syzbot


WARNING: refcount bug in nsim_fib_event_nb (3)

Status: upstream: reported on 2026/06/10 06:11
Subsystems: net
Labels: prio:normal
Reported-by: syzbot+cb2aa2390ac024e25f5c@syzkaller.appspotmail.com
Fix commit: ipv4: fib: Don't dump dying fib_info in fib_leaf_notify().
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-net-this-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-rust-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 97d, last: 10d
✨ AI Jobs (1)
ID: 8c83dff5-a620-4d2f-a439-4a772e71856f
Workflow: assessment-security
Result: DenialOfService: ✅ Exploitable: ✅ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ❌ VMGuestTrigger: ❌ VMHostTrigger: ❌
Correct: (blank)
Bug: WARNING: refcount bug in nsim_fib_event_nb (3)
Created: 2026/05/26 14:08
Started: 2026/05/26 14:08
Finished: 2026/05/26 14:44
Revision: 76d4b4b1b168407cf701ec594f642e93a00ce699
Error: (blank)
Discussions (2)
Title Replies (including bot) Last reply
[PATCH v1 net 1/2] ipv4: fib: Don't dump dying fib_info in fib_leaf_notify(). 3 (3) 2026/06/11 14:30
[syzbot] [net?] WARNING: refcount bug in nsim_fib_event_nb (3) 0 (1) 2026/06/10 06:11
Similar bugs (3)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-6.1 WARNING: refcount bug in nsim_fib_event_nb 13 1 569d 569d 0/3 auto-obsoleted due to no activity on 2025/02/28 08:27
upstream WARNING: refcount bug in nsim_fib_event_nb (2) net 13 3 234d 324d 0/29 auto-obsoleted due to no activity on 2026/01/29 22:11
upstream WARNING: refcount bug in nsim_fib_event_nb net 13 5 584d 624d 0/29 auto-obsoleted due to no activity on 2025/02/13 14:42

Sample crash report:
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25, CPU#1: kworker/u8:8/1044
Modules linked in:
CPU: 1 UID: 0 PID: 1044 Comm: kworker/u8:8 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Workqueue: netns cleanup_net
RIP: 0010:refcount_warn_saturate+0x9f/0x110 lib/refcount.c:25
Code: eb 66 85 db 74 3e 83 fb 01 75 4c e8 4b 36 23 fd 48 8d 3d 14 85 f1 0a 67 48 0f b9 3a eb 4a e8 38 36 23 fd 48 8d 3d 11 85 f1 0a <67> 48 0f b9 3a eb 37 e8 25 36 23 fd 48 8d 3d 0e 85 f1 0a 67 48 0f
RSP: 0018:ffffc90005e4f270 EFLAGS: 00010293
RAX: ffffffff84a135d8 RBX: 0000000000000002 RCX: ffff888027863d80
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8f92baf0
RBP: 0000000000000000 R08: ffff888027863d80 R09: 0000000000000005
R10: 0000000000000100 R11: 0000000000000004 R12: ffff8880117bd000
R13: dffffc0000000000 R14: ffff88803392903c R15: ffff8880117bd000
FS:  0000000000000000(0000) GS:ffff888126283000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557b57a3d220 CR3: 00000000352b4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 fib_info_hold include/net/ip_fib.h:629 [inline]
 nsim_fib4_prepare_event drivers/net/netdevsim/fib.c:930 [inline]
 nsim_fib_event_schedule_work drivers/net/netdevsim/fib.c:1000 [inline]
 nsim_fib_event_nb+0x1055/0x1240 drivers/net/netdevsim/fib.c:1043
 call_fib_notifier+0x45/0x80 net/core/fib_notifier.c:25
 call_fib_entry_notifier net/ipv4/fib_trie.c:90 [inline]
 fib_leaf_notify net/ipv4/fib_trie.c:2176 [inline]
 fib_table_notify net/ipv4/fib_trie.c:2194 [inline]
 fib_notify+0x36b/0x5e0 net/ipv4/fib_trie.c:2217
 fib_net_dump net/core/fib_notifier.c:70 [inline]
 register_fib_notifier+0x184/0x360 net/core/fib_notifier.c:108
 nsim_fib_create+0x85d/0x9f0 drivers/net/netdevsim/fib.c:1596
 nsim_dev_reload_create drivers/net/netdevsim/dev.c:1604 [inline]
 nsim_dev_reload_up+0x374/0x7c0 drivers/net/netdevsim/dev.c:1058
 devlink_reload+0x501/0x8d0 net/devlink/dev.c:475
 devlink_pernet_pre_exit+0x1ff/0x420 net/devlink/core.c:558
 ops_pre_exit_list net/core/net_namespace.c:161 [inline]
 ops_undo_list+0x187/0x940 net/core/net_namespace.c:234
 cleanup_net+0x56e/0x800 net/core/net_namespace.c:702
 process_one_work kernel/workqueue.c:3314 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3397
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3478
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	eb 66                	jmp    0x68
   2:	85 db                	test   %ebx,%ebx
   4:	74 3e                	je     0x44
   6:	83 fb 01             	cmp    $0x1,%ebx
   9:	75 4c                	jne    0x57
   b:	e8 4b 36 23 fd       	call   0xfd23365b
  10:	48 8d 3d 14 85 f1 0a 	lea    0xaf18514(%rip),%rdi        # 0xaf1852b
  17:	67 48 0f b9 3a       	ud1    (%edx),%rdi
  1c:	eb 4a                	jmp    0x68
  1e:	e8 38 36 23 fd       	call   0xfd23365b
  23:	48 8d 3d 11 85 f1 0a 	lea    0xaf18511(%rip),%rdi        # 0xaf1853b
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	eb 37                	jmp    0x68
  31:	e8 25 36 23 fd       	call   0xfd23365b
  36:	48 8d 3d 0e 85 f1 0a 	lea    0xaf1850e(%rip),%rdi        # 0xaf1854b
  3d:	67                   	addr32
  3e:	48                   	rex.W
  3f:	0f                   	.byte 0xf

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/06/02 16:16 upstream 6f3ed7fec72f 62fe1528 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs WARNING: refcount bug in nsim_fib_event_nb
2026/05/17 12:52 upstream 6916d5703ddf de5aae85 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs WARNING: refcount bug in nsim_fib_event_nb
2026/04/23 18:24 upstream 2e6803928193 4c3406dc .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-selinux-root WARNING: refcount bug in nsim_fib_event_nb
2026/04/16 17:00 upstream 1d51b370a0f8 321ae225 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root WARNING: refcount bug in nsim_fib_event_nb
2026/04/15 02:16 upstream 508fed679541 e2e976a8 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs WARNING: refcount bug in nsim_fib_event_nb
2026/03/23 23:14 upstream c369299895a5 4933dba2 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-fs WARNING: refcount bug in nsim_fib_event_nb
2026/03/07 19:39 upstream 4ae12d8bd9a8 5cb44a80 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-badwrites-root WARNING: refcount bug in nsim_fib_event_nb
2026/05/22 11:50 upstream 6779b50faa56 e16cf9f3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-386 WARNING: refcount bug in nsim_fib_event_nb
2026/05/21 13:00 bpf 49b18315be4e e195359d .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-bpf-kasan-gce WARNING: refcount bug in nsim_fib_event_nb
* Struck through repros no longer work on HEAD.