'refcount_t: addition on 0; use-after-free.' and 'refcount_t: underflow; use-after-free.' at fetching files via nfs (Talos II, kernel 6.13.8)

From: Erhard Furtner
Date: Thu Mar 27 2025 - 18:48:29 EST


Greetings!

Noticed nfs 'refcount_t: addition on 0; use-after-free.' and 'refcount_t: underflow; use-after-free.' warnings after some hours of building packages on my Talos II. It fetches the source tarballs from my other system via a shared NFS 4 partition.

[...]
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 33 PID: 50221 at lib/refcount.c:25 refcount_warn_saturate+0x194/0x230
Modules linked in: md5 md5_ppc sha512_generic cmac cifs cifs_arc4 nls_ucs2_utils cifs_md4 rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc af_packet input_leds evdev cfg80211 rfkill hid_generic usbhid hid radeon xhci_pci drm_suballoc_helper xhci_hcd i2c_algo_bit backlight drm_ttm_helper ctr ofpart ttm xts cbc aes_generic libaes usbcore powernv_flash vmx_crypto drm_display_helper gf128mul ibmpowernv mtd at24 usb_common hwmon regmap_i2c opal_prd zram powernv_cpufreq loop fuse dm_mod configfs
CPU: 33 UID: 250 PID: 50221 Comm: emerge Tainted: G T 6.13.8-gentoo-P9 #1
Tainted: [T]=RANDSTRUCT
Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
NIP: c000000000818de4 LR: c000000000818de0 CTR: 0000000000000000
REGS: c0000000c5d4b770 TRAP: 0700 Tainted: G T (6.13.8-gentoo-P9)
MSR: 900000000082b032 <SF,HV,VSX,EE,FP,ME,IR,DR,RI> CR: 44044222 XER: 0000000a
CFAR: c000000000134398 IRQMASK: 0
GPR00: c000000000818de0 c0000000c5d4ba10 c00000000112f100 000000000000002a
GPR04: 00000000fffeffff c0000000c5d4b7b8 c0000000c5d4b7b0 00000007fd0b8000
GPR08: 0000000000000027 c0000007ff1bc210 0000000000000001 0000000044044222
GPR12: c0002007fae88228 c0000007fffe9600 ffffffffffffffff 0000000000000001
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38
GPR20: 00003fff8ed79c40 00003fff8eb92840 00003fff8ed79c48 00000000000000a7
GPR24: 00003fff8ea50f20 00003fffcd0853b8 0000000000000001 c000000581df4878
GPR28: c000000021935088 c0000000cbb2f7a0 c0000004c0c374e8 c0000000cbb2f740
NIP [c000000000818de4] refcount_warn_saturate+0x194/0x230
LR [c000000000818de0] refcount_warn_saturate+0x190/0x230
Call Trace:
[c0000000c5d4ba10] [c000000000818de0] refcount_warn_saturate+0x190/0x230 (unreliable)
[c0000000c5d4ba70] [c00800000e1ec578] nfs_start_delegation_return_locked+0x140/0x160 [nfsv4]
[c0000000c5d4bab0] [c00800000e1ee20c] nfs4_inode_return_delegation+0x24/0xf0 [nfsv4]
[c0000000c5d4bae0] [c00800000c9ad088] nfs_complete_unlink+0x80/0x250 [nfs]
[c0000000c5d4bb30] [c00800000c9955bc] nfs_dentry_iput+0x54/0xe0 [nfs]
[c0000000c5d4bb60] [c000000000488a98] dentry_unlink_inode+0xe8/0x1e0
[c0000000c5d4bb90] [c0000000004898f0] __dentry_kill+0xb0/0x280
[c0000000c5d4bbd0] [c000000000489bf8] dput+0x138/0x290
[c0000000c5d4bc10] [c00000000045efe0] __fput+0x170/0x3c0
[c0000000c5d4bc60] [c000000000458c28] sys_close+0x48/0xa0
[c0000000c5d4bc90] [c000000000029204] system_call_exception+0x1a4/0x370
[c0000000c5d4be50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
--- interrupt: 3000 at 0x3fff8e4f8ac0
NIP: 00003fff8e4f8ac0 LR: 00003fff8e4f8ac0 CTR: 0000000000000000
REGS: c0000000c5d4be80 TRAP: 3000 Tainted: G T (6.13.8-gentoo-P9)
MSR: 900000000000f032 <SF,HV,EE,PR,FP,ME,IR,DR,RI> CR: 44044822 XER: 00000000
IRQMASK: 0
GPR00: 0000000000000006 00003fffcd085180 00003fff8e617100 000000000000000e
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000000000 00003fff8ed837e0 ffffffffffffffff 0000000000000001
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38
GPR20: 00003fff8ed79c40 00003fff8eb92840 00003fff8ed79c48 00000000000000a7
GPR24: 00003fff8ea50f20 00003fffcd0853b8 0000000000000001 00003fff8ec25f28
GPR28: 00003fff8ec8eb68 00003fff8ed79be8 00003fff8ec8eb68 000000000000000e
NIP [00003fff8e4f8ac0] 0x3fff8e4f8ac0
LR [00003fff8e4f8ac0] 0x3fff8e4f8ac0
--- interrupt: 3000
Code: 8929ae77 2c090000 4082fef4 7c0802a6 3c62ffef 39200001 3d420125 386350c0 992aae77 f8010070 4b91b4dd 60000000 <0fe00000> e8010070 7c0803a6 4bfffec0
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 33 PID: 50221 at lib/refcount.c:28 refcount_warn_saturate+0x214/0x230
Modules linked in: md5 md5_ppc sha512_generic cmac cifs cifs_arc4 nls_ucs2_utils cifs_md4 rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc af_packet input_leds evdev cfg80211 rfkill hid_generic usbhid hid radeon xhci_pci drm_suballoc_helper xhci_hcd i2c_algo_bit backlight drm_ttm_helper ctr ofpart ttm xts cbc aes_generic libaes usbcore powernv_flash vmx_crypto drm_display_helper gf128mul ibmpowernv mtd at24 usb_common hwmon regmap_i2c opal_prd zram powernv_cpufreq loop fuse dm_mod configfs
CPU: 33 UID: 250 PID: 50221 Comm: emerge Tainted: G W T 6.13.8-gentoo-P9 #1
Tainted: [W]=WARN, [T]=RANDSTRUCT
Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
NIP: c000000000818e64 LR: c000000000818e60 CTR: 0000000000000000
REGS: c0000000c5d4b710 TRAP: 0700 Tainted: G W T (6.13.8-gentoo-P9)
MSR: 900000000082b032 <SF,HV,VSX,EE,FP,ME,IR,DR,RI> CR: 44044222 XER: 0000000a
CFAR: c000000000134398 IRQMASK: 0
GPR00: c000000000818e60 c0000000c5d4b9b0 c00000000112f100 0000000000000026
GPR04: 00000000fffeffff c0000000c5d4b758 c0000000c5d4b750 00000007fd0b8000
GPR08: 0000000000000027 c0000007ff1bc210 0000000000000001 0000000044044222
GPR12: c0002007fae88228 c0000007fffe9600 ffffffffffffffff 0000000000000001
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38
GPR20: 00003fff8ed79c40 00003fff8eb92840 0000000000000001 c00000008ea94000
GPR24: c0000004c0c376e0 c0000000cbb2f740 0000000000000001 c000000581df4878
GPR28: 0000000000000000 c00000000dc75600 c0000004c0c376e0 c000000581df4878
NIP [c000000000818e64] refcount_warn_saturate+0x214/0x230
LR [c000000000818e60] refcount_warn_saturate+0x210/0x230
Call Trace:
[c0000000c5d4b9b0] [c000000000818e60] refcount_warn_saturate+0x210/0x230 (unreliable)
[c0000000c5d4ba10] [c00800000e1ec660] nfs_put_delegation+0xc8/0x120 [nfsv4]
[c0000000c5d4ba40] [c00800000e1ecb60] nfs_end_delegation_return+0x198/0x450 [nfsv4]
[c0000000c5d4bae0] [c00800000c9ad088] nfs_complete_unlink+0x80/0x250 [nfs]
[c0000000c5d4bb30] [c00800000c9955bc] nfs_dentry_iput+0x54/0xe0 [nfs]
[c0000000c5d4bb60] [c000000000488a98] dentry_unlink_inode+0xe8/0x1e0
[c0000000c5d4bb90] [c0000000004898f0] __dentry_kill+0xb0/0x280
[c0000000c5d4bbd0] [c000000000489bf8] dput+0x138/0x290
[c0000000c5d4bc10] [c00000000045efe0] __fput+0x170/0x3c0
[c0000000c5d4bc60] [c000000000458c28] sys_close+0x48/0xa0
[c0000000c5d4bc90] [c000000000029204] system_call_exception+0x1a4/0x370
[c0000000c5d4be50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
--- interrupt: 3000 at 0x3fff8e4f8ac0
NIP: 00003fff8e4f8ac0 LR: 00003fff8e4f8ac0 CTR: 0000000000000000
REGS: c0000000c5d4be80 TRAP: 3000 Tainted: G W T (6.13.8-gentoo-P9)
MSR: 900000000000f032 <SF,HV,EE,PR,FP,ME,IR,DR,RI> CR: 44044822 XER: 00000000
IRQMASK: 0
GPR00: 0000000000000006 00003fffcd085180 00003fff8e617100 000000000000000e
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR12: 0000000000000000 00003fff8ed837e0 ffffffffffffffff 0000000000000001
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38
GPR20: 00003fff8ed79c40 00003fff8eb92840 00003fff8ed79c48 00000000000000a7
GPR24: 00003fff8ea50f20 00003fffcd0853b8 0000000000000001 00003fff8ec25f28
GPR28: 00003fff8ec8eb68 00003fff8ed79be8 00003fff8ec8eb68 000000000000000e
NIP [00003fff8e4f8ac0] 0x3fff8e4f8ac0
LR [00003fff8e4f8ac0] 0x3fff8e4f8ac0
--- interrupt: 3000
Code: 4bfffe7c 60000000 60000000 7c0802a6 3c62ffef 39200001 3d420125 386350f0 992aae78 f8010070 4b91b45d 60000000 <0fe00000> e8010070 7c0803a6 4bfffe40
---[ end trace 0000000000000000 ]---


Apart from the dmesg output the machine kept running with seemingly no side effects.

Kernel .config attached.

Regards,
Erhard

Attachment: config_6138_p9
Description: Binary data