Re: [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com>
To: abysamross@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2)
Date: Mon, 16 Mar 2026 09:24:01 -0700	[thread overview]
Message-ID: <69b82ea1.050a0220.12d28.0164.GAE@google.com> (raw)
In-Reply-To: <20260316160751.297206-1-abysamross@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in hci_release_dev

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff88807ea79460 object type: timer_list hint: hci_devcd_timeout+0x0/0x2e0 net/bluetooth/coredump.c:288
WARNING: lib/debugobjects.c:629 at debug_print_object+0x18e/0x2a0 lib/debugobjects.c:629, CPU#0: syz.4.25/6752
Modules linked in:
CPU: 0 UID: 0 PID: 6752 Comm: syz.4.25 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:debug_print_object+0x19b/0x2a0 lib/debugobjects.c:629
Code: b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 48 8d 3d 32 a5 b9 0b 41 56 48 8b 14 dd 00 c5 13 8c 4c 89 e6 <67> 48 0f b9 3a 58 83 05 2c 48 af 0b 01 48 83 c4 18 5b 5d 41 5c 41
RSP: 0018:ffffc90003877708 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffffffff8c13c440 RSI: ffffffff8c13c060 RDI: ffffffff90b567e0
RBP: 0000000000000001 R08: ffff88807ea79460 R09: ffffffff8bb07a00
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff8c13c060
R13: ffffffff8bb07a40 R14: ffffffff8a8eae60 R15: ffffc90003877808
FS:  0000000000000000(0000) GS:ffff888124683000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdb9c7497d9 CR3: 00000000372c4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __debug_check_no_obj_freed lib/debugobjects.c:1116 [inline]
 debug_check_no_obj_freed+0x4da/0x630 lib/debugobjects.c:1146
 __free_pages_prepare mm/page_alloc.c:1440 [inline]
 __free_frozen_pages+0x392/0x10d0 mm/page_alloc.c:2978
 hci_release_dev+0x4ef/0x630 net/bluetooth/hci_core.c:2777
 bt_host_release+0x6a/0xb0 net/bluetooth/hci_sysfs.c:87
 device_release+0xa4/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1f7/0x640 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3797
 vhci_release+0x185/0x230 drivers/bluetooth/hci_vhci.c:691
 __fput+0x3ff/0xb40 fs/file_table.c:469
 task_work_run+0x150/0x240 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x8b8/0x2b60 kernel/exit.c:976
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
 get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x91/0x770 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x4a0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x668/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc71939a379
Code: Unable to access opcode bytes at 0x7fc71939a34f.
RSP: 002b:00007fc71a1760e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fc7195e5fa8 RCX: 00007fc71939a379
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fc7195e5fac
RBP: 00007fc7195e5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc7195e6038 R14: 00007ffef7196040 R15: 00007ffef7196128
 </TASK>
----------------
Code disassembly (best guess):
   0:	b8 00 00 00 00       	mov    $0x0,%eax
   5:	00 fc                	add    %bh,%ah
   7:	ff                   	lcall  (bad)
   8:	df 48 89             	fisttps -0x77(%rax)
   b:	fa                   	cli
   c:	48 c1 ea 03          	shr    $0x3,%rdx
  10:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  14:	75 4f                	jne    0x65
  16:	48 8d 3d 32 a5 b9 0b 	lea    0xbb9a532(%rip),%rdi        # 0xbb9a54f
  1d:	41 56                	push   %r14
  1f:	48 8b 14 dd 00 c5 13 	mov    -0x73ec3b00(,%rbx,8),%rdx
  26:	8c
  27:	4c 89 e6             	mov    %r12,%rsi
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	58                   	pop    %rax
  30:	83 05 2c 48 af 0b 01 	addl   $0x1,0xbaf482c(%rip)        # 0xbaf4863
  37:	48 83 c4 18          	add    $0x18,%rsp
  3b:	5b                   	pop    %rbx
  3c:	5d                   	pop    %rbp
  3d:	41 5c                	pop    %r12
  3f:	41                   	rex.B


Tested on:

commit:         f338e773 Linux 7.0-rc4
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16ce78da580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6f764aea3bbb63e1
dashboard link: https://syzkaller.appspot.com/bug?extid=b170dbf55520ebf5969a
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

Note: no patches were applied.

next      parent reply	other threads:[~2026-03-16 16:24 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260316160751.297206-1-abysamross@gmail.com>
2026-03-16 16:24 ` syzbot [this message]
     [not found] <20260321112739.139088-1-abysamross@gmail.com>
2026-03-21 11:50 ` [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2) syzbot
     [not found] <20260321104856.53049-1-abysamross@gmail.com>
2026-03-21 11:05 ` syzbot
     [not found] <20260317151156.463873-1-abysamross@gmail.com>
2026-03-17 15:34 ` syzbot
2024-07-24 13:25 syzbot
2024-10-14 23:11 ` syzbot
2024-12-21 14:19 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=69b82ea1.050a0220.12d28.0164.GAE@google.com \
    --to=syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com \
    --cc=abysamross@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.