bisecting fixing commit since 93556fb211fa7f1e18f869bdce0c225c25594942
building syzkaller on 0a96a13cb96316b8374bb7d8dd0793bcaff166a0
testing commit 93556fb211fa7f1e18f869bdce0c225c25594942 with gcc (GCC) 8.1.0
kernel signature: 9349224b454b6c83aaf6e39cda97406774e58584d934ab88a264289c6d5a0d3d
run #0: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #1: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #2: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #3: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
testing current HEAD f5d8eef067acee3fda37137f4a08c0d3f6427a8e
testing commit f5d8eef067acee3fda37137f4a08c0d3f6427a8e with gcc (GCC) 8.1.0
kernel signature: 06b016b7d8d2fe7ff7a6e4cce7ae022efb8d792bb5660022b3622c604397d2f5
run #0: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #1: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #2: crashed: WARNING: ODEBUG bug in tcindex_destroy_work
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
revisions tested: 2, total time: 39m38.071809003s (build: 17m14.496672194s, test: 21m20.724128328s)
the crash still happens on HEAD
commit msg: Linux 4.19.154
crash: WARNING: ODEBUG bug in tcindex_destroy_work
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: work_struct hint: tcindex_destroy_rexts_work+0x0/0x20 net/sched/cls_tcindex.c:142
WARNING: CPU: 0 PID: 29 at lib/debugobjects.c:328 debug_print_object+0x168/0x210 lib/debugobjects.c:325
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 29 Comm: kworker/u4:2 Not tainted 4.19.154-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: tc_filter_workqueue tcindex_destroy_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x123/0x177 lib/dump_stack.c:118
 panic+0x1cd/0x375 kernel/panic.c:186
 __warn.cold.8+0x1b/0x3e kernel/panic.c:541
 report_bug+0x1a4/0x200 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x200/0x350 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:1038
RIP: 0010:debug_print_object+0x168/0x210 lib/debugobjects.c:325
Code: 67 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd a0 9d 67 87 4c 89 fe 48 c7 c7 e0 92 67 87 e8 2b 15 07 fe <0f> 0b 83 05 6b 2d f1 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffff8880b564fc38 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffffffff8a185960
RBP: ffff8880b564fc78 R08: ffffed10174c3ee3 R09: ffffed10174c3ee2
R10: ffffed10174c3ee2 R11: ffff8880ba61f717 R12: 0000000000000001
R13: ffffffff8855a8e0 R14: ffffffff813e9a80 R15: ffffffff876799c0
 __debug_check_no_obj_freed lib/debugobjects.c:785 [inline]
 debug_check_no_obj_freed+0x264/0x472 lib/debugobjects.c:817
 kfree+0xbd/0x220 mm/slab.c:3821
 tcindex_destroy_work+0x2f/0x80 net/sched/cls_tcindex.c:230
 process_one_work+0x830/0x1670 kernel/workqueue.c:2155
 worker_thread+0x85/0xb60 kernel/workqueue.c:2298
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
======================================================