[syzbot] [fuse?] WARNING: refcount bug in process_one_work

[syzbot] [fuse?] WARNING: refcount bug in process_one_work

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    ced1b9e0392d Merge tag 'ata-6.17-rc1' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12219034580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=52c12ce9080f644c
dashboard link: https://syzkaller.appspot.com/bug?extid=a638ae70fa7b6a1353b4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15e784a2580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=154d94a2580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-ced1b9e0.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/c709b0d9538c/vmlinux-ced1b9e0.xz
kernel image: https://storage.googleapis.com/syzbot-assets/129af0799fa3/bzImage-ced1b9e0.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a638ae70fa7b6a1353b4@syzkaller.appspotmail.com

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 3 PID: 34 at lib/refcount.c:28 refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Modules linked in:
CPU: 3 UID: 0 PID: 34 Comm: kworker/3:0 Not tainted 6.16.0-syzkaller-00857-gced1b9e0392d #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: md_misc mddev_delayed_delete
RIP: 0010:refcount_warn_saturate+0x14a/0x210 lib/refcount.c:28
Code: ff 89 de e8 d8 7f da fc 84 db 0f 85 66 ff ff ff e8 eb 84 da fc c6 05 19 50 b0 0b 01 90 48 c7 c7 e0 6a 15 8c e8 d7 8b 99 fc 90 <0f> 0b 90 90 e9 43 ff ff ff e8 c8 84 da fc 0f b6 1d f4 4f b0 0b 31
RSP: 0018:ffffc900006dfc10 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817b01b8
RDX: ffff88801eaac880 RSI: ffffffff817b01c5 RDI: 0000000000000001
RBP: ffff88802a5f4130 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88802a5f4134
R13: dffffc0000000000 R14: ffff88802a5f4130 R15: ffffc900006dfd10
FS:  0000000000000000(0000) GS:ffff8880d69f9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f43c9dddd58 CR3: 0000000032cdc000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 __refcount_sub_and_test include/linux/refcount.h:400 [inline]
 __refcount_dec_and_test include/linux/refcount.h:432 [inline]
 refcount_dec_and_test include/linux/refcount.h:450 [inline]
 kref_put include/linux/kref.h:64 [inline]
 kobject_put+0x230/0x5a0 lib/kobject.c:737
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c5/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: Re: [syzbot] [fuse?] WARNING: refcount bug in process_one_work

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: Re: [syzbot] [fuse?] WARNING: refcount bug in process_one_work
Author: penguin-kernel@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/md/md.c b/drivers/md/md.c
index ac85ec73a409..2362397b0808 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -646,6 +646,15 @@ static void __mddev_put(struct mddev *mddev)
 	 * Call queue_work inside the spinlock so that flush_workqueue() after
 	 * mddev_find will succeed in waiting for the work to be done.
 	 */
+	{
+		const int ref = refcount_read(&mddev->kobj.kref.refcount);
+
+		pr_warn("%s %s (%px) %d\n", __func__, mddev->kobj.name, &mddev->kobj, ref);
+		if (!ref)
+			BUG();
+		else
+			dump_stack();
+	}
 	queue_work(md_misc_wq, &mddev->del_work);
 }
 
diff --git a/lib/kobject.c b/lib/kobject.c
index abe5f5b856ce..028909882389 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -641,6 +641,13 @@ struct kobject *kobject_get(struct kobject *kobj)
 				"kobject: '%s' (%p): is not initialized, yet kobject_get() is being called.\n",
 			     kobject_name(kobj), kobj);
 		kref_get(&kobj->kref);
+		if (kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+		    kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+			const int ref = refcount_read(&kobj->kref.refcount);
+
+			pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref - 1, ref);
+			dump_stack();
+		}
 	}
 	return kobj;
 }
@@ -652,6 +659,13 @@ struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj)
 		return NULL;
 	if (!kref_get_unless_zero(&kobj->kref))
 		kobj = NULL;
+	if (kobj && kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+	    kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+		const int ref = refcount_read(&kobj->kref.refcount);
+
+		pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref - 1, ref);
+		dump_stack();
+	}
 	return kobj;
 }
 EXPORT_SYMBOL(kobject_get_unless_zero);
@@ -734,6 +748,13 @@ void kobject_put(struct kobject *kobj)
 			WARN(1, KERN_WARNING
 				"kobject: '%s' (%p): is not initialized, yet kobject_put() is being called.\n",
 			     kobject_name(kobj), kobj);
+		if (kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+		    kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+			const int ref = refcount_read(&kobj->kref.refcount);
+
+			pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref, ref - 1);
+			dump_stack();
+		}
 		kref_put(&kobj->kref, kobject_release);
 	}
 }

Re: [syzbot] [fuse?] WARNING: refcount bug in process_one_work

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+a638ae70fa7b6a1353b4@syzkaller.appspotmail.com
Tested-by: syzbot+a638ae70fa7b6a1353b4@syzkaller.appspotmail.com

Tested on:

commit:         c30a1353 Merge tag 'bpf-fixes' of git://git.kernel.org..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11aef1a2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e163e02b14cf5481
dashboard link: https://syzkaller.appspot.com/bug?extid=a638ae70fa7b6a1353b4
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14075434580000

Note: testing is done by a robot and is best-effort only.