Several kmemleak reports + "refcount_t: underflow; use-after-free" at boot when OF_UNITTEST + OF_OVERLAY is set (Kernel v6.6-rc6, PowerMac G5 11,2)

Erhard Furtner erhard_f at mailbox.org
Mon Oct 30 02:40:39 AEDT 2023


On Wed, 18 Oct 2023 23:38:15 +0200
Erhard Furtner <erhard_f at mailbox.org> wrote:

Same "refcount_t: underflow; use-after-free." on my Talos II running kernel v6.6-rc7:

[...]
### dt-test ### EXPECT \ : OF: ERROR: of_node_release() detected bad of_node_put() on /testcase-data/refcount-node
### dt-test ### pass of_unittest_lifecycle():3189
OF: ERROR: of_node_release() detected bad of_node_put() on /testcase-data/refcount-node
### dt-test ### EXPECT / : OF: ERROR: of_node_release() detected bad of_node_put() on /testcase-data/refcount-node
### dt-test ### EXPECT \ : ------------[ cut here ]------------
### dt-test ### EXPECT \ : WARNING: <<all>>
### dt-test ### EXPECT \ : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT \ : ---[ end trace <<int>> ]---
### dt-test ### pass of_unittest_lifecycle():3209
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 4 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x244/0x350
Modules linked in:
CPU: 4 PID: 1 Comm: swapper/0 Tainted: G                TN 6.6.0-rc7-P9 #2
Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
NIP:  c0000000008eef84 LR: c0000000008eef80 CTR: 0000000000000000
REGS: c000000005b5f6c0 TRAP: 0700   Tainted: G                TN  (6.6.0-rc7-P9)
MSR:  9000000000029032 <SF,HV,EE,ME,IR,DR,RI>  CR: 24004222  XER: 00000000
CFAR: c000000000174bec IRQMASK: 0 
GPR00: 0000000000000000 c000000005b5f960 c0000000012e8100 0000000000000000 
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR12: 0000000000000000 c0000007fbfdc800 c000000002654360 4897f1cbffabee15 
GPR16: fa42cb6276761cd2 c0000000024b8ca8 7b950b248472c291 fffffffffefefefe 
GPR20: 0000000000000000 0000000000000009 c000000002654338 c0000000be49a040 
GPR24: c0000000025387e0 c000000001213460 c000000002658100 c00000000109d430 
GPR28: c00000000109e468 c000000002654360 a2e5ce93b6aae676 0000000000000000 
NIP [c0000000008eef84] refcount_warn_saturate+0x244/0x350
LR [c0000000008eef80] refcount_warn_saturate+0x240/0x350
Call Trace:
[c000000005b5f960] [c0000000008eef80] refcount_warn_saturate+0x240/0x350 (unreliable)
[c000000005b5f9d0] [c000000000faa1a0] kobject_put+0x180/0x240
[c000000005b5fa50] [c000000000cddee8] of_node_put+0x28/0x50
[c000000005b5fa70] [c0000000020c87b8] of_unittest+0x3bd4/0x5194
[c000000005b5fc10] [c00000000000ec60] do_one_initcall+0x90/0x3b0
[c000000005b5fcf0] [c000000002006400] kernel_init_freeable+0x570/0x6a0
[c000000005b5fde0] [c00000000000f27c] kernel_init+0x2c/0x1d0
[c000000005b5fe50] [c00000000000d014] ret_from_kernel_user_thread+0x14/0x1c
--- interrupt: 0 at 0x0
NIP:  0000000000000000 LR: 0000000000000000 CTR: 0000000000000000
REGS: c000000005b5fe80 TRAP: 0000   Tainted: G                TN  (6.6.0-rc7-P9)
MSR:  0000000000000000 <>  CR: 00000000  XER: 00000000
CFAR: 0000000000000000 IRQMASK: 0 
GPR00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR12: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR24: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR28: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
NIP [0000000000000000] 0x0
LR [0000000000000000] 0x0
--- interrupt: 0
Code: e8010080 7c0803a6 4bfffe50 7c0802a6 3c62ffef 39200001 3d420127 38637b20 992a2a6a f8010080 4b885b6d 60000000 <0fe00000> e8010080 7c0803a6 4bfffe1c 
---[ end trace 0000000000000000 ]---
### dt-test ### EXPECT / : ---[ end trace <<int>> ]---
### dt-test ### EXPECT / : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT / : WARNING: <<all>>
### dt-test ### EXPECT / : ------------[ cut here ]------------
### dt-test ### EXPECT_NOT \ : ------------[ cut here ]------------
### dt-test ### EXPECT_NOT \ : WARNING: <<all>>
### dt-test ### EXPECT_NOT \ : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT_NOT \ : ---[ end trace <<int>> ]---
### dt-test ### pass of_unittest_lifecycle():3226
### dt-test ### EXPECT_NOT / : ---[ end trace <<int>> ]---
### dt-test ### EXPECT_NOT / : refcount_t: underflow; use-after-free.
### dt-test ### EXPECT_NOT / : WARNING: <<all>>
### dt-test ### EXPECT_NOT / : ------------[ cut here ]------------
 
Kernel dmesg and .config attached.

Regards,
Erhard
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dmesg_66-rc7_p9.txt
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20231029/da83e1da/attachment-0001.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config_66-rc7_p9
Type: application/octet-stream
Size: 123879 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20231029/da83e1da/attachment-0001.obj>
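The WARNING in the trace above comes out of lib/refcount.c (refcount_warn_saturate, reached from kobject_put -> of_node_put -> of_unittest). The kernel's refcount_t does not let a counter drop below zero silently: a decrement that starts from 0 (or from an already negative value) is detected, the counter is pinned to a saturation value, and the "underflow; use-after-free" line is printed, since the object whose count reached zero has already been released. The "### dt-test ### EXPECT \" and "EXPECT /" lines in the log bracket the window in which the lifecycle unittest announces this output. The following is an added example, not the kernel's code and not part of the report: a small user-space C model of that saturating behaviour, replaying one correct put followed by one put too many on a node with a single reference. The names rc_node, rc_put, rc_dec_and_test and demo_double_put are this example's own; RC_SATURATED copies the value of the kernel's REFCOUNT_SATURATED (INT_MIN / 2), and the release step only records the event instead of freeing the object so the counter can still be inspected afterwards.

```c
/*
 * Added example (not kernel code, not from the report): a user-space model
 * of the saturating refcount_t logic behind
 * "refcount_t: underflow; use-after-free."
 * rc_node, rc_put, rc_dec_and_test, demo_double_put are this example's own
 * names; RC_SATURATED mirrors the kernel's REFCOUNT_SATURATED (INT_MIN / 2).
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define RC_SATURATED (INT_MIN / 2)

enum rc_event { RC_OK = 0, RC_RELEASED = 1, RC_UNDERFLOW = 2 };

struct rc_node {
	int refs;      /* stands in for refcount_t (atomic in the kernel) */
	int released;  /* how many times the "release" step ran */
};

struct demo_result {
	int first;       /* rc_event of the first put */
	int second;      /* rc_event of the second put */
	int refs_after;  /* counter value after the bad put */
	int released;    /* release count: must be exactly 1 */
};

static struct rc_node *rc_node_new(void)
{
	struct rc_node *n = calloc(1, sizeof(*n));

	if (!n)
		abort();
	n->refs = 1;   /* the creator holds the initial reference */
	return n;
}

/* Models refcount_warn_saturate(): pin the counter first, then warn. */
static void rc_warn_saturate(struct rc_node *n, const char *msg)
{
	n->refs = RC_SATURATED;
	fprintf(stderr, "refcount_t: %s.\n", msg);
}

/*
 * Models refcount_dec_and_test() single-threaded. Returns true only when
 * the caller dropped the last reference. A decrement from 0, or from an
 * already-saturated negative value, is an underflow: it is reported via
 * *underflow and the counter is saturated so repeated bad puts can never
 * wrap the count back to a value that looks live.
 */
static bool rc_dec_and_test(struct rc_node *n, bool *underflow)
{
	int old = n->refs;

	n->refs = old - 1;   /* the fetch-and-sub */
	*underflow = false;
	if (old == 1)
		return true;
	if (old < 0 || old - 1 < 0) {
		rc_warn_saturate(n, "underflow; use-after-free");
		*underflow = true;
	}
	return false;
}

/*
 * Models kobject_put() reaching the release callback. The kernel would
 * free the node here (of_node_release); this model only records the event,
 * because freeing it would make the second put a real use-after-free.
 */
static enum rc_event rc_put(struct rc_node *n)
{
	bool underflow;

	if (rc_dec_and_test(n, &underflow)) {
		n->released++;
		return RC_RELEASED;
	}
	return underflow ? RC_UNDERFLOW : RC_OK;
}

/* One correct put followed by one put too many, as in the trace. */
static struct demo_result demo_double_put(void)
{
	struct rc_node *n = rc_node_new();
	struct demo_result r;

	r.first = rc_put(n);        /* 1 -> 0: last reference, released */
	r.second = rc_put(n);       /* 0 -> -1: underflow, counter saturated */
	r.refs_after = n->refs;     /* RC_SATURATED */
	r.released = n->released;   /* 1, never 2 */
	free(n);
	return r;
}

int main(void)
{
	struct demo_result r = demo_double_put();

	printf("first put released: %s, second put underflowed: %s, "
	       "refs now %d, released %d time(s)\n",
	       r.first == RC_RELEASED ? "yes" : "no",
	       r.second == RC_UNDERFLOW ? "yes" : "no",
	       r.refs_after, r.released);
	return 0;
}
```

The point of the saturation step is visible in the second put: the counter is not left at -1, where a later get/put pair could bring it back to a plausible value, but pinned far away from any legitimate count, so the object stays poisoned and every further bad put is also reported. The release count staying at 1 is the property the kernel warning protects; without the check a second put would run the release callback a second time on freed memory.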