Forwarded: Re: [syzbot] [fuse?] WARNING: refcount bug in process_one_work
From: syzbot
Date: Sat Aug 09 2025 - 09:31:48 EST
For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.
***
Subject: Re: [syzbot] [fuse?] WARNING: refcount bug in process_one_work
Author: penguin-kernel@xxxxxxxxxxxxxxxxxxx
#syz test
diff --git a/drivers/md/md.c b/drivers/md/md.c
index ac85ec73a409..2362397b0808 100644
--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -646,6 +646,15 @@ static void __mddev_put(struct mddev *mddev)
* Call queue_work inside the spinlock so that flush_workqueue() after
* mddev_find will succeed in waiting for the work to be done.
*/
+ {
+ const int ref = refcount_read(&mddev->kobj.kref.refcount);
+
+ pr_warn("%s %s (%px) %d\n", __func__, mddev->kobj.name, &mddev->kobj, ref);
+ if (!ref)
+ BUG();
+ else
+ dump_stack();
+ }
queue_work(md_misc_wq, &mddev->del_work);
}
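Review bot: The `pr_warn()` added to `__mddev_put()` formats `&mddev->kobj` with `%px`, which writes the unhashed kernel address to the log, so anyone who can read dmesg learns a raw kernel address. The three `pr_warn()` calls added in lib/kobject.c (`kobject_get`, `kobject_get_unless_zero`, `kobject_put`) do the same. `%p` is hashed consistently within a boot, which is still enough to correlate the get/put lines for one object: `pr_warn("%s %s (%p) %d\n", __func__, mddev->kobj.name, &mddev->kobj, ref);`. Separately, `if (!ref) BUG();` sits on a path the context comment describes as inside the spinlock, so if this instrumentation outlives the syzbot test run, `WARN_ON_ONCE(!ref)` would report the same condition without halting the machine. The body of `__mddev_put()` starts outside the hunk.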
diff --git a/lib/kobject.c b/lib/kobject.c
index abe5f5b856ce..028909882389 100644
--- a/lib/kobject.c
+++ b/lib/kobject.c
@@ -641,6 +641,13 @@ struct kobject *kobject_get(struct kobject *kobj)
"kobject: '%s' (%p): is not initialized, yet kobject_get() is being called.\n",
kobject_name(kobj), kobj);
kref_get(&kobj->kref);
+ if (kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+ kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+ const int ref = refcount_read(&kobj->kref.refcount);
+
+ pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref - 1, ref);
+ dump_stack();
+ }
}
return kobj;
}
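Review bot: The `%d->%d` transition logged in `kobject_get()` is reconstructed from a separate `refcount_read()` issued after `kref_get()`, so with a concurrent get or put on the same kobject the printed `ref - 1` and `ref` need not be the values this call actually moved between. The same holds for the blocks added in `kobject_get_unless_zero()` and in `kobject_put()`, where the read precedes `kref_put()`. Since the output will be used to reason about a refcount bug, I would add a comment above the read such as `/* debug only: racy snapshot, not necessarily the value this call changed */`, or print only the single observed value as the md.c hunk does. The start of `kobject_get()` is outside the hunk.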
@@ -652,6 +659,13 @@ struct kobject * __must_check kobject_get_unless_zero(struct kobject *kobj)
return NULL;
if (!kref_get_unless_zero(&kobj->kref))
kobj = NULL;
+ if (kobj && kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+ kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+ const int ref = refcount_read(&kobj->kref.refcount);
+
+ pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref - 1, ref);
+ dump_stack();
+ }
return kobj;
}
EXPORT_SYMBOL(kobject_get_unless_zero);
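Review bot: A failed `kref_get_unless_zero()` leaves no trace in `kobject_get_unless_zero()`, because `kobj` is set to NULL before the new `if (kobj && ...)` block and the block is then skipped. For a refcount investigation, an attempt to take a reference on an object whose count is already zero is arguably the most useful event to record. One option is to log it before the pointer is cleared, e.g. `pr_warn("%s (%p) refcount already zero\n", __func__, kobj);` ahead of `kobj = NULL;`, with braces added to that `if`. That line prints only the pointer and does not read `kobj->name`, since the object may already be on its way to release. It is not restricted to md devices, so it may need rate limiting if such failures turn out to be common.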
@@ -734,6 +748,13 @@ void kobject_put(struct kobject *kobj)
WARN(1, KERN_WARNING
"kobject: '%s' (%p): is not initialized, yet kobject_put() is being called.\n",
kobject_name(kobj), kobj);
+ if (kobj->name && kobj->name[0] == 'm' && kobj->name[1] == 'd' &&
+ kobj->name[2] >= '0' && kobj->name[2] <= '9') {
+ const int ref = refcount_read(&kobj->kref.refcount);
+
+ pr_warn("%s %s (%px) %d->%d\n", __func__, kobj->name, kobj, ref, ref - 1);
+ dump_stack();
+ }
kref_put(&kobj->kref, kobject_release);
}
}