assert "refs > NUM" failed in kern_synch.c

syzbot

Sep 9, 2025, 3:41:33 PM
to syzkaller-o...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 3efab2192dd6 Log optional NOTIFICATION data for UPDATE err..
git tree: openbsd
console output: https://syzkaller.appspot.com/x/log.txt?x=15673562580000
kernel config: https://syzkaller.appspot.com/x/.config?x=7058272de1526588
dashboard link: https://syzkaller.appspot.com/bug?extid=e0d831b30701aaff71bd

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/649aa4d4b15b/disk-3efab219.raw.xz
bsd.gdb: https://storage.googleapis.com/syzbot-assets/d9357c07ce5e/bsd-3efab219.gdb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5a72c6119dbe/kernel-3efab219.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e0d831...@syzkaller.appspotmail.com

panic: kernel diagnostic assertion "refs > 1" failed: file "/syzkaller/managers/multicore/kernel/sys/kern/kern_synch.c", line 918
Starting stack trace...
panic(ffffffff8336e21b) at panic+0x1d0 sys/kern/subr_prf.c:229
__assert(ffffffff833aedf1,ffffffff833bf11c,396,ffffffff8337ac28) at __assert+0x29 sys/kern/subr_prf.c:-1
refcnt_take(fffffd806456cef8) at refcnt_take+0x109 sys/kern/kern_synch.c:919
rtable_walk(0,18,ffff80002a3260b8,ffffffff82b396a0,0) at rtable_walk+0x156 sys/net/rtable.c:749
ip6_mrouter_done(ffff800010fd0028) at ip6_mrouter_done+0x115 sys/netinet6/ip6_mroute.c:572
rip6_detach(ffff800010fd0028) at rip6_detach+0x82 sys/netinet6/raw_ip6.c:633
soclose(ffff800010fd0028,80) at soclose+0xb0 pru_detach sys/sys/protosw.h:280 [inline]
soclose(ffff800010fd0028,80) at soclose+0xb0 sys/kern/uipc_socket.c:402
soo_close(fffffd806bdb9ca0,ffff80003c4187e8) at soo_close+0x56 sys/kern/sys_socket.c:-1
fdrop(fffffd806bdb9ca0,ffff80003c4187e8) at fdrop+0x121 sys/kern/kern_descrip.c:1280
closef(fffffd806bdb9ca0,ffff80003c4187e8) at closef+0x192 sys/kern/kern_descrip.c:1264
fdfree(ffff80003c4187e8) at fdfree+0x116 sys/kern/kern_descrip.c:1195
exit1(ffff80003c4187e8,0,0,1) at exit1+0x576 sys/kern/kern_exit.c:215
sys_exit(ffff80003c4187e8,ffff80002a326590,ffff80002a3264e0) at sys_exit+0x1a sys/kern/kern_exit.c:-1
syscall(ffff80002a326590) at syscall+0xb17 mi_syscall sys/sys/syscall_mi.h:176 [inline]
syscall(ffff80002a326590) at syscall+0xb17 sys/arch/amd64/amd64/trap.c:746
Xsyscall() at Xsyscall+0x128
end of kernel
end trace frame: 0x782d04d19d10, count: 242
End of stack trace.


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup