bisecting fixing commit since 93556fb211fa7f1e18f869bdce0c225c25594942
building syzkaller on 0a96a13cb96316b8374bb7d8dd0793bcaff166a0
testing commit 93556fb211fa7f1e18f869bdce0c225c25594942 with gcc (GCC) 8.4.1 20210217
kernel signature: 298174b35e9c56016a466afcfdd0794958bd337346bbc5813586168060a29342
run #0: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #1: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #2: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #3: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #4: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #5: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #6: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #7: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #8: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #9: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #10: OK
run #11: OK
run #12: OK
run #13: OK
run #14: OK
run #15: OK
run #16: OK
run #17: OK
run #18: OK
run #19: OK
testing current HEAD 3c8c23092588a23bf1856a64f58c37f477a413be
testing commit 3c8c23092588a23bf1856a64f58c37f477a413be with gcc (GCC) 8.4.1 20210217
kernel signature: 598bfe8e5d6c6f465684f5b37b59bedfa94708d6f7e963e02eb50e64613afa36
run #0: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #1: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #2: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #3: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #4: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #5: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #6: OK
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 42m48.794395831s (build: 19m7.242462606s, test: 22m42.911212722s)
the crash still happens on HEAD
commit msg: Linux 4.19.190
crash: WARNING: ODEBUG bug in tcindex_destroy_work
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: work_struct hint: tcindex_destroy_rexts_work+0x0/0x20 net/sched/cls_tcindex.c:142
WARNING: CPU: 0 PID: 23 at lib/debugobjects.c:328 debug_print_object+0x168/0x210 lib/debugobjects.c:325
Modules linked in:
CPU: 0 PID: 23 Comm: kworker/u4:1 Not tainted 4.19.190-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tc_filter_workqueue tcindex_destroy_work
RIP: 0010:debug_print_object+0x168/0x210 lib/debugobjects.c:325
Code: 67 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 40 bd 67 87 4c 89 fe 48 c7 c7 80 b2 67 87 e8 3f 40 98 03 <0f> 0b 83 05 4b cb f7 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffff8881f511fc38 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffffffff8a1899a0
RBP: ffff8881f511fc78 R08: ffffed103ed03ee3 R09: ffffed103ed03ee2
R10: ffffed103ed03ee2 R11: ffff8881f681f717 R12: 0000000000000001
R13: ffffffff8855ab00 R14: ffffffff813d9420 R15: ffffffff8767b960
FS:  0000000000000000(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000482360 CR3: 000000000846d003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __debug_check_no_obj_freed lib/debugobjects.c:785 [inline]
 debug_check_no_obj_freed+0x264/0x480 lib/debugobjects.c:817
 kfree+0xbd/0x220 mm/slab.c:3821
 tcindex_destroy_work+0x2f/0x80 net/sched/cls_tcindex.c:230
 process_one_work+0x830/0x1670 kernel/workqueue.c:2152
 worker_thread+0x85/0xb60 kernel/workqueue.c:2295
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
irq event stamp: 29850270
hardirqs last  enabled at (29850269): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last  enabled at (29850269): [] _raw_spin_unlock_irq+0x27/0x80 kernel/locking/spinlock.c:192
hardirqs last disabled at (29850270): [] kfree+0x73/0x220 mm/slab.c:3816
softirqs last  enabled at (29849816): [] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (29849816): [] batadv_nc_purge_paths+0x1ed/0x310 net/batman-adv/network-coding.c:482
softirqs last disabled at (29849814): [] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (29849814): [] batadv_nc_purge_paths+0xc0/0x310 net/batman-adv/network-coding.c:453
---[ end trace b4ac66d0c090514f ]---
BUG: sleeping function called from invalid context at kernel/workqueue.c:2861
in_atomic(): 0, irqs_disabled(): 1, pid: 23, name: kworker/u4:1
INFO: lockdep is turned off.
irq event stamp: 29850270
hardirqs last  enabled at (29850269): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last  enabled at (29850269): [] _raw_spin_unlock_irq+0x27/0x80 kernel/locking/spinlock.c:192
hardirqs last disabled at (29850270): [] kfree+0x73/0x220 mm/slab.c:3816
softirqs last  enabled at (29849816): [] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (29849816): [] batadv_nc_purge_paths+0x1ed/0x310 net/batman-adv/network-coding.c:482
softirqs last disabled at (29849814): [] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (29849814): [] batadv_nc_purge_paths+0xc0/0x310 net/batman-adv/network-coding.c:453
CPU: 0 PID: 23 Comm: kworker/u4:1 Tainted: G        W         4.19.190-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tc_filter_workqueue tcindex_destroy_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x171 lib/dump_stack.c:118
 ___might_sleep.cold.87+0x1bb/0x1f4 kernel/sched/core.c:6192
 __might_sleep+0x95/0x190 kernel/sched/core.c:6145
 start_flush_work kernel/workqueue.c:2861 [inline]
 __flush_work+0xc7/0x800 kernel/workqueue.c:2924
 __cancel_work_timer+0x2f1/0x430 kernel/workqueue.c:3012
 cancel_work_sync kernel/workqueue.c:3048 [inline]
 work_fixup_free kernel/workqueue.c:473 [inline]
 work_fixup_free+0x17/0x30 kernel/workqueue.c:467
 debug_object_fixup+0x13/0x30 lib/debugobjects.c:341
 __debug_check_no_obj_freed lib/debugobjects.c:789 [inline]
 debug_check_no_obj_freed+0x2d6/0x480 lib/debugobjects.c:817
 kfree+0xbd/0x220 mm/slab.c:3821
 tcindex_destroy_work+0x2f/0x80 net/sched/cls_tcindex.c:230
 process_one_work+0x830/0x1670 kernel/workqueue.c:2152
 worker_thread+0x85/0xb60 kernel/workqueue.c:2295
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
======================================================