bisecting cause commit starting from a1281601f88e924a2e8c7572065d3e9fecf3c3fb building syzkaller on a8529b82fb3bb45832b08a099e7eb51707da9b37 testing commit a1281601f88e924a2e8c7572065d3e9fecf3c3fb with gcc (GCC) 10.2.1 20210217 kernel signature: 221799527ff33c1e74a06d9f56003a5e22868a3cae195fc8f052f65a23f3b270 run #0: crashed: WARNING: refcount bug in in_dev_finish_destroy run #1: crashed: WARNING: refcount bug in in_dev_finish_destroy run #2: crashed: WARNING: refcount bug in in_dev_finish_destroy run #3: crashed: WARNING: refcount bug in in_dev_finish_destroy run #4: crashed: WARNING: refcount bug in register_netdevice run #5: crashed: WARNING: refcount bug in in_dev_finish_destroy run #6: crashed: WARNING: refcount bug in in_dev_finish_destroy run #7: crashed: WARNING: refcount bug in in_dev_finish_destroy run #8: crashed: WARNING: refcount bug in in_dev_finish_destroy run #9: OK run #10: OK run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: crashed: WARNING: refcount bug in in_dev_finish_destroy run #19: OK testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: e99cd9f143ce9d9fcac692e506c1f42fd7bad007e669bcc2d658384620d3ab58 run #0: crashed: unregister_netdevice: waiting for DEV to become free run #1: crashed: unregister_netdevice: waiting for DEV to become free run #2: crashed: unregister_netdevice: waiting for DEV to become free run #3: crashed: unregister_netdevice: waiting for DEV to become free run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK reproducer seems to be flaky testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: a85323b0701dba111ac583b145ff31def09d195ee905600b53b701659a53318a all runs: OK # git bisect start f40ddce88593482919761f74910f42f4b84c004b 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 7761 revisions left to test after this (roughly 13 steps) [538fcf57aaee6ad78a05f52b69a99baa22b33418] Merge branches 'acpi-scan', 'acpi-pnp' and 'acpi-sleep' testing commit 538fcf57aaee6ad78a05f52b69a99baa22b33418 with gcc (GCC) 10.2.1 20210217 kernel signature: 8287b7352ce225f287b0545315af4572a68c2db3782b1c6706269c19531bfbad all runs: OK # git bisect good 538fcf57aaee6ad78a05f52b69a99baa22b33418 Bisecting: 3868 revisions left to test after this (roughly 12 steps) [d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214] Merge tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 with gcc (GCC) 10.2.1 20210217 kernel signature: 564fd10fcc174c4b31e575f44da5253bc49438cc9c2278071b23ceed45cd844c run #0: OK run #1: OK run #2: OK run #3: OK run #4: OK run #5: OK run #6: OK run #7: OK run #8: OK run #9: OK run #10: crashed: WARNING: ODEBUG bug in netdev_run_todo run #11: OK run #12: OK run #13: OK run #14: OK run #15: OK run #16: OK run #17: OK run #18: OK run #19: OK # git bisect bad d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 Bisecting: 1915 revisions left to test after this (roughly 11 steps) [f68e4041ef63f03091e44b4eebf1ab5c5d427e6f] Merge tag 'pinctrl-v5.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit f68e4041ef63f03091e44b4eebf1ab5c5d427e6f with gcc (GCC) 10.2.1 20210217 kernel signature: f2ee9055187c34139e8920e2be04f84d37221fc29bb17ef34d7dae1f4f5087e9 all runs: OK # git bisect good f68e4041ef63f03091e44b4eebf1ab5c5d427e6f Bisecting: 1037 revisions left to test after this (roughly 10 steps) [9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e with gcc (GCC) 10.2.1 20210217 kernel signature: 49132e2b51c6a6f1bb1e78f00ce946e8d0df48dbe918402638f0e5c3dd50dbfe all runs: OK # git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e Bisecting: 485 revisions left to test after this (roughly 9 steps) [74f602dc96dd854c7b2034947798c1e2a6b84066] Merge tag 'nfs-for-5.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 74f602dc96dd854c7b2034947798c1e2a6b84066 with gcc (GCC) 10.2.1 20210217 kernel signature: 942556da4379cefb7e2d4bac12e612b2a06ddb1d07c192c0dbf6349c195eec3e all runs: OK # git bisect good 74f602dc96dd854c7b2034947798c1e2a6b84066 Bisecting: 242 revisions left to test after this (roughly 8 steps) [a6a50d8495d098b6459166c3707ab251d3dc9e06] powerpc/32s: Remove CONFIG_PPC_BOOK3S_6xx testing commit a6a50d8495d098b6459166c3707ab251d3dc9e06 with gcc (GCC) 10.2.1 20210217 kernel signature: b9ff40b17f180860b80a83e9b6c58bb886d86c336cfb34b59d74cc876d5064d5 all runs: OK # git bisect good a6a50d8495d098b6459166c3707ab251d3dc9e06 Bisecting: 108 revisions left to test after this (roughly 7 steps) [09c0796adf0c793462fda1d7c8c43324551405c7] Merge tag 'trace-v5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace testing commit 09c0796adf0c793462fda1d7c8c43324551405c7 with gcc (GCC) 10.2.1 20210217 kernel signature: 160d1bbcefdc916572e2140c2c160bbfc50616e1a9d8d8802ee7dc998007c203 all runs: OK # git bisect good 09c0796adf0c793462fda1d7c8c43324551405c7 Bisecting: 54 revisions left to test after this (roughly 6 steps) [2198d4934ee8b81341a84c9ec8bb25b4b0d02522] powerpc/mm: Fix hugetlb_free_pmd_range() and hugetlb_free_pud_range() testing commit 2198d4934ee8b81341a84c9ec8bb25b4b0d02522 with gcc (GCC) 10.2.1 20210217 kernel signature: b9ff40b17f180860b80a83e9b6c58bb886d86c336cfb34b59d74cc876d5064d5 all runs: OK # git bisect good 2198d4934ee8b81341a84c9ec8bb25b4b0d02522 Bisecting: 27 revisions left to test after this (roughly 5 steps) [0c14846032f2c0a3b63234e1fc2759f4155b6067] mptcp: fix security context on server socket testing commit 0c14846032f2c0a3b63234e1fc2759f4155b6067 with gcc (GCC) 10.2.1 20210217 kernel signature: 1d18cff26afd058d1f9967740b14e37ffda97e245976cb92e27b9656402d4785 all runs: OK # git bisect good 0c14846032f2c0a3b63234e1fc2759f4155b6067 Bisecting: 9 revisions left to test after this (roughly 4 steps) [0c6c887835b59c10602add88057c9c06f265effe] Merge tag 'for-linus' of git://github.com/openrisc/linux testing commit 0c6c887835b59c10602add88057c9c06f265effe with gcc (GCC) 10.2.1 20210217 kernel signature: 03e275229a1931a021393de961fe3fa58a9a0d2a75a2d11c2c085fd096702182 all runs: OK # git bisect good 0c6c887835b59c10602add88057c9c06f265effe Bisecting: 4 revisions left to test after this (roughly 2 steps) [0d52848632a357948028eab67ff9b7cc0c12a0fb] qlcnic: Fix error code in probe testing commit 0d52848632a357948028eab67ff9b7cc0c12a0fb with gcc (GCC) 10.2.1 20210217 kernel signature: 231081ee9e03a98b723b54dab3b88dc78af2442ed8c73e4cf073e07cf7730e01 all runs: OK # git bisect good 0d52848632a357948028eab67ff9b7cc0c12a0fb Bisecting: 2 revisions left to test after this (roughly 1 step) [d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe] octeontx2-af: Fix undetected unmap PF error check testing commit d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe with gcc (GCC) 10.2.1 20210217 kernel signature: 231081ee9e03a98b723b54dab3b88dc78af2442ed8c73e4cf073e07cf7730e01 all runs: OK # git bisect good d8a4ea350f1fff71c9988ea3da3c913ec30bbfbe Bisecting: 0 revisions left to test after this (roughly 1 step) [44d4775ca51805b376a8db5b34f650434a08e556] net/sched: sch_taprio: reset child qdiscs before freeing them testing commit 44d4775ca51805b376a8db5b34f650434a08e556 with gcc (GCC) 10.2.1 20210217 kernel signature: c52300dba8e593cca241597d0422c6266288439b287ecb54ef7e85796de3898e all runs: OK # git bisect good 44d4775ca51805b376a8db5b34f650434a08e556 d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 is the first bad commit commit d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 Merge: 0c6c887835b5 44d4775ca518 Author: Linus Torvalds Date: Thu Dec 17 13:45:24 2020 -0800 Merge tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Current release - always broken: - net/smc: fix access to parent of an ib device - devlink: use _BITUL() macro instead of BIT() in the UAPI header - handful of mptcp fixes Previous release - regressions: - intel: AF_XDP: clear the status bits for the next_to_use descriptor - dpaa2-eth: fix the size of the mapped SGT buffer Previous release - always broken: - mptcp: fix security context on server socket - ethtool: fix string set id check - ethtool: fix error paths in ethnl_set_channels() - lan743x: fix rx_napi_poll/interrupt ping-pong - qca: ar9331: fix sleeping function called from invalid context bug" * tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (32 commits) net/sched: sch_taprio: reset child qdiscs before freeing them nfp: move indirect block cleanup to flower app stop callback octeontx2-af: Fix undetected unmap PF error check net: nixge: fix spelling mistake in Kconfig: "Instuments" -> "Instruments" qlcnic: Fix error code in probe mptcp: fix pending data accounting mptcp: push pending frames when subflow has free space mptcp: properly annotate nested lock mptcp: fix security context on server socket net/mlx5: Fix compilation warning for 32-bit platform mptcp: clear use_ack and use_map when dropping other suboptions devlink: use _BITUL() macro instead of BIT() in the UAPI header net: korina: fix return value net/smc: fix access to parent of an ib device ethtool: fix error paths in ethnl_set_channels() nfc: s3fwrn5: Remove unused NCI prop commands nfc: s3fwrn5: Remove the delay for NFC sleep phy: fix kdoc warning tipc: do sanity check payload of a netlink message use __netdev_notify_peers in hyperv ... Documentation/driver-api/connector.rst | 2 +- drivers/connector/cn_queue.c | 8 ++-- drivers/connector/connector.c | 4 +- drivers/net/dsa/qca/ar9331.c | 33 ++++++++++++----- drivers/net/ethernet/allwinner/sun4i-emac.c | 7 +++- drivers/net/ethernet/broadcom/genet/bcmgenet.c | 4 +- drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 2 +- drivers/net/ethernet/ibm/ibmvnic.c | 9 ++--- drivers/net/ethernet/intel/i40e/i40e_xsk.c | 5 ++- drivers/net/ethernet/intel/ice/ice_xsk.c | 5 ++- drivers/net/ethernet/korina.c | 2 +- .../ethernet/marvell/octeontx2/af/rvu_devlink.c | 3 +- drivers/net/ethernet/microchip/lan743x_main.c | 43 ++++++++++++---------- drivers/net/ethernet/mscc/ocelot_vsc7514.c | 8 +++- drivers/net/ethernet/netronome/nfp/flower/main.c | 6 +-- drivers/net/ethernet/ni/Kconfig | 2 +- drivers/net/ethernet/qlogic/qlcnic/qlcnic_main.c | 1 + drivers/net/hyperv/netvsc_drv.c | 11 ++---- drivers/nfc/s3fwrn5/nci.c | 25 ------------- drivers/nfc/s3fwrn5/nci.h | 22 ----------- drivers/nfc/s3fwrn5/phy_common.c | 3 +- include/linux/connector.h | 10 ++--- include/linux/mlx5/mlx5_ifc.h | 6 +-- include/linux/netdevice.h | 1 + include/linux/phy.h | 3 +- include/uapi/linux/devlink.h | 2 +- net/core/dev.c | 22 ++++++++++- net/ethtool/channels.c | 6 ++- net/ethtool/strset.c | 2 +- net/mptcp/options.c | 15 +++++--- net/mptcp/protocol.c | 11 +++--- net/mptcp/protocol.h | 2 +- net/sched/sch_taprio.c | 17 ++++++++- net/smc/smc_ib.c | 36 +++++++++++------- net/tipc/netlink_compat.c | 12 +++--- tools/testing/selftests/net/mptcp/simult_flows.sh | 6 +-- 36 files changed, 198 insertions(+), 158 deletions(-) Reproducer flagged being flaky revisions tested: 16, total time: 5h4m8.067044014s (build: 1h52m6.374942058s, test: 3h9m51.071793065s) first bad commit: d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 Merge tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net recipients (to): ["torvalds@linux-foundation.org"] recipients (cc): [] crash: WARNING: ODEBUG bug in netdev_run_todo ------------[ cut here ]------------ ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:1601 WARNING: CPU: 1 PID: 27 at lib/debugobjects.c:505 debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Modules linked in: CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted 5.10.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:debug_print_object+0x16e/0x250 lib/debugobjects.c:505 Code: ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 af 00 00 00 48 8b 14 dd 60 8c dd 88 4c 89 ee 48 c7 c7 60 80 dd 88 e8 e9 4a 7d 04 <0f> 0b 83 05 b5 8a bd 08 01 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e c3 RSP: 0018:ffffc90000e2f888 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff88dd7c40 RDI: fffff520001c5f03 RBP: 0000000000000001 R08: 0000000000000001 R09: ffff8880b9f30827 R10: ffffed10173e6104 R11: 657461747320654f R12: ffffffff888cb4e0 R13: ffffffff88dd86a0 R14: ffffffff81584330 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8880b9f00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000046deb0 CR3: 000000002e4e3000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __debug_check_no_obj_freed lib/debugobjects.c:987 [inline] debug_check_no_obj_freed+0x301/0x420 lib/debugobjects.c:1018 slab_free_hook mm/slub.c:1536 [inline] slab_free_freelist_hook+0x107/0x150 mm/slub.c:1577 slab_free mm/slub.c:3140 [inline] kfree+0xdb/0x3b0 mm/slub.c:4122 device_release+0x93/0x200 drivers/base/core.c:1962 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 netdev_run_todo+0x810/0xcd0 net/core/dev.c:10350 default_device_exit_batch+0x2ae/0x370 net/core/dev.c:11203 cleanup_net+0x423/0x990 net/core/net_namespace.c:604 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296