[PATCH v2 0/2] of: Fix interrupt-map for fw_devlink

[PATCH v2 0/2] of: Fix interrupt-map for fw_devlink

[Rob Herring (Arm)]

The duplicated parsing continued to bother me, so I've refactored things 
to avoid that for parsing the interrupt parent and args in the 
interrupt-map.

It passes testing with unittests on QEMU virt platform, but I don't 
think that catches the problematic cases. So please test.

v1: https://lore.kernel.org/all/20240528164132.2451685-1-maz@kernel.org/
 - Refactor existing interrupt-map parsing code and use it for 
   fw_devlink

Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
---
Marc Zyngier (1):
      of: property: Fix fw_devlink handling of interrupt-map

Rob Herring (Arm) (1):
      of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()

 drivers/of/irq.c        | 127 +++++++++++++++++++++++++++++-------------------
 drivers/of/of_private.h |   3 ++
 drivers/of/property.c   |  30 ++++--------
 3 files changed, 89 insertions(+), 71 deletions(-)
---
base-commit: 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0
change-id: 20240529-dt-interrupt-map-fix-a37b9aff5ca0

Best regards,
-- 
Rob Herring (Arm) <robh@kernel.org>

[PATCH v2 1/2] of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()

[Rob Herring (Arm)]

Factor out the parsing of interrupt-map interrupt parent phandle and its
arg cells to a separate function, of_irq_parse_imap_parent(), so that it
can be used in other parsing scenarios (e.g. fw_devlink).

There was a refcount leak on non-matching entries when iterating thru
"interrupt-map" which is fixed.

Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
---
 drivers/of/irq.c        | 127 +++++++++++++++++++++++++++++-------------------
 drivers/of/of_private.h |   3 ++
 2 files changed, 79 insertions(+), 51 deletions(-)

diff --git a/drivers/of/irq.c b/drivers/of/irq.c
index 174900072c18..a7cdb892991e 100644
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -25,6 +25,8 @@
 #include <linux/string.h>
 #include <linux/slab.h>
 
+#include "of_private.h"
+
 /**
  * irq_of_parse_and_map - Parse and map an interrupt into linux virq space
  * @dev: Device node of the device whose interrupt is to be mapped
@@ -96,6 +98,59 @@ static const char * const of_irq_imap_abusers[] = {
 	NULL,
 };
 
+const __be32 *of_irq_parse_imap_parent(const __be32 *imap, int len, struct of_phandle_args *out_irq)
+{
+	u32 intsize, addrsize;
+	struct device_node *np;
+
+	/* Get the interrupt parent */
+	if (of_irq_workarounds & OF_IMAP_NO_PHANDLE)
+		np = of_node_get(of_irq_dflt_pic);
+	else
+		np = of_find_node_by_phandle(be32_to_cpup(imap));
+	imap++;
+
+	/* Check if not found */
+	if (!np) {
+		pr_debug(" -> imap parent not found !\n");
+		return NULL;
+	}
+
+	/* Get #interrupt-cells and #address-cells of new
+		* parent
+		*/
+	if (of_property_read_u32(np, "#interrupt-cells",
+					&intsize)) {
+		pr_debug(" -> parent lacks #interrupt-cells!\n");
+		of_node_put(np);
+		return NULL;
+	}
+	if (of_property_read_u32(np, "#address-cells",
+					&addrsize))
+		addrsize = 0;
+
+	pr_debug(" -> intsize=%d, addrsize=%d\n",
+		intsize, addrsize);
+
+	/* Check for malformed properties */
+	if (WARN_ON(addrsize + intsize > MAX_PHANDLE_ARGS)
+		|| (len < (addrsize + intsize))) {
+		of_node_put(np);
+		return NULL;
+	}
+
+	pr_debug(" -> imaplen=%d\n", len);
+
+	imap += addrsize + intsize;
+
+	out_irq->np = np;
+	for (int i = 0; i < intsize; i++)
+		out_irq->args[i] = be32_to_cpup(imap - intsize + i);
+	out_irq->args_count = intsize;
+
+	return imap;
+}
+
 /**
  * of_irq_parse_raw - Low level interrupt tree parsing
  * @addr:	address specifier (start of "reg" property of the device) in be32 format
@@ -112,12 +167,12 @@ static const char * const of_irq_imap_abusers[] = {
  */
 int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
 {
-	struct device_node *ipar, *tnode, *old = NULL, *newpar = NULL;
+	struct device_node *ipar, *tnode, *old = NULL;
 	__be32 initial_match_array[MAX_PHANDLE_ARGS];
 	const __be32 *match_array = initial_match_array;
-	const __be32 *tmp, *imap, *imask, dummy_imask[] = { [0 ... MAX_PHANDLE_ARGS] = cpu_to_be32(~0) };
-	u32 intsize = 1, addrsize, newintsize = 0, newaddrsize = 0;
-	int imaplen, match, i, rc = -EINVAL;
+	const __be32 *tmp, dummy_imask[] = { [0 ... MAX_PHANDLE_ARGS] = cpu_to_be32(~0) };
+	u32 intsize = 1, addrsize;
+	int i, rc = -EINVAL;
 
 #ifdef DEBUG
 	of_print_phandle_args("of_irq_parse_raw: ", out_irq);
@@ -176,6 +231,9 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
 
 	/* Now start the actual "proper" walk of the interrupt tree */
 	while (ipar != NULL) {
+		int imaplen, match;
+		const __be32 *imap, *oldimap, *imask;
+		struct device_node *newpar;
 		/*
 		 * Now check if cursor is an interrupt-controller and
 		 * if it is then we are done, unless there is an
@@ -216,7 +274,7 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
 
 		/* Parse interrupt-map */
 		match = 0;
-		while (imaplen > (addrsize + intsize + 1) && !match) {
+		while (imaplen > (addrsize + intsize + 1)) {
 			/* Compare specifiers */
 			match = 1;
 			for (i = 0; i < (addrsize + intsize); i++, imaplen--)
@@ -224,48 +282,17 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
 
 			pr_debug(" -> match=%d (imaplen=%d)\n", match, imaplen);
 
-			/* Get the interrupt parent */
-			if (of_irq_workarounds & OF_IMAP_NO_PHANDLE)
-				newpar = of_node_get(of_irq_dflt_pic);
-			else
-				newpar = of_find_node_by_phandle(be32_to_cpup(imap));
-			imap++;
-			--imaplen;
-
-			/* Check if not found */
-			if (newpar == NULL) {
-				pr_debug(" -> imap parent not found !\n");
-				goto fail;
-			}
-
-			if (!of_device_is_available(newpar))
-				match = 0;
-
-			/* Get #interrupt-cells and #address-cells of new
-			 * parent
-			 */
-			if (of_property_read_u32(newpar, "#interrupt-cells",
-						 &newintsize)) {
-				pr_debug(" -> parent lacks #interrupt-cells!\n");
-				goto fail;
-			}
-			if (of_property_read_u32(newpar, "#address-cells",
-						 &newaddrsize))
-				newaddrsize = 0;
-
-			pr_debug(" -> newintsize=%d, newaddrsize=%d\n",
-			    newintsize, newaddrsize);
-
-			/* Check for malformed properties */
-			if (WARN_ON(newaddrsize + newintsize > MAX_PHANDLE_ARGS)
-			    || (imaplen < (newaddrsize + newintsize))) {
-				rc = -EFAULT;
+			oldimap = imap;
+			imap = of_irq_parse_imap_parent(oldimap, imaplen, out_irq);
+			if (!imap)
 				goto fail;
-			}
 
-			imap += newaddrsize + newintsize;
-			imaplen -= newaddrsize + newintsize;
+			match &= of_device_is_available(out_irq->np);
+			if (match)
+				break;
 
+			of_node_put(out_irq->np);
+			imaplen -= imap - oldimap;
 			pr_debug(" -> imaplen=%d\n", imaplen);
 		}
 		if (!match) {
@@ -287,11 +314,11 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
 		 * Successfully parsed an interrupt-map translation; copy new
 		 * interrupt specifier into the out_irq structure
 		 */
-		match_array = imap - newaddrsize - newintsize;
-		for (i = 0; i < newintsize; i++)
-			out_irq->args[i] = be32_to_cpup(imap - newintsize + i);
-		out_irq->args_count = intsize = newintsize;
-		addrsize = newaddrsize;
+		match_array = oldimap + 1;
+
+		newpar = out_irq->np;
+		intsize = out_irq->args_count;
+		addrsize = (imap - match_array) - intsize;
 
 		if (ipar == newpar) {
 			pr_debug("%pOF interrupt-map entry to self\n", ipar);
@@ -300,7 +327,6 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
 
 	skiplevel:
 		/* Iterate again with new parent */
-		out_irq->np = newpar;
 		pr_debug(" -> new parent: %pOF\n", newpar);
 		of_node_put(ipar);
 		ipar = newpar;
@@ -310,7 +336,6 @@ int of_irq_parse_raw(const __be32 *addr, struct of_phandle_args *out_irq)
 
  fail:
 	of_node_put(ipar);
-	of_node_put(newpar);
 
 	return rc;
 }
diff --git a/drivers/of/of_private.h b/drivers/of/of_private.h
index 94fc0aa07af9..04aa2a91f851 100644
--- a/drivers/of/of_private.h
+++ b/drivers/of/of_private.h
@@ -159,6 +159,9 @@ extern void __of_sysfs_remove_bin_file(struct device_node *np,
 extern int of_bus_n_addr_cells(struct device_node *np);
 extern int of_bus_n_size_cells(struct device_node *np);
 
+const __be32 *of_irq_parse_imap_parent(const __be32 *imap, int len,
+				       struct of_phandle_args *out_irq);
+
 struct bus_dma_region;
 #if defined(CONFIG_OF_ADDRESS) && defined(CONFIG_HAS_DMA)
 int of_dma_get_range(struct device_node *np,

-- 
2.43.0

Re: [PATCH v2 1/2] of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()

[Marc Zyngier]

On Wed, 29 May 2024 20:59:20 +0100,
"Rob Herring (Arm)" <robh@kernel.org> wrote:
> 
> Factor out the parsing of interrupt-map interrupt parent phandle and its
> arg cells to a separate function, of_irq_parse_imap_parent(), so that it
> can be used in other parsing scenarios (e.g. fw_devlink).
> 
> There was a refcount leak on non-matching entries when iterating thru
> "interrupt-map" which is fixed.
> 
> Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
> ---
>  drivers/of/irq.c        | 127 +++++++++++++++++++++++++++++-------------------
>  drivers/of/of_private.h |   3 ++
>  2 files changed, 79 insertions(+), 51 deletions(-)
> 
> diff --git a/drivers/of/irq.c b/drivers/of/irq.c
> index 174900072c18..a7cdb892991e 100644
> --- a/drivers/of/irq.c
> +++ b/drivers/of/irq.c
> @@ -25,6 +25,8 @@
>  #include <linux/string.h>
>  #include <linux/slab.h>
>  
> +#include "of_private.h"
> +
>  /**
>   * irq_of_parse_and_map - Parse and map an interrupt into linux virq space
>   * @dev: Device node of the device whose interrupt is to be mapped
> @@ -96,6 +98,59 @@ static const char * const of_irq_imap_abusers[] = {
>  	NULL,
>  };
>  
> +const __be32 *of_irq_parse_imap_parent(const __be32 *imap, int len, struct of_phandle_args *out_irq)
> +{
> +	u32 intsize, addrsize;
> +	struct device_node *np;
> +
> +	/* Get the interrupt parent */
> +	if (of_irq_workarounds & OF_IMAP_NO_PHANDLE)
> +		np = of_node_get(of_irq_dflt_pic);
> +	else
> +		np = of_find_node_by_phandle(be32_to_cpup(imap));
> +	imap++;
> +
> +	/* Check if not found */
> +	if (!np) {
> +		pr_debug(" -> imap parent not found !\n");
> +		return NULL;
> +	}
> +
> +	/* Get #interrupt-cells and #address-cells of new
> +		* parent
> +		*/

nit: funky formatting.

	M.

-- 
Without deviation from the norm, progress is not possible.

[PATCH v2 2/2] of: property: Fix fw_devlink handling of interrupt-map

[Rob Herring (Arm)]

From: Marc Zyngier <maz@kernel.org>

Commit d976c6f4b32c ("of: property: Add fw_devlink support for
interrupt-map property") tried to do what it says on the tin,
but failed on a couple of points:

- it confuses bytes and cells. Not a huge deal, except when it
  comes to pointer arithmetic

- it doesn't really handle anything but interrupt-maps that have
  their parent #address-cells set to 0

The combinations of the two leads to some serious fun on my M1
box, with plenty of WARN-ON() firing all over the shop, and
amusing values being generated for interrupt specifiers.

Having 2 versions of parsing code for "interrupt-map" was a bad
idea. Now that the common parsing parts have been refactored
into of_irq_parse_imap_parent(), rework the code here to use it
instead and fix the pointer arithmetic.

Note that the dependency will be a bit different than the original code
when the interrupt-map points to another interrupt-map. In this case,
the original code would resolve to the final interrupt controller. Now
the dependency is the parent interrupt-map (which itself should have a
dependency to the parent). It is possible that a node with an
interrupt-map has no driver.

Fixes: d976c6f4b32c ("of: property: Add fw_devlink support for interrupt-map property")
Signed-off-by: Marc Zyngier <maz@kernel.org>
Co-developed-by: Rob Herring (Arm) <robh@kernel.org>
Cc: Anup Patel <apatel@ventanamicro.com>
Cc: Saravana Kannan <saravanak@google.com>
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
---
 drivers/of/property.c | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/drivers/of/property.c b/drivers/of/property.c
index 1c83e68f805b..164d77cb9445 100644
--- a/drivers/of/property.c
+++ b/drivers/of/property.c
@@ -1306,10 +1306,10 @@ static struct device_node *parse_interrupts(struct device_node *np,
 static struct device_node *parse_interrupt_map(struct device_node *np,
 					       const char *prop_name, int index)
 {
-	const __be32 *imap, *imap_end, *addr;
+	const __be32 *imap, *imap_end;
 	struct of_phandle_args sup_args;
 	u32 addrcells, intcells;
-	int i, imaplen;
+	int imaplen;
 
 	if (!IS_ENABLED(CONFIG_OF_IRQ))
 		return NULL;
@@ -1322,33 +1322,23 @@ static struct device_node *parse_interrupt_map(struct device_node *np,
 	addrcells = of_bus_n_addr_cells(np);
 
 	imap = of_get_property(np, "interrupt-map", &imaplen);
-	if (!imap || imaplen <= (addrcells + intcells))
+	imaplen /= sizeof(*imap);
+	if (!imap)
 		return NULL;
-	imap_end = imap + imaplen;
 
-	while (imap < imap_end) {
-		addr = imap;
-		imap += addrcells;
+	imap_end = imap + imaplen;
 
-		sup_args.np = np;
-		sup_args.args_count = intcells;
-		for (i = 0; i < intcells; i++)
-			sup_args.args[i] = be32_to_cpu(imap[i]);
-		imap += intcells;
+	for (int i = 0; imap + addrcells + intcells + 1 < imap_end; i++) {
+		imap += addrcells + intcells;
 
-		/*
-		 * Upon success, the function of_irq_parse_raw() returns
-		 * interrupt controller DT node pointer in sup_args.np.
-		 */
-		if (of_irq_parse_raw(addr, &sup_args))
+		imap = of_irq_parse_imap_parent(imap, imap_end - imap, &sup_args);
+		if (!imap)
 			return NULL;
 
-		if (!index)
+		if (i == index)
 			return sup_args.np;
 
 		of_node_put(sup_args.np);
-		imap += sup_args.args_count + 1;
-		index--;
 	}
 
 	return NULL;

-- 
2.43.0

Re: [PATCH v2 0/2] of: Fix interrupt-map for fw_devlink

[Marc Zyngier]

On Wed, 29 May 2024 20:59:19 +0100,
"Rob Herring (Arm)" <robh@kernel.org> wrote:
> 
> The duplicated parsing continued to bother me, so I've refactored things 
> to avoid that for parsing the interrupt parent and args in the 
> interrupt-map.
> 
> It passes testing with unittests on QEMU virt platform, but I don't 
> think that catches the problematic cases. So please test.
> 
> v1: https://lore.kernel.org/all/20240528164132.2451685-1-maz@kernel.org/
>  - Refactor existing interrupt-map parsing code and use it for 
>    fw_devlink
> 
> Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
> ---
> Marc Zyngier (1):
>       of: property: Fix fw_devlink handling of interrupt-map
> 
> Rob Herring (Arm) (1):
>       of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()
> 
>  drivers/of/irq.c        | 127 +++++++++++++++++++++++++++++-------------------
>  drivers/of/of_private.h |   3 ++
>  drivers/of/property.c   |  30 ++++--------
>  3 files changed, 89 insertions(+), 71 deletions(-)

I've just gave it a go on an M1 and as a kvmtool guest, and nothing
caught fire. Must be perfect.

Tested-by: Marc Zyngier <maz@kernel.org>

	M.

-- 
Without deviation from the norm, progress is not possible.

Re: [PATCH v2 0/2] of: Fix interrupt-map for fw_devlink

[Anup Patel]

On Thu, May 30, 2024 at 1:29 AM Rob Herring (Arm) <robh@kernel.org> wrote:
>
> The duplicated parsing continued to bother me, so I've refactored things
> to avoid that for parsing the interrupt parent and args in the
> interrupt-map.
>
> It passes testing with unittests on QEMU virt platform, but I don't
> think that catches the problematic cases. So please test.
>
> v1: https://lore.kernel.org/all/20240528164132.2451685-1-maz@kernel.org/
>  - Refactor existing interrupt-map parsing code and use it for
>    fw_devlink
>
> Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
> ---
> Marc Zyngier (1):
>       of: property: Fix fw_devlink handling of interrupt-map
>
> Rob Herring (Arm) (1):
>       of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()
>
>  drivers/of/irq.c        | 127 +++++++++++++++++++++++++++++-------------------
>  drivers/of/of_private.h |   3 ++
>  drivers/of/property.c   |  30 ++++--------
>  3 files changed, 89 insertions(+), 71 deletions(-)
> ---
> base-commit: 1613e604df0cd359cf2a7fbd9be7a0bcfacfabd0
> change-id: 20240529-dt-interrupt-map-fix-a37b9aff5ca0
>
> Best regards,
> --
> Rob Herring (Arm) <robh@kernel.org>
>

Works well for RISC-V, Thanks!

Tested-by: Anup Patel <apatel@ventanamicro.com>

Regards,
Anup

Re: [PATCH v2 1/2] of/irq: Factor out parsing of interrupt-map parent phandle+args from of_irq_parse_raw()

[WHR]

[-- Attachment #1: Type: text/plain, Size: 1874 bytes --]


Hello Rob.

I'm debugging a device-tree-related issue with latest stable Linux release on
my RISC-V board. After extensive debugging I traced the issue into your recent
patch:

of/irq: Factor out parsing of interrupt-map parent phandle+args from
of_irq_parse_raw()

Specifically this change:

@@ -300,7 +327,6 @@ int of_irq_parse_raw(const __be32 *addr, struct
of_phandle_args *out_irq)
 
 	skiplevel:
 		/* Iterate again with new parent */
-		out_irq->np = newpar;
 		pr_debug(" -> new parent: %pOF\n", newpar);
 		of_node_put(ipar);
 		ipar = newpar;

I couldn't finger out exactly why this line of code was removed, but
apparently under some conditions, this change causes 'out_irq->np' never being
updated to correct node, which is its interrupt parent.

The problematic code flow go through the following code:

		/* No interrupt map, check for an interrupt parent */
			if (imap == NULL) {
			pr_debug(" -> no map, getting parent\n");
			newpar = of_irq_find_parent(ipar);
			goto skiplevel;
		}

after jumping to 'skiplevel', I think 'out_irq->np' is supposed to be updated
to the new parent.

Becasue 'out_irq->np' is never updated in function 'of_irq_parse_raw', and
'out_irq->np' is expected to have its reference count increased after a
successful return from 'of_irq_parse_raw', caller will later calling
'of_node_put' for the wrong 'out_irq->np', corrupting its reference count;
also the reference count for 'newpar' will be leaked.

When populating device tree on bootup, one particular device node of my board
triggered this issue repeatly, eventually causing an underflow of the
reference count of that node.

A fragment of kernel message log is attached showing node 'usbdrd' with
corrupted reference count (I added some pr_debug calls to print the reference
count), and other issues caused by that.

The device tree blob for my board is attached as well.

[-- Attachment #2: kmsg --]
[-- Type: application/octet-stream, Size: 34698 bytes --]

[    2.235812] OF: next: usbdrd, reference count 4
[    2.240791] function: fw_devlink_parse_fwtree(ffffffd9ffdc5fa0)
[    2.247292] ffffffd9ffdc5f88 usbdrd, reference count 4
[    2.252937] parent ffffffd9ffdbddc8 soc, reference count 79
[    2.259069] usbdrd Linked as a fwnode consumer to clock-controller
[    2.265904] usbdrd Linked as a fwnode consumer to reset-controller
[    2.272744] ffffffd9ffdc5f88 usbdrd, reference count 4
[    2.278388] parent ffffffd9ffdbddc8 soc, reference count 79
[    2.284511] OF: ffffffd9ffdc5f88 usbdrd, reference count 4
[    2.290537] OF: of_get_next_available_child: "usbdrd", "usbdrd"
[    2.297038] OF: parent: usbdrd, reference count 4
[    2.302208] OF: parent: usbdrd, reference count 4
[    2.307368] OF: next: usb@10100000, reference count 3
[    2.312918] function: fw_devlink_parse_fwtree(ffffffd9ffdc6700)
[    2.319420] ffffffd9ffdc66e8 usb, reference count 3
[    2.324778] parent ffffffd9ffdc5f88 usbdrd, reference count 4
[    2.331118] usb@10100000 Linked as a fwnode consumer to usbdrd
[    2.337572] ffffffd9ffdc66e8 usb, reference count 3
[    2.342931] parent ffffffd9ffdc5f88 usbdrd, reference count 1
[    2.349244] OF: ffffffd9ffdc66e8 usb, reference count 3
[    2.354984] OF: of_get_next_available_child: "usb", "usb@10100000"
[    2.361772] OF: parentparent: usbdrd, reference count 1
[    2.367513] OF: parent: usb@10100000, reference count 3
[    2.373254] OF: parentparent: usbdrd, reference count 1
[    2.378985] OF: parent: usb@10100000, reference count 3
[    2.384726] OF: ffffffd9ffdc5f88 usbdrd, reference count 1
[    2.390752] OF: of_get_next_available_child: "usbdrd", "usbdrd"
[    2.397253] OF: parent: usbdrd, reference count 1
[    2.402422] OF: parent: usbdrd, reference count 1
[    2.407581] OF: prev: usb@10100000, reference count 3
[    2.413131] OF: of_get_next_available_child: "soc", "soc"
[    2.419061] OF: parent: soc, reference count 79
[    2.424041] OF: parent: soc, reference count 79
[    2.429010] OF: prev: usbdrd, reference count 1
[    2.433977] OF: next: multi-phyctrl@10210000, reference count 3
[    2.440527] OF: of_node_release: usbdrd
[    2.444731] OF: ERROR: Bad of_node_put() on usbdrd
[    2.449986] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.101-rivoreo-starfive #14
[    2.458294] Hardware name: StarFive VisionFive V2 (DT)
[    2.463928] Call Trace:
[    2.466606] [<ffffffff80003db2>] dump_backtrace+0x1c/0x24
[    2.472539] [<ffffffff804c94ee>] show_stack+0x2e/0x38
[    2.478086] [<ffffffff804d3dd8>] dump_stack_lvl+0x3c/0x54
[    2.484013] [<ffffffff804d3e04>] dump_stack+0x14/0x1c
[    2.489557] [<ffffffff804d2610>] of_node_release+0x40/0xf2
[    2.495578] [<ffffffff804b6090>] kobject_put+0x76/0xac
[    2.501220] [<ffffffff803763ae>] of_node_put+0x16/0x20
[    2.506860] [<ffffffff803725fe>] of_get_next_available_child+0x12a/0x152
[    2.514218] [<ffffffff80375430>] of_fwnode_get_next_child_node+0x86/0x9a
[    2.521577] [<ffffffff802c7b0a>] fwnode_get_next_child_node+0x28/0x36
[    2.528652] [<ffffffff802c7c64>] fwnode_get_next_available_child_node+0x1e/0x3a
[    2.536677] [<ffffffff802bebf0>] fw_devlink_parse_fwtree+0x10c/0x130
[    2.543653] [<ffffffff802bf936>] device_add+0x42e/0x562
[    2.549388] [<ffffffff80373b44>] of_device_add+0x22/0x2a
[    2.555219] [<ffffffff80374090>] of_platform_device_create_pdata+0x76/0x9a
[    2.562766] [<ffffffff8037445e>] of_platform_bus_create+0x218/0x288
[    2.569646] [<ffffffff803745c4>] of_platform_populate+0x58/0x90
[    2.576145] [<ffffffff80374614>] of_platform_default_populate+0x18/0x20
[    2.583407] [<ffffffff806246fe>] of_platform_default_populate_init+0xac/0xda
[    2.591149] [<ffffffff80001112>] do_one_initcall+0x5c/0x154
[    2.597264] [<ffffffff806010ca>] kernel_init_freeable+0x21e/0x222
[    2.603953] [<ffffffff804d4358>] kernel_init+0x1e/0x10a
[    2.609689] [<ffffffff800022b8>] ret_from_exception+0x0/0x16
[    2.615915] function: fw_devlink_parse_fwtree(ffffffd9ffdc6b90)
[    2.622429] OF: of_get_next_available_child: "multi-phyctrl", "multi-phyctrl@10210000"
[    2.631125] OF: parent: multi-phyctrl@10210000, reference count 3
[    2.637819] OF: parent: multi-phyctrl@10210000, reference count 3
[    2.644514] OF: of_get_next_available_child: "soc", "soc"
[    2.650444] OF: parent: soc, reference count 78
[    2.655423] OF: parent: soc, reference count 78
[    2.660392] OF: prev: multi-phyctrl@10210000, reference count 3
[    2.666885] OF: next: pcie1-phyctrl@10220000, reference count 3
[    2.673416] clock-controller Linked as a fwnode consumer to osc
[    2.679925] clock-controller Linked as a fwnode consumer to gmac1_rmii_refin
[    2.687674] clock-controller Linked as a fwnode consumer to gmac1_rgmii_rxin
[    2.695423] clock-controller Linked as a fwnode consumer to i2stx_bclk_ext
[    2.702983] clock-controller Linked as a fwnode consumer to i2stx_lrck_ext
[    2.710544] clock-controller Linked as a fwnode consumer to i2srx_bclk_ext
[    2.718105] clock-controller Linked as a fwnode consumer to i2srx_lrck_ext
[    2.725667] clock-controller Linked as a fwnode consumer to tdm_ext
[    2.732562] clock-controller Linked as a fwnode consumer to mclk_ext
[    2.739553] clock-controller Linked as a fwnode consumer to jtag_tck_inner
[    2.747124] clock-controller Linked as a fwnode consumer to bist_apb
[    2.754118] clock-controller Linked as a fwnode consumer to clk_rtc
[    2.761016] clock-controller Linked as a fwnode consumer to gmac0_rmii_refin
[    2.768773] clock-controller Linked as a fwnode consumer to gmac0_rgmii_rxin
[    2.776579] xrp Linked as a fwnode consumer to clock-controller
[    2.783094] xrp Linked as a fwnode consumer to reset-controller
[    2.789666] i2c@12050000 Linked as a fwnode consumer to clock-controller
[    2.797044] i2c@12050000 Linked as a fwnode consumer to reset-controller
[    2.804421] i2c@12050000 Linked as a fwnode consumer to plic@c000000
[    2.811441] i2c@12050000 Linked as a fwnode consumer to i2c5-pins
[    2.818317] i2c@12060000 Linked as a fwnode consumer to clock-controller
[    2.825695] i2c@12060000 Linked as a fwnode consumer to reset-controller
[    2.833072] i2c@12060000 Linked as a fwnode consumer to plic@c000000
[    2.840091] i2c@12060000 Linked as a fwnode consumer to i2c6-pins
[    2.846801] imx219@10 Linked as a fwnode consumer to clk-ext-camera
[    2.853699] imx219@10 Linked as a fwnode consumer to gpio@13040000
[    2.860515] imx219@10 Linked as a fwnode consumer to vin_sysctl@19800000
[    2.867911] imx708@1a Linked as a fwnode consumer to clk-ext-camera
[    2.874805] imx708@1a Linked as a fwnode consumer to gpio@13040000
[    2.881614] imx708@1a Linked as a fwnode consumer to vin_sysctl@19800000
[    2.889006] ov4689@36 Linked as a fwnode consumer to clk-ext-camera
[    2.895915] ov4689@36 Linked as a fwnode consumer to vin_sysctl@19800000
[    2.903313] i2stx_4ch0@120b0000 Linked as a fwnode consumer to clock-controller
[    2.911383] i2stx_4ch0@120b0000 Linked as a fwnode consumer to mclk_ext
[    2.918665] i2stx_4ch0@120b0000 Linked as a fwnode consumer to reset-controller
[    2.926723] i2stx_4ch0@120b0000 Linked as a fwnode consumer to mclk_ext_pins
[    2.934493] pwm@120d0000 Linked as a fwnode consumer to clock-controller
[    2.941862] pwm@120d0000 Linked as a fwnode consumer to reset-controller
[    2.949247] pwm@120d0000 Linked as a fwnode consumer to pwm-pins
[    2.955873] tmon@120e0000 Linked as a fwnode consumer to plic@c000000
[    2.962959] tmon@120e0000 Linked as a fwnode consumer to clock-controller
[    2.970438] tmon@120e0000 Linked as a fwnode consumer to reset-controller
[    2.977944] spi@13010000 Linked as a fwnode consumer to plic@c000000
[    2.984934] spi@13010000 Linked as a fwnode consumer to clock-controller
[    2.992327] spi@13010000 Linked as a fwnode consumer to reset-controller
[    2.999815] gpio@13040000 Linked as a fwnode consumer to clock-controller
[    3.007280] gpio@13040000 Linked as a fwnode consumer to reset-controller
[    3.014752] gpio@13040000 Linked as a fwnode consumer to plic@c000000
[    3.023112] timer@13050000 Linked as a fwnode consumer to plic@c000000
[    3.030322] timer@13050000 Linked as a fwnode consumer to clock-controller
[    3.037906] timer@13050000 Linked as a fwnode consumer to reset-controller
[    3.045502] mailbox@13060000 Linked as a fwnode consumer to clock-controller
[    3.053256] mailbox@13060000 Linked as a fwnode consumer to reset-controller
[    3.061017] mailbox@13060000 Linked as a fwnode consumer to plic@c000000
[    3.068424] wdog@13070000 Linked as a fwnode consumer to plic@c000000
[    3.075514] wdog@13070000 Linked as a fwnode consumer to clock-controller
[    3.082986] wdog@13070000 Linked as a fwnode consumer to reset-controller
[    3.090484] jpu@13090000 Linked as a fwnode consumer to plic@c000000
[    3.097473] jpu@13090000 Linked as a fwnode consumer to clock-controller
[    3.104860] jpu@13090000 Linked as a fwnode consumer to reset-controller
[    3.112241] jpu@13090000 Linked as a fwnode consumer to power-controller@17030000
[    3.120494] vpu_dec@130A0000 Linked as a fwnode consumer to plic@c000000
[    3.127866] vpu_dec@130A0000 Linked as a fwnode consumer to clock-controller
[    3.135640] vpu_dec@130A0000 Linked as a fwnode consumer to reset-controller
[    3.143415] vpu_dec@130A0000 Linked as a fwnode consumer to power-controller@17030000
[    3.152049] vpu_enc@130B0000 Linked as a fwnode consumer to plic@c000000
[    3.159421] vpu_enc@130B0000 Linked as a fwnode consumer to clock-controller
[    3.167196] vpu_enc@130B0000 Linked as a fwnode consumer to reset-controller
[    3.174972] vpu_enc@130B0000 Linked as a fwnode consumer to power-controller@17030000
[    3.183613] crypto@16000000 Linked as a fwnode consumer to plic@c000000
[    3.190902] crypto@16000000 Linked as a fwnode consumer to clock-controller
[    3.198566] crypto@16000000 Linked as a fwnode consumer to reset-controller
[    3.206276] sec_dma@16008000 Linked as a fwnode consumer to plic@c000000
[    3.213648] sec_dma@16008000 Linked as a fwnode consumer to clock-controller
[    3.221406] sec_dma@16008000 Linked as a fwnode consumer to reset-controller
[    3.229191] trng@1600C000 Linked as a fwnode consumer to clock-controller
[    3.236663] trng@1600C000 Linked as a fwnode consumer to reset-controller
[    3.244135] trng@1600C000 Linked as a fwnode consumer to plic@c000000
[    3.251238] mmc@16010000 Linked as a fwnode consumer to clock-controller
[    3.258615] mmc@16010000 Linked as a fwnode consumer to reset-controller
[    3.265997] mmc@16010000 Linked as a fwnode consumer to plic@c000000
[    3.273044] mmc@16010000 Linked as a fwnode consumer to DCDC1
[    3.279369] mmc@16010000 Linked as a fwnode consumer to ALDO4
[    3.285693] mmc@16010000 Linked as a fwnode consumer to mmc0-pins
[    3.292411] mmc@16020000 Linked as a fwnode consumer to clock-controller
[    3.299788] mmc@16020000 Linked as a fwnode consumer to reset-controller
[    3.307168] mmc@16020000 Linked as a fwnode consumer to plic@c000000
[    3.314205] mmc@16020000 Linked as a fwnode consumer to sdcard1-pins
[    3.321214] ethernet@16030000 Linked as a fwnode consumer to clock-controller
[    3.329097] ethernet@16030000 Linked as a fwnode consumer to reset-controller
[    3.336959] ethernet@16030000 Linked as a fwnode consumer to plic@c000000
[    3.344552] ethernet@16040000 Linked as a fwnode consumer to clock-controller
[    3.352433] ethernet@16040000 Linked as a fwnode consumer to reset-controller
[    3.360295] ethernet@16040000 Linked as a fwnode consumer to plic@c000000
[    3.367881] dma-controller@16050000 Linked as a fwnode consumer to clock-controller
[    3.376312] dma-controller@16050000 Linked as a fwnode consumer to reset-controller
[    3.384746] dma-controller@16050000 Linked as a fwnode consumer to plic@c000000
[    3.392840] gpio@17020000 Linked as a fwnode consumer to reset-controller
[    3.400312] gpio@17020000 Linked as a fwnode consumer to plic@c000000
[    3.407427] power-controller@17030000 Linked as a fwnode consumer to plic@c000000
[    3.415683] rtc@17040000 Linked as a fwnode consumer to plic@c000000
[    3.422692] rtc@17040000 Linked as a fwnode consumer to clock-controller
[    3.430070] rtc@17040000 Linked as a fwnode consumer to reset-controller
[    3.437471] gpu@18000000 Linked as a fwnode consumer to clock-controller
[    3.444871] gpu@18000000 Linked as a fwnode consumer to reset-controller
[    3.452247] gpu@18000000 Linked as a fwnode consumer to power-controller@17030000
[    3.460482] gpu@18000000 Linked as a fwnode consumer to plic@c000000
[    3.467493] vin_sysctl@19800000 Linked as a fwnode consumer to clock-controller@19810000
[    3.476491] vin_sysctl@19800000 Linked as a fwnode consumer to clock-controller
[    3.484556] vin_sysctl@19800000 Linked as a fwnode consumer to reset-controller
[    3.492704] vin_sysctl@19800000 Linked as a fwnode consumer to power-controller@17030000
[    3.501607] vin_sysctl@19800000 Linked as a fwnode consumer to plic@c000000
[    3.509335] vin_sysctl@19800000 Linked as a fwnode consumer to imx219@10
[    3.516734] vin_sysctl@19800000 Linked as a fwnode consumer to imx708@1a
[    3.524132] vin_sysctl@19800000 Linked as a fwnode consumer to ov4689@36
[    3.531531] clock-controller@19810000 Linked as a fwnode consumer to clock-controller
[    3.540158] clock-controller@19810000 Linked as a fwnode consumer to reset-controller
[    3.548778] clock-controller@19810000 Linked as a fwnode consumer to power-controller@17030000
[    3.558271] dc8200@29400000 Linked as a fwnode consumer to plic@c000000
[    3.565547] dc8200@29400000 Linked as a fwnode consumer to clock-controller
[    3.573215] dc8200@29400000 Linked as a fwnode consumer to clock-controller@295C0000
[    3.581783] dc8200@29400000 Linked as a fwnode consumer to hdmitx0_pixelclk
[    3.589490] dc8200@29400000 Linked as a fwnode consumer to reset-controller
[    3.597210] dc8200@29400000 Linked as a fwnode consumer to hdmi@29590000
[    3.604592] dc8200@29400000 Linked as a fwnode consumer to dsi-output
[    3.611697] hdmi@29590000 Linked as a fwnode consumer to plic@c000000
[    3.618781] hdmi@29590000 Linked as a fwnode consumer to clock-controller@295C0000
[    3.627110] hdmi@29590000 Linked as a fwnode consumer to hdmitx0_pixelclk
[    3.634581] hdmi@29590000 Linked as a fwnode consumer to reset-controller
[    3.642059] hdmi@29590000 Linked as a fwnode consumer to inno_hdmi-pins
[    3.649334] hdmi@29590000 Linked as a fwnode consumer to gpio@13040000
[    3.656535] hdmi@29590000 Linked as a fwnode consumer to dc8200@29400000
[    3.663933] clock-controller@295C0000 Linked as a fwnode consumer to hdmitx0_pixelclk
[    3.672539] clock-controller@295C0000 Linked as a fwnode consumer to mipitx_dphy_rxesc
[    3.681249] clock-controller@295C0000 Linked as a fwnode consumer to mipitx_dphy_txbytehs
[    3.690239] clock-controller@295C0000 Linked as a fwnode consumer to clock-controller
[    3.698860] clock-controller@295C0000 Linked as a fwnode consumer to reset-controller
[    3.707475] clock-controller@295C0000 Linked as a fwnode consumer to power-controller@17030000
[    3.716965] mipi@295d0000 Linked as a fwnode consumer to plic@c000000
[    3.724053] mipi@295d0000 Linked as a fwnode consumer to clock-controller@295C0000
[    3.732394] mipi@295d0000 Linked as a fwnode consumer to reset-controller
[    3.739889] mipi@295d0000 Linked as a fwnode consumer to mipi-dphy@295e0000
[    3.747585] mipi@295d0000 Linked as a fwnode consumer to seeed_plane_i2c@45
[    3.755255] mipi@295d0000 Linked as a fwnode consumer to panel_radxa@19
[    3.762546] mipi@295d0000 Linked as a fwnode consumer to dsi-output
[    3.769459] mipi-dphy@295e0000 Linked as a fwnode consumer to clock-controller@295C0000
[    3.778265] mipi-dphy@295e0000 Linked as a fwnode consumer to reset-controller
[    3.786276] pcie@2B000000 Linked as a fwnode consumer to plic@c000000
[    3.793383] pcie@2B000000 Linked as a fwnode consumer to reset-controller
[    3.800878] pcie@2B000000 Linked as a fwnode consumer to clock-controller
[    3.808368] pcie@2B000000 Linked as a fwnode consumer to pcie0_wake_default
[    3.816020] pcie@2B000000 Linked as a fwnode consumer to pcie0_clkreq_default
[    3.823868] pcie@2B000000 Linked as a fwnode consumer to gpio@13040000
[    3.831103] pcie@2C000000 Linked as a fwnode consumer to plic@c000000
[    3.838210] pcie@2C000000 Linked as a fwnode consumer to reset-controller
[    3.845706] pcie@2C000000 Linked as a fwnode consumer to clock-controller
[    3.853195] pcie@2C000000 Linked as a fwnode consumer to pcie1_wake_default
[    3.860861] pcie@2C000000 Linked as a fwnode consumer to pcie1_clkreq_default
[    3.868712] pcie@2C000000 Linked as a fwnode consumer to gpio@13040000
[    3.875910] e24 Linked as a fwnode consumer to clock-controller
[    3.882435] e24 Linked as a fwnode consumer to reset-controller
[    3.888952] e24 Linked as a fwnode consumer to plic@c000000
[    3.895090] e24 Linked as a fwnode consumer to mailbox@13060000
[    3.901632] /soc: Relaxing link with /soc/plic@c000000
[    3.907291] platform soc: Fixed dependency cycle(s) with /soc/plic@c000000
[    3.914859] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    3.922992] soc Dropping the fwnode link to plic@c000000
[    3.928832] platform soc: Not linking /cpus/cpu@4/interrupt-controller - might never become dev
[    3.938399] platform soc: Not linking /cpus/cpu@3/interrupt-controller - might never become dev
[    3.947966] platform soc: Not linking /cpus/cpu@2/interrupt-controller - might never become dev
[    3.957532] platform soc: Not linking /cpus/cpu@1/interrupt-controller - might never become dev
[    3.967102] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    3.975237] platform soc: Not linking /cpus/cpu@4/interrupt-controller - might never become dev
[    3.984804] platform soc: Not linking /cpus/cpu@3/interrupt-controller - might never become dev
[    3.994370] platform soc: Not linking /cpus/cpu@2/interrupt-controller - might never become dev
[    4.003937] platform soc: Not linking /cpus/cpu@1/interrupt-controller - might never become dev
[    4.013507] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.021647] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.029786] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.037925] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.046081] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.054229] ------------[ cut here ]------------
[    4.059290] refcount_t: addition on 0; use-after-free.
[    4.064953] WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x90/0xf4
[    4.073844] Modules linked in:
[    4.077192] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.101-rivoreo-starfive #14
[    4.085499] Hardware name: StarFive VisionFive V2 (DT)
[    4.091132] epc : refcount_warn_saturate+0x90/0xf4
[    4.096391]  ra : refcount_warn_saturate+0x90/0xf4
[    4.101650] epc : ffffffff801d0a04 ra : ffffffff801d0a04 sp : ffffffc80400ba80
[    4.109574]  gp : ffffffff810e26c0 tp : ffffffd8bff50000 t0 : 746e756f63666572
[    4.117497]  t1 : 0000000000000072 t2 : 5f746e756f636665 s0 : ffffffc80400ba90
[    4.125420]  s1 : ffffffd9ffdc6008 a0 : 000000000000002a a1 : ffffffff8108f948
[    4.133343]  a2 : 0000000000000010 a3 : 00000000000002b3 a4 : 0000000000000000
[    4.141266]  a5 : 0000000000000000 a6 : ffffffc80400b878 a7 : ffffffc80400b868
[    4.149189]  s2 : ffffffd9ffdc5f88 s3 : ffffffd9ffdc47e0 s4 : ffffffff810e2634
[    4.157112]  s5 : 0000000200000022 s6 : ffffffd9ffdbdde0 s7 : fffffffffffffff5
[    4.165035]  s8 : 0000000000000000 s9 : 0000000000000000 s10: 0000000000000000
[    4.172957]  s11: 0000000000000000 t3 : ffffffff810f5697 t4 : ffffffff810f5697
[    4.180880]  t5 : ffffffff810f5698 t6 : ffffffff810f56c0
[    4.186705] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
[    4.195391] [<ffffffff801d0a04>] refcount_warn_saturate+0x90/0xf4
[    4.202081] [<ffffffff804b5f56>] kobject_get+0x54/0x60
[    4.207722] [<ffffffff8037638c>] of_node_get+0x1a/0x26
[    4.213360] [<ffffffff8037257c>] of_get_next_available_child+0xa8/0x152
[    4.220622] [<ffffffff80375430>] of_fwnode_get_next_child_node+0x86/0x9a
[    4.227981] [<ffffffff802c7b0a>] fwnode_get_next_child_node+0x28/0x36
[    4.235053] [<ffffffff802c7c64>] fwnode_get_next_available_child_node+0x1e/0x3a
[    4.243077] [<ffffffff802bffa8>] __fw_devlink_link_to_suppliers+0x40/0x94
[    4.250529] [<ffffffff802bf958>] device_add+0x450/0x562
[    4.256264] [<ffffffff80373b44>] of_device_add+0x22/0x2a
[    4.262094] [<ffffffff80374090>] of_platform_device_create_pdata+0x76/0x9a
[    4.269642] [<ffffffff8037445e>] of_platform_bus_create+0x218/0x288
[    4.276523] [<ffffffff803745c4>] of_platform_populate+0x58/0x90
[    4.283022] [<ffffffff80374614>] of_platform_default_populate+0x18/0x20
[    4.290283] [<ffffffff806246fe>] of_platform_default_populate_init+0xac/0xda
[    4.298023] [<ffffffff80001112>] do_one_initcall+0x5c/0x154
[    4.304138] [<ffffffff806010ca>] kernel_init_freeable+0x21e/0x222
[    4.310826] [<ffffffff804d4358>] kernel_init+0x1e/0x10a
[    4.316562] [<ffffffff800022b8>] ret_from_exception+0x0/0x16
[    4.322773] ---[ end trace 0000000000000000 ]---
[    4.327852] OF: ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    4.334741] OF: ffffffd9ffdc66e8 usb, reference count 3
[    4.340482] OF: ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    4.347368] ------------[ cut here ]------------
[    4.352428] refcount_t: underflow; use-after-free.
[    4.357697] WARNING: CPU: 0 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0xb0/0xf4
[    4.366584] Modules linked in:
[    4.369932] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.1.101-rivoreo-starfive #14
[    4.379860] Hardware name: StarFive VisionFive V2 (DT)
[    4.385492] epc : refcount_warn_saturate+0xb0/0xf4
[    4.390751]  ra : refcount_warn_saturate+0xb0/0xf4
[    4.396010] epc : ffffffff801d0a24 ra : ffffffff801d0a24 sp : ffffffc80400ba80
[    4.403934]  gp : ffffffff810e26c0 tp : ffffffd8bff50000 t0 : 5f00000000000000
[    4.411857]  t1 : 0000000000000072 t2 : 5f746e756f636665 s0 : ffffffc80400ba90
[    4.419780]  s1 : ffffffd9ffdc6008 a0 : 0000000000000026 a1 : ffffffff8108f948
[    4.427703]  a2 : 0000000000000010 a3 : 00000000000002de a4 : 0000000000000000
[    4.435625]  a5 : 0000000000000000 a6 : ffffffc80400b878 a7 : ffffffc80400b868
[    4.443548]  s2 : ffffffd9ffdc6b78 s3 : ffffffd9ffdc5f88 s4 : ffffffff810e2634
[    4.451471]  s5 : 0000000200000022 s6 : ffffffd9ffdbdde0 s7 : fffffffffffffff5
[    4.459394]  s8 : 0000000000000000 s9 : 0000000000000000 s10: 0000000000000000
[    4.467317]  s11: 0000000000000000 t3 : ffffffff810f5697 t4 : ffffffff810f5697
[    4.475239]  t5 : ffffffff810f5698 t6 : ffffffff810f56b8
[    4.481063] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
[    4.489748] [<ffffffff801d0a24>] refcount_warn_saturate+0xb0/0xf4
[    4.496438] [<ffffffff804b60b4>] kobject_put+0x9a/0xac
[    4.502080] [<ffffffff803763ae>] of_node_put+0x16/0x20
[    4.507717] [<ffffffff803725fe>] of_get_next_available_child+0x12a/0x152
[    4.515074] [<ffffffff80375430>] of_fwnode_get_next_child_node+0x86/0x9a
[    4.522433] [<ffffffff802c7b0a>] fwnode_get_next_child_node+0x28/0x36
[    4.529505] [<ffffffff802c7c64>] fwnode_get_next_available_child_node+0x1e/0x3a
[    4.537530] [<ffffffff802bffa8>] __fw_devlink_link_to_suppliers+0x40/0x94
[    4.544982] [<ffffffff802bf958>] device_add+0x450/0x562
[    4.550716] [<ffffffff80373b44>] of_device_add+0x22/0x2a
[    4.556547] [<ffffffff80374090>] of_platform_device_create_pdata+0x76/0x9a
[    4.564094] [<ffffffff8037445e>] of_platform_bus_create+0x218/0x288
[    4.570974] [<ffffffff803745c4>] of_platform_populate+0x58/0x90
[    4.577473] [<ffffffff80374614>] of_platform_default_populate+0x18/0x20
[    4.584735] [<ffffffff806246fe>] of_platform_default_populate_init+0xac/0xda
[    4.592475] [<ffffffff80001112>] do_one_initcall+0x5c/0x154
[    4.598589] [<ffffffff806010ca>] kernel_init_freeable+0x21e/0x222
[    4.605278] [<ffffffff804d4358>] kernel_init+0x1e/0x10a
[    4.611013] [<ffffffff800022b8>] ret_from_exception+0x0/0x16
[    4.617224] ---[ end trace 0000000000000000 ]---
[    4.622303] platform soc: Not linking /gmac0_rgmii_rxin - might never become dev
[    4.630434] platform soc: Not linking /gmac0_rmii_refin - might never become dev
[    4.638564] platform soc: Not linking /clk_rtc - might never become dev
[    4.645827] platform soc: Not linking /bist_apb - might never become dev
[    4.653194] platform soc: Not linking /jtag_tck_inner - might never become dev
[    4.661132] platform soc: Not linking /mclk_ext - might never become dev
[    4.668499] platform soc: Not linking /tdm_ext - might never become dev
[    4.675770] platform soc: Not linking /i2srx_lrck_ext - might never become dev
[    4.683709] platform soc: Not linking /i2srx_bclk_ext - might never become dev
[    4.691648] platform soc: Not linking /i2stx_lrck_ext - might never become dev
[    4.699594] platform soc: Not linking /i2stx_bclk_ext - might never become dev
[    4.707532] platform soc: Not linking /gmac1_rgmii_rxin - might never become dev
[    4.715662] platform soc: Not linking /gmac1_rmii_refin - might never become dev
[    4.723791] platform soc: Not linking /osc - might never become dev
[    4.730698] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.738852] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.746991] platform soc: Not linking /clk-ext-camera - might never become dev
[    4.754938] platform soc: Not linking /clk-ext-camera - might never become dev
[    4.762883] platform soc: Not linking /clk-ext-camera - might never become dev
[    4.770833] platform soc: Not linking /mclk_ext - might never become dev
[    4.778214] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.786351] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.794488] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.802770] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.810907] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.819047] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.827185] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.835323] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.843462] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.851601] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.859739] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.867874] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.876017] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.884156] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.892295] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.900435] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.908575] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.916714] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.924850] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.932986] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.941121] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.949271] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.957493] platform soc: Linked as a sync state only consumer to dsi-output
[    4.965243] platform soc: Not linking /hdmitx0_pixelclk - might never become dev
[    4.973375] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.981521] platform soc: Not linking /hdmitx0_pixelclk - might never become dev
[    4.989652] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    4.997795] platform soc: Not linking /mipitx_dphy_txbytehs - might never become dev
[    5.006306] platform soc: Not linking /mipitx_dphy_rxesc - might never become dev
[    5.014531] platform soc: Not linking /hdmitx0_pixelclk - might never become dev
[    5.022670] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    5.030824] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    5.038966] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    5.047104] platform soc: Not linking /soc/plic@c000000 - might never become dev
[    5.055382] platform 2000000.clint: Not linking /cpus/cpu@4/interrupt-controller - might never become dev
[    5.065905] clint@2000000 Dropping the fwnode link to interrupt-controller
[    5.073461] platform 2000000.clint: Not linking /cpus/cpu@3/interrupt-controller - might never become dev
[    5.083979] clint@2000000 Dropping the fwnode link to interrupt-controller
[    5.091535] platform 2000000.clint: Not linking /cpus/cpu@2/interrupt-controller - might never become dev
[    5.102054] clint@2000000 Dropping the fwnode link to interrupt-controller
[    5.109611] platform 2000000.clint: Not linking /cpus/cpu@1/interrupt-controller - might never become dev
[    5.120129] clint@2000000 Dropping the fwnode link to interrupt-controller
[    5.127866] platform 2010000.cache-controller: Not linking /soc/plic@c000000 - might never become dev
[    5.138003] cache-controller@2010000 Dropping the fwnode link to plic@c000000
[    5.145996] platform 10000000.serial: Not linking /soc/plic@c000000 - might never become dev
[    5.155274] serial@10000000 Dropping the fwnode link to plic@c000000
[    5.162410] platform 10010000.serial: Not linking /soc/plic@c000000 - might never become dev
[    5.171688] serial@10010000 Dropping the fwnode link to plic@c000000
[    5.178832] platform 10030000.i2c: Not linking /soc/plic@c000000 - might never become dev
[    5.187825] i2c@10030000 Dropping the fwnode link to plic@c000000
[    5.194688] platform 10050000.i2c: Not linking /soc/plic@c000000 - might never become dev
[    5.203680] i2c@10050000 Dropping the fwnode link to plic@c000000
[    5.210551] amba 10060000.spi: Not linking /soc/plic@c000000 - might never become dev
[    5.219163] spi@10060000 Dropping the fwnode link to plic@c000000
[    5.226052] ------------[ cut here ]------------
[    5.231114] refcount_t: saturated; leaking memory.
[    5.236383] WARNING: CPU: 0 PID: 1 at lib/refcount.c:22 refcount_warn_saturate+0x70/0xf4
[    5.245271] Modules linked in:
[    5.248619] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W          6.1.101-rivoreo-starfive #14
[    5.258547] Hardware name: StarFive VisionFive V2 (DT)
[    5.264180] epc : refcount_warn_saturate+0x70/0xf4
[    5.269440]  ra : refcount_warn_saturate+0x70/0xf4
[    5.274699] epc : ffffffff801d09e4 ra : ffffffff801d09e4 sp : ffffffc80400bc30
[    5.282623]  gp : ffffffff810e26c0 tp : ffffffd8bff50000 t0 : 5f00000000000000
[    5.290547]  t1 : 0000000000000072 t2 : 5f746e756f636665 s0 : ffffffc80400bc40
[    5.298469]  s1 : ffffffd9ffdc6008 a0 : 0000000000000026 a1 : ffffffff8108f948
[    5.306393]  a2 : 0000000000000010 a3 : 0000000000000350 a4 : 0000000000000000
[    5.314316]  a5 : 0000000000000000 a6 : ffffffc80400ba28 a7 : ffffffc80400ba18
[    5.322239]  s2 : ffffffd9ffdc5948 s3 : ffffffd8bfef4410 s4 : 0000000000000000
[    5.330162]  s5 : 0000000000000000 s6 : ffffffff80acbfb8 s7 : 0000000000000001
[    5.338084]  s8 : 0000000000000000 s9 : 0000000000000000 s10: 0000000000000000
[    5.346007]  s11: 0000000000000000 t3 : ffffffff810f5697 t4 : ffffffff810f5697
[    5.353929]  t5 : ffffffff810f5698 t6 : ffffffff810f56b8
[    5.359754] status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003
[    5.368440] [<ffffffff801d09e4>] refcount_warn_saturate+0x70/0xf4
[    5.375130] [<ffffffff804b5f56>] kobject_get+0x54/0x60
[    5.380771] [<ffffffff8037638c>] of_node_get+0x1a/0x26
[    5.386410] [<ffffffff8037163a>] of_get_next_child+0x36/0x62
[    5.392623] [<ffffffff803744ae>] of_platform_bus_create+0x268/0x288
[    5.399503] [<ffffffff803745c4>] of_platform_populate+0x58/0x90
[    5.406002] [<ffffffff80374614>] of_platform_default_populate+0x18/0x20
[    5.413263] [<ffffffff806246fe>] of_platform_default_populate_init+0xac/0xda
[    5.421004] [<ffffffff80001112>] do_one_initcall+0x5c/0x154
[    5.427118] [<ffffffff806010ca>] kernel_init_freeable+0x21e/0x222
[    5.433806] [<ffffffff804d4358>] kernel_init+0x1e/0x10a
[    5.439542] [<ffffffff800022b8>] ret_from_exception+0x0/0x16
[    5.445753] ---[ end trace 0000000000000000 ]---
[    5.450912] platform 10210000.usbdrd: Error -2 creating of_node link
[    5.457955] ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.464460] parent ffffffd9ffdbddc8 soc, reference count 78
[    5.470582] ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.477085] parent ffffffd9ffdbddc8 soc, reference count 78
[    5.483206] OF: ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.490092] ffffffd9ffdc66e8 usb, reference count 3
[    5.495450] parent ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.502621] ffffffd9ffdc66e8 usb, reference count 3
[    5.507979] parent ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.515149] OF: ffffffd9ffdc66e8 usb, reference count 3
[    5.520890] OF: ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.527791] OF: ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.534678] OF: ffffffd9ffdc66e8 usb, reference count 3
[    5.540419] OF: ffffffd9ffdc5f88 usbdrd, reference count 3221225472
[    5.547835] devices_kset: Moving 10210000.usbdrd to end of list
[    5.554345] platform 10210000.usbdrd: Linked as a consumer to 13020000.clock-controller
[    5.563137] usbdrd Dropping the fwnode link to clock-controller
[    5.569715] devices_kset: Moving 100b0000.pwmdac to end of list
[    5.576223] platform 100b0000.pwmdac: Linked as a consumer to 13020000.clock-controller
[    5.585014] pwmdac@100b0000 Dropping the fwnode link to clock-controller
[    5.592450] devices_kset: Moving 10060000.spi to end of list
[    5.598671] amba 10060000.spi: Linked as a consumer to 13020000.clock-controller

[-- Attachment #3: jh7110-visionfive-v2.dtb --]
[-- Type: application/octet-stream, Size: 49473 bytes --]