------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff888056252490 object type: timer_list hint: rose_t0timer_expiry+0x0/0x150 include/linux/skbuff.h:2880
WARNING: CPU: 1 PID: 12071 at lib/debugobjects.c:612 debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Modules linked in:
CPU: 1 UID: 0 PID: 12071 Comm: syz.2.1523 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
RIP: 0010:debug_print_object+0x1a2/0x2b0 lib/debugobjects.c:612
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 54 41 56 48 8b 14 dd 60 3a 16 8c 4c 89 e6 48 c7 c7 e0 2e 16 8c e8 8f 6c 8f fc 90 <0f> 0b 90 90 58 83 05 26 bf c0 0b 01 48 83 c4 18 5b 5d 41 5c 41 5d
RSP: 0018:ffffc90000a08a28 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff817a3358
RDX: ffff88805312a440 RSI: ffffffff817a3365 RDI: 0000000000000001
RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff8c163580
R13: ffffffff8bafed40 R14: ffffffff8a817c30 R15: ffffc90000a08b28
FS: 00007fd1951b46c0(0000) GS:ffff8881247b8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c426a7f CR3: 0000000071b66000 CR4: 00000000003526f0
DR0: 0000000000000002 DR1: 0000000000000002 DR2: 0000000000000008
DR3: 1000000100000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
__debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
debug_check_no_obj_freed+0x4b7/0x600 lib/debugobjects.c:1129
slab_free_hook mm/slub.c:2348 [inline]
slab_free mm/slub.c:4680 [inline]
kfree+0x28f/0x4d0 mm/slub.c:4879
rose_neigh_put include/net/rose.h:166 [inline]
rose_timer_expiry+0x53f/0x630 net/rose/rose_timer.c:183
call_timer_fn+0x197/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x216/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:kasan_check_range+0x12/0x1b0 mm/kasan/generic.c:188
Code: 00 00 00 00 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 48 85 f6 0f 84 64 01 00 00 48 89 f8 41 54 <44> 0f b6 c2 48 01 f0 55 53 0f 82 d7 00 00 00 eb 0f cc cc cc 48 b8
RSP: 0018:ffffc9000ca97920 EFLAGS: 00000202
RAX: ffffea00010c8af4 RBX: ffffea00010c8ac0 RCX: ffffffff821e6d83
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffea00010c8af4
RBP: ffffea00010c8af4 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000000 R15: dffffc0000000000
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
page_ref_count include/linux/page_ref.h:67 [inline]
set_page_refcounted mm/internal.h:512 [inline]
alloc_pages_noprof+0x1b3/0x390 mm/mempolicy.c:2510
vm_area_alloc_pages mm/vmalloc.c:3642 [inline]
__vmalloc_area_node mm/vmalloc.c:3720 [inline]
__vmalloc_node_range_noprof+0x72f/0x14b0 mm/vmalloc.c:3893
__bpf_map_area_alloc+0x12e/0x200 kernel/bpf/syscall.c:399
bloom_map_alloc+0x302/0x4c0 kernel/bpf/bloom_filter.c:146
map_create+0x592/0x1f80 kernel/bpf/syscall.c:1480
__sys_bpf+0x44d2/0x4de0 kernel/bpf/syscall.c:6011
__do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
__x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:6137
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd196f8ebe9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd1951b4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fd1971c6180 RCX: 00007fd196f8ebe9
RDX: 0000000000000048 RSI: 00002000000004c0 RDI: 0000000000000000
RBP: 00007fd197011e19 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd1971c6218 R14: 00007fd1971c6180 R15: 00007ffd7bb5e518
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 0f 1f 40 00 nopl 0x0(%rax)
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 66 0f 1f 00 nopw (%rax)
1c: 48 85 f6 test %rsi,%rsi
1f: 0f 84 64 01 00 00 je 0x189
25: 48 89 f8 mov %rdi,%rax
28: 41 54 push %r12
* 2a: 44 0f b6 c2 movzbl %dl,%r8d <-- trapping instruction
2e: 48 01 f0 add %rsi,%rax
31: 55 push %rbp
32: 53 push %rbx
33: 0f 82 d7 00 00 00 jb 0x110
39: eb 0f jmp 0x4a
3b: cc int3
3c: cc int3
3d: cc int3
3e: 48 rex.W
3f: b8 .byte 0xb8