syz Didn't crash
Similar bugs (3)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-5.15 WARNING: refcount bug in tipc_crypto_xmit origin:upstream 13 syz 294 147d 169d 0/3 auto-obsoleted due to no activity on 2025/09/05 09:21
linux-6.6 WARNING: refcount bug in tipc_crypto_xmit 13 20 155d 157d 0/2 auto-obsoleted due to no activity on 2025/08/27 14:47
upstream WARNING: refcount bug in tipc_crypto_xmit tipc 13 C done 4968 168d 179d 29/29 fixed on 2025/07/08 00:33

Sample crash report:
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 0 at lib/refcount.c:25 refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
lr : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
sp : ffff8000080078c0
x29: ffff8000080078c0 x28: ffff0000db6c7400 x27: ffff0000c3505808
x26: ffff0000d9244af0 x25: dfff800000000000 x24: 1fffe000186a0b01
x23: ffff0000dbe91c00 x22: ffff0000efc89d94 x21: ffff0000c2d5e080
x20: ffff0000efc89d94 x19: ffff800017a32000 x18: ffff800011a7bce0
x17: 0000000000000000 x16: ffff8000082d1c00 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff0080000819149c x10: 0000000000000000 x9 : 51ede113c267dc00
x8 : 51ede113c267dc00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800008007358 x4 : ffff800015154700 x3 : ffff80000852da40
x2 : 0000000000000001 x1 : 0000000000000101 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:250 [inline]
 refcount_inc include/linux/refcount.h:267 [inline]
 get_net include/net/net_namespace.h:257 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:821 [inline]
 tipc_crypto_xmit+0x1518/0x2014 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x1f0/0x384 net/tipc/bearer.c:574
 tipc_disc_timeout+0x4c8/0x608 net/tipc/discover.c:338
 call_timer_fn+0x1b8/0x964 kernel/time/timer.c:1504
 expire_timers kernel/time/timer.c:1549 [inline]
 __run_timers+0x460/0x6bc kernel/time/timer.c:1820
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1833
 handle_softirqs+0x318/0xc6c kernel/softirq.c:596
 __do_softirq+0x14/0x20 kernel/softirq.c:630
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:893
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
 invoke_softirq kernel/softirq.c:477 [inline]
 __irq_exit_rcu+0x23c/0x43c kernel/softirq.c:679
 irq_exit_rcu+0x14/0x84 kernel/softirq.c:691
 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
 el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:486
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581
 arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
 default_idle_call+0x68/0xdc kernel/sched/idle.c:109
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x1d8/0x4bc kernel/sched/idle.c:303
 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:401
 rest_init+0x2d4/0x2f0 init/main.c:733
 start_kernel+0x0/0x554 init/main.c:893
 start_kernel+0x4a4/0x554 init/main.c:1140
 __primary_switched+0xb8/0xc0 arch/arm64/kernel/head.S:468
irq event stamp: 342435
hardirqs last  enabled at (342434): [<ffff800008307d18>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (342435): [<ffff80001191c930>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last  enabled at (342392): [<ffff8000081a8e70>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last  enabled at (342392): [<ffff8000081a8e70>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (342405): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 0 at lib/refcount.c:28 refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G        W          6.1.141-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
lr : refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
sp : ffff8000080078c0
x29: ffff8000080078c0 x28: ffff0000db6c7400 x27: 0000000000000000
x26: ffff0000d9244af0 x25: dfff800000000000 x24: 1fffe0001b248968
x23: 1ffff00002a12901 x22: ffff0000c3505800 x21: 00000000c0000000
x20: ffff0000efc89d94 x19: ffff800017a32000 x18: ffff800011a7bce0
x17: 0000000000000000 x16: ffff8000082d1c00 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000ff0100
x11: ff0080000819149c x10: 0000000000000000 x9 : 51ede113c267dc00
x8 : 51ede113c267dc00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800008007358 x4 : ffff800015154700 x3 : ffff8000083115f4
x2 : 0000000000000001 x1 : 0000000000000101 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0x154/0x1f8 lib/refcount.c:28
 __refcount_sub_and_test include/linux/refcount.h:283 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 put_net include/net/net_namespace.h:276 [inline]
 tipc_aead_encrypt net/tipc/crypto.c:829 [inline]
 tipc_crypto_xmit+0x1664/0x2014 net/tipc/crypto.c:1761
 tipc_bearer_xmit_skb+0x1f0/0x384 net/tipc/bearer.c:574
 tipc_disc_timeout+0x4c8/0x608 net/tipc/discover.c:338
 call_timer_fn+0x1b8/0x964 kernel/time/timer.c:1504
 expire_timers kernel/time/timer.c:1549 [inline]
 __run_timers+0x460/0x6bc kernel/time/timer.c:1820
 run_timer_softirq+0x7c/0x114 kernel/time/timer.c:1833
 handle_softirqs+0x318/0xc6c kernel/softirq.c:596
 __do_softirq+0x14/0x20 kernel/softirq.c:630
 ____do_softirq+0x14/0x20 arch/arm64/kernel/irq.c:80
 call_on_irq_stack+0x24/0x4c arch/arm64/kernel/entry.S:893
 do_softirq_own_stack+0x20/0x2c arch/arm64/kernel/irq.c:85
 invoke_softirq kernel/softirq.c:477 [inline]
 __irq_exit_rcu+0x23c/0x43c kernel/softirq.c:679
 irq_exit_rcu+0x14/0x84 kernel/softirq.c:691
 __el1_irq arch/arm64/kernel/entry-common.c:472 [inline]
 el1_interrupt+0x38/0x54 arch/arm64/kernel/entry-common.c:486
 el1h_64_irq_handler+0x18/0x24 arch/arm64/kernel/entry-common.c:491
 el1h_64_irq+0x64/0x68 arch/arm64/kernel/entry.S:581
 arch_local_irq_enable+0xc/0x18 arch/arm64/include/asm/irqflags.h:35
 default_idle_call+0x68/0xdc kernel/sched/idle.c:109
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x1d8/0x4bc kernel/sched/idle.c:303
 cpu_startup_entry+0x5c/0x74 kernel/sched/idle.c:401
 rest_init+0x2d4/0x2f0 init/main.c:733
 start_kernel+0x0/0x554 init/main.c:893
 start_kernel+0x4a4/0x554 init/main.c:1140
 __primary_switched+0xb8/0xc0 arch/arm64/kernel/head.S:468
irq event stamp: 342469
hardirqs last  enabled at (342468): [<ffff800008307d18>] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (342469): [<ffff80001191c930>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last  enabled at (342392): [<ffff8000081a8e70>] softirq_handle_end kernel/softirq.c:439 [inline]
softirqs last  enabled at (342392): [<ffff8000081a8e70>] handle_softirqs+0xaf8/0xc6c kernel/softirq.c:624
softirqs last disabled at (342405): [<ffff800008020164>] __do_softirq+0x14/0x20 kernel/softirq.c:630
---[ end trace 0000000000000000 ]---

Crashes (241):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/06/12 06:52 linux-6.1.y 58485ff1a74f 98683f8f .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/05 20:28 linux-6.1.y 58485ff1a74f 6b6b5f21 .config console log report syz / log [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/26 11:27 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/26 06:52 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/26 00:57 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/25 15:46 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/25 14:24 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/25 01:36 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/24 20:25 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/24 18:40 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/24 01:17 linux-6.1.y 58485ff1a74f e2f27c35 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/23 09:21 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 19:33 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 12:20 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 10:49 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 04:40 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 03:30 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 16:12 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 06:57 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 04:42 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 00:51 linux-6.1.y 58485ff1a74f 804b3919 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/20 18:03 linux-6.1.y 58485ff1a74f 804b3919 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/20 10:27 linux-6.1.y 58485ff1a74f ed3e87f7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/04 16:45 linux-6.1.y 58485ff1a74f e565f08d .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan WARNING: refcount bug in tipc_crypto_xmit
2025/06/27 07:16 linux-6.1.y 58485ff1a74f 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/27 05:25 linux-6.1.y 58485ff1a74f 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/27 01:10 linux-6.1.y 58485ff1a74f 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/26 22:53 linux-6.1.y 58485ff1a74f 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/26 19:24 linux-6.1.y 58485ff1a74f 803ce19b .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/26 11:24 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/26 02:16 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/25 21:16 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/25 09:27 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/24 23:44 linux-6.1.y 58485ff1a74f 26d77996 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/23 04:40 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 22:32 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 13:52 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/22 01:33 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 19:59 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 18:47 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 11:16 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/21 11:14 linux-6.1.y 58485ff1a74f d6cdfb8a .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/20 21:12 linux-6.1.y 58485ff1a74f 804b3919 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/20 14:40 linux-6.1.y 58485ff1a74f 804b3919 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/20 09:29 linux-6.1.y 58485ff1a74f ed3e87f7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
2025/06/19 17:46 linux-6.1.y 58485ff1a74f ed3e87f7 .config console log report info [disk image] [vmlinux] [kernel image] ci2-linux-6-1-kasan-arm64 WARNING: refcount bug in tipc_crypto_xmit
* Struck through repros no longer work on HEAD.