bisecting cause commit starting from a3b22b9f11d9fbc48b0291ea92259a5a810e9438
building syzkaller on 59f36113ee97b3d2d2c872e23841eda592a4201d
testing commit a3b22b9f11d9fbc48b0291ea92259a5a810e9438 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in addr_handler
run #1: crashed: KASAN: use-after-free Read in addr_handler
run #2: crashed: KASAN: use-after-free Read in addr_handler
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in addr_handler
run #1: crashed: KASAN: use-after-free Read in addr_handler
run #2: crashed: KASAN: use-after-free Read in addr_handler
run #3: crashed: KASAN: use-after-free Read in addr_handler
run #4: crashed: KASAN: use-after-free Read in addr_handler
run #5: crashed: KASAN: use-after-free Read in addr_handler
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: OK
# git bisect start v4.20 v4.19
Bisecting: 7499 revisions left to test after this (roughly 13 steps)
[ec9c166434595382be3babf266febf876327774d] Merge tag 'mips_fixes_4.20_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux
testing commit ec9c166434595382be3babf266febf876327774d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in addr_handler
run #1: crashed: KASAN: use-after-free Read in addr_handler
run #2: crashed: KASAN: use-after-free Read in addr_handler
run #3: crashed: KASAN: use-after-free Read in addr_handler
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ec9c166434595382be3babf266febf876327774d
Bisecting: 3252 revisions left to test after this (roughly 12 steps)
[50b825d7e87f4cff7070df6eb26390152bb29537] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
testing commit 50b825d7e87f4cff7070df6eb26390152bb29537 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 50b825d7e87f4cff7070df6eb26390152bb29537
Bisecting: 1617 revisions left to test after this (roughly 11 steps)
[62606c224d72a98c35d21a849f95cccf95b0a252] Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
testing commit 62606c224d72a98c35d21a849f95cccf95b0a252 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in netdev_freemem
run #1: crashed: WARNING: ODEBUG bug in netdev_freemem
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 62606c224d72a98c35d21a849f95cccf95b0a252
Bisecting: 782 revisions left to test after this (roughly 10 steps)
[bd6bf7c10484f026505814b690104cdef27ed460] Merge tag 'pci-v4.20-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
testing commit bd6bf7c10484f026505814b690104cdef27ed460 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good bd6bf7c10484f026505814b690104cdef27ed460
Bisecting: 469 revisions left to test after this (roughly 9 steps)
[de7d83da84bdf0b5ec50b3b09249e608c0e4b81d] Merge tag 'asoc-v5.0-2' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
testing commit de7d83da84bdf0b5ec50b3b09249e608c0e4b81d with gcc (GCC) 8.1.0
all runs: OK
# git bisect good de7d83da84bdf0b5ec50b3b09249e608c0e4b81d
Bisecting: 234 revisions left to test after this (roughly 8 steps)
[f4445bb93d82a984657b469e63118c2794a4c3d3] scsi: hisi_sas: Fix NULL pointer dereference
testing commit f4445bb93d82a984657b469e63118c2794a4c3d3 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good f4445bb93d82a984657b469e63118c2794a4c3d3
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[68138b5d583a8dd8b88570caed46e3efab219797] crypto: axis - fix platform_no_drv_owner.cocci warnings
testing commit 68138b5d583a8dd8b88570caed46e3efab219797 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 68138b5d583a8dd8b88570caed46e3efab219797
Bisecting: 46 revisions left to test after this (roughly 6 steps)
[5947a64a7e0c70cc16d5d1e5af3cf3b44535047a] Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
testing commit 5947a64a7e0c70cc16d5d1e5af3cf3b44535047a with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in netdev_freemem
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 5947a64a7e0c70cc16d5d1e5af3cf3b44535047a
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[d59e0ba19481c0046d2ea2bd0e5344eeaf45aace] tick/sched : Remove redundant cpu_online() check
testing commit d59e0ba19481c0046d2ea2bd0e5344eeaf45aace with gcc (GCC) 8.1.0
all runs: OK
# git bisect good d59e0ba19481c0046d2ea2bd0e5344eeaf45aace
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2] irqchip/irq-mvebu-icu: Support ICU subnodes
testing commit 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2 with gcc (GCC) 8.1.0
run #0: crashed: WARNING: ODEBUG bug in netdev_freemem
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[3fb68faee8676900f896d1615442aeca36e5f940] irqchip/gic-v3-its: Register LPI tables with EFI config table
testing commit 3fb68faee8676900f896d1615442aeca36e5f940 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 3fb68faee8676900f896d1615442aeca36e5f940
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[1f83515bebc236d2acda59976a8e852f1a6d50b7] genirq/msi: Allow creation of a tree-based irqdomain for platform-msi
testing commit 1f83515bebc236d2acda59976a8e852f1a6d50b7 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 1f83515bebc236d2acda59976a8e852f1a6d50b7
Bisecting: 2 revisions left to test after this (roughly 1 step)
[2b4dab69dcca13c5be2ddaf1337ae4accd087de6] irqchip/irq-mvebu-icu: Fix wrong private data retrieval
testing commit 2b4dab69dcca13c5be2ddaf1337ae4accd087de6 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 2b4dab69dcca13c5be2ddaf1337ae4accd087de6
Bisecting: 0 revisions left to test after this (roughly 1 step)
[00885a77c8ffbeee58a9662c92d6a60a9b49f120] irqchip/irq-mvebu-icu: Disociate ICU and NSR
testing commit 00885a77c8ffbeee58a9662c92d6a60a9b49f120 with gcc (GCC) 8.1.0
all runs: OK
# git bisect good 00885a77c8ffbeee58a9662c92d6a60a9b49f120
4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2 is the first bad commit
commit 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2
Author: Miquel Raynal <miquel.raynal@bootlin.com>
Date:   Tue Oct 2 10:54:16 2018 +0200

    irqchip/irq-mvebu-icu: Support ICU subnodes
    
    The ICU can handle several type of interrupt, each of them being handled
    differently on AP side. On CP side, the ICU should be able to make the
    distinction between each interrupt group by pointing to the right parent.
    
    This is done through the introduction of new bindings, presenting the ICU
    node as the parent of multiple ICU sub-nodes, each of them being an
    interrupt type with a different interrupt parent. ICU interrupt 'clients'
    now directly point to the right sub-node, avoiding the need for the extra
    ICU_GRP_* parameter.
    
    ICU subnodes are probed automatically with devm_platform_populate(). If
    the node as no child, the probe function for NSRs will still be called
    'manually' in order to preserve backward compatibility with DT using the
    old binding.
    
    Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
    Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>

 drivers/irqchip/irq-mvebu-icu.c | 73 ++++++++++++++++++++++++++++++++---------
 1 file changed, 57 insertions(+), 16 deletions(-)
revisions tested: 17, total time: 3h59m53.900667112s (build: 1h15m17.329599593s, test: 2h40m52.492805974s)
first bad commit: 4f4c867c91e644fc9d461c8c5cf2f09d6d5bcac2 irqchip/irq-mvebu-icu: Support ICU subnodes
cc: ["andrew@lunn.ch" "gregory.clement@bootlin.com" "jason@lakedaemon.net" "linux-arm-kernel@lists.infradead.org" "linux-kernel@vger.kernel.org" "marc.zyngier@arm.com" "miquel.raynal@bootlin.com" "sebastian.hesselbarth@gmail.com" "tglx@linutronix.de"]
crash: WARNING: ODEBUG bug in netdev_freemem
IPVS: ftp: loaded support on port[0] = 21
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:4916
WARNING: CPU: 1 PID: 8 at lib/debugobjects.c:329 debug_print_object+0x16a/0x210 lib/debugobjects.c:326
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 4.19.0-rc3+ #1
kobject: 'team0' (00000000266d3d17): kobject_add_internal: parent: 'net', set: 'devices'
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
kobject: 'team0' (00000000266d3d17): kobject_uevent_env
Workqueue: netns cleanup_net
kobject: 'team0' (00000000266d3d17): fill_kobj_path: path = '/devices/virtual/net/team0'
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x109/0x15a lib/dump_stack.c:113
 panic+0x1c6/0x37d kernel/panic.c:184
kobject: 'queues' (0000000072114499): kobject_add_internal: parent: 'team0', set: '<NULL>'
kobject: 'queues' (0000000072114499): kobject_uevent_env
kobject: 'queues' (0000000072114499): kobject_uevent_env: filter function caused the event to drop!
 __warn.cold.8+0x120/0x166 kernel/panic.c:536
kobject: 'rx-0' (000000002322b922): kobject_add_internal: parent: 'queues', set: 'queues'
 report_bug+0x1a4/0x200 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x200/0x350 arch/x86/kernel/traps.c:296
kobject: 'rx-0' (000000002322b922): kobject_uevent_env
kobject: 'rx-0' (000000002322b922): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-0'
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
kobject: 'rx-1' (000000005f8d2429): kobject_add_internal: parent: 'queues', set: 'queues'
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
RIP: 0010:debug_print_object+0x16a/0x210 lib/debugobjects.c:326
kobject: 'rx-1' (000000005f8d2429): kobject_uevent_env
Code: fe 86 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 20 5d fe 86 4c 89 fe 48 c7 c7 c0 52 fe 86 e8 49 7d 49 fe <0f> 0b 83 05 39 9f c0 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffff88002d7d7840 EFLAGS: 00010082
kobject: 'rx-1' (000000005f8d2429): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-1'
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
kobject: 'rx-2' (00000000032b1963): kobject_add_internal: parent: 'queues', set: 'queues'
RDX: 0000000000000002 RSI: 0000000000000008 RDI: ffffffff89a4b620
RBP: ffff88002d7d7880 R08: ffffed000fd43ee3 R09: ffffed000fd43ee2
kobject: 'rx-2' (00000000032b1963): kobject_uevent_env
R10: ffffed000fd43ee2 R11: ffff88007ea1f717 R12: 0000000000000001
kobject: 'rx-2' (00000000032b1963): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-2'
R13: ffffffff87f9e8e0 R14: ffffffff8152f290 R15: ffffffff86fe5940
 __debug_check_no_obj_freed lib/debugobjects.c:786 [inline]
 debug_check_no_obj_freed+0x264/0x472 lib/debugobjects.c:818
 kfree+0xbd/0x230 mm/slab.c:3812
kobject: 'rx-3' (00000000638dd5ef): kobject_add_internal: parent: 'queues', set: 'queues'
 kvfree+0x2c/0x30 mm/util.c:452
kobject: 'rx-3' (00000000638dd5ef): kobject_uevent_env
 netdev_freemem+0x47/0x60 net/core/dev.c:8841
 netdev_release+0x6c/0x90 net/core/net-sysfs.c:1640
kobject: 'rx-3' (00000000638dd5ef): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-3'
 device_release+0x74/0x1d0 drivers/base/core.c:891
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put.cold.9+0x22e/0x281 lib/kobject.c:708
kobject: 'rx-4' (000000003254067b): kobject_add_internal: parent: 'queues', set: 'queues'
 netdev_run_todo+0x4c4/0x6b0 net/core/dev.c:8746
kobject: 'rx-4' (000000003254067b): kobject_uevent_env
 rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:117
 default_device_exit_batch+0x2ec/0x3d0 net/core/dev.c:9527
kobject: 'rx-4' (000000003254067b): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-4'
kobject: 'rx-5' (0000000071bd918a): kobject_add_internal: parent: 'queues', set: 'queues'
kobject: 'rx-5' (0000000071bd918a): kobject_uevent_env
 ops_exit_list.isra.7+0xd9/0x130 net/core/net_namespace.c:156
kobject: 'rx-5' (0000000071bd918a): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-5'
 cleanup_net+0x363/0x840 net/core/net_namespace.c:551
kobject: 'rx-6' (000000006e7fffd7): kobject_add_internal: parent: 'queues', set: 'queues'
kobject: 'rx-6' (000000006e7fffd7): kobject_uevent_env
kobject: 'rx-6' (000000006e7fffd7): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-6'
 process_one_work+0x835/0x15c0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
kobject: 'rx-7' (00000000ec013293): kobject_add_internal: parent: 'queues', set: 'queues'
 kthread+0x327/0x3f0 kernel/kthread.c:246
kobject: 'rx-7' (00000000ec013293): kobject_uevent_env
kobject: 'rx-7' (00000000ec013293): fill_kobj_path: path = '/devices/virtual/net/team0/queues/rx-7'
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
kobject: 'rx-8' (00000000f596b0be): kobject_add_internal: parent: 'queues', set: 'queues'

======================================================