public inbox for linux-kernel@vger.kernel.org
From: syzbot <syzbot+b170dbf55520ebf5969a@syzkaller.appspotmail.com>
To: abysamross@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2)
Date: Mon, 16 Mar 2026 09:24:01 -0700
Message-ID: <69b82ea1.050a0220.12d28.0164.GAE@google.com>
In-Reply-To: <20260316160751.297206-1-abysamross@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: ODEBUG bug in hci_release_dev

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff88807ea79460 object type: timer_list hint: hci_devcd_timeout+0x0/0x2e0 net/bluetooth/coredump.c:288
WARNING: lib/debugobjects.c:629 at debug_print_object+0x18e/0x2a0 lib/debugobjects.c:629, CPU#0: syz.4.25/6752
Modules linked in:
CPU: 0 UID: 0 PID: 6752 Comm: syz.4.25 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:debug_print_object+0x19b/0x2a0 lib/debugobjects.c:629
Code: b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 4f 48 8d 3d 32 a5 b9 0b 41 56 48 8b 14 dd 00 c5 13 8c 4c 89 e6 <67> 48 0f b9 3a 58 83 05 2c 48 af 0b 01 48 83 c4 18 5b 5d 41 5c 41
RSP: 0018:ffffc90003877708 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffffffff8c13c440 RSI: ffffffff8c13c060 RDI: ffffffff90b567e0
RBP: 0000000000000001 R08: ffff88807ea79460 R09: ffffffff8bb07a00
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff8c13c060
R13: ffffffff8bb07a40 R14: ffffffff8a8eae60 R15: ffffc90003877808
FS:  0000000000000000(0000) GS:ffff888124683000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdb9c7497d9 CR3: 00000000372c4000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __debug_check_no_obj_freed lib/debugobjects.c:1116 [inline]
 debug_check_no_obj_freed+0x4da/0x630 lib/debugobjects.c:1146
 __free_pages_prepare mm/page_alloc.c:1440 [inline]
 __free_frozen_pages+0x392/0x10d0 mm/page_alloc.c:2978
 hci_release_dev+0x4ef/0x630 net/bluetooth/hci_core.c:2777
 bt_host_release+0x6a/0xb0 net/bluetooth/hci_sysfs.c:87
 device_release+0xa4/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1f7/0x640 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3797
 vhci_release+0x185/0x230 drivers/bluetooth/hci_vhci.c:691
 __fput+0x3ff/0xb40 fs/file_table.c:469
 task_work_run+0x150/0x240 kernel/task_work.c:233
 exit_task_work include/linux/task_work.h:40 [inline]
 do_exit+0x8b8/0x2b60 kernel/exit.c:976
 do_group_exit+0xd5/0x2a0 kernel/exit.c:1118
 get_signal+0x1ec7/0x21e0 kernel/signal.c:3034
 arch_do_signal_or_restart+0x91/0x770 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x4a0 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x668/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc71939a379
Code: Unable to access opcode bytes at 0x7fc71939a34f.
RSP: 002b:00007fc71a1760e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fc7195e5fa8 RCX: 00007fc71939a379
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fc7195e5fac
RBP: 00007fc7195e5fa0 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc7195e6038 R14: 00007ffef7196040 R15: 00007ffef7196128
 </TASK>
----------------
Code disassembly (best guess):
   0:	b8 00 00 00 00       	mov    $0x0,%eax
   5:	00 fc                	add    %bh,%ah
   7:	ff                   	lcall  (bad)
   8:	df 48 89             	fisttps -0x77(%rax)
   b:	fa                   	cli
   c:	48 c1 ea 03          	shr    $0x3,%rdx
  10:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
  14:	75 4f                	jne    0x65
  16:	48 8d 3d 32 a5 b9 0b 	lea    0xbb9a532(%rip),%rdi        # 0xbb9a54f
  1d:	41 56                	push   %r14
  1f:	48 8b 14 dd 00 c5 13 	mov    -0x73ec3b00(,%rbx,8),%rdx
  26:	8c
  27:	4c 89 e6             	mov    %r12,%rsi
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	58                   	pop    %rax
  30:	83 05 2c 48 af 0b 01 	addl   $0x1,0xbaf482c(%rip)        # 0xbaf4863
  37:	48 83 c4 18          	add    $0x18,%rsp
  3b:	5b                   	pop    %rbx
  3c:	5d                   	pop    %rbp
  3d:	41 5c                	pop    %r12
  3f:	41                   	rex.B


Tested on:

commit:         f338e773 Linux 7.0-rc4
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16ce78da580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6f764aea3bbb63e1
dashboard link: https://syzkaller.appspot.com/bug?extid=b170dbf55520ebf5969a
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44

Note: no patches were applied.
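What the ODEBUG line at the top of the trace means, as an added illustration that is not part of syzbot's report and not kernel code: the debugobjects tracker knows the timer behind the coredump timeout (hint hci_devcd_timeout, net/bluetooth/coredump.c) was still armed when the page holding the hci_dev went back to the allocator from hci_release_dev, which is exactly the check __debug_check_no_obj_freed performs. The userspace model below re-implements that state machine; tracked_obj, fake_hci_dev and simulate_release are this example's own names, and the struct layout is assumed.

```c
/* Added example, not kernel code: a small userspace model of the
 * lib/debugobjects.c tracker, showing what the "free active object" check
 * in the report above tests. tracked_obj, fake_hci_dev and simulate_release
 * are this example's own names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum odebug_state { ODEBUG_STATE_INIT, ODEBUG_STATE_ACTIVE, ODEBUG_STATE_INACTIVE };

struct tracked_obj {
	const void *addr;	/* address of the tracked object (a timer here) */
	const char *type;	/* "timer_list" in the report */
	const char *hint;	/* the callback: hci_devcd_timeout in the report */
	enum odebug_state state;
};

#define MAX_TRACKED 32
static struct tracked_obj pool[MAX_TRACKED];
static int npool;

static struct tracked_obj *odebug_lookup(const void *addr)
{
	for (int i = 0; i < npool; i++)
		if (pool[i].addr == addr)
			return &pool[i];
	return NULL;
}

/* debug_object_init(): what timer_setup()/INIT_DELAYED_WORK() tell the tracker */
static void debug_object_init(const void *addr, const char *type, const char *hint)
{
	struct tracked_obj *o = odebug_lookup(addr);
	if (!o) {
		if (npool == MAX_TRACKED)
			abort();
		o = &pool[npool++];
	}
	*o = (struct tracked_obj){ addr, type, hint, ODEBUG_STATE_INIT };
}

/* debug_object_activate()/deactivate(): mod_timer() marks the timer ACTIVE,
 * timer_delete_sync()/cancel_delayed_work_sync() mark it INACTIVE again */
static void debug_object_set_state(const void *addr, enum odebug_state st)
{
	struct tracked_obj *o = odebug_lookup(addr);
	if (o)
		o->state = st;
}

/* debug_check_no_obj_freed(): run by the page/slab free path over the range
 * being released. Every tracked object inside it is untracked; one that is
 * still ACTIVE raises the warning seen in the report. Returns warning count. */
static int debug_check_no_obj_freed(const void *start, size_t len)
{
	uintptr_t lo = (uintptr_t)start, hi = lo + len;
	int warnings = 0;
	for (int i = 0; i < npool; ) {
		uintptr_t a = (uintptr_t)pool[i].addr;
		if (a < lo || a >= hi) {
			i++;
			continue;
		}
		if (pool[i].state == ODEBUG_STATE_ACTIVE) {
			printf("ODEBUG: free active object: %p object type: %s hint: %s\n",
			       pool[i].addr, pool[i].type, pool[i].hint);
			warnings++;
		}
		pool[i] = pool[--npool];	/* untrack by swap-remove */
	}
	return warnings;
}

/* Stand-in for a device struct that embeds its timeout timer, as hci_dev does
 * for the coredump timeout. Assumed layout; dump_timeout models a timer_list. */
struct fake_hci_dev { char name[8]; long dump_timeout; };

/* Allocate, register the timer, arm it, optionally cancel it, then release the
 * device memory the way the free path would. Returns the ODEBUG warning count:
 * 1 when the armed timer is still pending at free time, 0 when it was cancelled. */
int simulate_release(int cancel_before_free)
{
	struct fake_hci_dev *hdev = calloc(1, sizeof *hdev);
	int warnings;

	if (!hdev)
		abort();
	npool = 0;
	strcpy(hdev->name, "hci0");
	debug_object_init(&hdev->dump_timeout, "timer_list", "hci_devcd_timeout");
	debug_object_set_state(&hdev->dump_timeout, ODEBUG_STATE_ACTIVE);	/* armed */
	if (cancel_before_free)
		debug_object_set_state(&hdev->dump_timeout, ODEBUG_STATE_INACTIVE);
	warnings = debug_check_no_obj_freed(hdev, sizeof *hdev);	/* free path */
	free(hdev);
	return warnings;
}
```

simulate_release(0) reproduces the order the trace shows (armed timer, memory freed) and returns 1; simulate_release(1) cancels first and returns 0. The general rule the tracker enforces is that a timer or delayed work embedded in an object must be cancelled synchronously before the object's memory is released; where in the hci teardown path that is missing for this reproducer is what the patch under test is trying to settle, and this model does not claim to answer it.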

Thread overview: 7+ messages
     [not found] <20260316160751.297206-1-abysamross@gmail.com>
2026-03-16 16:24 ` syzbot [this message]
     [not found] <20260321112739.139088-1-abysamross@gmail.com>
2026-03-21 11:50 ` [syzbot] [bluetooth?] WARNING: ODEBUG bug in hci_release_dev (2) syzbot
     [not found] <20260321104856.53049-1-abysamross@gmail.com>
2026-03-21 11:05 ` syzbot
     [not found] <20260317151156.463873-1-abysamross@gmail.com>
2026-03-17 15:34 ` syzbot
2024-07-24 13:25 syzbot
2024-10-14 23:11 ` syzbot
2024-12-21 14:19 ` syzbot
