| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <KL1PR03MB88003FA66C7BFA4BD7F392D7A184A@KL1PR03MB8800.apcprd03.prod.outlook.com> Date: Wed, 7 Jan 2026 05:35:29 +0000 From: "WangzXD0325@...look.com" <WangzXD0325@...look.com> To: "netdev@...r.kernel.org" <netdev@...r.kernel.org> CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "syzkaller-bugs@...glegroups.com" <syzkaller-bugs@...glegroups.com>, "davem@...emloft.net" <davem@...emloft.net>, "edumazet@...gle.com" <edumazet@...gle.com>, "kuba@...nel.org" <kuba@...nel.org>, "pabeni@...hat.com" <pabeni@...hat.com> Subject: Subject: [BUG] qrtr: refcount saturation in qrtr_bind() leads to panic_on_warn Hello, I am reporting a refcount-related WARN_ON() triggered in the QRTR (AF_QIPCRTR) subsystem, which leads to a kernel panic when panic_on_warn is enabled. The issue was observed during syzkaller-style fuzz testing. === Summary === The kernel triggers a refcount saturation warning: refcount_t: saturated; leaking memory. at: lib/refcount.c:22 refcount_warn_saturate() The warning is triggered during initialization of the QRTR protocol family. With panic_on_warn enabled, this results in a kernel panic. === Environment === Kernel: 6.18.0 (locally built) Config: PREEMPT(none), panic_on_warn=1 Arch: x86_64 Hardware: QEMU Standard PC (i440FX + PIIX) Workload: syzkaller (syz-executor) Modules: qrtr (loaded via modprobe) === Triggering context === The warning is triggered during module initialization of the QRTR protocol, in process context while loading the qrtr module: modprobe do_init_module load_module do_one_initcall qrtr_proto_init qrtr_ns_init kernel_bind qrtr_bind __qrtr_bind === Warning details === The kernel reports: WARNING: refcount_t: saturated; leaking memory. WARNING: CPU: 0 PID: 556 at lib/refcount.c:22 refcount_warn_saturate+0x94/0x170 RIP points directly at refcount_warn_saturate(): RIP: refcount_warn_saturate+0x94/0x170 The warning is followed by a kernel panic due to panic_on_warn=1. === Call trace === refcount_warn_saturate __refcount_add __refcount_inc refcount_inc sock_hold qrtr_port_assign __qrtr_bind qrtr_bind kernel_bind qrtr_ns_init qrtr_proto_init do_one_initcall do_init_module load_module __x64_sys_finit_module === Observations === The refcount saturation occurs in sock_hold() while assigning a QRTR port during bind, suggesting that the socket refcount may already be in an invalid or saturated state. This indicates a possible refcount imbalance in the QRTR socket lifecycle, such as: - refcount_inc() being called on an already-saturated refcount, - missing refcount_dec() on an error or teardown path, or - repeated binding or namespace initialization without proper cleanup. The issue is reliably detected by syzkaller, although no minimized standalone reproducer is currently available. === Reproducer === No standalone reproducer is available. The issue was observed during syzkaller-style fuzzing. === Expected behavior === Initializing or binding QRTR sockets should not trigger refcount saturation warnings, even under malformed or adversarial userspace inputs. === Actual behavior === A refcount saturation WARN_ON() is triggered in refcount_warn_saturate(), and the kernel panics when panic_on_warn is enabled. === Notes === Additional logs, full kernel configuration, or syzkaller artifacts can be provided if needed. Reported-by: Zhi Wang
Powered by blists - more mailing lists