syzbot

 sign-in | mailing list | source | docs
🐞 Open [1476]
Subsystems
🐞 Fixed [6702]
🐞 Invalid [17193]
Missing Backports [217]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

WARNING: refcount bug in p9_req_put (3)

Status: upstream: reported C repro on 2024/01/26 09:05
Subsystems: v9fs
[Documentation on labels]
Reported-by: syzbot+d99d2414db66171fccbb@syzkaller.appspotmail.com
First crash: 652d, last: 13d
Discussions (11)
Title Replies (including bot) Last reply
[syzbot] Monthly v9fs report (Oct 2025) 0 (1) 2025/10/20 11:38
[syzbot] Monthly v9fs report (Sep 2025) 0 (1) 2025/09/17 08:29
[syzbot] Monthly v9fs report (Jul 2025) 0 (1) 2025/07/16 13:32
[syzbot] Monthly v9fs report (Jun 2025) 0 (1) 2025/06/16 09:59
[syzbot] Monthly v9fs report (May 2025) 0 (1) 2025/05/15 07:46
[syzbot] Monthly v9fs report (Apr 2025) 0 (1) 2025/04/14 10:17
[syzbot] Monthly v9fs report (Mar 2025) 0 (1) 2025/03/04 15:15
[syzbot] Monthly v9fs report (Jan 2025) 0 (1) 2025/01/02 13:21
[syzbot] Monthly v9fs report (Aug 2024) 0 (1) 2024/08/29 13:20
[syzbot] [net?] [v9fs?] WARNING: refcount bug in p9_req_put (3) 2 (4) 2024/07/22 06:14
[syzbot] Monthly v9fs report (Apr 2024) 0 (1) 2024/04/30 07:12
Similar bugs (3)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 WARNING: refcount bug in p9_req_put 13 2 2195d 2236d 0/1 auto-closed as invalid on 2020/02/28 21:29
upstream WARNING: refcount bug in p9_req_put v9fs 13 syz inconclusive done 6 1992d 2545d 15/29 fixed on 2020/11/16 12:12
upstream WARNING: refcount bug in p9_req_put (2) v9fs 13 9 796d 1142d 0/29 auto-obsoleted due to no activity on 2023/12/09 05:29
Last patch testing requests (8)
Created Duration User Patch Repo Result
2025/08/25 12:30 18m retest repro upstream OK log
2025/08/25 12:30 19m retest repro upstream OK log
2025/06/05 14:36 18m retest repro upstream OK log
2025/06/05 14:36 18m retest repro upstream OK log
2025/06/05 14:36 18m retest repro upstream OK log
2025/01/24 14:02 11m retest repro upstream error
2024/11/24 01:46 29m retest repro upstream OK log
2024/09/23 13:53 19m retest repro upstream OK log

Sample crash report:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 40 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 3 UID: 0 PID: 40 Comm: kauditd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 18 ef 10 fd 84 db 0f 85 66 ff ff ff e8 2b f4 10 fd c6 05 08 80 bf 0b 01 90 48 c7 c7 20 38 f1 8b e8 b7 28 cf fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 08 f4 10 fd 0f b6 1d e3 7f bf 0b 31
RSP: 0018:ffffc900006f8bd8 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817b6ee8
RDX: ffff88801cb30000 RSI: ffffffff817b6ef5 RDI: 0000000000000001
RBP: ffff88803a07c778 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88803a07c778
R13: ffff88804657b000 R14: 0000000000000015 R15: 1ffff11003a7d80c
FS:  0000000000000000(0000) GS:ffff8880d6cd6000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fd264c61d58 CR3: 000000004cfc5000 CR4: 0000000000352ef0
Call Trace:
 <IRQ>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 p9_req_put+0x1ec/0x250 net/9p/client.c:404
 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147
 vring_interrupt drivers/virtio/virtio_ring.c:2718 [inline]
 vring_interrupt+0x31e/0x400 drivers/virtio/virtio_ring.c:2693
 __handle_irq_event_percpu+0x236/0x920 kernel/irq/handle.c:203
 handle_irq_event_percpu kernel/irq/handle.c:240 [inline]
 handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:257
 handle_edge_irq+0x3ca/0x9e0 kernel/irq/chip.c:855
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:310 [inline]
 __common_interrupt+0xd0/0x2f0 arch/x86/kernel/irq.c:325
 common_interrupt+0x61/0xe0 arch/x86/kernel/irq.c:318
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
RIP: 0010:handle_softirqs+0x1dd/0x8e0 kernel/softirq.c:608
Code: 88 6c 24 26 4c 89 7c 24 18 48 c7 c7 20 ce 8b 8b e8 b8 29 e9 09 65 66 c7 05 96 2e 27 12 00 00 e8 b9 c8 47 00 fb bb ff ff ff ff <49> c7 c7 c0 c0 00 8e 41 0f bc dc 83 c3 01 0f 85 a4 00 00 00 e9 b1
RSP: 0018:ffffc900006f8f28 EFLAGS: 00000202
RAX: 000000000000a5f8 RBX: 00000000ffffffff RCX: 0000000000000002
RDX: 0000000000000000 RSI: ffffffff8db03f74 RDI: ffffffff8bf1ea40
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff908339d7 R11: 0000000000000001 R12: 0000000000000280
R13: 000000000000000a R14: 1ffff920000df1ed R15: ffffed1003966000
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3200
Code: 00 e8 d2 4c 29 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 80 46 21 00 48 85 db 0f 85 55 01 00 00 e8 02 4b 21 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 27 d2 89
RSP: 0018:ffffc9000078f9b8 EFLAGS: 00000293
RAX: ffffffff8f073db8 RBX: 0000000000000000 RCX: ffffffff819beda0
RDX: ffff88801cb30000 RSI: ffffffff819bedae RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8f073db8
R13: ffffffff8f073d60 R14: ffffc9000078fa48 R15: dffffc0000000000
 __console_flush_and_unlock kernel/printk/printk.c:3258 [inline]
 console_unlock+0xd8/0x210 kernel/printk/printk.c:3298
 vprintk_emit+0x3d7/0x680 kernel/printk/printk.c:2423
 _printk+0xc7/0x100 kernel/printk/printk.c:2448
 kauditd_printk_skb kernel/audit.c:583 [inline]
 kauditd_hold_skb+0x205/0x250 kernel/audit.c:618
 kauditd_send_queue+0x239/0x290 kernel/audit.c:803
 kauditd_thread+0x623/0xa70 kernel/audit.c:927
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x675/0x7d0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	88 6c 24 26          	mov    %ch,0x26(%rsp)
   4:	4c 89 7c 24 18       	mov    %r15,0x18(%rsp)
   9:	48 c7 c7 20 ce 8b 8b 	mov    $0xffffffff8b8bce20,%rdi
  10:	e8 b8 29 e9 09       	call   0x9e929cd
  15:	65 66 c7 05 96 2e 27 	movw   $0x0,%gs:0x12272e96(%rip)        # 0x12272eb5
  1c:	12 00 00
  1f:	e8 b9 c8 47 00       	call   0x47c8dd
  24:	fb                   	sti
  25:	bb ff ff ff ff       	mov    $0xffffffff,%ebx
* 2a:	49 c7 c7 c0 c0 00 8e 	mov    $0xffffffff8e00c0c0,%r15 <-- trapping instruction
  31:	41 0f bc dc          	bsf    %r12d,%ebx
  35:	83 c3 01             	add    $0x1,%ebx
  38:	0f 85 a4 00 00 00    	jne    0xe2
  3e:	e9                   	.byte 0xe9
  3f:	b1                   	.byte 0xb1

Crashes (97):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2025/10/18 11:08 upstream f406055cb18c 1c8c8cd8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/10/01 07:29 upstream 4b81e2eb9e4d 65a0eece .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/09/20 09:15 upstream 1522b530ac3e 67c37560 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/09/19 00:32 upstream cbf658dd0941 e2beed91 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/09/09 02:33 upstream f777d1112ee5 d291dd2d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/09/07 10:56 upstream b236920731dd d291dd2d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/09/03 09:58 upstream e6b9dce0aeeb 96a211bc .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/07/29 11:23 upstream ced1b9e0392d c4a95487 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/07/22 13:25 upstream 89be9a83ccf1 8e9d1dc1 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/07/12 09:55 upstream 379f604cc3dc 3cda49cf .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/07/09 14:52 upstream 733923397fd9 956bd956 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/07/09 05:09 upstream 733923397fd9 f4e5e155 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/07/08 16:21 upstream d7b8f8e20813 4d9fdfa4 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/26 21:52 upstream ee88bddf7f2f 1ae8177e .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/19 01:19 upstream 74b4cc9b8780 ed3e87f7 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/18 06:41 upstream 4663747812d1 74c9d252 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/18 05:31 upstream 4663747812d1 74c9d252 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/16 18:13 upstream e04c78d86a96 d1716036 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/16 17:28 upstream e04c78d86a96 d1716036 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/15 14:23 upstream 8c6bc74c7f89 5f4b362d .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/12 15:29 upstream 2c4a1f3fe03e 98683f8f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/11 12:54 upstream aef17cb3d3c4 5d7e17ca .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/06/06 09:02 upstream e271ed52b344 3d899f2c .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/05/22 14:04 upstream d608703fcdd9 0919b50b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/05/22 14:03 upstream d608703fcdd9 0919b50b .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/05/12 16:50 upstream 82f2b0b97b36 f6671af7 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/05/10 07:32 upstream 0e1329d4045c 77908e5f .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/04/21 04:47 upstream 6fea5fabd332 2a20f901 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/04/11 18:22 upstream 900241a5cc15 12ba9c21 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/04/11 17:06 upstream 900241a5cc15 12ba9c21 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/04/05 10:03 upstream 9f867ba24d36 c53ea9c9 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/03/21 15:04 upstream b3ee1e460951 62330552 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/03/21 14:26 upstream b3ee1e460951 62330552 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/03/07 05:51 upstream f315296c92fd 831e3629 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/02/24 13:44 upstream d082ecbc71e9 d34966d1 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/02/21 05:22 upstream e9a8cac0bf89 0808a665 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/02/19 12:47 upstream 6537cfb395f3 cbd8edab .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/02/18 15:50 upstream 2408a807bfc3 c37c7249 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2024/12/20 16:15 upstream 8faabc041a00 49cfeac8 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2024/11/10 01:22 upstream da4373fbcf00 6b856513 .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2024/07/22 06:13 upstream 7846b618e0a4 b88348e9 .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream WARNING: refcount bug in p9_req_put
2025/10/21 08:08 upstream 6548d364a3e8 9832ed61 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/10/07 05:26 upstream c746c3b51698 8ef35d49 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/09/18 19:30 upstream 8b789f2b7602 e2beed91 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/08/11 12:21 upstream 8f5ae30d69d7 32a0e5ed .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/07/20 00:39 upstream 4871b7cb27f4 7117feec .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/05/16 23:18 upstream 3c21441eeffc f41472b0 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/05/14 22:05 upstream 9f35e33144ae a4fa04ef .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/05/05 15:55 upstream 92a09c47464d 6ca47dd8 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/05/03 09:23 upstream 00b827f0cffa b0714e37 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/05/03 06:59 upstream 00b827f0cffa b0714e37 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/03/24 08:23 upstream 586de92313fc 875573af .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/03/11 11:26 upstream 4d872d51bc9d 16256247 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/02/26 01:19 upstream 2a1944bff549 d34966d1 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2025/02/18 10:10 upstream 2408a807bfc3 c37c7249 .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
2024/01/21 21:11 upstream 4fbbed787267 9bd8dcda .config console log report info [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream-386 WARNING: refcount bug in p9_req_put
* Struck through repros no longer work on HEAD.