A patch introduced between v5.9.10 and v5.9.11 introduces a bug when unmounting the efivarfs filesystem. Thus far, the oops in 5.9.11 appears survivable and the system can be used afterwards. An analogous patch was introduced to v5.4.80, which produces almost the same dmesg output as 5.9.11; however, shortly afterwards, additional oopsen occur, first in memory management, then in btrfs, followed by a kernel panic and reboot.

Reproducing the bug, here in kernel 5.9.11:

~# umount /sys/firmware/efi/efivars
segmentation fault

------------[ cut here ]------------
kernel BUG at mm/slub.c:4113!
invalid opcode: 0000 [#1] SMP
CPU: 2 PID: 6923 Comm: umount Not tainted 5.9.11 #1
Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./X470 Taichi, BIOS P3.50 07/18/2019
RIP: 0010:kfree+0x29d/0x340
Code: 7d fe ff ff 48 8b 45 00 45 31 e4 a9 00 00 01 00 74 05 44 0f b6 65 51 48 8b 45 00 a9 00 00 01 00 75 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 c7 c7 40 cc
RSP: 0018:ffffc900030cbe20 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8887f6553000 RCX: ffff8887f6553828
RDX: 0000000000000000 RSI: 0000000000000296 RDI: ffff8887f6553000
RBP: ffffea001fd954c0 R08: 0000000000000000 R09: 0000000000000001
R10: 00000000fffffffc R11: dead000000000100 R12: 0000000000000000
R13: 0000000000000000 R14: ffff888876553000 R15: 0000000000000000
FS:  00007faab34ff4c0(0000) GS:ffff8887fec80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001be70c8 CR3: 00000007c3907000 CR4: 00000000003506e0
Call Trace:
 efivarfs_destroy+0x1d/0x30
 ? efivarfs_kill_sb+0x20/0x20
 __efivar_entry_iter+0xd0/0x110
 deactivate_locked_super+0x36/0x90
 cleanup_mnt+0xff/0x160
 task_work_run+0x57/0x90
 exit_to_user_mode_prepare+0x166/0x190
 syscall_exit_to_user_mode+0x2c/0xd0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7faab36386c7
Code: 87 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 31 f6 e9 09 00 00 00 66 0f 1f 84 00 00 00 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 99 87 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffe67d53aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
RAX: 0000000000000000 RBX: 00007faab37b9f64 RCX: 00007faab36386c7
RDX: 000000000000001a RSI: 0000000000000000 RDI: 0000000001be3ea0
RBP: 0000000001be3c70 R08: 0000000000000000 R09: 0000000001be50d0
R10: fffffffffffffcf1 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000001be3ea0 R14: 0000000001be3d80 R15: 0000000001be7de0
Modules linked in: md4 cifs dns_resolver libdes nfs nfsd auth_rpcgss nfs_acl lockd grace sunrpc nfs_ssc amdgpu snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio iwlmvm snd_hda_intel snd_intel_dspcfg snd_hda_codec iwlwifi snd_hwdep snd_hda_core snd_pcm mfd_core gpu_sched ttm
---[ end trace 15bfb548a602d6f4 ]---
RIP: 0010:kfree+0x29d/0x340
Code: 7d fe ff ff 48 8b 45 00 45 31 e4 a9 00 00 01 00 74 05 44 0f b6 65 51 48 8b 45 00 a9 00 00 01 00 75 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 c7 c7 40 cc
RSP: 0018:ffffc900030cbe20 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8887f6553000 RCX: ffff8887f6553828
RDX: 0000000000000000 RSI: 0000000000000296 RDI: ffff8887f6553000
RBP: ffffea001fd954c0 R08: 0000000000000000 R09: 0000000000000001
R10: 00000000fffffffc R11: dead000000000100 R12: 0000000000000000
R13: 0000000000000000 R14: ffff888876553000 R15: 0000000000000000
FS:  00007faab34ff4c0(0000) GS:ffff8887fec80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000001be70c8 CR3: 00000007c3907000 CR4: 00000000003506e0
~#
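Because the only reproduction is to unmount the live efivarfs (which on 5.4.80 the report says ends in a panic and reboot), a practitioner usually wants to check for this oops without triggering it again. The following script is an added example, not part of the bug report or of any kernel tree: it recognises the signature of the trace above (the slub BUG line, the kfree RIP and efivarfs_destroy in the call trace, in that order) in dmesg output, and flags the two kernel releases the report names as affected. The marker strings and the version list are assumptions taken from this report only; the script does not encode which later stable releases carry the fix, since the report does not state that.

```sh
#!/bin/sh
# Added example (not from the bug report): offline checks for the efivarfs
# unmount oops described above. Assumptions: the three markers below are taken
# from the posted trace; only the two versions the report names (5.9.11 and
# 5.4.80) are treated as "reported affected".

# Return 0 if the dmesg text on stdin contains, in order, the slub BUG line,
# a kfree RIP line and efivarfs_destroy in the call trace. Stray matches out of
# order (e.g. an unrelated kfree oops) do not count.
efivarfs_umount_oops() {
    awk '
        /kernel BUG at mm\/slub\.c:/ && stage == 0 { stage = 1 }
        /RIP: 0010:kfree\+/          && stage == 1 { stage = 2 }
        /efivarfs_destroy\+/         && stage == 2 { stage = 3 }
        END { exit (stage == 3 ? 0 : 1) }
    '
}

# Return 0 if the given kernel release string is one of the versions the
# report names as affected. Release strings may carry a suffix such as
# "-gentoo" or "-x86_64", so only the leading x.y.z is compared.
kernel_reported_affected() {
    base=$(printf '%s\n' "$1" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    case "$base" in
        5.9.11|5.4.80) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed sample, abbreviated from the trace above, so the script can be
# exercised on a machine that has not hit the bug.
SAMPLE_OOPS='------------[ cut here ]------------
kernel BUG at mm/slub.c:4113!
invalid opcode: 0000 [#1] SMP
RIP: 0010:kfree+0x29d/0x340
Call Trace:
 efivarfs_destroy+0x1d/0x30
 ? efivarfs_kill_sb+0x20/0x20
 __efivar_entry_iter+0xd0/0x110
 deactivate_locked_super+0x36/0x90
---[ end trace 15bfb548a602d6f4 ]---'

# Live use (as root), instead of unmounting efivarfs to find out:
#   kernel_reported_affected "$(uname -r)" && echo "running a reported-affected kernel"
#   dmesg | efivarfs_umount_oops && echo "efivarfs unmount oops present in the ring buffer"
if [ "${1:-}" = "--selftest" ]; then
    printf '%s\n' "$SAMPLE_OOPS" | efivarfs_umount_oops && echo "sample: signature recognised"
fi
```

Reading dmesg only tells you whether the oops already happened on this boot; on an affected kernel the safe course is to avoid unmounting efivarfs (or stopping services that do so on shutdown) until the kernel is updated, rather than testing it in place.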
This appears to have been fixed by 749f3d3aa05d789ced4265a20ae105655ac8e4ff, and upstream as ff04f3b6f2e27f8ae28a498416af2a8dd5072b43. Will mark as closed.