From: syzbot <syzbot+7287222a6d88bdb559a7@syzkaller.appspotmail.com>
To: davem@davemloft.net, edumazet@google.com, horms@kernel.org,
	 kuba@kernel.org, linux-hams@vger.kernel.org,
	linux-kernel@vger.kernel.org,  netdev@vger.kernel.org,
	pabeni@redhat.com, syzkaller-bugs@googlegroups.com
Subject: [syzbot] [hams?] WARNING: ODEBUG bug in __run_timers (3)
Date: Tue, 02 Sep 2025 10:24:31 -0700	[thread overview]
Message-ID: <68b7284f.050a0220.3db4df.01d7.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    b320789d6883 Linux 6.17-rc4
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1204ae62580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=da02162f945f3311
dashboard link: https://syzkaller.appspot.com/bug?extid=7287222a6d88bdb559a7
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7a46ec41bf8b/disk-b320789d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/876c0ffbc199/vmlinux-b320789d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa352d634f96/bzImage-b320789d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+7287222a6d88bdb559a7@syzkaller.appspotmail.com

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff88806ac3a490 object type: timer_list hint: rose_t0timer_expiry+0x0/0x150 include/linux/skbuff.h:2880
WARNING: CPU: 0 PID: 10082 at lib/debugobjects.c:612 debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Modules linked in:
CPU: 0 UID: 0 PID: 10082 Comm: syz.1.930 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 54 41 56 48 8b 14 dd 60 41 16 8c 4c 89 e6 48 c7 c7 e0 35 16 8c e8 cf 43 91 fc 90 <0f> 0b 90 90 58 83 05 46 ce c2 0b 01 48 83 c4 18 5b 5d 41 5c 41 5d
RSP: 0018:ffffc90000007a28 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff817a3358
RDX: ffff888030b6bc00 RSI: ffffffff817a3365 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8c163c80
R13: ffffffff8bafedc0 R14: ffffffff8a7fa4f0 R15: ffffc90000007b28
FS:  00007f4947a166c0(0000) GS:ffff8881246b9000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f49479f5d58 CR3: 0000000030c4f000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
 debug_check_no_obj_freed+0x4b7/0x600 lib/debugobjects.c:1129
 slab_free_hook mm/slub.c:2348 [inline]
 slab_free mm/slub.c:4680 [inline]
 kfree+0x28f/0x4d0 mm/slub.c:4879
 rose_neigh_put include/net/rose.h:166 [inline]
 rose_timer_expiry+0x53f/0x630 net/rose/rose_timer.c:183
 call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers+0x6ef/0x960 kernel/time/timer.c:2372
 __run_timer_base kernel/time/timer.c:2384 [inline]
 __run_timer_base kernel/time/timer.c:2376 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2393
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 76 fe 02 f6 48 89 df e8 5e 52 03 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 05 4f f3 f5 65 8b 05 0e ac 41 08 85 c0 74 16 5b
RSP: 0018:ffffc9001fae7770 EFLAGS: 00000246
RAX: 0000000000000006 RBX: ffff888079171200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff8de4eebc RDI: ffffffff8c163080
RBP: 0000000000000246 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90ab8a97 R11: 0000000000000000 R12: ffff888033eb78c0
R13: 0000000000000246 R14: ffff8880791711e8 R15: ffffc9001fae78f8
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 __skb_try_recv_datagram+0x172/0x4f0 net/core/datagram.c:267
 __unix_dgram_recvmsg+0x1bc/0xc30 net/unix/af_unix.c:2601
 unix_dgram_recvmsg+0xd0/0x110 net/unix/af_unix.c:2700
 sock_recvmsg_nosec net/socket.c:1065 [inline]
 ____sys_recvmsg+0x5f9/0x6b0 net/socket.c:2832
 ___sys_recvmsg+0x114/0x1a0 net/socket.c:2876
 do_recvmmsg+0x2fe/0x750 net/socket.c:2971
 __sys_recvmmsg net/socket.c:3045 [inline]
 __do_sys_recvmmsg net/socket.c:3068 [inline]
 __se_sys_recvmmsg net/socket.c:3061 [inline]
 __x64_sys_recvmmsg+0x22a/0x280 net/socket.c:3061
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4946b8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4947a16038 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00007f4946dc6090 RCX: 00007f4946b8ebe9
RDX: 0000000000010106 RSI: 00002000000000c0 RDI: 0000000000000003
RBP: 00007f4946c11e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4946dc6128 R14: 00007f4946dc6090 R15: 00007fff631b3388
 </TASK>
----------------
Code disassembly (best guess):
   0:	f5                   	cmc
   1:	53                   	push   %rbx
   2:	48 8b 74 24 10       	mov    0x10(%rsp),%rsi
   7:	48 89 fb             	mov    %rdi,%rbx
   a:	48 83 c7 18          	add    $0x18,%rdi
   e:	e8 76 fe 02 f6       	call   0xf602fe89
  13:	48 89 df             	mov    %rbx,%rdi
  16:	e8 5e 52 03 f6       	call   0xf6035279
  1b:	f7 c5 00 02 00 00    	test   $0x200,%ebp
  21:	75 23                	jne    0x46
  23:	9c                   	pushf
  24:	58                   	pop    %rax
  25:	f6 c4 02             	test   $0x2,%ah
  28:	75 37                	jne    0x61
* 2a:	bf 01 00 00 00       	mov    $0x1,%edi <-- trapping instruction
  2f:	e8 05 4f f3 f5       	call   0xf5f34f39
  34:	65 8b 05 0e ac 41 08 	mov    %gs:0x841ac0e(%rip),%eax        # 0x841ac49
  3b:	85 c0                	test   %eax,%eax
  3d:	74 16                	je     0x55
  3f:	5b                   	pop    %rbx


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
