Re: [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com>
To: abysamross@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2)
Date: Sat, 21 Mar 2026 04:05:04 -0700	[thread overview]
Message-ID: <69be7b60.050a0220.3bf4de.004c.GAE@google.com> (raw)
In-Reply-To: <20260321104856.53049-1-abysamross@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in hci_release_dev

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff8880603c9460 object type: timer_list hint: hci_devcd_timeout+0x0/0x2e0 net/bluetooth/coredump.c:288
WARNING: lib/debugobjects.c:629 at debug_print_object+0x18e/0x2a0 lib/debugobjects.c:629, CPU#0: syz.2.21/6604
Modules linked in:
CPU: 0 UID: 0 PID: 6604 Comm: syz.2.21 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:debug_print_object+0x19b/0x2a0 lib/debugobjects.c:629
Code: b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 48 8d 3d 82 9b b9 0b 41 56 48 8b 14 dd 80 c8 13 8c 4c 89 e6 <67> 48 0f b9 3a 58 83 05 ac 3d af 0b 01 48 83 c4 18 5b 5d 41 5c 41
RSP: 0018:ffffc90003147708 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffffffff8c13c7c0 RSI: ffffffff8c13c3e0 RDI: ffffffff90b575b0
RBP: 0000000000000001 R08: ffff8880603c9460 R09: ffffffff8bb07a00
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff8c13c3e0
R13: ffffffff8bb07a40 R14: ffffffff8a8eca20 R15: ffffc90003147808
FS:  0000000000000000(0000) GS:ffff888124680000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f871e8d1140 CR3: 000000002be6c000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __debug_check_no_obj_freed lib/debugobjects.c:1116 [inline]
 debug_check_no_obj_freed+0x4da/0x630 lib/debugobjects.c:1146
 __free_pages_prepare mm/page_alloc.c:1440 [inline]
 __free_frozen_pages+0x392/0x10d0 mm/page_alloc.c:2978
 hci_release_dev+0x4ef/0x630 net/bluetooth/hci_core.c:2777
 bt_host_release+0x6a/0xb0 net/bluetooth/hci_sysfs.c:87
 device_release+0xa4/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1f7/0x640 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3797
 vhci_release+0x185/0x230 drivers/bluetooth/hci_vhci.c:691
 __fput+0x3ff/0xb40 fs/file_table.c:469
 task_work_run+0x150/0x240 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x8b8/0x2b60 kernel/exit.c:976
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
 get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x91/0x770 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x4a0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x668/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcff159a379
Code: Unable to access opcode bytes at 0x7fcff159a34f.
RSP: 002b:00007fcff24b80e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fcff17e5fa8 RCX: 00007fcff159a379
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fcff17e5fac
RBP: 00007fcff17e5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007fcff17e6038 R14: 00007ffef3a4d530 R15: 00007ffef3a4d618
 </TASK>
----------------
Code disassembly (best guess):
   0:	b8 00 00 00 00       	mov    $0x0,%eax
   5:	00 fc                	add    %bh,%ah
   7:	ff                   	lcall  (bad)
   8:	df 48 89             	fisttps -0x77(%rax)
   b:	fa                   	cli
   c:	48 c1 ea 03          	shr    $0x3,%rdx
  10:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  14:	75 4f                	jne    0x65
  16:	48 8d 3d 82 9b b9 0b 	lea    0xbb99b82(%rip),%rdi        # 0xbb99b9f
  1d:	41 56                	push   %r14
  1f:	48 8b 14 dd 80 c8 13 	mov    -0x73ec3780(,%rbx,8),%rdx
  26:	8c
  27:	4c 89 e6             	mov    %r12,%rsi
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	58                   	pop    %rax
  30:	83 05 ac 3d af 0b 01 	addl   $0x1,0xbaf3dac(%rip)        # 0xbaf3de3
  37:	48 83 c4 18          	add    $0x18,%rsp
  3b:	5b                   	pop    %rbx
  3c:	5d                   	pop    %rbp
  3d:	41 5c                	pop    %r12
  3f:	41                   	rex.B


Tested on:

commit:         a0c83177 Merge tag 'drm-fixes-2026-03-21' of https://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f1d0ca580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6f764aea3bbb63e1
dashboard link: https://syzkaller.appspot.com/bug?extid=b170dbf55520ebf5969a
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

Note: no patches were applied.

next      parent reply	other threads:[~2026-03-21 11:05 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260321104856.53049-1-abysamross@gmail.com>
2026-03-21 11:05 ` syzbot [this message]
     [not found] <20260321112739.139088-1-abysamross@gmail.com>
2026-03-21 11:50 ` [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2) syzbot
     [not found] <20260317151156.463873-1-abysamross@gmail.com>
2026-03-17 15:34 ` syzbot
     [not found] <20260316160751.297206-1-abysamross@gmail.com>
2026-03-16 16:24 ` syzbot
2024-07-24 13:25 syzbot
2024-10-14 23:11 ` syzbot
2024-12-21 14:19 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=69be7b60.050a0220.3bf4de.004c.GAE@google.com \
    --to=syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com \
    --cc=abysamross@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.