The following warning is seen when a CPU is hot unplugged on a PowerKVM guest:
refcount_t: underflow; use-after-free.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 53 at lib/refcount.c:128 refcount_sub_and_test+0xd8/0xf0
Modules linked in:
CPU: 0 PID: 53 Comm: kworker/u510:1 Not tainted 4.11.0-rc1 #3
Workqueue: pseries hotplug workque pseries_hp_work_fn
task: c0000000fb475000 task.stack: c0000000fb81c000
NIP: c0000000006f0808 LR: c0000000006f0804 CTR: c0000000007b98c0
REGS: c0000000fb81f710 TRAP: 0700 Not tainted (4.11.0-rc1)
MSR: 800000000282b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 48002222 XER: 20000000
CFAR: c000000000c438e0 SOFTE: 1
GPR00: c0000000006f0804 c0000000fb81f990 c000000001573b00 0000000000000026
GPR04: 0000000000000000 000000000000016c 667265652e0d0a73 652d61667465722d
GPR08: 0000000000000007 0000000000000007 0000000000000001 0000000000000006
GPR12: 0000000000002200 c00000000ff40000 c00000000010c578 c0000001f11b9f40
GPR16: c0000001fe0312a8 c0000001fe031078 c0000001fe031020 0000000000000001
GPR20: 0000000000000000 0000000000000000 c000000001454808 fffffffffffffef7
GPR24: 0000000000000000 c0000001f1677648 0000000000000000 0000000000000000
GPR28: 0000000010000008 c000000000e4d3d8 0000000000000000 c0000001eaae07d8
NIP [c0000000006f0808] refcount_sub_and_test+0xd8/0xf0
LR [c0000000006f0804] refcount_sub_and_test+0xd4/0xf0
Call Trace:
[c0000000fb81f990] [c0000000006f0804] refcount_sub_and_test+0xd4/0xf0 (unreliable)
[c0000000fb81f9f0] [c0000000006d04b4] kobject_put+0x44/0x2a0
[c0000000fb81fa70] [c0000000009d5284] of_node_put+0x34/0x50
[c0000000fb81faa0] [c0000000000aceb8] dlpar_cpu_remove_by_index+0x108/0x130
[c0000000fb81fb30] [c0000000000ae128] dlpar_cpu+0x78/0x550
[c0000000fb81fbe0] [c0000000000a7b40] handle_dlpar_errorlog+0xc0/0x160
[c0000000fb81fc50] [c0000000000a7c74] pseries_hp_work_fn+0x94/0xa0
[c0000000fb81fc80] [c000000000102cec] process_one_work+0x23c/0x540
[c0000000fb81fd20] [c00000000010309c] worker_thread+0xac/0x620
[c0000000fb81fdc0] [c00000000010c6c4] kthread+0x154/0x1a0
[c0000000fb81fe30] [c00000000000bbe0] ret_from_kernel_thread+0x5c/0x7c

Fix this by ensuring that of_node_put() is called only from the error path in dlpar_cpu_remove_by_index(). In the normal path, of_node_put() happens as part of dlpar_detach_node().

Signed-off-by: Bharata B Rao <bhar...@linux.vnet.ibm.com>
Cc: Nathan Fontenot <nf...@linux.vnet.ibm.com>
---
arch/powerpc/platforms/pseries/hotplug-cpu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c index 7bc0e91..b5eff35 100644 --- a/arch/powerpc/platforms/pseries/hotplug-cpu.c +++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c @@ -619,7 +619,8 @@ static int dlpar_cpu_remove_by_index(u32 drc_index) } rc = dlpar_cpu_remove(dn, drc_index); - of_node_put(dn); + if (rc) + of_node_put(dn); return rc; } -- 2.7.4
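Review bot: the new `if (rc)` guard around `of_node_put(dn)` makes ownership of the device-node reference depend on dlpar_cpu_remove()'s return value, and nothing at the call site records that contract; a one-line comment above the guard stating that on success the reference is dropped inside dlpar_detach_node() would stop a later reader from restoring the unconditional put that caused the underflow in the trace. It is also worth confirming that no failure return from dlpar_cpu_remove() can happen after dlpar_detach_node() has already run, since such a path would put the node twice again and reproduce the same refcount_t underflow via of_node_put() in dlpar_cpu_remove_by_index().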