Greeting, FYI, we noticed the following commit (built with gcc-9): commit: 14c3c8a27f70d6d6b7c1d64a9af899eb80169495 ("[RFC PATCH v3 2/8] Add a reference to ucounts for each cred") url: https://github.com/0day-ci/linux/commits/Alexey-Gladkov/Count-rlimits-in-each-user-namespace/20210115-230051 base: https://git.kernel.org/cgit/linux/kernel/git/shuah/linux-kselftest.git next in testcase: trinity version: trinity-i386 with following parameters: runtime: 300s test-description: Trinity is a linux system call fuzz tester. test-url: http://codemonkey.org.uk/projects/trinity/ on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace): +---------------------------------------------------+------------+------------+ | | c25050162e | 14c3c8a27f | +---------------------------------------------------+------------+------------+ | boot_successes | 0 | 0 | | boot_failures | 8 | 8 | | WARNING:at_lib/refcount.c:#refcount_warn_saturate | 7 | 8 | | EIP:refcount_warn_saturate | 7 | 8 | | BUG:kernel_hang_in_boot_stage | 1 | | | kernel_BUG_at_kernel/cred.c | 0 | 3 | | invalid_opcode:#[##] | 0 | 3 | | EIP:__put_cred | 0 | 7 | | Kernel_panic-not_syncing:Fatal_exception | 0 | 7 | | BUG:kernel_NULL_pointer_dereference,address | 0 | 4 | | Oops:#[##] | 0 | 4 | +---------------------------------------------------+------------+------------+ If you fix the issue, kindly add following tag Reported-by: kernel test robot [ 77.068709] kernel BUG at kernel/cred.c:150! [ 77.069392] invalid opcode: 0000 [#1] SMP [ 77.070035] CPU: 1 PID: 895 Comm: trinity-c7 Tainted: G W 5.11.0-rc2-00004-g14c3c8a27f70 #1 [ 77.071425] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 77.072871] EIP: __put_cred (kbuild/src/consumer/kernel/cred.c:150 (discriminator 1)) [ 77.073493] Code: 66 90 ba 90 b4 e7 c3 89 c8 e8 f4 6e 04 00 5d c3 66 90 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 89 c2 64 8b 0d cc 66 0e c5 8b 81 a8 04 00 All code ======== 0: 66 90 xchg %ax,%ax 2: ba 90 b4 e7 c3 mov $0xc3e7b490,%edx 7: 89 c8 mov %ecx,%eax 9: e8 f4 6e 04 00 callq 0x46f02 e: 5d pop %rbp f: c3 retq 10: 66 90 xchg %ax,%ax 12: 0f 0b ud2 14: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 1a: 0f 0b ud2 1c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 22: 0f 0b ud2 24: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 2a:* 0f 0b ud2 <-- trapping instruction 2c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 32: 89 c2 mov %eax,%edx 34: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e6707 3b: 8b .byte 0x8b 3c: 81 .byte 0x81 3d: a8 04 test $0x4,%al ... Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 8: 89 c2 mov %eax,%edx a: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e66dd 11: 8b .byte 0x8b 12: 81 .byte 0x81 13: a8 04 test $0x4,%al ... [ 77.076068] EAX: de3ef880 EBX: de2af080 ECX: 00000000 EDX: 00000000 [ 77.076997] ESI: de3ef880 EDI: 00000000 EBP: de349f74 ESP: de349f50 [ 77.077896] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010282 [ 77.078914] CR0: 80050033 CR2: b7cb2ff0 CR3: 030a4000 CR4: 000406d0 [ 77.079858] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 77.080745] DR6: fffe0ff0 DR7: 00000400 [ 77.081373] Call Trace: [ 77.081834] ? keyctl_session_to_parent (kbuild/src/consumer/security/keys/keyctl.c:1711) [ 77.082629] __ia32_sys_keyctl (kbuild/src/consumer/security/keys/keyctl.c:1951 kbuild/src/consumer/security/keys/keyctl.c:1869 kbuild/src/consumer/security/keys/keyctl.c:1869) [ 77.083320] __do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:78 kbuild/src/consumer/arch/x86/entry/common.c:137) [ 77.084032] do_fast_syscall_32 (kbuild/src/consumer/arch/x86/entry/common.c:160) [ 77.084704] do_SYSENTER_32 (kbuild/src/consumer/arch/x86/entry/common.c:204) [ 77.085316] entry_SYSENTER_32 (kbuild/src/consumer/arch/x86/entry/entry_32.S:953) [ 77.085973] EIP: 0xb7f04549 [ 77.086493] Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76 All code ======== 0: 03 74 c0 01 add 0x1(%rax,%rax,8),%esi 4: 10 05 03 74 b8 01 adc %al,0x1b87403(%rip) # 0x1b8740d a: 10 06 adc %al,(%rsi) c: 03 74 b4 01 add 0x1(%rsp,%rsi,4),%esi 10: 10 07 adc %al,(%rdi) 12: 03 74 b0 01 add 0x1(%rax,%rsi,4),%esi 16: 10 08 adc %cl,(%rax) 18: 03 74 d8 01 add 0x1(%rax,%rbx,8),%esi 1c: 00 00 add %al,(%rax) 1e: 00 00 add %al,(%rax) 20: 00 51 52 add %dl,0x52(%rcx) 23: 55 push %rbp 24: 89 e5 mov %esp,%ebp 26: 0f 34 sysenter 28: cd 80 int $0x80 2a:* 5d pop %rbp <-- trapping instruction 2b: 5a pop %rdx 2c: 59 pop %rcx 2d: c3 retq 2e: 90 nop 2f: 90 nop 30: 90 nop 31: 90 nop 32: 8d 76 00 lea 0x0(%rsi),%esi 35: 58 pop %rax 36: b8 77 00 00 00 mov $0x77,%eax 3b: cd 80 int $0x80 3d: 90 nop 3e: 8d .byte 0x8d 3f: 76 .byte 0x76 Code starting with the faulting instruction =========================================== 0: 5d pop %rbp 1: 5a pop %rdx 2: 59 pop %rcx 3: c3 retq 4: 90 nop 5: 90 nop 6: 90 nop 7: 90 nop 8: 8d 76 00 lea 0x0(%rsi),%esi b: 58 pop %rax c: b8 77 00 00 00 mov $0x77,%eax 11: cd 80 int $0x80 13: 90 nop 14: 8d .byte 0x8d 15: 76 .byte 0x76 [ 77.089120] EAX: ffffffda EBX: 00000012 ECX: ffff8a8b EDX: ffffffff [ 77.090075] ESI: 7d7d7d7d EDI: 000000a3 EBP: 426bb44d ESP: bfaa6c8c [ 77.091007] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296 [ 77.092031] Modules linked in: [ 77.092629] ---[ end trace 66869751d0fb6313 ]--- [ 77.093388] EIP: __put_cred (kbuild/src/consumer/kernel/cred.c:150 (discriminator 1)) [ 77.094000] Code: 66 90 ba 90 b4 e7 c3 89 c8 e8 f4 6e 04 00 5d c3 66 90 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 0f 0b 8d b6 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 89 c2 64 8b 0d cc 66 0e c5 8b 81 a8 04 00 All code ======== 0: 66 90 xchg %ax,%ax 2: ba 90 b4 e7 c3 mov $0xc3e7b490,%edx 7: 89 c8 mov %ecx,%eax 9: e8 f4 6e 04 00 callq 0x46f02 e: 5d pop %rbp f: c3 retq 10: 66 90 xchg %ax,%ax 12: 0f 0b ud2 14: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 1a: 0f 0b ud2 1c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 22: 0f 0b ud2 24: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 2a:* 0f 0b ud2 <-- trapping instruction 2c: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 32: 89 c2 mov %eax,%edx 34: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e6707 3b: 8b .byte 0x8b 3c: 81 .byte 0x81 3d: a8 04 test $0x4,%al ... Code starting with the faulting instruction =========================================== 0: 0f 0b ud2 2: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi 8: 89 c2 mov %eax,%edx a: 64 8b 0d cc 66 0e c5 mov %fs:-0x3af19934(%rip),%ecx # 0xffffffffc50e66dd 11: 8b .byte 0x8b 12: 81 .byte 0x81 13: a8 04 test $0x4,%al To reproduce: # build kernel cd linux cp config-5.11.0-rc2-00004-g14c3c8a27f70 .config make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage git clone https://github.com/intel/lkp-tests.git cd lkp-tests bin/lkp qemu -k job-script # job-script is attached in this email Thanks, Oliver Sang