Subject: [BUG] qrtr: refcount saturation in qrtr_bind() leads to panic_on_warn

[WangzXD0325@xxxxxxxxxxx]

Hello,

I am reporting a refcount-related WARN_ON() triggered in the QRTR
(AF_QIPCRTR) subsystem, which leads to a kernel panic when
panic_on_warn is enabled. The issue was observed during syzkaller-style
fuzz testing.

=== Summary ===
The kernel triggers a refcount saturation warning:

  refcount_t: saturated; leaking memory.

at:
  lib/refcount.c:22
  refcount_warn_saturate()

The warning is triggered during initialization of the QRTR protocol
family. With panic_on_warn enabled, this results in a kernel panic.

=== Environment ===
Kernel: 6.18.0 (locally built)
Config: PREEMPT(none), panic_on_warn=1
Arch: x86_64
Hardware: QEMU Standard PC (i440FX + PIIX)
Workload: syzkaller (syz-executor)
Modules: qrtr (loaded via modprobe)

=== Triggering context ===
The warning is triggered during module initialization of the QRTR
protocol, in process context while loading the qrtr module:

  modprobe
  do_init_module
  load_module
  do_one_initcall
  qrtr_proto_init
  qrtr_ns_init
  kernel_bind
  qrtr_bind
  __qrtr_bind

=== Warning details ===
The kernel reports:

  WARNING: refcount_t: saturated; leaking memory.
  WARNING: CPU: 0 PID: 556 at lib/refcount.c:22
           refcount_warn_saturate+0x94/0x170

RIP points directly at refcount_warn_saturate():

  RIP: refcount_warn_saturate+0x94/0x170

The warning is followed by a kernel panic due to panic_on_warn=1.

=== Call trace ===
  refcount_warn_saturate
  __refcount_add
  __refcount_inc
  refcount_inc
  sock_hold
  qrtr_port_assign
  __qrtr_bind
  qrtr_bind
  kernel_bind
  qrtr_ns_init
  qrtr_proto_init
  do_one_initcall
  do_init_module
  load_module
  __x64_sys_finit_module

=== Observations ===
The refcount saturation occurs in sock_hold() while assigning a QRTR
port during bind, suggesting that the socket refcount may already be
in an invalid or saturated state.

This indicates a possible refcount imbalance in the QRTR socket
lifecycle, such as:
- refcount_inc() being called on an already-saturated refcount,
- missing refcount_dec() on an error or teardown path, or
- repeated binding or namespace initialization without proper cleanup.

The issue is reliably detected by syzkaller, although no minimized
standalone reproducer is currently available.

=== Reproducer ===
No standalone reproducer is available.
The issue was observed during syzkaller-style fuzzing.

=== Expected behavior ===
Initializing or binding QRTR sockets should not trigger refcount
saturation warnings, even under malformed or adversarial userspace
inputs.

=== Actual behavior ===
A refcount saturation WARN_ON() is triggered in refcount_warn_saturate(),
and the kernel panics when panic_on_warn is enabled.

=== Notes ===
Additional logs, full kernel configuration, or syzkaller artifacts
can be provided if needed.

Reported-by:
Zhi Wang