Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 46acf7bdbc72f10bb2e86d69c14189c5d45894f4 ("Revert "net: ipv4: handle DSA enabled master network devices"")
https://github.com/alaahl/linux.git netdev-next

in testcase: trinity
version: trinity-i386
with following parameters:

	runtime: 300s

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/

on test machine: qemu-system-x86_64 -enable-kvm -cpu SandyBridge -smp 2 -m 8G

caused below changes (please refer to attached dmesg/kmsg for entire log/backtrace):

+-------------------------------------------------------------------------+------------+------------+
|                                                                         | ea92000d54 | 46acf7bdbc |
+-------------------------------------------------------------------------+------------+------------+
| WARNING:suspicious_RCU_usage                                            | 4          | 10         |
| security/smack/smack_lsm.c:#RCU-list_traversed_in_non-reader_section    | 4          | 10         |
| security/smack/smack_access.c:#RCU-list_traversed_in_non-reader_section | 4          | 10         |
| BUG:workqueue_lockup-pool                                               | 2          | 2          |
| WARNING:at_drivers/gpu/drm/vkms/vkms_crtc.c:#vkms_vblank_simulate       | 2          | 6          |
| RIP:vkms_vblank_simulate                                                | 2          | 6          |
| RIP:console_unlock                                                      | 2          | 3          |
| net/mac80211/util.c:#RCU-list_traversed_in_non-reader_section           | 2          | 6          |
| WARNING:SOFTIRQ-safe->SOFTIRQ-unsafe_lock_order_detected                | 2          | 5          |
| RIP:lock_release                                                        | 0          | 1          |
| BUG:kernel_hang_in_boot_stage                                           | 0          | 2          |
| WARNING:inconsistent_lock_state                                         | 0          | 1          |
| inconsistent{SOFTIRQ-ON-W}->{IN-SOFTIRQ-W}usage                         | 0          | 1          |
| RIP:check_kcov_mode                                                     | 0          | 1          |
| BUG:KASAN:use-after-free_in_ic_close_devs                               | 0          | 6          |
| canonical_address#:#[##]                                                | 0          | 6          |
| RIP:ic_close_devs                                                       | 0          | 6          |
| Kernel_panic-not_syncing:Fatal_exception                                | 0          | 6          |
| RIP:__slab_alloc                                                        | 0          | 1          |
| RIP:write_comp_data                                                     | 0          | 1          |
+-------------------------------------------------------------------------+------------+------------+

If you fix the issue, kindly add the following tag
Reported-by: kernel test robot

[ 499.309235] ==================================================================
[ 499.319840] BUG: KASAN: use-after-free in ic_close_devs+0xaa/0x1b8
[ 499.329835] Read of size 8 at addr ffff8881124c8ec8 by task swapper/0/1
[ 499.340004]
[ 499.349619] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 5.11.0-rc6-01042-g46acf7bdbc72 #2
[ 499.360361] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 499.371221] Call Trace:
[ 499.381660]  dump_stack+0x15f/0x1bf
[ 499.392223]  print_address_description.cold+0x82/0x326
[ 499.403206]  ? ic_close_devs+0xaa/0x1b8
[ 499.414018]  kasan_report.cold+0x7f/0x10e
[ 499.424915]  ? ic_close_devs+0xaa/0x1b8
[ 499.435723]  ic_close_devs+0xaa/0x1b8
[ 499.446315]  ? ic_setup_routes+0x18f/0x18f
[ 499.456836]  ip_auto_config+0x1115/0x1132
[ 499.468513]  ? root_nfs_parse_addr+0x175/0x175
[ 499.479084]  ? root_nfs_parse_addr+0x175/0x175
[ 499.489515]  ? rcu_read_lock_sched_held+0xa1/0x100
[ 499.499976]  ? trace_event_raw_event_rcu_quiescent_state_report+0x1e0/0x1e0
[ 499.510805]  ? root_nfs_parse_addr+0x175/0x175
[ 499.521338]  ? do_one_initcall+0x11b/0x660
[ 499.536486]  ? root_nfs_parse_addr+0x175/0x175
[ 499.550299]  do_one_initcall+0x11b/0x660
[ 499.563801]  ? perf_trace_initcall_level+0x260/0x260
[ 499.577274]  ? rcu_read_lock_sched_held+0xa1/0x100
[ 499.590825]  ? trace_event_raw_event_rcu_quiescent_state_report+0x1e0/0x1e0
[ 499.604819]  ? write_comp_data+0x2a/0xa0
[ 499.618489]  ? write_comp_data+0x2a/0xa0
[ 499.632031]  ? __sanitizer_cov_trace_pc+0x1d/0x60
[ 499.645795]  kernel_init_freeable+0x467/0x525
[ 499.659558]  ? console_on_rootfs+0x77/0x77
[ 499.673101]  ? tracer_hardirqs_on+0x3b/0x3e0
[ 499.686406]  ? mark_held_locks+0x23/0xa0
[ 499.705927]  ? rest_init+0x350/0x350
[ 499.716056]  kernel_init+0x12/0x1d0
[ 499.725835]  ret_from_fork+0x22/0x30
[ 499.735295]
[ 499.744344] Allocated by task 1:
[ 499.753498]  kasan_save_stack+0x1b/0x40
[ 499.762420]  ____kasan_kmalloc+0x84/0xa0
[ 499.771317]  kmem_cache_alloc_trace+0x199/0x340
[ 499.780155]  ip_auto_config+0x2ef/0x1132
[ 499.788853]  do_one_initcall+0x11b/0x660
[ 499.797343]  kernel_init_freeable+0x467/0x525
[ 499.805758]  kernel_init+0x12/0x1d0
[ 499.814266]  ret_from_fork+0x22/0x30
[ 499.822277]
[ 499.829818] Freed by task 1:
[ 499.837230]  kasan_save_stack+0x1b/0x40
[ 499.844577]  kasan_set_track+0x1c/0x40
[ 499.851908]  kasan_set_free_info+0x20/0x40
[ 499.859145]  ____kasan_slab_free+0xd3/0x100
[ 499.866249]  slab_free_freelist_hook+0xcb/0x1e0
[ 499.873406]  kfree+0xdd/0x320
[ 499.880368]  ic_close_devs+0x174/0x1b8
[ 499.887423]  ip_auto_config+0x1115/0x1132
[ 499.894518]  do_one_initcall+0x11b/0x660
[ 499.901560]  kernel_init_freeable+0x467/0x525
[ 499.908658]  kernel_init+0x12/0x1d0
[ 499.915750]  ret_from_fork+0x22/0x30
[ 499.922787]
[ 499.929410] The buggy address belongs to the object at ffff8881124c8ec0
[ 499.929410]  which belongs to the cache kmalloc-32 of size 32
[ 499.943778] The buggy address is located 8 bytes inside of
[ 499.943778]  32-byte region [ffff8881124c8ec0, ffff8881124c8ee0)
[ 499.958356] The buggy address belongs to the page:
[ 499.965687] page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1124c8
[ 499.973767] head:(____ptrval____) order:1 compound_mapcount:0
[ 499.981427] flags: 0x17ffffc0010200(slab|head)
[ 499.988897] raw: 0017ffffc0010200 ffffea0005948208 ffff8881000419f0 ffff888100042540
[ 499.997041] raw: 0000000000000000 0000000000130013 00000001ffffffff 0000000000000000
[ 500.005250] page dumped because: kasan: bad access detected
[ 500.013387]
[ 500.021063] Memory state around the buggy address:
[ 500.029178]  ffff8881124c8d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 500.037737]  ffff8881124c8e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 500.046191] >ffff8881124c8e80: fc fc fc fc fc fc fc fc fa fb fb fb fc fc fc fc
[ 500.054607]                                               ^
[ 500.062978]  ffff8881124c8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 500.071820]  ffff8881124c8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 500.080460] ==================================================================
[ 500.089495] general protection fault, probably for non-canonical address 0xe5c0026400000001: 0000 [#1] SMP KASAN PTI
[ 500.098984] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G B W 5.11.0-rc6-01042-g46acf7bdbc72 #2
[ 500.108609] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 500.118298] RIP: 0010:ic_close_devs+0xba/0x1b8
[ 500.127767] Code: 48 8d 7d 08 4c 8b 7d 00 e8 dd b9 f6 e5 49 8d 7e 08 4c 8b 6d 08 e8 d0 b9 f6 e5 49 8b 5e 08 48 8d bb b0 00 00 00 e8 c0 b9 f6 e5 <48> 8b 83 b0 00 00 00 48 89 df 48 8d 74 24 20 48 89 44 24 20 e8 07
[ 500.148838] RSP: 0000:ffffc9000006fb98 EFLAGS: 00010282
[ 500.159255] RAX: 0000000000000000 RBX: e5c0026400000001 RCX: ffffffffadb999a0
[ 500.170013] RDX: 0000000000000000 RSI: 0000000000000008 RDI: e5c00264000000b1
[ 500.180875] RBP: ffff8881124c9bc0 R08: 0000000000000000 R09: 0000000000000000
[ 500.191752] R10: ffffffffa705dd43 R11: fffffbfff4e0bba8 R12: 1ffff9200000df73
[ 500.202776] R13: ffff88810fe0c000 R14: ffff8881124c8ec0 R15: ffff8881124c9540
[ 500.213943] FS: 0000000000000000(0000) GS:ffff8881e5000000(0000) knlGS:0000000000000000
[ 500.225393] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 500.236610] CR2: 0000000000000000 CR3: 000000005a8ba000 CR4: 00000000000406e0
[ 500.248081] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 500.259500] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 500.270886] Call Trace:
[ 500.281881]  ? ic_setup_routes+0x18f/0x18f
[ 500.293163]  ip_auto_config+0x1115/0x1132
[ 500.304419]  ? root_nfs_parse_addr+0x175/0x175
[ 500.316167]  ? root_nfs_parse_addr+0x175/0x175
[ 500.327511]  ? rcu_read_lock_sched_held+0xa1/0x100
[ 500.338789]  ? trace_event_raw_event_rcu_quiescent_state_report+0x1e0/0x1e0
[ 500.350443]  ? root_nfs_parse_addr+0x175/0x175
[ 500.361743]  ? do_one_initcall+0x11b/0x660
[ 500.372836]  ? root_nfs_parse_addr+0x175/0x175
[ 500.384033]  do_one_initcall+0x11b/0x660
[ 500.395973]  ? perf_trace_initcall_level+0x260/0x260
[ 500.406877]  ? rcu_read_lock_sched_held+0xa1/0x100
[ 500.417681]  ? trace_event_raw_event_rcu_quiescent_state_report+0x1e0/0x1e0
[ 500.428646]  ? write_comp_data+0x2a/0xa0
[ 500.439260]  ? write_comp_data+0x2a/0xa0
[ 500.449582]  ? __sanitizer_cov_trace_pc+0x1d/0x60
[ 500.460052]  kernel_init_freeable+0x467/0x525
[ 500.470440]  ? console_on_rootfs+0x77/0x77
[ 500.483252]  ? tracer_hardirqs_on+0x3b/0x3e0
[ 500.497020]  ? mark_held_locks+0x23/0xa0
[ 500.510853]  ? rest_init+0x350/0x350
[ 500.524227]  kernel_init+0x12/0x1d0
[ 500.537390]  ret_from_fork+0x22/0x30
[ 500.550723] Modules linked in:
[ 500.563852] ---[ end trace e0359bb9ad323d4a ]---
[ 500.576421] RIP: 0010:ic_close_devs+0xba/0x1b8
[ 500.589911] Code: 48 8d 7d 08 4c 8b 7d 00 e8 dd b9 f6 e5 49 8d 7e 08 4c 8b 6d 08 e8 d0 b9 f6 e5 49 8b 5e 08 48 8d bb b0 00 00 00 e8 c0 b9 f6 e5 <48> 8b 83 b0 00 00 00 48 89 df 48 8d 74 24 20 48 89 44 24 20 e8 07
[ 500.618877] RSP: 0000:ffffc9000006fb98 EFLAGS: 00010282
[ 500.634470] RAX: 0000000000000000 RBX: e5c0026400000001 RCX: ffffffffadb999a0
[ 500.648167] RDX: 0000000000000000 RSI: 0000000000000008 RDI: e5c00264000000b1
[ 500.661672] RBP: ffff8881124c9bc0 R08: 0000000000000000 R09: 0000000000000000
[ 500.675323] R10: ffffffffa705dd43 R11: fffffbfff4e0bba8 R12: 1ffff9200000df73
[ 500.686352] R13: ffff88810fe0c000 R14: ffff8881124c8ec0 R15: ffff8881124c9540
[ 500.698361] FS: 0000000000000000(0000) GS:ffff8881e5000000(0000) knlGS:0000000000000000
[ 500.711007] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 500.723485] CR2: 0000000000000000 CR3: 000000005a8ba000 CR4: 00000000000406e0
[ 500.735946] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 500.748052] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 500.760074] Kernel panic - not syncing: Fatal exception
[ 500.771956] Kernel Offset: 0x12200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)

To reproduce:

	# build kernel
	cd linux
	cp config-5.11.0-rc6-01042-g46acf7bdbc72 .config
	make HOSTCC=gcc-9 CC=gcc-9 ARCH=x86_64 olddefconfig prepare modules_prepare bzImage

	git clone https://github.com/intel/lkp-tests.git
	cd lkp-tests
	bin/lkp qemu -k job-script # job-script is attached in this email

Thanks,
Oliver Sang