Several kmemleak reports + "refcount_t: underflow; use-after-free" at boot when OF_UNITTEST + OF_OVERLAY is set (Kernel v6.6-rc6, PowerMac G5 11,2)

Erhard Furtner erhard_f at mailbox.org
Thu Oct 19 08:38:15 AEDT 2023


Greetings!

Getting this at every boot on my G5 with kernel v6.6-rc6 with OF_UNITTEST and OF_OVERLAY selected:

[...]
### dt-test ### EXPECT \ : OF: ERROR: of_node_release() detected bad of_node_put() on /testcase-data/refcount-node
### dt-test ### pass of_unittest_lifecycle():3189
OF: ERROR: of_node_release() detected bad of_node_put() on /testcase-data/refcount-node
### dt-test ### EXPECT / : OF: ERROR: of_node_release() detected bad of_node_put() on /testcase-data/refcount-node
### dt-test ### EXPECT \ : ------------[ cut here ]------------
### dt-test ### EXPECT \ : WARNING: <<all>>
### dt-test ### EXPECT \ : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT \ : ---[ end trace <<int>> ]---
### dt-test ### pass of_unittest_lifecycle():3209
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x224/0x240
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Tainted: G                TN  6.6.0-rc6-PMacG5-dirty #4
Hardware name: PowerMac11,2 PPC970MP 0x440101 PowerMac
NIP:  c000000000936f44 LR: c000000000936f40 CTR: 0000000000000000
REGS: c0000000052e3730 TRAP: 0700   Tainted: G                TN  (6.6.0-rc6-PMacG5-dirty)
MSR:  9000000000029032 <SF,HV,EE,ME,IR,DR,RI>  CR: 24004242  XER: 000fffff
IRQMASK: 0 
GPR00: 0000000000000000 c0000000052e39d0 c000000001484a00 0000000000000000 
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR12: 0000000000000000 c00000000ffff700 0000000000000001 c00000000333c680 
GPR16: c000000002387228 fffffffffefefefe 0000000000000009 0000000000000000 
GPR20: 568d08990571b6b7 c00000000333c648 c0000000023fc360 d40980fcad19a643 
GPR24: c000000003344a00 c00000000139d770 c00000000114fc80 c00000000903b6d8 
GPR28: c000000001150c70 c00000000333c680 a86e8023071db365 c00000000903b758 
NIP [c000000000936f44] refcount_warn_saturate+0x224/0x240
LR [c000000000936f40] refcount_warn_saturate+0x220/0x240
Call Trace:
[c0000000052e39d0] [c000000000936f40] refcount_warn_saturate+0x220/0x240 (unreliable)
[c0000000052e3a30] [c000000001057c40] kobject_put+0x180/0x240
[c0000000052e3ab0] [c000000000d25978] of_node_put+0x28/0x50
[c0000000052e3ad0] [c00000000209fd90] of_unittest+0x3e4c/0x54e0
[c0000000052e3c60] [c00000000000e688] do_one_initcall+0x98/0x4b0
[c0000000052e3d40] [c000000002005e04] kernel_init_freeable+0x5a0/0x6e0
[c0000000052e3df0] [c00000000000efc8] kernel_init+0x28/0x1a0
[c0000000052e3e50] [c00000000000bf94] ret_from_kernel_user_thread+0x14/0x1c
--- interrupt: 0 at 0x0
NIP:  0000000000000000 LR: 0000000000000000 CTR: 0000000000000000
REGS: c0000000052e3e80 TRAP: 0000   Tainted: G                TN
(6.6.0-rc6-PMacG5-dirty) MSR:  0000000000000000 <>  CR: 00000000  XER: 00000000
IRQMASK: 0 
GPR00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR12: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR24: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR28: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
NIP [0000000000000000] 0x0
LR [0000000000000000] 0x0
--- interrupt: 0
Code: 4bfffe6c 60000000 60000000 7c0802a6 3c62ffee 39200001 3d4200fa 3863c3f8 f8010070 992ad949 4b79ce7d 60000000 <0fe00000> e8010070 7c0803a6 4bfffe30
irq event stamp: 482352
hardirqs last  enabled at (482351): [<c00000000019b4b8>] console_unlock+0x218/0x2a0
hardirqs last disabled at (482352): [<c000000000021fc4>] interrupt_enter_prepare+0x64/0x220
softirqs last  enabled at (482346): [<c00000000109d6ac>] __do_softirq+0x54c/0x5bc
softirqs last disabled at (482341): [<c000000000013ec8>] do_softirq_own_stack+0x38/0x80
---[ end trace 0000000000000000 ]---
### dt-test ### EXPECT / : ---[ end trace <<int>> ]---
### dt-test ### EXPECT / : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT / : WARNING: <<all>>
### dt-test ### EXPECT / : ------------[ cut here ]------------
### dt-test ### EXPECT_NOT \ : ------------[ cut here ]------------
### dt-test ### EXPECT_NOT \ : WARNING: <<all>>
### dt-test ### EXPECT_NOT \ : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT_NOT \ : ---[ end trace <<int>> ]---
### dt-test ### pass of_unittest_lifecycle():3226
### dt-test ### EXPECT_NOT / : ---[ end trace <<int>> ]---
### dt-test ### EXPECT_NOT / : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT_NOT / : WARNING: <<all>>
### dt-test ### EXPECT_NOT / : ------------[ cut here ]------------
### dt-test ### pass of_unittest_lifecycle():3252
### dt-test ### pass of_unittest_lifecycle():3253
### dt-test ### pass of_unittest_pci_node():3953
### dt-test ### pass of_unittest_pci_node():3958
### dt-test ### FAIL of_unittest_pci_node():3970 No test PCI device been found. Please run QEMU with '-device pci-testdev'
### dt-test ### pass of_unittest_pci_node():3972
### dt-test ### pass of_unittest_check_tree_linkage():271
### dt-test ### pass of_unittest_check_tree_linkage():272
[...]

Also kmemleak lists several leaks which might be connected to the issue:
unreferenced object 0xc000000009050c90 (size 16):
  comm "swapper/0", pid 1, jiffies 4294879883 (age 790.054s)
  hex dump (first 16 bytes):
    65 6c 65 63 74 72 69 63 5f 31 00 6b 6b 6b 6b a5  electric_1.kkkk.
  backtrace:
    [<c0000000003d6840>] __kmalloc_node_track_caller+0x70/0x330
    [<c0000000003c0260>] kstrdup+0x50/0xc0
    [<c000000000d252a4>] safe_name+0xb4/0x110
    [<c000000000d253f0>] __of_add_property_sysfs+0xc0/0x1a0
    [<c000000000d1bfa8>] __of_add_property+0x148/0x1b0
    [<c0000000020a0c7c>] of_unittest+0x4d38/0x54e0
    [<c00000000000e688>] do_one_initcall+0x98/0x4b0
    [<c000000002005e04>] kernel_init_freeable+0x5a0/0x6e0
    [<c00000000000efc8>] kernel_init+0x28/0x1a0
    [<c00000000000bf94>] ret_from_kernel_user_thread+0x14/0x1c

Kernel dmesg, .config and kmemleak output attached.

Regards,
Erhard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kmemleak_66-rc6_g5
Type: application/octet-stream
Size: 6084 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20231018/926dd700/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dmesg_66-rc6_g5_01
Type: application/octet-stream
Size: 98436 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20231018/926dd700/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config_66-rc6_G5-v2
Type: application/octet-stream
Size: 117194 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20231018/926dd700/attachment-0005.obj>