From: Ido Schimmel <idosch@nvidia.com>
To: Thomas Gleixner <tglx@kernel.org>
Cc: syzbot <syzbot+ae231e0552fa77b26ea1@syzkaller.appspotmail.com>,
linux-kernel@vger.kernel.org, peterz@infradead.org,
syzkaller-bugs@googlegroups.com, bridge@lists.linux.dev,
Nikolay Aleksandrov <razor@blackwall.org>,
netdev@vger.kernel.org
Subject: Re: [syzbot] [kernel?] WARNING: ODEBUG bug in smpboot_thread_fn
Date: Thu, 7 May 2026 20:30:10 +0300
Message-ID: <20260507173010.GA977556@shredder>
In-Reply-To: <87bjerwqan.ffs@tglx>

On Thu, May 07, 2026 at 10:57:04AM +0200, Thomas Gleixner wrote:
> On Wed, May 06 2026 at 18:29, Thomas Gleixner wrote:
> > On Mon, May 04 2026 at 05:23, syzbot wrote:
> >>
> >> ------------[ cut here ]------------
> >> ODEBUG: free active (active state 0) object: ffff888033a47278 object type: timer_list hint: br_ip6_multicast_port_query_expired+0x0/0x380 net/bridge/br_multicast.c:-1
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > An object which contains an active timer is RCU freed....
>
> Unlike the other timer in the same object, the own_query timer is not
> shut down in br_multicast_port_ctx_deinit()
>
> Something like the below.
>
> Thanks,
>
> tglx
> ---
> --- a/net/bridge/br_multicast.c
> +++ b/net/bridge/br_multicast.c
> @@ -2030,8 +2030,10 @@ void br_multicast_port_ctx_deinit(struct
>
> #if IS_ENABLED(CONFIG_IPV6)
> timer_delete_sync(&pmctx->ip6_mc_router_timer);
> + timer_delete_sync(&pmctx->ip6_own_query_timer);
> #endif
> timer_delete_sync(&pmctx->ip4_mc_router_timer);
> + timer_delete_sync(&pmctx->ip4_own_query_timer);
>
> spin_lock_bh(&br->multicast_lock);
> del |= br_ip6_multicast_rport_del(pmctx);
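
Review bot: The two added timer_delete_sync() calls on ip6_own_query_timer and ip4_own_query_timer run before spin_lock_bh(&br->multicast_lock) is taken, and timer_delete_sync() only cancels a timer that is pending or running; it does not stop a later re-arm. Since the ODEBUG report is about the containing object being RCU freed with an active timer, timer_shutdown_sync() would be the more robust choice here, because it turns any later attempt to re-arm the timer into a no-op. If timer_delete_sync() is kept, the changelog should say why nothing can re-arm either own_query timer between these calls and the free. As posted this is a sketch with no changelog or Fixes: tag, and both are needed before it can be applied.
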
Thanks for the report and the fix. It looks correct, but it's unclear to
me which commit to blame.

AFAICT, the trace tells us that the timer is pending (not executing)
when the object that contains it is RCU freed. However, it shouldn't be
possible for the timer to be pending at this stage since it is
deactivated when the port multicast context is disabled and it is only
reactivated if the context is not disabled.

So, I see two options:

1. We did not disable port multicast context.

2. We did disable the port multicast context, but the timer somehow got
   reactivated.

I will look into it...