From: syzbot <syzbot+019ced393ab913002b75@syzkaller.appspotmail.com>
To: kartikey406@gmail.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [i2c?] [usb?] WARNING: ODEBUG bug in i2c_device_remove (2)
Date: Tue, 21 Apr 2026 23:22:03 -0700 [thread overview]
Message-ID: <69e8690b.a00a0220.9259.001a.GAE@google.com> (raw)
In-Reply-To: <20260422054544.21907-1-kartikey406@gmail.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in i2c_device_remove
rtl2832_remove: before kfree
------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff888031bc06e8 object type: timer_list hint: rtl2832_i2c_gate_work+0x0/0x100 usercopy_64.c:-1
WARNING: lib/debugobjects.c:632 at debug_print_object lib/debugobjects.c:629 [inline], CPU#1: kworker/1:1/44
WARNING: lib/debugobjects.c:632 at __debug_check_no_obj_freed lib/debugobjects.c:1116 [inline], CPU#1: kworker/1:1/44
WARNING: lib/debugobjects.c:632 at debug_check_no_obj_freed+0x405/0x550 lib/debugobjects.c:1146, CPU#1: kworker/1:1/44
Modules linked in:
CPU: 1 UID: 0 PID: 44 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: usb_hub_wq hub_event
RIP: 0010:debug_print_object lib/debugobjects.c:629 [inline]
RIP: 0010:__debug_check_no_obj_freed lib/debugobjects.c:1116 [inline]
RIP: 0010:debug_check_no_obj_freed+0x44a/0x550 lib/debugobjects.c:1146
Code: 89 44 24 20 e8 47 27 6f fd 48 8b 44 24 20 4c 8b 4d 00 4c 89 ef 48 c7 c6 20 5e ca 8b 48 c7 c2 a0 63 ca 8b 8b 0c 24 4d 89 f8 50 <67> 48 0f b9 3a 48 83 c4 08 4c 8b 6c 24 18 48 b9 00 00 00 00 00 fc
RSP: 0018:ffffc90000b567b8 EFLAGS: 00010246
RAX: ffffffff87680800 RBX: ffffffff99f987a8 RCX: 0000000000000000
RDX: ffffffff8bca63a0 RSI: ffffffff8bca5e20 RDI: ffffffff8fd9e010
RBP: ffffffff8b6f5560 R08: ffff888031bc06e8 R09: ffffffff8b6f68e0
R10: dffffc0000000000 R11: ffffffff81b15280 R12: ffff888031bc0800
R13: ffffffff8fd9e010 R14: ffff888031bc0000 R15: ffff888031bc06e8
FS: 0000000000000000(0000) GS:ffff888125b5f000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5bf3cefe9c CR3: 00000000390cc000 CR4: 00000000003526f0
Call Trace:
<TASK>
slab_free_hook mm/slub.c:2620 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x13e/0x6c0 mm/slub.c:6561
i2c_device_remove+0x88/0x220 drivers/i2c/i2c-core-base.c:631
device_remove drivers/base/dd.c:619 [inline]
__device_release_driver drivers/base/dd.c:1352 [inline]
device_release_driver_internal+0x46f/0x870 drivers/base/dd.c:1375
bus_remove_device+0x45a/0x570 drivers/base/bus.c:657
device_del+0x52b/0x900 drivers/base/core.c:3895
device_unregister+0x21/0xf0 drivers/base/core.c:3936
rtl28xxu_frontend_detach+0x168/0x210 drivers/media/usb/dvb-usb-v2/rtl28xxu.c:1105
dvb_usbv2_adapter_frontend_exit drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:733 [inline]
dvb_usbv2_adapter_exit drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:830 [inline]
dvb_usbv2_exit+0x44c/0xb80 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:844
dvb_usbv2_probe+0x4c0/0x3c20 drivers/media/usb/dvb-usb-v2/dvb_usb_core.c:994
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2268
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x1ef/0x380 drivers/base/dd.c:871
driver_probe_device+0x4f/0x240 drivers/base/dd.c:901
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1029
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c8/0x450 drivers/base/dd.c:1101
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1156
bus_probe_device+0x12d/0x220 drivers/base/bus.c:613
device_add+0x7e9/0xbb0 drivers/base/core.c:3706
usb_new_device+0x9f8/0x16e0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a49/0x4f60 drivers/usb/core/hub.c:5953
process_one_work+0x9a3/0x1710 kernel/workqueue.c:3312
process_scheduled_works kernel/workqueue.c:3403 [inline]
worker_thread+0xba8/0x11e0 kernel/workqueue.c:3489
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
----------------
Code disassembly (best guess):
0: 89 44 24 20 mov %eax,0x20(%rsp)
4: e8 47 27 6f fd call 0xfd6f2750
9: 48 8b 44 24 20 mov 0x20(%rsp),%rax
e: 4c 8b 4d 00 mov 0x0(%rbp),%r9
12: 4c 89 ef mov %r13,%rdi
15: 48 c7 c6 20 5e ca 8b mov $0xffffffff8bca5e20,%rsi
1c: 48 c7 c2 a0 63 ca 8b mov $0xffffffff8bca63a0,%rdx
23: 8b 0c 24 mov (%rsp),%ecx
26: 4d 89 f8 mov %r15,%r8
29: 50 push %rax
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 48 83 c4 08 add $0x8,%rsp
33: 4c 8b 6c 24 18 mov 0x18(%rsp),%r13
38: 48 rex.W
39: b9 00 00 00 00 mov $0x0,%ecx
3e: 00 fc add %bh,%ah
Tested on:
commit: bee6ea30 Add linux-next specific files for 20260421
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=173ca2d2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=354b135d724a721f
dashboard link: https://syzkaller.appspot.com/bug?extid=019ced393ab913002b75
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=150cd1ba580000
next parent reply other threads:[~2026-04-22 6:22 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20260422054544.21907-1-kartikey406@gmail.com>
2026-04-22 6:22 ` syzbot [this message]
[not found] <20260422044957.20929-1-kartikey406@gmail.com>
2026-04-22 5:23 ` [syzbot] [i2c?] [usb?] WARNING: ODEBUG bug in i2c_device_remove (2) syzbot
2026-04-20 21:36 syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69e8690b.a00a0220.9259.001a.GAE@google.com \
--to=syzbot+019ced393ab913002b75@syzkaller.appspotmail.com \
--cc=kartikey406@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.