[syzbot] [usb?] INFO: task hung in uevent_show (2)


syzbot

Nov 9, 2024, 9:37:28 AM11/9/24
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=13459e30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17fd60c0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e48f2af8afd7/disk-226ff2e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/76328e28b54c/vmlinux-226ff2e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab9f75a466a2/bzImage-226ff2e6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+592e2a...@syzkaller.appspotmail.com

INFO: task udevd:5791 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:26960 pid:5791 tgid:5791 ppid:2861 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13d00f0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000010000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
</TASK>
INFO: task udevd:5796 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27904 pid:5796 tgid:5796 ppid:2861 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13d00f0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000020
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
</TASK>
INFO: task udevd:5798 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27600 pid:5798 tgid:5798 ppid:2861 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13fed80 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000100
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
</TASK>
INFO: task udevd:5837 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27488 pid:5837 tgid:5837 ppid:2861 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13bf2d0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
</TASK>
INFO: task udevd:5838 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27488 pid:5838 tgid:5838 ppid:2861 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13d61f0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000020
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
</TASK>
INFO: task udevd:5840 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27488 pid:5840 tgid:5840 ppid:2861 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a1345640 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
</TASK>

Showing all locks held in the system:
7 locks held by kworker/0:1/9:
2 locks held by kworker/u8:0/11:
6 locks held by kworker/1:0/24:
#0: ffff8881062c7548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000019fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1be/0x4f40 drivers/usb/core/hub.c:5849
#3: ffff888112a29190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888112a29190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888113966160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888113966160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888113966160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff89bd82a8 (input_mutex){+.+.}-{3:3}, at: __input_unregister_device+0x136/0x450 drivers/input/input.c:2272
1 lock held by khungtaskd/30:
#0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
3 locks held by kworker/u8:8/2240:
#0: ffff888100abb148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003fafd80 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8a18d750 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xbb/0xb40 net/core/net_namespace.c:580
1 lock held by acpid/2846:
#0: ffffffff88ec6a38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
2 locks held by getty/2921:
#0: ffff8881121220a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900000432f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
4 locks held by udevd/5791:
#0: ffff8881115fb0a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88811769e088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888108f5b878 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5796:
#0: ffff88810db8dd58 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88811df55488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888108f5b878 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5798:
#0: ffff888131f13668 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88811769f488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88810af37008 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88810b349190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88810b349190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/0:3/5806:
#0: ffff8881062c7548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90001ac7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1be/0x4f40 drivers/usb/core/hub.c:5849
#3: ffff88811f7f3190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88811f7f3190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88811f5b5160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88811f5b5160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88811f5b5160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff89bd82a8 (input_mutex){+.+.}-{3:3}, at: __input_unregister_device+0x136/0x450 drivers/input/input.c:2272
4 locks held by udevd/5819:
#0: ffff888112ca6e80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8881198cac88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888108f58a58 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5837:
#0: ffff88811529ae80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8881198cb088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888108f58a58 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5838:
#0: ffff88811529ad58 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8881198c8088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88810af46d28 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by udevd/5840:
#0: ffffffff88ec6a38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
4 locks held by udevd/5842:
#0: ffff888112ca6668 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88811adac488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88810af46d28 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
2 locks held by kworker/u8:7/6505:
#0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000203fd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
2 locks held by kworker/u8:13/6524:
#0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90002ccfd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
2 locks held by kworker/u8:14/6526:
#0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90002cefd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
2 locks held by kworker/u8:16/6530:
#0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90002d2fd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
1 lock held by modprobe/6557:
1 lock held by modprobe/6559:
1 lock held by modprobe/6560:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6561 Comm: modprobe Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:check_kcov_mode kernel/kcov.c:183 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x13/0x70 kernel/kcov.c:217
Code: 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 15 e4 d0 ad 7e 65 8b 05 e5 d0 ad 7e <a9> 00 01 ff 00 48 8b 34 24 74 1d f6 c4 01 74 43 a9 00 00 0f 00 75
RSP: 0000:ffffc90002d1fad0 EFLAGS: 00000293
RAX: 0000000080000001 RBX: ffffc90002d1fc68 RCX: ffffffff81885d98
RDX: ffff888133113a80 RSI: 0000000000000002 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0008ff9480
R13: 000000000000002d R14: ffff8881110d3440 R15: dffffc0000000000
FS: 00007f43362ce380(0000) GS:ffff8881f5800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f43362fc991 CR3: 0000000112e72000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
xas_next_entry+0x213/0x3c0 include/linux/xarray.h:1715
next_uptodate_folio+0x29/0x4b0 mm/filemap.c:3493
filemap_map_pages+0x5cb/0x13d0 mm/filemap.c:3686
do_fault_around mm/memory.c:5255 [inline]
do_read_fault mm/memory.c:5288 [inline]
do_fault mm/memory.c:5431 [inline]
do_pte_missing mm/memory.c:3965 [inline]
handle_pte_fault mm/memory.c:5766 [inline]
__handle_mm_fault+0x1e12/0x33b0 mm/memory.c:5909
handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
do_user_addr_fault+0x613/0x12c0 arch/x86/mm/fault.c:1338
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f43362fc991
Code: Unable to access opcode bytes at 0x7f43362fc967.
RSP: 002b:00007ffc553f3418 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007f43365d0570 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f4336323178
RBP: 0000000000000003 R08: 0000000000000000 R09: 000000000000000d
R10: 00007ffc553f30f0 R11: 0000000000000246 R12: 0000000000000004
R13: 00007ffc553f34b8 R14: 00007ffc553f34e0 R15: 0000000000000000
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Nov 9, 2024, 7:59:28 PM11/9/24
to gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, raf...@kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=132b5e30580000
kernel config: https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144614e8580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=172b5e30580000
INFO: task udevd:5169 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27904 pid:5169 tgid:5169 ppid:2861 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e4a253b6a
RSP: 002b:00007ffc471c56a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b598d2b6f0 RCX: 00007f9e4a253b6a
RDX: 0000000000001000 RSI: 000055b598e72930 RDI: 0000000000000008
RBP: 000055b598d2b6f0 R08: 0000000000000008 R09: 0000000000000000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffc471c5b88 R15: 000000000000000a
</TASK>
INFO: task udevd:5198 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27136 pid:5198 tgid:5198 ppid:2861 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0x1042/0x34b0 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e4a253b6a
RSP: 002b:00007ffc471c56a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b598d2b6f0 RCX: 00007f9e4a253b6a
RDX: 0000000000001000 RSI: 000055b598e72930 RDI: 0000000000000008
RBP: 000055b598d2b6f0 R08: 0000000000000008 R09: 0000000000008000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffc471c5b88 R15: 000000000000000a
</TASK>

Showing all locks held in the system:
7 locks held by kworker/1:0/24:
1 lock held by khungtaskd/30:
#0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
5 locks held by kworker/1:2/1080:
2 locks held by getty/2919:
#0: ffff888115b080a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900000432f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
6 locks held by kworker/1:1/5068:
1 lock held by udevd/5168:
4 locks held by udevd/5169:
#0: ffff888114560b08 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88811ea2c088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8881133e90f8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88811e7e9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88811e7e9190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
5 locks held by kworker/1:3/5180:
4 locks held by udevd/5187:
5 locks held by kworker/1:4/5188:
3 locks held by kworker/1:5/5193:
4 locks held by udevd/5198:
#0: ffff888114560418 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88810e326488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888113ce13c8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888105eee190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888105eee190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 0 to CPUs 1:
imon 2-1:0.0: imon usb_rx_callback_intf0: status(-71): ignored
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 5187 Comm: udevd Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:io_serial_out+0x8f/0xb0 drivers/tty/serial/8250/8250_port.c:413
Code: 48 8d 7d 40 44 89 e1 48 b8 00 00 00 00 00 fc ff df 48 89 fa d3 e3 48 c1 ea 03 80 3c 02 00 75 1c 66 03 5d 40 44 89 e8 89 da ee <5b> 5d 41 5c 41 5d c3 cc cc cc cc e8 11 e5 0d ff eb a0 e8 9a e5 0d
RSP: 0000:ffffc900001b8500 EFLAGS: 00000002
RAX: 000000000000005b RBX: 00000000000003f8 RCX: 0000000000000000
RDX: 00000000000003f8 RSI: ffffffff82a096d5 RDI: ffffffff936396a0
RBP: ffffffff93639660 R08: 0000000000000001 R09: 000000000000001f
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 000000000000005b R14: ffffffff82a09670 R15: 0000000000000000
FS: 00007f9e4a128c80(0000) GS:ffff8881f5900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9e49821038 CR3: 000000011f1f6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<IRQ>
serial_out drivers/tty/serial/8250/8250.h:142 [inline]
serial8250_console_fifo_write drivers/tty/serial/8250/8250_port.c:3322 [inline]
serial8250_console_write+0xf9e/0x17c0 drivers/tty/serial/8250/8250_port.c:3393
console_emit_next_record kernel/printk/printk.c:3092 [inline]
console_flush_all+0x800/0xc60 kernel/printk/printk.c:3180
__console_flush_and_unlock kernel/printk/printk.c:3239 [inline]
console_unlock+0xd9/0x210 kernel/printk/printk.c:3279
vprintk_emit+0x424/0x6f0 kernel/printk/printk.c:2407
dev_vprintk_emit drivers/base/core.c:4942 [inline]
dev_printk_emit+0xfb/0x140 drivers/base/core.c:4953
__dev_printk+0xf5/0x270 drivers/base/core.c:4965
_dev_warn+0xe5/0x120 drivers/base/core.c:5009
usb_rx_callback_intf0+0x11c/0x1a0 drivers/media/rc/imon.c:1768
__usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
dummy_timer+0x17f0/0x3930 drivers/usb/gadget/udc/dummy_hcd.c:1993
__run_hrtimer kernel/time/hrtimer.c:1691 [inline]
__hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1755
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1772
handle_softirqs+0x206/0x8d0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xac/0x110 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:___slab_alloc+0x388/0x1760 mm/slub.c:3887
Code: 44 24 28 00 00 00 00 4c 89 e7 48 8d 35 00 00 00 00 e8 9c 9f 8c ff 80 e7 02 0f 85 f1 04 00 00 9c 58 f6 c4 02 0f 85 76 07 00 00 <48> 8b 45 c8 65 48 2b 04 25 28 00 00 00 0f 85 34 11 00 00 48 8d 65
RSP: 0000:ffffc90001e3fb50 EFLAGS: 00000246
RAX: 0000000000000006 RBX: 0000000000000246 RCX: 1ffffffff1f5bc7f
RDX: 0000000000000000 RSI: ffffffff8727f220 RDI: ffffffff8746ec80
RBP: ffffc90001e3fc30 R08: 0000000000000001 R09: fffffbfff1f565c1
R10: ffffffff8fab2e0f R11: 0000000000000000 R12: ffff8881f59420d0
R13: 0000000000000000 R14: 00000000000420d0 R15: ffff888108329240
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
kmem_cache_alloc_noprof+0x270/0x2b0 mm/slub.c:4141
ptlock_alloc+0x1f/0x70 mm/memory.c:6918
ptlock_init include/linux/mm.h:2958 [inline]
pagetable_pte_ctor include/linux/mm.h:2985 [inline]
__pte_alloc_one_noprof include/asm-generic/pgalloc.h:73 [inline]
pte_alloc_one+0x74/0x390 arch/x86/mm/pgtable.c:33
do_fault_around mm/memory.c:5249 [inline]
do_read_fault mm/memory.c:5288 [inline]
do_fault mm/memory.c:5431 [inline]
do_pte_missing mm/memory.c:3965 [inline]
handle_pte_fault mm/memory.c:5766 [inline]
__handle_mm_fault+0x1d49/0x33b0 mm/memory.c:5909
handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
do_user_addr_fault+0x613/0x12c0 arch/x86/mm/fault.c:1338
handle_page_fault arch/x86/mm/fault.c:1481 [inline]
exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x55b56813c77c
Code: 48 8b 04 25 28 00 00 00 48 89 84 24 18 08 00 00 31 c0 48 c7 84 24 08 08 00 00 00 00 00 00 48 c7 84 24 10 08 00 00 00 00 00 00 <48> 03 6d 38 48 8b 45 00 48 85 c0 74 6c 49 03 84 24 a8 00 00 00 4d
RSP: 002b:00007ffc471c85a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00007ffc471c8e98 RDI: 000055b598d587e0
RBP: 00007f9e49821000 R08: 0000000000000001 R09: 00007ffc471c87e8
R10: 0000000000000058 R11: 0000000000000000 R12: 000055b598d587e0
R13: 00007ffc471c8e98 R14: 000055b598d61170 R15: 00007ffc471c9309
</TASK>


---

syzbot

Jul 9, 2025, 12:39:30 AM7/9/25
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
Author: penguin...@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..10124a26ffde 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1765,7 +1765,7 @@ static void usb_rx_callback_intf0(struct urb *urb)
break;

default:
- dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
+ dev_warn_ratelimited(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
break;
}
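Review bot: switching this dev_warn() to dev_warn_ratelimited() treats the console flood, not its cause, so the message should say so in the commit description. The NMI backtrace earlier in this thread shows udevd's CPU inside serial8250_console_write() reached from exactly this _dev_warn() in usb_rx_callback_intf0() (imon.c:1768), and the log line it was emitting, "imon 2-1:0.0: imon usb_rx_callback_intf0: status(-71): ignored", repeats for as long as the URB keeps completing with -71 (-EPROTO). dev_warn_ratelimited() prints DEFAULT_RATELIMIT_BURST messages per DEFAULT_RATELIMIT_INTERVAL and then a "callbacks suppressed" summary, which is enough to stop the printk storm from monopolising the CPU and starving the hung task, but a persistent protocol error on a completion callback still deserves a look at why the callback keeps running at that rate.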
@@ -1806,7 +1806,7 @@ static void usb_rx_callback_intf1(struct urb *urb)
break;

default:
- dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
+ dev_warn_ratelimited(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
break;
}
diff --git a/include/linux/usb.h b/include/linux/usb.h
index 92c752f5446f..baf536c56c21 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1985,6 +1985,9 @@ void usb_sg_wait(struct usb_sg_request *io);
static inline unsigned int __create_pipe(struct usb_device *dev,
unsigned int endpoint)
{
+ BUG_ON(dev->devnum < 0);
+ BUG_ON(dev->devnum > 0x7F);
+ BUG_ON(endpoint > 0xF);
return (dev->devnum << 8) | (endpoint << 15);
}
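Review bot: the third check, BUG_ON(endpoint > 0xF), rejects the value most callers actually pass here, the raw bEndpointAddress with USB_DIR_IN (0x80) set for IN endpoints; the pipe helpers tolerate that because usb_pipeendpoint() masks with 0xf after the >> 15, so the extra bit has never mattered. The boot log in the syzbot reply below bears this out: "kernel BUG at ./include/linux/usb.h:1990" (1985 + 5, i.e. this third check, if the hunk's line numbers hold in the tested tree) is hit from hub_probe() for the root hub, with 0x81 in RSI and 0xf in RDI, which is a perfectly valid IN endpoint 1. If a sanity check is wanted, mask the direction bit first, e.g. BUG_ON((endpoint & ~USB_DIR_IN) > 0xF), and prefer WARN_ON_ONCE() over BUG_ON() in an inline that every USB driver calls, so a bad caller produces one splat instead of a boot-time panic. The first check, BUG_ON(dev->devnum < 0), only makes sense because devnum is a signed int; a short comment saying so would help the next reader.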


syzbot

unread,
Jul 9, 2025, 10:03:21 AM7/9/25
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

T1] usbcore: registered new interface driver ssu100
[ 12.803467][ T1] usbserial: USB Serial support registered for Quatech SSU-100 USB to Serial Driver
[ 12.813847][ T1] usbcore: registered new interface driver symbolserial
[ 12.822971][ T1] usbserial: USB Serial support registered for symbol
[ 12.830470][ T1] usbcore: registered new interface driver ti_usb_3410_5052
[ 12.838383][ T1] usbserial: USB Serial support registered for TI USB 3410 1 port adapter
[ 12.847393][ T1] usbserial: USB Serial support registered for TI USB 5052 2 port adapter
[ 12.856857][ T1] usbcore: registered new interface driver upd78f0730
[ 12.864214][ T1] usbserial: USB Serial support registered for upd78f0730
[ 12.872005][ T1] usbcore: registered new interface driver visor
[ 12.878832][ T1] usbserial: USB Serial support registered for Handspring Visor / Palm OS
[ 12.888619][ T1] usbserial: USB Serial support registered for Sony Clie 5.0
[ 12.897025][ T1] usbserial: USB Serial support registered for Sony Clie 3.5
[ 12.905181][ T1] usbcore: registered new interface driver wishbone_serial
[ 12.912848][ T1] usbserial: USB Serial support registered for wishbone_serial
[ 12.921084][ T1] usbcore: registered new interface driver whiteheat
[ 12.928135][ T1] usbserial: USB Serial support registered for Connect Tech - WhiteHEAT - (prerenumeration)
[ 12.939389][ T1] usbserial: USB Serial support registered for Connect Tech - WhiteHEAT
[ 12.948619][ T1] usbcore: registered new interface driver xr_serial
[ 12.955889][ T1] usbserial: USB Serial support registered for xr_serial
[ 12.963719][ T1] usbcore: registered new interface driver xsens_mt
[ 12.972185][ T1] usbserial: USB Serial support registered for xsens_mt
[ 12.980323][ T1] usbcore: registered new interface driver adutux
[ 12.987512][ T1] usbcore: registered new interface driver appledisplay
[ 12.995415][ T1] usbcore: registered new interface driver cypress_cy7c63
[ 13.003293][ T1] usbcore: registered new interface driver cytherm
[ 13.010571][ T1] usbcore: registered new interface driver emi26 - firmware loader
[ 13.019440][ T1] usbcore: registered new interface driver emi62 - firmware loader
[ 13.027806][ T1] usbcore: registered new device driver apple-mfi-fastcharge
[ 13.036824][ T1] usbcore: registered new interface driver ljca
[ 13.044111][ T1] usbcore: registered new interface driver idmouse
[ 13.052002][ T1] usbcore: registered new interface driver iowarrior
[ 13.059704][ T1] usbcore: registered new interface driver isight_firmware
[ 13.067642][ T1] usbcore: registered new interface driver usblcd
[ 13.074816][ T1] usbcore: registered new interface driver ldusb
[ 13.082081][ T1] usbcore: registered new interface driver legousbtower
[ 13.089958][ T1] usbcore: registered new interface driver usbtest
[ 13.097300][ T1] usbcore: registered new interface driver usb_ehset_test
[ 13.105262][ T1] usbcore: registered new interface driver trancevibrator
[ 13.113543][ T1] usbcore: registered new interface driver uss720
[ 13.120280][ T1] uss720: USB Parport Cable driver for Cables using the Lucent Technologies USS720 Chip
[ 13.130535][ T1] uss720: NOTE: this is a special purpose driver to allow nonstandard
[ 13.138957][ T1] uss720: protocols (eg. bitbang) over USS720 usb to parallel cables
[ 13.147209][ T1] uss720: If you just want to connect to a printer, use usblp instead
[ 13.156564][ T1] usbcore: registered new interface driver usbsevseg
[ 13.164290][ T1] usbcore: registered new interface driver yurex
[ 13.172561][ T1] usbcore: registered new interface driver chaoskey
[ 13.180124][ T1] usbcore: registered new interface driver sisusb
[ 13.187445][ T1] usbcore: registered new interface driver lvs
[ 13.194534][ T1] usbcore: registered new interface driver cxacru
[ 13.201660][ T1] usbcore: registered new interface driver speedtch
[ 13.209706][ T1] usbcore: registered new interface driver ueagle-atm
[ 13.217258][ T1] xusbatm: malformed module parameters
[ 13.236709][ T1] dummy_hcd dummy_hcd.0: USB Host+Gadget Emulator, driver 02 May 2005
[ 13.245196][ T1] dummy_hcd dummy_hcd.0: Dummy host controller
[ 13.257875][ T1] dummy_hcd dummy_hcd.0: new USB bus registered, assigned bus number 1
[ 13.277863][ T1] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.16
[ 13.288670][ T1] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[ 13.296864][ T1] usb usb1: Product: Dummy host controller
[ 13.303515][ T1] usb usb1: Manufacturer: Linux 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty dummy_hcd
[ 13.313553][ T1] usb usb1: SerialNumber: dummy_hcd.0
[ 13.333561][ T1] hub 1-0:1.0: USB hub found
[ 13.342305][ T1] hub 1-0:1.0: 1 port detected
[ 13.350916][ T1] ------------[ cut here ]------------
[ 13.356580][ T1] kernel BUG at ./include/linux/usb.h:1990!
[ 13.362686][ T1] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
[ 13.368994][ T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0 PREEMPT(full)
[ 13.372565][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 13.372565][ T1] RIP: 0010:__create_pipe+0xa2/0xb0
[ 13.372565][ T1] Code: 80 e1 07 80 c1 03 38 c1 7c a5 4c 89 f7 e8 56 8f 0a fb eb 9b e8 5f 33 a9 fa 90 0f 0b e8 57 33 a9 fa 90 0f 0b e8 4f 33 a9 fa 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
[ 13.372565][ T1] RSP: 0000:ffffc90000066680 EFLAGS: 00010293
[ 13.372565][ T1] RAX: ffffffff8716c411 RBX: 0000000000000081 RCX: ffff88801caf8000
[ 13.372565][ T1] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 000000000000000f
[ 13.372565][ T1] RBP: 0000000000000001 R08: ffffc900000665c7 R09: 1ffff9200000ccb8
[ 13.372565][ T1] R10: dffffc0000000000 R11: fffff5200000ccb9 R12: 00000000000001f4
[ 13.372565][ T1] R13: 1ffff11004fd0c37 R14: ffff888027e82000 R15: ffff888027e861b8
[ 13.372565][ T1] FS: 0000000000000000(0000) GS:ffff8881261a1000(0000) knlGS:0000000000000000
[ 13.372565][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 13.372565][ T1] CR2: 0000000000000000 CR3: 000000000dd38000 CR4: 00000000003526f0
[ 13.372565][ T1] Call Trace:
[ 13.372565][ T1] <TASK>
[ 13.372565][ T1] hub_probe+0x2300/0x3840
[ 13.372565][ T1] ? __pfx_hub_probe+0x10/0x10
[ 13.372565][ T1] ? _raw_spin_unlock_irqrestore+0xad/0x110
[ 13.372565][ T1] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 13.372565][ T1] ? ktime_get_mono_fast_ns+0x2af/0x2d0
[ 13.372565][ T1] ? pm_runtime_enable+0x1f3/0x340
[ 13.372565][ T1] usb_probe_interface+0x644/0xbc0
[ 13.372565][ T1] ? __pfx_usb_probe_interface+0x10/0x10
[ 13.372565][ T1] really_probe+0x26a/0x9a0
[ 13.372565][ T1] __driver_probe_device+0x18c/0x2f0
[ 13.372565][ T1] driver_probe_device+0x4f/0x430
[ 13.372565][ T1] __device_attach_driver+0x2ce/0x530
[ 13.372565][ T1] bus_for_each_drv+0x251/0x2e0
[ 13.372565][ T1] ? __pfx___device_attach_driver+0x10/0x10
[ 13.372565][ T1] ? __pfx_bus_for_each_drv+0x10/0x10
[ 13.372565][ T1] __device_attach+0x2b8/0x400
[ 13.372565][ T1] ? __pfx___device_attach+0x10/0x10
[ 13.372565][ T1] ? do_raw_spin_unlock+0x122/0x240
[ 13.372565][ T1] bus_probe_device+0x185/0x260
[ 13.372565][ T1] device_add+0x7b6/0xb50
[ 13.372565][ T1] usb_set_configuration+0x1ab9/0x2120
[ 13.372565][ T1] usb_generic_driver_probe+0x8d/0x150
[ 13.372565][ T1] usb_probe_device+0x1c1/0x390
[ 13.372565][ T1] ? __pfx_usb_probe_device+0x10/0x10
[ 13.372565][ T1] really_probe+0x26a/0x9a0
[ 13.372565][ T1] __driver_probe_device+0x18c/0x2f0
[ 13.372565][ T1] driver_probe_device+0x4f/0x430
[ 13.372565][ T1] __device_attach_driver+0x2ce/0x530
[ 13.372565][ T1] bus_for_each_drv+0x251/0x2e0
[ 13.372565][ T1] ? __pfx___device_attach_driver+0x10/0x10
[ 13.372565][ T1] ? __pfx_bus_for_each_drv+0x10/0x10
[ 13.372565][ T1] __device_attach+0x2b8/0x400
[ 13.372565][ T1] ? __pfx___device_attach+0x10/0x10
[ 13.372565][ T1] ? do_raw_spin_unlock+0x122/0x240
[ 13.372565][ T1] bus_probe_device+0x185/0x260
[ 13.372565][ T1] device_add+0x7b6/0xb50
[ 13.372565][ T1] usb_new_device+0x9fd/0x1610
[ 13.372565][ T1] ? __pfx_usb_new_device+0x10/0x10
[ 13.372565][ T1] ? register_root_hub+0x153/0x590
[ 13.372565][ T1] ? kfree+0x18e/0x440
[ 13.372565][ T1] register_root_hub+0x275/0x590
[ 13.372565][ T1] ? usb_add_hcd+0xb90/0x1050
[ 13.372565][ T1] usb_add_hcd+0xba1/0x1050
[ 13.372565][ T1] dummy_hcd_probe+0x134/0x270
[ 13.372565][ T1] platform_probe+0x148/0x1d0
[ 13.372565][ T1] ? __pfx_platform_probe+0x10/0x10
[ 13.372565][ T1] really_probe+0x26a/0x9a0
[ 13.372565][ T1] __driver_probe_device+0x18c/0x2f0
[ 13.372565][ T1] driver_probe_device+0x4f/0x430
[ 13.372565][ T1] __device_attach_driver+0x2ce/0x530
[ 13.372565][ T1] bus_for_each_drv+0x251/0x2e0
[ 13.372565][ T1] ? __pfx___device_attach_driver+0x10/0x10
[ 13.372565][ T1] ? __pfx_bus_for_each_drv+0x10/0x10
[ 13.372565][ T1] __device_attach+0x2b8/0x400
[ 13.372565][ T1] ? __pfx___device_attach+0x10/0x10
[ 13.372565][ T1] ? do_raw_spin_unlock+0x122/0x240
[ 13.372565][ T1] bus_probe_device+0x185/0x260
[ 13.372565][ T1] device_add+0x7b6/0xb50
[ 13.372565][ T1] platform_device_add+0x4b4/0x820
[ 13.372565][ T1] ? deferred_probe_extend_timeout+0x79/0xb0
[ 13.372565][ T1] dummy_hcd_init+0x293/0x1070
[ 13.372565][ T1] ? __pfx_dummy_hcd_init+0x10/0x10
[ 13.372565][ T1] ? __pfx_add_device_randomness+0x10/0x10
[ 13.372565][ T1] ? configfs_register_subsystem+0x4ca/0x520
[ 13.372565][ T1] ? __pfx_dummy_hcd_init+0x10/0x10
[ 13.372565][ T1] do_one_initcall+0x233/0x820
[ 13.372565][ T1] ? __pfx_dummy_hcd_init+0x10/0x10
[ 13.372565][ T1] ? __pfx_do_one_initcall+0x10/0x10
[ 13.372565][ T1] ? rcu_is_watching+0x15/0xb0
[ 13.372565][ T1] ? trace_irq_disable+0x37/0x110
[ 13.372565][ T1] ? preempt_schedule_irq+0xde/0x150
[ 13.372565][ T1] ? __pfx_preempt_schedule_irq+0x10/0x10
[ 13.372565][ T1] ? irqentry_exit+0x74/0x90
[ 13.372565][ T1] ? lockdep_hardirqs_on+0x9c/0x150
[ 13.372565][ T1] ? irqentry_exit+0x74/0x90
[ 13.372565][ T1] ? lockdep_hardirqs_on+0x9c/0x150
[ 13.372565][ T1] ? next_arg+0x498/0x5e0
[ 13.372565][ T1] ? parameq+0x14d/0x170
[ 13.372565][ T1] ? parse_args+0x993/0xa70
[ 13.372565][ T1] ? __pfx_parse_args+0x10/0x10
[ 13.372565][ T1] ? rcu_is_watching+0x15/0xb0
[ 13.372565][ T1] do_initcall_level+0x137/0x1f0
[ 13.372565][ T1] do_initcalls+0x69/0xd0
[ 13.372565][ T1] kernel_init_freeable+0x3d9/0x570
[ 13.372565][ T1] ? __pfx_kernel_init_freeable+0x10/0x10
[ 13.372565][ T1] ? _raw_spin_unlock_irq+0x23/0x50
[ 13.372565][ T1] ? __pfx_kernel_init+0x10/0x10
[ 13.372565][ T1] kernel_init+0x1d/0x1d0
[ 13.372565][ T1] ? __pfx_kernel_init+0x10/0x10
[ 13.372565][ T1] ret_from_fork+0x3fc/0x770
[ 13.372565][ T1] ? __pfx_ret_from_fork+0x10/0x10
[ 13.372565][ T1] ? __switch_to_asm+0x39/0x70
[ 13.372565][ T1] ? __switch_to_asm+0x33/0x70
[ 13.372565][ T1] ? __pfx_kernel_init+0x10/0x10
[ 13.372565][ T1] ret_from_fork_asm+0x1a/0x30
[ 13.372565][ T1] </TASK>
[ 13.372565][ T1] Modules linked in:
[ 13.372565][ C1] vkms_vblank_simulate: vblank timer overrun
[ 13.995865][ T1] ---[ end trace 0000000000000000 ]---
[ 14.001889][ T1] RIP: 0010:__create_pipe+0xa2/0xb0
[ 14.007135][ T1] Code: 80 e1 07 80 c1 03 38 c1 7c a5 4c 89 f7 e8 56 8f 0a fb eb 9b e8 5f 33 a9 fa 90 0f 0b e8 57 33 a9 fa 90 0f 0b e8 4f 33 a9 fa 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
[ 14.026940][ T1] RSP: 0000:ffffc90000066680 EFLAGS: 00010293
[ 14.033310][ T1] RAX: ffffffff8716c411 RBX: 0000000000000081 RCX: ffff88801caf8000
[ 14.041768][ T1] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 000000000000000f
[ 14.049904][ T1] RBP: 0000000000000001 R08: ffffc900000665c7 R09: 1ffff9200000ccb8
[ 14.058174][ T1] R10: dffffc0000000000 R11: fffff5200000ccb9 R12: 00000000000001f4
[ 14.066824][ T1] R13: 1ffff11004fd0c37 R14: ffff888027e82000 R15: ffff888027e861b8
[ 14.074933][ T1] FS: 0000000000000000(0000) GS:ffff8881260a1000(0000) knlGS:0000000000000000
[ 14.084097][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 14.090767][ T1] CR2: ffff88823ffff000 CR3: 000000000dd38000 CR4: 00000000003526f0
[ 14.098809][ T1] Kernel panic - not syncing: Fatal exception
[ 14.100723][ T1] Kernel Offset: disabled
[ 14.100723][ T1] Rebooting in 86400 seconds..


syzkaller build log:


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=148c1a8c580000


Tested on:

commit: 73392339 Merge tag 'pwm/for-6.16-rc6-fixes' of git://g..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=13f27f70580000

Tetsuo Handa

Jul 9, 2025, 10:13:35 AM7/9/25
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman
Hello.

I tried the change below (in case somebody is passing
out-of-range values by mistake) and hit this BUG_ON().

Did I use the wrong boundary condition?
Are there exceptions where out-of-range values make sense?

diff --git a/include/linux/usb.h b/include/linux/usb.h
index 92c752f5446f..baf536c56c21 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1985,6 +1985,9 @@ void usb_sg_wait(struct usb_sg_request *io);
static inline unsigned int __create_pipe(struct usb_device *dev,
unsigned int endpoint)
{
+ BUG_ON(dev->devnum < 0);
+ BUG_ON(dev->devnum > 0x7F);
+ BUG_ON(endpoint > 0xF);
return (dev->devnum << 8) | (endpoint << 15);
}
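Review bot: the boot log syzbot posted above answers which of the three checks fired and where: "kernel BUG at ./include/linux/usb.h:1990" maps, counting from this hunk's @@ -1985 header, to the third line, BUG_ON(endpoint > 0xF), and the trace is hub_probe() -> usb_probe_interface() during root-hub registration under dummy_hcd, with RSI=0x81 and RDI=0xf in the register dump. 0x81 is endpoint 1 with USB_DIR_IN (0x80) set, which is how hub_probe() and most drivers hand bEndpointAddress to the usb_*pipe() helpers, so the boundary condition is what is wrong, not the caller: compare against the endpoint number only, e.g. BUG_ON((endpoint & ~USB_DIR_IN) > 0xF), or better WARN_ON_ONCE() so a misuse does not take the machine down at boot.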



syzbot

Jul 9, 2025, 10:15:33 AM7/9/25
to syzkall...@googlegroups.com

Alan Stern

unread,
Jul 9, 2025, 10:27:26 AM7/9/25
to Tetsuo Handa, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman
On Wed, Jul 09, 2025 at 11:13:29PM +0900, Tetsuo Handa wrote:
> Hello.
>
> I tried the change below (in case somebody is passing
> out-of-range values by mistake) and hit this BUG_ON().
>
> Did I use the wrong boundary condition?
> Are there exceptions where out-of-range values make sense?
>
> diff --git a/include/linux/usb.h b/include/linux/usb.h
> index 92c752f5446f..baf536c56c21 100644
> --- a/include/linux/usb.h
> +++ b/include/linux/usb.h
> @@ -1985,6 +1985,9 @@ void usb_sg_wait(struct usb_sg_request *io);
> static inline unsigned int __create_pipe(struct usb_device *dev,
> unsigned int endpoint)
> {
> + BUG_ON(dev->devnum < 0);
> + BUG_ON(dev->devnum > 0x7F);
> + BUG_ON(endpoint > 0xF);
> return (dev->devnum << 8) | (endpoint << 15);
> }

Which of these three BUG_ON's did you hit, and where did you hit it?

Alan Stern

syzbot

Jul 9, 2025, 10:44:04 AM7/9/25
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.0.16:6824 blocked for more than 143 seconds.
Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.16 state:D stack:26072 pid:6824 tgid:6823 ppid:6626 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e6ed8d169
RSP: 002b:00007f3e6fc82038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f3e6efa5fa0 RCX: 00007f3e6ed8d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007f3e6ee0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f3e6efa5fa0 R15: 00007fff8d808c58
</TASK>
INFO: task syz.0.16:6824 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3 state:S stack:23144 pid:980 tgid:980 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.2.18:6836 blocked for more than 146 seconds.
Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18 state:D stack:27304 pid:6836 tgid:6835 ppid:6633 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc6a198d169
RSP: 002b:00007fc6a2819038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc6a1ba5fa0 RCX: 00007fc6a198d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007fc6a1a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc6a1ba5fa0 R15: 00007ffca85e32a8
</TASK>
INFO: task syz.2.18:6836 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3 state:S stack:23144 pid:980 tgid:980 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.3.19:6847 blocked for more than 147 seconds.
Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.19 state:D stack:28328 pid:6847 tgid:6846 ppid:6634 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0xdf3/0x1970 fs/open.c:964
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:3896 [inline]
path_openat+0x2ee5/0x3830 fs/namei.c:4055
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f221d98bad0
RSP: 002b:00007f221e739b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f221d98bad0
RDX: 0000000000000002 RSI: 00007f221e739c10 RDI: 00000000ffffff9c
RBP: 00007f221e739c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f221dba5fa0 R15: 00007fff3a314ce8
</TASK>
INFO: task syz.3.19:6847 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3 state:S stack:23144 pid:980 tgid:980 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.1.17:6856 blocked for more than 149 seconds.
Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.17 state:D stack:28248 pid:6856 tgid:6854 ppid:6632 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0xdf3/0x1970 fs/open.c:964
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:3896 [inline]
path_openat+0x2ee5/0x3830 fs/namei.c:4055
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6bae78bad0
RSP: 002b:00007f6baf6d2b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f6bae78bad0
RDX: 0000000000000002 RSI: 00007f6baf6d2c10 RDI: 00000000ffffff9c
RBP: 00007f6baf6d2c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f6bae9a5fa0 R15: 00007ffcc18baff8
</TASK>
INFO: task syz.1.17:6856 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3 state:S stack:23144 pid:980 tgid:980 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.4.20:6865 blocked for more than 151 seconds.
Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.20 state:D stack:28328 pid:6865 tgid:6864 ppid:6635 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0xdf3/0x1970 fs/open.c:964
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:3896 [inline]
path_openat+0x2ee5/0x3830 fs/namei.c:4055
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdc69d8bad0
RSP: 002b:00007fdc6ab85b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fdc69d8bad0
RDX: 0000000000000002 RSI: 00007fdc6ab85c10 RDI: 00000000ffffff9c
RBP: 00007fdc6ab85c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fdc69fa5fa0 R15: 00007fffcbd9c4f8
</TASK>
INFO: task syz.4.20:6865 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3 state:S stack:23144 pid:980 tgid:980 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Showing all locks held in the system:
2 locks held by kworker/u8:1/13:
6 locks held by kworker/1:0/24:


Tested on:

commit: 73392339 Merge tag 'pwm/for-6.16-rc6-fixes' of git://g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f6b582580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=141c1a8c580000

Tetsuo Handa

Jul 9, 2025, 10:44:53 AM
to Alan Stern, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman
On 2025/07/09 23:27, Alan Stern wrote:
> Which of these three BUG_ON's did you hit, and where did you hit it?

kernel BUG at ./include/linux/usb.h:1990!

matches the BUG_ON(endpoint > 0xF) line. The location is shown below.

Call Trace:
<TASK>
hub_configure drivers/usb/core/hub.c:1717 [inline]
hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005
usb_probe_interface+0x644/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1ab9/0x2120 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0x9fd/0x1610 drivers/usb/core/hub.c:2694
register_root_hub+0x275/0x590 drivers/usb/core/hcd.c:994
usb_add_hcd+0xba1/0x1050 drivers/usb/core/hcd.c:2976
dummy_hcd_probe+0x134/0x270 drivers/usb/gadget/udc/dummy_hcd.c:2694
platform_probe+0x148/0x1d0 drivers/base/platform.c:1404
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
platform_device_add+0x4b4/0x820 drivers/base/platform.c:716
dummy_hcd_init+0x293/0x1070 drivers/usb/gadget/udc/dummy_hcd.c:2845
do_one_initcall+0x233/0x820 init/main.c:1274
do_initcall_level+0x137/0x1f0 init/main.c:1336
do_initcalls+0x69/0xd0 init/main.c:1352
kernel_init_freeable+0x3d9/0x570 init/main.c:1584
kernel_init+0x1d/0x1d0 init/main.c:1474

Tetsuo Handa

Jul 9, 2025, 11:01:28 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hmm, mitigating stalls caused by printk() flooding is not sufficient.

Anyway, this hung task problem was addressed by

#syz fix: Revert "drivers: core: synchronize really_probe() and dev_uevent()"

but we would again see https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a
in the near future?

Alan Stern

Jul 9, 2025, 11:19:08 AM
to Tetsuo Handa, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman
On Wed, Jul 09, 2025 at 11:44:46PM +0900, Tetsuo Handa wrote:
> On 2025/07/09 23:27, Alan Stern wrote:
> > Which of these three BUG_ON's did you hit, and where did you hit it?
>
> kernel BUG at ./include/linux/usb.h:1990!
>
> matches the BUG_ON(endpoint > 0xF) line. The location is shown below.
>
> Call Trace:
> <TASK>
> hub_configure drivers/usb/core/hub.c:1717 [inline]
> hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005

Those line numbers are completely different from the code I have. For
example, line 2005 in hub.c is part of the hub_ioctl() function, not
hub_probe().

Exactly what version of the kernel source are you using for your test?

Alan Stern

Tetsuo Handa

Jul 9, 2025, 11:33:09 AM
to Alan Stern, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman

Alan Stern

Jul 9, 2025, 11:41:32 AM
to Tetsuo Handa, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman
On Thu, Jul 10, 2025 at 12:33:00AM +0900, Tetsuo Handa wrote:
> On 2025/07/10 0:19, Alan Stern wrote:
> > On Wed, Jul 09, 2025 at 11:44:46PM +0900, Tetsuo Handa wrote:
> >> On 2025/07/09 23:27, Alan Stern wrote:
> >>> Which of these three BUG_ON's did you hit, and where did you hit it?
> >>
> >> kernel BUG at ./include/linux/usb.h:1990!
> >>
> >> matches the BUG_ON(endpoint > 0xF) line. The location is shown below.
> >>
> >> Call Trace:
> >> <TASK>
> >> hub_configure drivers/usb/core/hub.c:1717 [inline]
> >> hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005
> >
> > Those line numbers are completely different from the code I have. For
> > example, line 2005 in hub.c is part of the hub_ioctl() function, not
> > hub_probe().
> >
> > Exactly what version of the kernel source are you using for your test?
>
> It is the current linux.git tree.
>
> https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L1717
> https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L2005

Okay, I see what your problem is.

The bEndpointAddress field of the endpoint descriptor is not just the
endpoint's number. It also includes the endpoint's direction in bit 7
(0 for OUT, 1 for IN).

__create_pipe() doesn't bother to mask out the direction bit because bit
22 of the pipe value (where the direction bit ends up after it has been
shifted left by 15) isn't used for anything.

Alan Stern

Tetsuo Handa

Jul 10, 2025, 6:17:22 AM
to Alan Stern, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman
On 2025/07/10 0:41, Alan Stern wrote:
> Okay, I see what your problem is.
>
> The bEndpointAddress field of the endpoint descriptor is not just the
> endpoint's number. It also includes the endpoint's direction in bit 7
> (0 for OUT, 1 for IN).

I see, but I couldn't figure out whether BUG_ON(endpoint > 0xF) is bad.

I decided to try these BUG_ON() lines in case some of the hung task reports (e.g.
https://lkml.kernel.org/r/686e8032.050a022...@google.com ) are
caused by the use of unintended pipes created by out-of-range values being passed
to __create_pipe().

Should I give up the BUG_ON(endpoint > 0xF) line?
Or should I try to update the callers which trigger the BUG_ON(endpoint > 0xF) line?

Hillf Danton

Jul 10, 2025, 7:05:28 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Sat, 09 Nov 2024 16:59:25 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=132b5e30580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
> dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144614e8580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=172b5e30580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

--- x/drivers/media/rc/imon.c
+++ y/drivers/media/rc/imon.c
@@ -1765,6 +1765,7 @@ static void usb_rx_callback_intf0(struct
break;

default:
+ return;
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
break;
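Review bot: the added return; sits before dev_warn() in the default: arm, so the warning and the break after it become unreachable, and an unexpected URB status is now dropped silently. If the intent is to stop the callback from continuing (and, presumably, resubmitting the URB) on unknown statuses, move the return; after the dev_warn() and delete the dead break. The commit message should also say what the early return skips, since the code after the switch is not part of this hunk.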
@@ -1806,6 +1807,7 @@ static void usb_rx_callback_intf1(struct
break;

default:
+ return;
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
break;
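Review bot: same problem as the intf0 hunk: return; ahead of dev_warn() silences the warning and leaves dead code behind it. Because every status not matched by an earlier case label now ends the callback, a single transient error would stop this interface from receiving again unless something outside the hunk requeues the URB; a short comment on why the URB is intentionally not resubmitted would help, and the identical change in two callbacks suggests a shared helper.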
--

syzbot

Jul 10, 2025, 7:59:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.1.17:6837 blocked for more than 143 seconds.
Not tainted 6.16.0-rc4-syzkaller-00314-gb4b4dbfa96de-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.17 state:D stack:24088 pid:6837 tgid:6836 ppid:6635 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5396 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6785
__schedule_loop kernel/sched/core.c:6863 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6878
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6935
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fddcf58d169
RSP: 002b:00007fddd03af038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fddcf7a5fa0 RCX: 00007fddcf58d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007fddcf60e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fddcf7a5fa0 R15: 00007fff1a55f668
</TASK>
INFO: task syz.1.17:6837 is blocked on a mutex likely owned by task kworker/1:4:5945.
task:kworker/1:4 state:S stack:22472 pid:5945 tgid:5945 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5396 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6785
__schedule_loop kernel/sched/core.c:6863 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6878
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3d7/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:1990 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2279 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2436
usb_probe_interface+0x644/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537


Tested on:

commit: b4b4dbfa media: stk1160: use usb_alloc_noncoherent/usb..
console output: https://syzkaller.appspot.com/x/log.txt?x=170c9bd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b49da22b2184ad70
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=152f5a8c580000

Hillf Danton

Jul 10, 2025, 8:59:21 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Sat, 09 Nov 2024 16:59:25 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=132b5e30580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
> dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=144614e8580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=172b5e30580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing

--- x/drivers/media/rc/imon.c
+++ y/drivers/media/rc/imon.c
@@ -646,15 +646,15 @@ static int send_packet(struct imon_conte
pr_err_ratelimited("error submitting urb(%d)\n", retval);
} else {
/* Wait for transmission to complete (or abort) */
- retval = wait_for_completion_interruptible(
- &ictx->tx.finished);
- if (retval) {
+ long rc = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 60*HZ);
+ if (rc <= 0) {
usb_kill_urb(ictx->tx_urb);
pr_err_ratelimited("task interrupted\n");
- }
+ retval = rc ? -EINTR : -ETIMEDOUT;
+ } else
+ retval = ictx->tx.status;

ictx->tx.busy = false;
- retval = ictx->tx.status;
if (retval)
pr_err_ratelimited("packet tx failed (%d)\n", retval);

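Review bot: pr_err_ratelimited("task interrupted\n") now fires for the timeout case as well, where nothing was interrupted; log the two outcomes separately (printing rc is enough) so a hung device can be told apart from a signal. The mapping retval = rc ? -EINTR : -ETIMEDOUT; is right (a negative rc means a signal, zero means timeout) but reads inverted at first glance and deserves a one-line comment. "} else" followed by an unbraced statement after a braced if branch is against kernel coding style; brace both arms. Finally, 60*HZ wants a named constant and a justification: the hung-task traces in this thread show send_packet() called from imon_probe() with the device lock held, so usbdev_open() and uevent_show() on that device still stall for up to a minute for every packet sent from probe before this path gives up.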
syzbot

Jul 10, 2025, 9:25:03 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2a...@syzkaller.appspotmail.com
Tested-by: syzbot+592e2a...@syzkaller.appspotmail.com

Tested on:

commit: b4b4dbfa media: stk1160: use usb_alloc_noncoherent/usb..
console output: https://syzkaller.appspot.com/x/log.txt?x=14529bd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=b49da22b2184ad70
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=123540f0580000

Note: testing is done by a robot and is best-effort only.

Alan Stern

Jul 10, 2025, 10:13:23 AM
to Tetsuo Handa, syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com, USB list, Greg Kroah-Hartman
On Thu, Jul 10, 2025 at 07:17:19PM +0900, Tetsuo Handa wrote:
> On 2025/07/10 0:41, Alan Stern wrote:
> > Okay, I see what your problem is.
> >
> > The bEndpointAddress field of the endpoint descriptor is not just the
> > endpoint's number. It also includes the endpoint's direction in bit 7
> > (0 for OUT, 1 for IN).
>
> I see, but I couldn't figure out whether BUG_ON(endpoint > 0xF) is bad.
>
> I decided to try these BUG_ON() lines in case some of the hung task reports (e.g.
> https://lkml.kernel.org/r/686e8032.050a022...@google.com ) are
> caused by the use of unintended pipes created by out-of-range values being passed
> to __create_pipe().

I think this is unlikely to be the cause of those BUG_ON()s, but go
ahead and see what happens.

> Should I give up the BUG_ON(endpoint > 0xF) line?
> Or should I try to update the callers which trigger the BUG_ON(endpoint > 0xF) line?

You can change the test to BUG_ON(endpoint & ~0x8F). That will mask
away the endpoint number and direction bit, leaving everything else
alone.

Alan Stern
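Added example, not code from this thread or from the kernel tree: a small user-space C program that mirrors __create_pipe() and the usb_pipe*() accessors from include/linux/usb.h with the same bit positions, to show concretely what Alan describes above and in his earlier reply. A bEndpointAddress such as 0x81 carries its direction in bit 7; after the shift by 15 that bit lands at bit 22 of the pipe, which no accessor reads; the pipe's real direction comes from the usb_rcv*/usb_snd* macro that ORs in USB_DIR_IN at bit 7; and BUG_ON(endpoint > 0xF) fires on every IN address, while endpoint & ~0x8F only fires when bits outside the number and direction fields are set. The function names (create_pipe, rcvbulkpipe, strict_check_fires, masked_check_fires and so on), the bus address 5 and the sample endpoint addresses are constructed for the example.

```c
/*
 * Added example, not kernel code: a user-space model of the pipe encoding
 * in include/linux/usb.h (__create_pipe() and the usb_pipe*() accessors),
 * showing why a raw bEndpointAddress with its direction bit 7 set survives
 * __create_pipe() harmlessly, and how the two BUG_ON() conditions discussed
 * in the thread behave. Build: cc -o pipes pipes.c && ./pipes
 */
#include <stdbool.h>
#include <stdio.h>

/* Same numeric values as the kernel headers. */
#define USB_DIR_IN      0x80u   /* bit 7 of bEndpointAddress: 1 = IN, 0 = OUT */
#define PIPE_CONTROL    2u
#define PIPE_BULK       3u

/* Mirror of __create_pipe(): devnum occupies bits 8..14, the endpoint
 * argument is shifted to bit 15. An unmasked direction bit (0x80 << 15)
 * therefore lands at bit 22, which none of the accessors below look at. */
static unsigned int create_pipe(unsigned int devnum, unsigned int endpoint)
{
    return (devnum << 8) | (endpoint << 15);
}

/* Mirrors of usb_sndbulkpipe()/usb_rcvbulkpipe(): the direction of the
 * pipe comes from the macro, which ORs in USB_DIR_IN at bit 7 for receive
 * pipes, not from bit 7 of the endpoint argument. */
static unsigned int sndbulkpipe(unsigned int devnum, unsigned int endpoint)
{
    return (PIPE_BULK << 30) | create_pipe(devnum, endpoint);
}
static unsigned int rcvbulkpipe(unsigned int devnum, unsigned int endpoint)
{
    return (PIPE_BULK << 30) | create_pipe(devnum, endpoint) | USB_DIR_IN;
}

/* Mirrors of usb_pipedevice(), usb_pipeendpoint(), usb_pipein(), usb_pipetype(). */
static unsigned int pipe_device(unsigned int pipe)   { return (pipe >> 8) & 0x7f; }
static unsigned int pipe_endpoint(unsigned int pipe) { return (pipe >> 15) & 0xf; }
static bool pipe_in(unsigned int pipe)               { return pipe & USB_DIR_IN; }
static unsigned int pipe_type(unsigned int pipe)     { return (pipe >> 30) & 3; }

/* True when the direction bit of a raw bEndpointAddress leaked into bit 22. */
static bool pipe_has_bit22(unsigned int pipe) { return pipe & (1u << 22); }

/* The two candidate checks from the thread; each returns true when the
 * corresponding BUG_ON() would fire for this endpoint argument. */
static bool strict_check_fires(unsigned int endpoint) { return endpoint > 0xF; }
static bool masked_check_fires(unsigned int endpoint) { return (endpoint & ~0x8Fu) != 0; }

int main(void)
{
    /* Constructed sample addresses: valid OUT and IN endpoints, the highest
     * valid number in each direction, and two with bit 4 set. */
    const unsigned int samples[] = { 0x01, 0x81, 0x0F, 0x8F, 0x10, 0x90 };
    const unsigned int devnum = 5;  /* constructed bus address */

    printf("bEndpointAddress  rcvpipe     ep dir bit22 strict masked\n");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int ep = samples[i];
        unsigned int pipe = rcvbulkpipe(devnum, ep);
        printf("0x%02x              0x%08x  %u %s %-5s %-6s %s\n",
               ep, pipe, pipe_endpoint(pipe), pipe_in(pipe) ? "IN " : "OUT",
               pipe_has_bit22(pipe) ? "yes" : "no",
               strict_check_fires(ep) ? "fires" : "ok",
               masked_check_fires(ep) ? "fires" : "ok");
    }
    return 0;
}
```

The row for 0x81 is the one that matters for the BUG_ON() discussion: the receive pipe decodes to endpoint 1, direction IN, with bit 22 set and ignored, so the strict check fires on a perfectly valid hub interrupt-IN address while the masked check does not. The sndbulkpipe() row for the same address (not printed, but checked in the assertions) decodes as OUT, which is the point about the macro, not the descriptor bit, deciding the direction.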

syzbot

Jul 11, 2025, 7:10:07 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
Author: penguin...@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..423e04328b86 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1764,6 +1764,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);
+ return;
+
default:
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
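Review bot: usb_unlink_urb(urb) is called from inside this URB's own completion handler, where the URB has already completed and is no longer queued, so the call does nothing useful; the real behaviour change is the early return, which skips the code after the switch (outside this hunk) and should be explained in the commit message. Grouping -ECONNRESET with the protocol errors also means an orderly usb_kill_urb()/usb_unlink_urb() from the driver's own teardown, which completes the URB with -ECONNRESET or -ENOENT, now logs a warning; the usual pattern is a silent return for -ECONNRESET/-ENOENT/-ESHUTDOWN and a separate dev_warn_ratelimited() for -EILSEQ/-EPROTO/-EPIPE, since an unconditional dev_warn() on every -EPROTO from a misbehaving device is the printk flooding mentioned earlier in this thread.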
@@ -1805,6 +1814,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);
+ return;
+
default:
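Review bot: the same points as for the intf0 hunk apply to usb_rx_callback_intf1(): the usb_unlink_urb() from the completion handler is a no-op, and -ECONNRESET is logged as if it were a bus error. This hunk is also cut off after "default:" in the archived copy, so the rest could not be reviewed. With the two callbacks now carrying identical nine-line blocks, a small helper taking the urb and context would keep them from drifting apart.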

syzbot

Jul 11, 2025, 7:44:04 AM
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.1.21:6983 blocked for more than 143 seconds.
Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.21 state:D stack:26472 pid:6983 tgid:6981 ppid:6661 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fef2f78d169
RSP: 002b:00007fef3062b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fef2f9a5fa0 RCX: 00007fef2f78d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007fef2f80e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fef2f9a5fa0 R15: 00007ffeecb80378
</TASK>
INFO: task syz.1.21:6983 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2 state:S stack:24456 pid:978 tgid:978 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.3.22:6985 blocked for more than 146 seconds.
Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.22 state:D stack:27240 pid:6985 tgid:6984 ppid:6674 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f773418d169
RSP: 002b:00007f7734f45038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f77343a5fa0 RCX: 00007f773418d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007f773420e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f77343a5fa0 R15: 00007ffe3cb895f8
</TASK>
INFO: task syz.3.22:6985 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2 state:S stack:24456 pid:978 tgid:978 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.2.18:6991 blocked for more than 149 seconds.
Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18 state:D stack:28328 pid:6991 tgid:6989 ppid:6663 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff9ef58d169
RSP: 002b:00007ff9f036c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff9ef7a5fa0 RCX: 00007ff9ef58d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007ff9ef60e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff9ef7a5fa0 R15: 00007ffe967044c8
</TASK>
INFO: task syz.2.18:6991 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2 state:S stack:24456 pid:978 tgid:978 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.0.23:6996 blocked for more than 151 seconds.
Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.23 state:D stack:28328 pid:6996 tgid:6994 ppid:6662 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0xdf3/0x1970 fs/open.c:964
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:3896 [inline]
path_openat+0x2ee5/0x3830 fs/namei.c:4055
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe51f78bad0
RSP: 002b:00007fe52063cb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe51f78bad0
RDX: 0000000000000002 RSI: 00007fe52063cc10 RDI: 00000000ffffff9c
RBP: 00007fe52063cc10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fe51f9a5fa0 R15: 00007ffdc4dade08
</TASK>
INFO: task syz.0.23:6996 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2 state:S stack:24456 pid:978 tgid:978 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
wait_for_common kernel/sched/completion.c:127 [inline]
wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9a0 drivers/base/dd.c:657
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1029
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3692
usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5866 [inline]
hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
process_one_work kernel/workqueue.c:3238 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
kthread+0x711/0x8a0 kernel/kthread.c:464
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz.4.20:7000 blocked for more than 152 seconds.
Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.20 state:D stack:28328 pid:7000 tgid:6999 ppid:6676 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
do_dentry_open+0xdf3/0x1970 fs/open.c:964
vfs_open+0x3b/0x340 fs/open.c:1094
do_open fs/namei.c:3896 [inline]
path_openat+0x2ee5/0x3830 fs/namei.c:4055
do_filp_open+0x1fa/0x410 fs/namei.c:4082
do_sys_openat2+0x121/0x1c0 fs/open.c:1437
do_sys_open fs/open.c:1452 [inline]
__do_sys_openat fs/open.c:1468 [inline]
__se_sys_openat fs/open.c:1463 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1463
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2d0878bad0
RSP: 002b:00007f2d09519b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f2d0878bad0
RDX: 0000000000000002 RSI: 00007f2d09519c10 RDI: 00000000ffffff9c
RBP: 00007f2d09519c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f2d089a5fa0 R15: 00007ffd788db068
</TASK>
INFO: task syz.4.20:7000 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2 state:S stack:24456 pid:978 tgid:978 ppid:2 task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3da/0x710 kernel/sched/completion.c:116


Tested on:

commit: bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b5ba8c580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=14f2668c580000

syzbot

Jul 11, 2025, 7:52:38 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
Author: penguin...@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..423e04328b86 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1764,6 +1764,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ //usb_unlink_urb(urb);
+ return;
+
default:
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
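Review bot: `//usb_unlink_urb(urb);` is commented-out code. For a #syz test build that is fine, but the submitted version should delete the line (kernel style uses /* */ comments and does not carry dead code). Without the unlink, the only difference between this branch and `default:` is the early return, which skips the resubmit that follows the switch; if stopping reception on these statuses is the intended fix, make the dev_warn say so (for example "giving up on rx" rather than the bare status) so the log distinguishes the two paths, and move -ECONNRESET, the asynchronous-unlink status, next to the -ENOENT case instead of listing it with the device-error statuses.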
@@ -1805,6 +1814,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ //usb_unlink_urb(urb);
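Review bot: the intf1 copy mirrors the intf0 block, commented-out unlink included; remove the dead `//usb_unlink_urb(urb);` line here too, and since both callbacks now contain identical status handling, a shared helper that takes the urb and returns whether the caller should resubmit would stop the two from drifting apart.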

syzbot

Jul 11, 2025, 8:13:03 AM
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.2.18:6951 blocked for more than 143 seconds.
Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18 state:D stack:26472 pid:6951 tgid:6949 ppid:6668 task_flags:0x400040 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5401 [inline]
__schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
__schedule_loop kernel/sched/core.c:6868 [inline]
schedule+0x165/0x360 kernel/sched/core.c:6883
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
__mutex_lock_common kernel/locking/mutex.c:679 [inline]
__mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
device_lock include/linux/device.h:884 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8b3f58d169
RSP: 002b:00007f8b3f3f7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8b3f7a5fa0 RCX: 00007f8b3f58d169


Tested on:

commit: bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10a8dbd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=1166668c580000

syzbot

Jul 11, 2025, 9:34:30 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
Author: penguin...@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..e130dc9db1b4 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -645,16 +645,16 @@ static int send_packet(struct imon_context *ictx)
smp_rmb(); /* ensure later readers know we're not busy */
pr_err_ratelimited("error submitting urb(%d)\n", retval);
} else {
- /* Wait for transmission to complete (or abort) */
- retval = wait_for_completion_interruptible(
- &ictx->tx.finished);
- if (retval) {
+ /* Wait for transmission to complete (or abort or timeout) */
+ retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+ if (retval <= 0) {
usb_kill_urb(ictx->tx_urb);
pr_err_ratelimited("task interrupted\n");
}

ictx->tx.busy = false;
- retval = ictx->tx.status;
+ if (retval > 0)
+ retval = ictx->tx.status;
if (retval)
pr_err_ratelimited("packet tx failed (%d)\n", retval);
}
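Review bot: the timeout case is reported as success. wait_for_completion_interruptible_timeout() returns 0 on timeout, a negative value when interrupted and the remaining jiffies otherwise; after `if (retval <= 0)` kills the URB, the new `if (retval > 0) retval = ictx->tx.status;` leaves retval at 0 for the timeout, so send_packet() returns 0 even though no completion arrived and the caller (imon_init_rdev() in the traces above) continues as if the packet had gone out. Map the timeout to -ETIMEDOUT before the `if (retval)` check and keep the negative value for the signal case. Two smaller points: the function returns `long`, so a `long` local avoids narrowing when it is stored in retval; and `pr_err_ratelimited("task interrupted\n")` now also fires on timeout, where a separate message would help anyone reading the log. The `10 * HZ` would read better as a named constant, and the new call exceeds the 80-column limit.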
@@ -1764,6 +1764,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);
+ return;
+
default:
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
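Review bot: -EPIPE on the interrupt-in endpoint means the endpoint is stalled, and the only thing that clears a stall is usb_clear_halt(), which performs a synchronous control transfer and cannot be called from this completion handler (atomic context); usb_unlink_urb() on the already-completed URB does not help with that. As written, the branch logs, returns and never resubmits, so a stalled endpoint stays stalled and the interface is dead from then on. If recovery is wanted, schedule work that calls usb_clear_halt() on the rx endpoint and resubmits the URB; if giving up is the intent, say so in the message. For -EILSEQ/-EPROTO, abandoning the endpoint after a single error is harsh; a bounded retry on resubmit is the usual approach.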
@@ -1805,6 +1814,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);

syzbot

Jul 11, 2025, 10:09:03 AM
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2a...@syzkaller.appspotmail.com
Tested-by: syzbot+592e2a...@syzkaller.appspotmail.com

Tested on:

commit: bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=115fa0f0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=1650c68c580000

syzbot

Jul 11, 2025, 11:01:54 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
Author: penguin...@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..ea702e3a83dc 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -645,12 +645,16 @@ static int send_packet(struct imon_context *ictx)
smp_rmb(); /* ensure later readers know we're not busy */
pr_err_ratelimited("error submitting urb(%d)\n", retval);
} else {
- /* Wait for transmission to complete (or abort) */
- retval = wait_for_completion_interruptible(
- &ictx->tx.finished);
- if (retval) {
+ /* Wait for transmission to complete (or abort or timeout) */
+ retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+ if (retval <= 0) {
usb_kill_urb(ictx->tx_urb);
pr_err_ratelimited("task interrupted\n");
+ dump_stack();
+ if (retval < 0)
+ ictx->tx.status = retval;
+ else
+ ictx->tx.status = -ETIMEDOUT;
}

ictx->tx.busy = false;
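Review bot: dump_stack() on the timeout/interrupt path is debugging output and should be dropped before submission; otherwise every timed-out packet prints a full backtrace to the console. Writing ictx->tx.status (negative value or -ETIMEDOUT) after usb_kill_urb() returns is the right order, since usb_kill_urb() waits for the URB's completion handler to finish, so the handler cannot overwrite the status afterwards; this also fixes the earlier version's problem of a timeout being reported as success, provided the tail of the function still does `retval = ictx->tx.status;` as the original code did (that part is outside this hunk). The "task interrupted" message is now wrong for the timeout case; a distinct message ("timeout waiting for tx completion" or similar) lets the two failures be told apart in logs.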
@@ -1125,6 +1129,11 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
unsigned char ir_proto_packet[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };

+ if (mutex_get_owner(&ictx->lock) != (unsigned long) current) {
+ unlock = true;
+ mutex_lock(&ictx->lock);
+ }
+
if (*rc_proto && !(*rc_proto & rc->allowed_protocols))
dev_warn(dev, "Looks like you're trying to use an IR protocol this device does not support\n");

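Review bot: deciding at run time whether to take ictx->lock by comparing mutex_get_owner(&ictx->lock) with current is a reentrancy hack: it works only as long as no other task can legitimately hold the lock while calling this path, and it hides which callers are expected to own the lock. It is still safer than the `unlock = mutex_trylock(&ictx->lock)` it replaces, where a failed trylock meant send_packet() ran unlocked while another task held the mutex, but the cleaner fix is to make ownership explicit: an unlocked inner function for the probe path, which already holds the lock, and a wrapper that takes the lock for the rc_dev change_protocol callback. Also check that `unlock` has an explicit `false` initialiser, since the trylock assignment that used to set it unconditionally is removed further down.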
@@ -1148,8 +1157,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)

memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));

- unlock = mutex_trylock(&ictx->lock);
-
retval = send_packet(ictx);
if (retval)
goto out;
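Review bot: with the trylock gone, `unlock` is only ever set in the new block at the top of the function, so the `out:` path must still do `if (unlock) mutex_unlock(&ictx->lock);` and nothing else may clear the flag in between; neither is visible in this diff and is worth double-checking. Removing the trylock also removes the one place where a contended lock caused send_packet() to run without it, which is the right direction.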
@@ -1764,6 +1771,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);
+ return;
+
default:
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
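Review bot: the new case block and `default:` both print "imon %s: status(%d)" through dev_warn and differ only by the trailing ": ignored", so the log does not show which path was taken; have the give-up branch say what it does (the endpoint is abandoned because the handler returns before the resubmit). As the same block is added to usb_rx_callback_intf1 in the next hunk, a shared helper would avoid the duplication.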
@@ -1805,6 +1821,15 @@ static void usb_rx_callback_intf1(struct urb *urb)

syzbot

Jul 11, 2025, 11:46:06 AM
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2a...@syzkaller.appspotmail.com
Tested-by: syzbot+592e2a...@syzkaller.appspotmail.com

Tested on:

commit: bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15604d82580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=14e860f0580000

syzbot

Jul 12, 2025, 10:40:16 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
Author: penguin...@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..f8e3e87cf1a3 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -598,8 +598,11 @@ static int send_packet(struct imon_context *ictx)
int retval = 0;
struct usb_ctrlrequest *control_req = NULL;

+ BUG_ON(mutex_get_owner(&ictx->lock) != (unsigned long) current);
+
/* Check if we need to use control or interrupt urb */
if (!ictx->tx_control) {
+ printk(KERN_INFO "int %px %d\n", ictx, ictx->tx_endpoint->bEndpointAddress);
pipe = usb_sndintpipe(ictx->usbdev_intf0,
ictx->tx_endpoint->bEndpointAddress);
interval = ictx->tx_endpoint->bInterval;
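Review bot: BUG_ON(mutex_get_owner(&ictx->lock) != (unsigned long) current) turns a locking mistake into a kernel panic. For asserting that the caller holds the lock the kernel convention is lockdep_assert_held(&ictx->lock) (free without CONFIG_PROVE_LOCKING) or at most WARN_ON_ONCE(); a BUG_ON here takes the whole machine down on what is a driver bug. The printk with %px prints an unhashed kernel pointer; acceptable in a throwaway #syz test build, but it must not survive into a submitted patch (use %p if a pointer is really needed, and dev_dbg() rather than KERN_INFO for per-packet tracing).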
@@ -623,6 +626,7 @@ static int send_packet(struct imon_context *ictx)
control_req->wIndex = cpu_to_le16(0x0001);
control_req->wLength = cpu_to_le16(0x0008);

+ printk(KERN_INFO "control %px\n", ictx);
/* control pipe is endpoint 0x00 */
pipe = usb_sndctrlpipe(ictx->usbdev_intf0, 0);

@@ -645,12 +649,15 @@ static int send_packet(struct imon_context *ictx)
smp_rmb(); /* ensure later readers know we're not busy */
pr_err_ratelimited("error submitting urb(%d)\n", retval);
} else {
- /* Wait for transmission to complete (or abort) */
- retval = wait_for_completion_interruptible(
- &ictx->tx.finished);
- if (retval) {
+ /* Wait for transmission to complete (or abort or timeout) */
+ retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+ if (retval <= 0) {
usb_kill_urb(ictx->tx_urb);
pr_err_ratelimited("task interrupted\n");
+ if (retval < 0)
+ ictx->tx.status = retval;
+ else
+ ictx->tx.status = -ETIMEDOUT;
}

ictx->tx.busy = false;
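Review bot: after a timeout, usb_kill_urb() forces the URB's completion handler to run, and that handler will signal tx.finished; make sure the completion is re-initialised before the next submission, otherwise a later send_packet() sees a completed tx.finished immediately and returns a stale status. The ordering here (kill first, then set tx.status) is correct, since usb_kill_urb() does not return until the handler has finished. The "task interrupted" message still covers the timeout case; a separate message for -ETIMEDOUT would make the log unambiguous.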
@@ -1125,6 +1132,11 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
unsigned char ir_proto_packet[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };

+ if (mutex_get_owner(&ictx->lock) != (unsigned long) current) {
+ unlock = true;
+ mutex_lock(&ictx->lock);
+ }
+
if (*rc_proto && !(*rc_proto & rc->allowed_protocols))
dev_warn(dev, "Looks like you're trying to use an IR protocol this device does not support\n");

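Review bot: together with the BUG_ON() added at the top of send_packet(), this block is what lets the rc-core entry point satisfy the "caller holds ictx->lock" rule, while the probe path presumably enters with the lock already held. That split should be explicit in the code rather than discovered through mutex_get_owner(): at minimum a comment on imon_ir_change_protocol() stating which callers hold the lock, better an unlocked inner function plus a locking wrapper for rc-core. Also check that `unlock` has a `false` initialiser, since the trylock assignment that used to set it is removed in the next hunk.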
@@ -1148,8 +1160,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)

memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));

- unlock = mutex_trylock(&ictx->lock);
-
retval = send_packet(ictx);
if (retval)
goto out;
@@ -1744,14 +1754,17 @@ static void usb_rx_callback_intf0(struct urb *urb)
ictx = (struct imon_context *)urb->context;
if (!ictx)
return;
+ printk(KERN_INFO "%s %px\n", __func__, ictx);

/*
* if we get a callback before we're done configuring the hardware, we
* can't yet process the data, as there's nowhere to send it, but we
* still need to submit a new rx URB to avoid wedging the hardware
*/
- if (!ictx->dev_present_intf0)
+ if (!ictx->dev_present_intf0) {
+ printk(KERN_INFO "%s %px %d\n", __func__, ictx, urb->status);
goto out;
+ }

switch (urb->status) {
case -ENOENT: /* usbcore unlink successful! */
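Review bot: the two printk(KERN_INFO ...) calls added here, including the one inside the `!ictx->dev_present_intf0` branch, fire on every rx completion and print raw pointers with %px; that is fine for this #syz test run but they, and the braces added around `goto out;`, need to go before submission. If the before-probe-completes callback is worth tracing permanently, dev_dbg() or a trace_printk() gives the same information without polluting dmesg on every packet.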
@@ -1764,6 +1777,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);
+ return;
+
default:
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
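Review bot: `-ECONNRESET` is the status a URB carries when it was unlinked asynchronously by `usb_unlink_urb()`, so for that case the new `dev_warn()` is noise on an expected path and calling `usb_unlink_urb(urb)` again is redundant; suggest grouping `-ECONNRESET` with the silent `-ENOENT` return above and keeping the warn-and-unlink branch for `-EILSEQ`, `-EPROTO` and `-EPIPE`. Returning without resubmitting is the right outcome in all four cases.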
@@ -1785,14 +1807,17 @@ static void usb_rx_callback_intf1(struct urb *urb)
ictx = (struct imon_context *)urb->context;
if (!ictx)
return;
+ printk(KERN_INFO "%s %px\n", __func__, ictx);

/*
* if we get a callback before we're done configuring the hardware, we
* can't yet process the data, as there's nowhere to send it, but we
* still need to submit a new rx URB to avoid wedging the hardware
*/
- if (!ictx->dev_present_intf1)
+ if (!ictx->dev_present_intf1) {
+ printk(KERN_INFO "%s %px %d\n", __func__, ictx, urb->status);
goto out;
+ }

switch (urb->status) {
case -ENOENT: /* usbcore unlink successful! */
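Review bot: same `printk(KERN_INFO ... %px ...)` debug output as in `usb_rx_callback_intf0`; it exposes a raw kernel pointer on every completion and should be dropped before submission.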
@@ -1805,6 +1830,15 @@ static void usb_rx_callback_intf1(struct urb *urb)

syzbot

Jul 12, 2025, 11:18:05 AM
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in corrupted

INFO: task syz.2.18:6947 blocked for more than 140 seconds.
Not tainted 6.16.0-rc5-syzkaller-00224-g379f604cc3dc-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18 state:D


Tested on:

commit: 379f604c Merge tag 'pci-v6.16-fixes-3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10a310f0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=166b6d82580000

syzbot

Jul 12, 2025, 11:41:19 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
Author: penguin...@i-love.sakura.ne.jp

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..82403887bdda 100644
@@ -1744,14 +1754,7 @@ static void usb_rx_callback_intf0(struct urb *urb)
ictx = (struct imon_context *)urb->context;
if (!ictx)
return;
-
- /*
- * if we get a callback before we're done configuring the hardware, we
- * can't yet process the data, as there's nowhere to send it, but we
- * still need to submit a new rx URB to avoid wedging the hardware
- */
- if (!ictx->dev_present_intf0)
- goto out;
+ printk(KERN_INFO "%s %px\n", __func__, ictx);

switch (urb->status) {
case -ENOENT: /* usbcore unlink successful! */
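Review bot: the added `printk(KERN_INFO "%s %px\n", __func__, ictx)` replaces the removed early bail-out with an unconditional, unhashed pointer print in the completion path; fine for this `#syz test` iteration, but drop it (or use `dev_dbg()` without `%px`) in the version sent for merging.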
@@ -1761,16 +1764,30 @@ static void usb_rx_callback_intf0(struct urb *urb)
break;

case 0:
- imon_incoming_packet(ictx, urb, intfnum);
+ /*
+ * if we get a callback before we're done configuring the hardware, we
+ * can't yet process the data, as there's nowhere to send it, but we
+ * still need to submit a new rx URB to avoid wedging the hardware
+ */
+ if (ictx->dev_present_intf0)
+ imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);
+ return;
+
default:
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
break;
}

-out:
usb_submit_urb(ictx->rx_urb_intf0, GFP_ATOMIC);
}

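Review bot: moving the `dev_present_intf0` test inside `case 0` means an interrupt transfer that completes with an error before configuration finishes now reaches the error cases instead of being resubmitted unconditionally, which is the behaviour the analysis asks for; but `-ECONNRESET` is the status of a URB that was already unlinked by `usb_unlink_urb()`, so warning on it and unlinking it again is redundant on the normal unlink path. Suggest placing `-ECONNRESET` next to `-ENOENT` and keeping `dev_warn()` plus `usb_unlink_urb()` for `-EILSEQ`, `-EPROTO` and `-EPIPE`.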
@@ -1785,14 +1802,7 @@ static void usb_rx_callback_intf1(struct urb *urb)
ictx = (struct imon_context *)urb->context;
if (!ictx)
return;
-
- /*
- * if we get a callback before we're done configuring the hardware, we
- * can't yet process the data, as there's nowhere to send it, but we
- * still need to submit a new rx URB to avoid wedging the hardware
- */
- if (!ictx->dev_present_intf1)
- goto out;
+ printk(KERN_INFO "%s %px\n", __func__, ictx);

switch (urb->status) {
case -ENOENT: /* usbcore unlink successful! */
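Review bot: same `printk(KERN_INFO ... %px ...)` debug line as in the `usb_rx_callback_intf0` hunk; remove before submission.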
@@ -1802,16 +1812,30 @@ static void usb_rx_callback_intf1(struct urb *urb)
break;

case 0:
- imon_incoming_packet(ictx, urb, intfnum);
+ /*
+ * if we get a callback before we're done configuring the hardware, we
+ * can't yet process the data, as there's nowhere to send it, but we
+ * still need to submit a new rx URB to avoid wedging the hardware
+ */
+ if (ictx->dev_present_intf1)
+ imon_incoming_packet(ictx, urb, intfnum);
break;

+ case -ECONNRESET:
+ case -EILSEQ:
+ case -EPROTO:
+ case -EPIPE:
+ dev_warn(ictx->dev, "imon %s: status(%d)\n",
+ __func__, urb->status);
+ usb_unlink_urb(urb);
+ return;
+
default:
dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
__func__, urb->status);
break;
}

-out:
usb_submit_urb(ictx->rx_urb_intf1, GFP_ATOMIC);
}

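Review bot: the comments on the `usb_rx_callback_intf0` hunk apply unchanged here, since this hunk is a copy of it with `dev_present_intf1` and `rx_urb_intf1` substituted; the duplication itself suggests factoring the status handling into one helper that takes the `dev_present_*` flag and the URB to resubmit, so that the next fix does not need to be applied twice.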

syzbot

Jul 12, 2025, 1:43:05 PM
to linux-...@vger.kernel.org, penguin...@i-love.sakura.ne.jp, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2a...@syzkaller.appspotmail.com
Tested-by: syzbot+592e2a...@syzkaller.appspotmail.com

Tested on:

commit: 379f604c Merge tag 'pci-v6.16-fixes-3' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a2fbd4580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=11bc8e8c580000

syzbot

Jul 13, 2025, 3:50:29 AM
to syzkall...@googlegroups.com
For archival purposes, forwarding an incoming command email to
syzkall...@googlegroups.com.

***

Subject: [PATCH] media: imon: make send_packet() more robust
Author: penguin...@i-love.sakura.ne.jp

syzbot is reporting that imon has three problems which result in hung tasks
due to holding the device lock forever.

The first problem is that once usb_rx_callback_intf0() gets an -EPROTO error
after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
resubmits the urb after printk(), and the resubmitted urb causes
usb_rx_callback_intf0() to get an -EPROTO error again. This results in
printk() flooding (RCU stalls).

Commit 92f461517d22 ("media: ir_toy: do not resubmit broken urb") changed
the ir_toy module not to resubmit when irtoy_in_callback() got an -EPROTO
error. We should do a similar thing for imon.

Basically, I think that imon should refrain from resubmitting the urb when
the callback function got an error. But since I don't know which error codes
should retry resubmitting the urb, this patch handles only the union of error
codes chosen from the modules in the drivers/media/rc/ directory which handle
the -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).

We need to decide whether to call usb_unlink_urb() when we get an -EPROTO
error. ir_toy and mceusb call usb_unlink_urb() but igorplugusb does not
due to commit 5e4029056263 ("media: igorplugusb: remove superfluous
usb_unlink_urb()"). This patch calls usb_unlink_urb() because the description
of usb_unlink_urb() suggests that it is OK to call.

The second problem is that once usb_rx_callback_intf0() gets an -EPROTO error
before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
resubmits the urb due to commit 8791d63af0cf ("[media] imon: don't wedge
hardware after early callbacks"). If some errors should stop resubmitting the
urb regardless of whether configuring the hardware has completed or not,
what that commit is doing is wrong. The ictx->dev_present_intf0 test was
introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
until intf configured"), but that commit did not call usb_unlink_urb()
when usb_rx_callback_intf0() got an error. Move the ictx->dev_present_intf0
test to immediately before imon_incoming_packet() so that we can call
usb_unlink_urb() as needed; otherwise the first problem explained above
happens without printk() flooding (i.e. hung task).

The third problem is that when usb_rx_callback_intf0() is not called for some
reason (e.g. flaky hardware; the reproducer for this problem sometimes
prevents usb_rx_callback_intf0() from being called),
wait_for_completion_interruptible() in send_packet() never returns (i.e.
hung task). As a workaround for such a situation, change send_packet() to
wait for completion with a 10 second timeout.

Also, move mutex_trylock() in imon_ir_change_protocol() to the beginning,
since the memcpy() which modifies ictx->usb_tx_buf should be protected by
ictx->lock.

Also, verify at the beginning of send_packet() that ictx->lock is held
in case send_packet() is called by mistake from imon_ir_change_protocol()
when mutex_trylock() failed due to concurrent requests.

Link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
Signed-off-by: Tetsuo Handa <penguin...@I-love.SAKURA.ne.jp>
---
#syz test

drivers/media/rc/imon.c | 69 +++++++++++++++++++++++++----------------
1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..3469a401a572 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -598,6 +598,8 @@ static int send_packet(struct imon_context *ictx)
int retval = 0;
struct usb_ctrlrequest *control_req = NULL;

+ lockdep_assert_held(&ictx->lock);
+
/* Check if we need to use control or interrupt urb */
if (!ictx->tx_control) {
pipe = usb_sndintpipe(ictx->usbdev_intf0,
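Review bot: `lockdep_assert_held(&ictx->lock)` only produces a warning when CONFIG_PROVE_LOCKING is enabled and compiles to nothing otherwise, so it documents the locking rule and catches violations in debug builds but does not stop an unlocked `send_packet()` call in production kernels; the "verify" wording in the commit message should be read with that in mind.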
@@ -645,12 +647,15 @@ static int send_packet(struct imon_context *ictx)
smp_rmb(); /* ensure later readers know we're not busy */
pr_err_ratelimited("error submitting urb(%d)\n", retval);
} else {
- /* Wait for transmission to complete (or abort) */
- retval = wait_for_completion_interruptible(
- &ictx->tx.finished);
- if (retval) {
+ /* Wait for transmission to complete (or abort or timeout) */
+ retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+ if (retval <= 0) {
usb_kill_urb(ictx->tx_urb);
pr_err_ratelimited("task interrupted\n");
+ if (retval < 0)
+ ictx->tx.status = retval;
+ else
+ ictx->tx.status = -ETIMEDOUT;
}

ictx->tx.busy = false;
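Review bot: with the condition widened to `retval <= 0`, the existing `pr_err_ratelimited("task interrupted\n")` is also printed on the new timeout path (`retval == 0`, which then sets `-ETIMEDOUT`), so the message no longer describes what happened; suggest a separate "tx timed out" message for that case. Giving `10 * HZ` a named constant would make the chosen timeout easier to find and tune later.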
@@ -1121,7 +1126,7 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
int retval;
struct imon_context *ictx = rc->priv;
struct device *dev = ictx->dev;
- bool unlock = false;
+ const bool unlock = mutex_trylock(&ictx->lock);
unsigned char ir_proto_packet[] = {
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };

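Review bot: initialising `unlock` from `mutex_trylock()` in the declaration acquires the lock before any of the function's earlier checks run, so the `memcpy()` into `ictx->usb_tx_buf` is now covered, which is the stated intent; note however that a trylock failure cannot distinguish "this task already holds the lock" from "another task holds it", and in the second case the function continues to `memcpy()` and `send_packet()` unlocked, where only the new `lockdep_assert_held()` would report it. A comment on this line explaining why a trylock rather than `mutex_lock()` is used would help the next reader.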
@@ -1148,8 +1153,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)

memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));

- unlock = mutex_trylock(&ictx->lock);
-
retval = send_packet(ictx);
if (retval)
goto out;
@@ -1745,14 +1748,6 @@ static void usb_rx_callback_intf0(struct urb *urb)
if (!ictx)
return;

- /*
- * if we get a callback before we're done configuring the hardware, we
- * can't yet process the data, as there's nowhere to send it, but we
- * still need to submit a new rx URB to avoid wedging the hardware
- */
- if (!ictx->dev_present_intf0)
- goto out;
-
switch (urb->status) {
case -ENOENT: /* usbcore unlink successful! */
return;
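Review bot: removing the early `dev_present_intf0` bail-out means a URB completing with an error before configuration finishes now goes through the `switch`, so the `-ENOENT` return and the new error cases apply in that window too, as the commit message intends; the matching `case 0` change and the `out:` label removal belong to the following `@@ -1761,16 +1756,30 @@` hunk, whose body is empty here, so that part has to be checked against the linked patch.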
@@ -1761,16 +1756,30 @@ static void usb_rx_callback_intf0(struct urb *urb)
@@ -1786,14 +1795,6 @@ static void usb_rx_callback_intf1(struct urb *urb)
if (!ictx)
return;

- /*
- * if we get a callback before we're done configuring the hardware, we
- * can't yet process the data, as there's nowhere to send it, but we
- * still need to submit a new rx URB to avoid wedging the hardware
- */
- if (!ictx->dev_present_intf1)
- goto out;
-
switch (urb->status) {
case -ENOENT: /* usbcore unlink successful! */
return;
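Review bot: same change as the `usb_rx_callback_intf0` hunk with `dev_present_intf1`; the body of the following `@@ -1802,16 +1803,30 @@` hunk is likewise empty here and should be reviewed from the linked patch.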
@@ -1802,16 +1803,30 @@ static void usb_rx_callback_intf1(struct urb *urb)
--
2.50.1


syzbot

Jul 13, 2025, 4:29:04 AM
to linux-...@vger.kernel.org, mch...@kernel.org, penguin...@i-love.sakura.ne.jp, se...@mess.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2a...@syzkaller.appspotmail.com
Tested-by: syzbot+592e2a...@syzkaller.appspotmail.com

Tested on:

commit: 3f31a806 Merge tag 'mm-hotfixes-stable-2025-07-11-16-1..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a150f0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=15fa07d4580000