Message-ID: <20250327234607.2bc4aaea@yea>
Date: Thu, 27 Mar 2025 23:46:07 +0100
From: Erhard Furtner <erhard_f@...lbox.org>
To: linux-nfs@...r.kernel.org
Cc: linux-kernel@...r.kernel.org
Subject: 'refcount_t: addition on 0; use-after-free.' and 'refcount_t: underflow; use-after-free.' at fetching files via nfs (Talos II, kernel 6.13.8)

Greetings!

Noticed that nfs reported 'refcount_t: addition on 0; use-after-free.' and 'refcount_t: underflow; use-after-free.' after some hours of building packages on my Talos II. It fetches the source tarballs from my other system via a shared nfs 4 partition.

[...]
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 33 PID: 50221 at lib/refcount.c:25 refcount_warn_saturate+0x194/0x230
Modules linked in: md5 md5_ppc sha512_generic cmac cifs cifs_arc4 nls_ucs2_utils cifs_md4 rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc af_packet input_leds evdev cfg80211 rfkill hid_generic usbhid hid radeon xhci_pci drm_suballoc_helper xhci_hcd i2c_algo_bit backlight drm_ttm_helper ctr ofpart ttm xts cbc aes_generic libaes usbcore powernv_flash vmx_crypto drm_display_helper gf128mul ibmpowernv mtd at24 usb_common hwmon regmap_i2c opal_prd zram powernv_cpufreq loop fuse dm_mod configfs
CPU: 33 UID: 250 PID: 50221 Comm: emerge Tainted: G                T  6.13.8-gentoo-P9 #1
Tainted: [T]=RANDSTRUCT
Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
NIP:  c000000000818de4 LR: c000000000818de0 CTR: 0000000000000000
REGS: c0000000c5d4b770 TRAP: 0700   Tainted: G                T   (6.13.8-gentoo-P9)
MSR:  900000000082b032 <SF,HV,VSX,EE,FP,ME,IR,DR,RI>  CR: 44044222  XER: 0000000a
CFAR: c000000000134398 IRQMASK: 0 
GPR00: c000000000818de0 c0000000c5d4ba10 c00000000112f100 000000000000002a 
GPR04: 00000000fffeffff c0000000c5d4b7b8 c0000000c5d4b7b0 00000007fd0b8000 
GPR08: 0000000000000027 c0000007ff1bc210 0000000000000001 0000000044044222 
GPR12: c0002007fae88228 c0000007fffe9600 ffffffffffffffff 0000000000000001 
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38 
GPR20: 00003fff8ed79c40 00003fff8eb92840 00003fff8ed79c48 00000000000000a7 
GPR24: 00003fff8ea50f20 00003fffcd0853b8 0000000000000001 c000000581df4878 
GPR28: c000000021935088 c0000000cbb2f7a0 c0000004c0c374e8 c0000000cbb2f740 
NIP [c000000000818de4] refcount_warn_saturate+0x194/0x230
LR [c000000000818de0] refcount_warn_saturate+0x190/0x230
Call Trace:
[c0000000c5d4ba10] [c000000000818de0] refcount_warn_saturate+0x190/0x230 (unreliable)
[c0000000c5d4ba70] [c00800000e1ec578] nfs_start_delegation_return_locked+0x140/0x160 [nfsv4]
[c0000000c5d4bab0] [c00800000e1ee20c] nfs4_inode_return_delegation+0x24/0xf0 [nfsv4]
[c0000000c5d4bae0] [c00800000c9ad088] nfs_complete_unlink+0x80/0x250 [nfs]
[c0000000c5d4bb30] [c00800000c9955bc] nfs_dentry_iput+0x54/0xe0 [nfs]
[c0000000c5d4bb60] [c000000000488a98] dentry_unlink_inode+0xe8/0x1e0
[c0000000c5d4bb90] [c0000000004898f0] __dentry_kill+0xb0/0x280
[c0000000c5d4bbd0] [c000000000489bf8] dput+0x138/0x290
[c0000000c5d4bc10] [c00000000045efe0] __fput+0x170/0x3c0
[c0000000c5d4bc60] [c000000000458c28] sys_close+0x48/0xa0
[c0000000c5d4bc90] [c000000000029204] system_call_exception+0x1a4/0x370
[c0000000c5d4be50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
--- interrupt: 3000 at 0x3fff8e4f8ac0
NIP:  00003fff8e4f8ac0 LR: 00003fff8e4f8ac0 CTR: 0000000000000000
REGS: c0000000c5d4be80 TRAP: 3000   Tainted: G                T   (6.13.8-gentoo-P9)
MSR:  900000000000f032 <SF,HV,EE,PR,FP,ME,IR,DR,RI>  CR: 44044822  XER: 00000000
IRQMASK: 0 
GPR00: 0000000000000006 00003fffcd085180 00003fff8e617100 000000000000000e 
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR12: 0000000000000000 00003fff8ed837e0 ffffffffffffffff 0000000000000001 
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38 
GPR20: 00003fff8ed79c40 00003fff8eb92840 00003fff8ed79c48 00000000000000a7 
GPR24: 00003fff8ea50f20 00003fffcd0853b8 0000000000000001 00003fff8ec25f28 
GPR28: 00003fff8ec8eb68 00003fff8ed79be8 00003fff8ec8eb68 000000000000000e 
NIP [00003fff8e4f8ac0] 0x3fff8e4f8ac0
LR [00003fff8e4f8ac0] 0x3fff8e4f8ac0
--- interrupt: 3000
Code: 8929ae77 2c090000 4082fef4 7c0802a6 3c62ffef 39200001 3d420125 386350c0 992aae77 f8010070 4b91b4dd 60000000 <0fe00000> e8010070 7c0803a6 4bfffec0 
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 33 PID: 50221 at lib/refcount.c:28 refcount_warn_saturate+0x214/0x230
Modules linked in: md5 md5_ppc sha512_generic cmac cifs cifs_arc4 nls_ucs2_utils cifs_md4 rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc af_packet input_leds evdev cfg80211 rfkill hid_generic usbhid hid radeon xhci_pci drm_suballoc_helper xhci_hcd i2c_algo_bit backlight drm_ttm_helper ctr ofpart ttm xts cbc aes_generic libaes usbcore powernv_flash vmx_crypto drm_display_helper gf128mul ibmpowernv mtd at24 usb_common hwmon regmap_i2c opal_prd zram powernv_cpufreq loop fuse dm_mod configfs
CPU: 33 UID: 250 PID: 50221 Comm: emerge Tainted: G        W       T  6.13.8-gentoo-P9 #1
Tainted: [W]=WARN, [T]=RANDSTRUCT
Hardware name: T2P9D01 REV 1.01 POWER9 0x4e1202 opal:skiboot-bc106a0 PowerNV
NIP:  c000000000818e64 LR: c000000000818e60 CTR: 0000000000000000
REGS: c0000000c5d4b710 TRAP: 0700   Tainted: G        W       T   (6.13.8-gentoo-P9)
MSR:  900000000082b032 <SF,HV,VSX,EE,FP,ME,IR,DR,RI>  CR: 44044222  XER: 0000000a
CFAR: c000000000134398 IRQMASK: 0 
GPR00: c000000000818e60 c0000000c5d4b9b0 c00000000112f100 0000000000000026 
GPR04: 00000000fffeffff c0000000c5d4b758 c0000000c5d4b750 00000007fd0b8000 
GPR08: 0000000000000027 c0000007ff1bc210 0000000000000001 0000000044044222 
GPR12: c0002007fae88228 c0000007fffe9600 ffffffffffffffff 0000000000000001 
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38 
GPR20: 00003fff8ed79c40 00003fff8eb92840 0000000000000001 c00000008ea94000 
GPR24: c0000004c0c376e0 c0000000cbb2f740 0000000000000001 c000000581df4878 
GPR28: 0000000000000000 c00000000dc75600 c0000004c0c376e0 c000000581df4878 
NIP [c000000000818e64] refcount_warn_saturate+0x214/0x230
LR [c000000000818e60] refcount_warn_saturate+0x210/0x230
Call Trace:
[c0000000c5d4b9b0] [c000000000818e60] refcount_warn_saturate+0x210/0x230 (unreliable)
[c0000000c5d4ba10] [c00800000e1ec660] nfs_put_delegation+0xc8/0x120 [nfsv4]
[c0000000c5d4ba40] [c00800000e1ecb60] nfs_end_delegation_return+0x198/0x450 [nfsv4]
[c0000000c5d4bae0] [c00800000c9ad088] nfs_complete_unlink+0x80/0x250 [nfs]
[c0000000c5d4bb30] [c00800000c9955bc] nfs_dentry_iput+0x54/0xe0 [nfs]
[c0000000c5d4bb60] [c000000000488a98] dentry_unlink_inode+0xe8/0x1e0
[c0000000c5d4bb90] [c0000000004898f0] __dentry_kill+0xb0/0x280
[c0000000c5d4bbd0] [c000000000489bf8] dput+0x138/0x290
[c0000000c5d4bc10] [c00000000045efe0] __fput+0x170/0x3c0
[c0000000c5d4bc60] [c000000000458c28] sys_close+0x48/0xa0
[c0000000c5d4bc90] [c000000000029204] system_call_exception+0x1a4/0x370
[c0000000c5d4be50] [c00000000000c270] system_call_vectored_common+0xf0/0x280
--- interrupt: 3000 at 0x3fff8e4f8ac0
NIP:  00003fff8e4f8ac0 LR: 00003fff8e4f8ac0 CTR: 0000000000000000
REGS: c0000000c5d4be80 TRAP: 3000   Tainted: G        W       T   (6.13.8-gentoo-P9)
MSR:  900000000000f032 <SF,HV,EE,PR,FP,ME,IR,DR,RI>  CR: 44044822  XER: 00000000
IRQMASK: 0 
GPR00: 0000000000000006 00003fffcd085180 00003fff8e617100 000000000000000e 
GPR04: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR08: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
GPR12: 0000000000000000 00003fff8ed837e0 ffffffffffffffff 0000000000000001 
GPR16: 00003fff8ed79c40 0000000000000000 00003fff8ddf4bd0 00003fff8ed79c38 
GPR20: 00003fff8ed79c40 00003fff8eb92840 00003fff8ed79c48 00000000000000a7 
GPR24: 00003fff8ea50f20 00003fffcd0853b8 0000000000000001 00003fff8ec25f28 
GPR28: 00003fff8ec8eb68 00003fff8ed79be8 00003fff8ec8eb68 000000000000000e 
NIP [00003fff8e4f8ac0] 0x3fff8e4f8ac0
LR [00003fff8e4f8ac0] 0x3fff8e4f8ac0
--- interrupt: 3000
Code: 4bfffe7c 60000000 60000000 7c0802a6 3c62ffef 39200001 3d420125 386350f0 992aae78 f8010070 4b91b45d 60000000 <0fe00000> e8010070 7c0803a6 4bfffe40 
---[ end trace 0000000000000000 ]---


Apart from the dmesg output the machine kept running with seemingly no side effects.

Kernel .config attached.

Regards,
Erhard
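As an added illustration (not part of Erhard's report and not code from the kernel tree), a single-threaded userspace model of the saturating refcount_t semantics behind the two warnings in the trace: the first fires when a reference is taken on a counter that has already reached 0 (lib/refcount.c:25), the second when a reference is dropped past 0 (lib/refcount.c:28), and both park the counter at REFCOUNT_SATURATED so it can never reach zero again and trigger a second free, which is why such warnings usually leave the machine running even though the stale access they flag has already happened. The REFCOUNT_* names and message strings follow the kernel; the replay scenario is a constructed call pattern for demonstration, not a diagnosis of the nfs delegation code.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
/* Single-threaded userspace model of the kernel's refcount_t (include/linux/refcount.h,
 * lib/refcount.c), written for this note; it is not the kernel's code and has no atomics. */
#define REFCOUNT_SATURATED (INT_MIN / 2)
enum refcount_saturation_type { REFCOUNT_ADD_UAF, REFCOUNT_ADD_OVF, REFCOUNT_SUB_UAF };
typedef struct { int refs; } refcount_t;
static int warn_count;     /* the kernel uses WARN_ONCE; every hit is counted here */
static int last_type = -1; /* which REFCOUNT_* case fired last */
/* Park the counter at REFCOUNT_SATURATED so no later get or put can reach zero again:
 * the object leaks instead of being freed twice, which is why the machine kept running. */
static void refcount_warn_saturate(refcount_t *r, enum refcount_saturation_type t)
{
    static const char *msg[] = { "refcount_t: addition on 0; use-after-free.",
                                 "refcount_t: saturated; leaking memory.",
                                 "refcount_t: underflow; use-after-free." };
    r->refs = REFCOUNT_SATURATED;
    warn_count++;
    last_type = t;
    fprintf(stderr, "%s\n", msg[t]);
}
/* A get on a count of 0 means the object may already be freed (lib/refcount.c:25). */
static void refcount_inc(refcount_t *r)
{
    int old = r->refs++;
    if (old == 0)
        refcount_warn_saturate(r, REFCOUNT_ADD_UAF);
    else if (old < 0 || old + 1 < 0)
        refcount_warn_saturate(r, REFCOUNT_ADD_OVF);
}
/* True exactly once, on the final put; a put past zero is the underflow (lib/refcount.c:28). */
static bool refcount_dec_and_test(refcount_t *r)
{
    int old = r->refs--;
    if (old == 1)
        return true;
    if (old <= 0)
        refcount_warn_saturate(r, REFCOUNT_SUB_UAF);
    return false;
}
/* Constructed replay of the trace's pattern: the last put frees, a stale get fires
 * "addition on 0", and the put that balances it fires "underflow". Returns the final count. */
static int replay_trace_pattern(void)
{
    refcount_t r = { 1 };
    if (!refcount_dec_and_test(&r)) return -1;  /* legitimate last put: object freed */
    refcount_inc(&r);                           /* stale get on the freed object */
    if (refcount_dec_and_test(&r)) return -2;   /* saturated: never reports "last" again */
    return r.refs;                              /* REFCOUNT_SATURATED, warn_count == 2 */
}
```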

