lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <68974dba.050a0220.51d73.007c.GAE@google.com>
Date: Sat, 09 Aug 2025 06:31:38 -0700
From: syzbot <syzbot+a638ae70fa7b6a1353b4@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Forwarded: Re: [syzbot] [fuse?] WARNING: refcount bug in process_one_work

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com.

***

Subject: Re: [syzbot] [fuse?] WARNING: refcount bug in process_one_work
Author: penguin-kernel@...ove.sakura.ne.jp

#syz test

diff --git a/drivers/md/md.c b/drivers/md/md.c
index ac85ec73a409..2362397b0808 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -646,6 +646,15 @@ static void __mddev_put(struct mddev *mddev)
 	 * Call queue_work inside the spinlock so that flush_workqueue() after
 	 * mddev_find will succeed in waiting for the work to be done.
 	 */
+	{
+		const int ref = refcount_read(&mddev->kobj.kref.refcount);
+
+		pr_warn("%s %s (%px) %d\n", __func__, mddev->kobj.name, &mddev->kobj, ref);
+		if (!ref)
+			BUG();
+		else
+			dump_stack();
+	}
 	queue_work(md_misc_wq, &mddev->del_work);
 }
 
diff --git a/lib/kobject.c b/lib/kobject.c
index abe5f5b856ce..028909882389 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -641,6 +641,13 @@ struct kobject *kobject_get(struct kobject *kobj)
 				"kobject: '%s' (%p): is not initialized, yet kobject_get() is being called.\n",
 			     kobject_name(kobj), kobj);
 		kref_get(&kobj->kref);
+		if (kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+		    kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+			const int ref = refcount_read(&kobj->kref.refcount);
+
+			pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref - 1, ref);
+			dump_stack();
+		}
 	}
 	return kobj;
 }
@@ -652,6 +659,13 @@ struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj)
 		return NULL;
 	if (!kref_get_unless_zero(&kobj->kref))
 		kobj = NULL;
+	if (kobj && kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+	    kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+		const int ref = refcount_read(&kobj->kref.refcount);
+
+		pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref - 1, ref);
+		dump_stack();
+	}
 	return kobj;
 }
 EXPORT_SYMBOL(kobject_get_unless_zero);
@@ -734,6 +748,13 @@ void kobject_put(struct kobject *kobj)
 			WARN(1, KERN_WARNING
 				"kobject: '%s' (%p): is not initialized, yet kobject_put() is being called.\n",
 			     kobject_name(kobj), kobj);
+		if (kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+		    kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+			const int ref = refcount_read(&kobj->kref.refcount);
+
+			pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref, ref - 1);
+			dump_stack();
+		}
 		kref_put(&kobj->kref, kobject_release);
 	}
 }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ