[v6.6] WARNING: ODEBUG bug in handle_softirqs
0 views
Skip to first unread message
syzbot
Jan 26, 2026, 11:28:38 AMJan 26
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: cbb31f77b879 Linux 6.6.121
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=127aa93a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2a950bf7c0bff9f9
dashboard link: https://syzkaller.appspot.com/bug?extid=474a0f95923afb446ae8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6436cbae3604/disk-cbb31f77.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8f3a3d318f99/vmlinux-cbb31f77.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84920a2a012f/bzImage-cbb31f77.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+474a0f...@syzkaller.appspotmail.com
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff888030560278 object type: timer_list hint: br_ip6_multicast_port_query_expired+0x0/0x20
WARNING: CPU: 0 PID: 12657 at lib/debugobjects.c:518 debug_print_object lib/debugobjects.c:515 [inline]
WARNING: CPU: 0 PID: 12657 at lib/debugobjects.c:518 __debug_check_no_obj_freed lib/debugobjects.c:990 [inline]
WARNING: CPU: 0 PID: 12657 at lib/debugobjects.c:518 debug_check_no_obj_freed+0x446/0x540 lib/debugobjects.c:1020
Modules linked in:
CPU: 0 PID: 12657 Comm: kworker/u4:8 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: bat_events batadv_nc_worker
RIP: 0010:debug_print_object lib/debugobjects.c:515 [inline]
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:990 [inline]
RIP: 0010:debug_check_no_obj_freed+0x446/0x540 lib/debugobjects.c:1020
Code: 4c 8b 4d 00 48 c7 c7 a0 8a 1c 8b 48 c7 c6 00 87 1c 8b 48 c7 c2 20 8c 1c 8b 8b 0c 24 4d 89 f8 41 55 e8 3e 56 20 fd 48 83 c4 08 <0f> 0b 4c 8b 6c 24 18 48 b9 00 00 00 00 00 fc ff df ff 05 73 8d 5a
RSP: 0018:ffffc90000007af8 EFLAGS: 00010282
RAX: 0aa892bc0321b200 RBX: ffffffff97561fd0 RCX: ffff88802b470000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffffff8accab20 R08: ffffc900000076e7 R09: 1ffff92000000edc
R10: dffffc0000000000 R11: fffff52000000edd R12: ffff888030560400
R13: ffffffff89613390 R14: ffff888030560000 R15: ffff888030560278
FS: 0000000000000000(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0993be8600 CR3: 0000000066e17000 CR4: 00000000003506f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
slab_free_hook mm/slub.c:1786 [inline]
slab_free_freelist_hook+0xd2/0x1a0 mm/slub.c:1837
slab_free mm/slub.c:3830 [inline]
__kmem_cache_free+0xba/0x1e0 mm/slub.c:3843
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x221/0x460 lib/kobject.c:737
rcu_do_batch kernel/rcu/tree.c:2194 [inline]
rcu_core+0xcfb/0x1770 kernel/rcu/tree.c:2467
handle_softirqs+0x280/0x820 kernel/softirq.c:578
do_softirq+0xfa/0x1a0 kernel/softirq.c:479
</IRQ>
<TASK>
__local_bh_enable_ip+0x184/0x1c0 kernel/softirq.c:406
spin_unlock_bh include/linux/spinlock.h:396 [inline]
batadv_nc_purge_paths+0x311/0x3a0 net/batman-adv/network-coding.c:471
batadv_nc_worker+0x328/0x610 net/batman-adv/network-coding.c:720
process_one_work kernel/workqueue.c:2634 [inline]
process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2711
worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: cbb31f77b879 Linux 6.6.121
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=127aa93a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2a950bf7c0bff9f9
dashboard link: https://syzkaller.appspot.com/bug?extid=474a0f95923afb446ae8
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6436cbae3604/disk-cbb31f77.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8f3a3d318f99/vmlinux-cbb31f77.xz
kernel image: https://storage.googleapis.com/syzbot-assets/84920a2a012f/bzImage-cbb31f77.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+474a0f...@syzkaller.appspotmail.com
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff888030560278 object type: timer_list hint: br_ip6_multicast_port_query_expired+0x0/0x20
WARNING: CPU: 0 PID: 12657 at lib/debugobjects.c:518 debug_print_object lib/debugobjects.c:515 [inline]
WARNING: CPU: 0 PID: 12657 at lib/debugobjects.c:518 __debug_check_no_obj_freed lib/debugobjects.c:990 [inline]
WARNING: CPU: 0 PID: 12657 at lib/debugobjects.c:518 debug_check_no_obj_freed+0x446/0x540 lib/debugobjects.c:1020
Modules linked in:
CPU: 0 PID: 12657 Comm: kworker/u4:8 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: bat_events batadv_nc_worker
RIP: 0010:debug_print_object lib/debugobjects.c:515 [inline]
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:990 [inline]
RIP: 0010:debug_check_no_obj_freed+0x446/0x540 lib/debugobjects.c:1020
Code: 4c 8b 4d 00 48 c7 c7 a0 8a 1c 8b 48 c7 c6 00 87 1c 8b 48 c7 c2 20 8c 1c 8b 8b 0c 24 4d 89 f8 41 55 e8 3e 56 20 fd 48 83 c4 08 <0f> 0b 4c 8b 6c 24 18 48 b9 00 00 00 00 00 fc ff df ff 05 73 8d 5a
RSP: 0018:ffffc90000007af8 EFLAGS: 00010282
RAX: 0aa892bc0321b200 RBX: ffffffff97561fd0 RCX: ffff88802b470000
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffffff8accab20 R08: ffffc900000076e7 R09: 1ffff92000000edc
R10: dffffc0000000000 R11: fffff52000000edd R12: ffff888030560400
R13: ffffffff89613390 R14: ffff888030560000 R15: ffff888030560278
FS: 0000000000000000(0000) GS:ffff8880b8e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0993be8600 CR3: 0000000066e17000 CR4: 00000000003506f0
DR0: ffffffffffffffff DR1: 00000000000001f8 DR2: 0000000000000083
DR3: ffffffffefffff15 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
slab_free_hook mm/slub.c:1786 [inline]
slab_free_freelist_hook+0xd2/0x1a0 mm/slub.c:1837
slab_free mm/slub.c:3830 [inline]
__kmem_cache_free+0xba/0x1e0 mm/slub.c:3843
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x221/0x460 lib/kobject.c:737
rcu_do_batch kernel/rcu/tree.c:2194 [inline]
rcu_core+0xcfb/0x1770 kernel/rcu/tree.c:2467
handle_softirqs+0x280/0x820 kernel/softirq.c:578
do_softirq+0xfa/0x1a0 kernel/softirq.c:479
</IRQ>
<TASK>
__local_bh_enable_ip+0x184/0x1c0 kernel/softirq.c:406
spin_unlock_bh include/linux/spinlock.h:396 [inline]
batadv_nc_purge_paths+0x311/0x3a0 net/batman-adv/network-coding.c:471
batadv_nc_worker+0x328/0x610 net/batman-adv/network-coding.c:720
process_one_work kernel/workqueue.c:2634 [inline]
process_scheduled_works+0xa5d/0x15d0 kernel/workqueue.c:2711
worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792
kthread+0x2fa/0x390 kernel/kthread.c:388
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Feb 4, 2026, 12:13:26 PM (9 days ago) Feb 4
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: cd9b81672742 Linux 6.1.161
syzbot found the following issue on:
git tree: linux-6.1.y
console output: https://syzkaller.appspot.com/x/log.txt?x=1408a402580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f0605c5af04d7603
dashboard link: https://syzkaller.appspot.com/bug?extid=84f4fd5aada92779a9f1
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7c7d6fd2ef9f/disk-cd9b8167.raw.xz
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
vmlinux: https://storage.googleapis.com/syzbot-assets/544b7fd5d4e0/vmlinux-cd9b8167.xz
kernel image: https://storage.googleapis.com/syzbot-assets/3454f19d3753/bzImage-cd9b8167.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: br_ip6_multicast_port_query_expired+0x0/0x20
WARNING: CPU: 1 PID: 10428 at lib/debugobjects.c:518 debug_print_object lib/debugobjects.c:515 [inline]
WARNING: CPU: 1 PID: 10428 at lib/debugobjects.c:518 __debug_check_no_obj_freed lib/debugobjects.c:979 [inline]
WARNING: CPU: 1 PID: 10428 at lib/debugobjects.c:518 debug_check_no_obj_freed+0x43c/0x530 lib/debugobjects.c:1009
Modules linked in:
CPU: 1 PID: 10428 Comm: syz.4.2090 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
RIP: 0010:debug_print_object lib/debugobjects.c:515 [inline]
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:979 [inline]
RIP: 0010:debug_check_no_obj_freed+0x43c/0x530 lib/debugobjects.c:1009
Code: ef e8 18 00 be fd 4c 8b 45 00 48 c7 c7 80 15 df 8a 48 c7 c6 40 12 df 8a 48 c7 c2 e0 16 df 8a 8b 0c 24 4d 89 e9 e8 54 87 38 fd <0f> 0b 4c 8b 6c 24 18 48 b9 00 00 00 00 00 fc ff df ff 05 85 9a 0a
RSP: 0018:ffffc900001e0a18 EFLAGS: 00010246
RAX: 5ae2bc2632dc3a00 RBX: ffffffff96e086c0 RCX: ffff88802ea11dc0
RDX: 0000000000000100 RSI: 0000000000000000 RDI: 0000000000000002
RBP: ffffffff8a8def40 R08: ffffc900001e06a7 R09: 1ffff9200003c0d4
R10: dffffc0000000000 R11: fffff5200003c0d5 R12: ffff888078016400
R13: ffffffff8913ce30 R14: ffff888078016000 R15: ffff888078016278
FS: 0000000000000000(0000) GS:ffff8880b8f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f88e00780e7 CR3: 00000000729f7000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
slab_free_hook mm/slub.c:1704 [inline]
slab_free_freelist_hook+0xd2/0x1a0 mm/slub.c:1755
slab_free mm/slub.c:3687 [inline]
__kmem_cache_free+0xb6/0x1f0 mm/slub.c:3700
kobject_cleanup lib/kobject.c:681 [inline]
kobject_release lib/kobject.c:712 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x21d/0x460 lib/kobject.c:729
rcu_do_batch kernel/rcu/tree.c:2297 [inline]
rcu_core+0xa99/0x1740 kernel/rcu/tree.c:2557
handle_softirqs+0x2a1/0x930 kernel/softirq.c:596
__do_softirq kernel/softirq.c:630 [inline]
invoke_softirq kernel/softirq.c:470 [inline]
__irq_exit_rcu+0x13b/0x230 kernel/softirq.c:679
irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1118
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0010:lock_acquire+0x225/0x4a0 kernel/locking/lockdep.c:5666
Code: f7 84 24 80 00 00 00 00 02 00 00 43 c6 44 3d 04 f8 0f 85 f0 00 00 00 41 f7 c6 00 02 00 00 74 01 fb 48 c7 44 24 60 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 43 c7 44 3d 08 00 00 00 00 65 48 8b 04
RSP: 0018:ffffc90004fa7620 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 5ae2bc2632dc3a00
RDX: 0000000000000000 RSI: ffffffff8a8c23a0 RDI: ffffffff8adf0c20
RBP: ffffc90004fa7730 R08: dffffc0000000000 R09: 1ffffffff215e648
R10: dffffc0000000000 R11: fffffbfff215e649 R12: 0000000000000001
R13: 1ffff920009f4ed0 R14: 0000000000000246 R15: dffffc0000000000
rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
rcu_read_lock include/linux/rcupdate.h:791 [inline]
page_ext_get+0x3a/0x2a0 mm/page_ext.c:157
page_table_check_clear+0x4a/0x6b0 mm/page_table_check.c:71
ptep_get_and_clear_full arch/x86/include/asm/jump_label.h:-1 [inline]
zap_pte_range mm/memory.c:1433 [inline]
zap_pmd_range mm/memory.c:1572 [inline]
zap_pud_range mm/memory.c:1601 [inline]
zap_p4d_range mm/memory.c:1622 [inline]
unmap_page_range+0x192d/0x2500 mm/memory.c:1643
unmap_vmas+0x260/0x390 mm/memory.c:1728
exit_mmap+0x20d/0x960 mm/mmap.c:3250
__mmput+0x118/0x3c0 kernel/fork.c:1205
exit_mm+0x1fe/0x2d0 kernel/exit.c:565
do_exit+0x905/0x2480 kernel/exit.c:867
do_group_exit+0x217/0x2d0 kernel/exit.c:1022
__do_sys_exit_group kernel/exit.c:1033 [inline]
__se_sys_exit_group kernel/exit.c:1031 [inline]
__x64_sys_exit_group+0x3b/0x40 kernel/exit.c:1031
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f3417f9aeb9
Code: Unable to access opcode bytes at 0x7f3417f9ae8f.
RSP: 002b:00007ffd87e66d98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3417f9aeb9
RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007ffd87e66dfc R08: 0000000000000000 R09: 00000000000927c0
R10: 00007f3418216128 R11: 0000000000000246 R12: 000000000000016d
R13: 00000000000927c0 R14: 000000000004931b R15: 00007ffd87e66e50
</TASK>
----------------
Code disassembly (best guess):
0: f7 84 24 80 00 00 00 testl $0x200,0x80(%rsp)
7: 00 02 00 00
b: 43 c6 44 3d 04 f8 movb $0xf8,0x4(%r13,%r15,1)
11: 0f 85 f0 00 00 00 jne 0x107
17: 41 f7 c6 00 02 00 00 test $0x200,%r14d
1e: 74 01 je 0x21
20: fb sti
21: 48 c7 44 24 60 0e 36 movq $0x45e0360e,0x60(%rsp)
28: e0 45
* 2a: 4b c7 44 3d 00 00 00 movq $0x0,0x0(%r13,%r15,1) <-- trapping instruction
31: 00 00
33: 43 c7 44 3d 08 00 00 movl $0x0,0x8(%r13,%r15,1)
3a: 00 00
3c: 65 gs
3d: 48 rex.W
3e: 8b .byte 0x8b
3f: 04 .byte 0x4
Reply all
Reply to author
Forward
0 new messages