[syzbot] [usb?] INFO: task hung in usb_bulk_msg (2)
1 view
Skip to first unread message
syzbot
1:34 AM (10 hours ago) 1:34 AM
to anna-...@linutronix.de, fred...@kernel.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com, tg...@kernel.org
Hello,
syzbot found the following issue on:
HEAD commit: da87d45b1951 usb: typec: ucsi: Add Thunderbolt alternate m..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=15ee9402580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137967fa580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142fab22580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/36cc3979cfa9/disk-da87d45b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b9c4e01e1ee/vmlinux-da87d45b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/071303491de6/bzImage-da87d45b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+25ba18...@syzkaller.appspotmail.com
INFO: task syz.3.17:3963 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.17 state:D stack:27256 pid:3963 tgid:3963 ppid:3514 task_flags:0x400040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:6964
schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
usbtmc_read+0x5f4/0x10b0 drivers/usb/class/usbtmc.c:1409
vfs_read+0x1e4/0xb30 fs/read_write.c:570
ksys_read+0x12a/0x250 fs/read_write.c:715
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0x570 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2b159faeb9
RSP: 002b:00007ffc49719d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f2b15c75fa0 RCX: 00007f2b159faeb9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f2b15a68c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2b15c75fac R14: 00007f2b15c75fa0 R15: 00007f2b15c75fa0
</TASK>
Showing all locks held in the system:
6 locks held by kworker/0:0/9:
#0: ffff88810569bd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000009fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88810ca9f198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88810ca9f198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff88810ca9c160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88810ca9c160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
1 lock held by khungtaskd/30:
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
6 locks held by kworker/1:1/38:
#0: ffff88810569bd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90000287ca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888103eaf198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888103eaf198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888103eab160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888103eab160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
2 locks held by kworker/u8:10/1609:
#0: ffff888100089148 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc900022dfca8 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
2 locks held by kworker/u8:13/2771:
#0: ffff888100089148 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000406fca8 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
3 locks held by kworker/0:2/2820:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc900041afca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
2 locks held by getty/2925:
#0: ffff88811277a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900000452f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211
1 lock held by syz.3.17/3963:
#0: ffff88811b42ccd8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_read+0x154/0x10b0 drivers/usb/class/usbtmc.c:1395
2 locks held by syz.4.18/4418:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
#1: ffff88811b42ccd8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_open+0x4c8/0x950 drivers/usb/class/usbtmc.c:189
1 lock held by syz.5.19/4873:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
3 locks held by kworker/1:3/4877:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90006717ca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by syz.6.20/5329:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
6 locks held by kworker/0:3/5332:
#0: ffff88810569bd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90006e57ca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888103ea8198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888103ea8198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff88810b6c3160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88810b6c3160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
3 locks held by kworker/1:4/5738:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90005bafca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by syz.7.21/5786:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
2 locks held by modprobe/5990:
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xcc3/0xfe0 kernel/hung_task.c:515
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x6c3/0xa20 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 5991 Comm: modprobe Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:229 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4879 [inline]
RIP: 0010:__lock_acquire+0x341/0x2630 kernel/locking/lockdep.c:5187
Code: 38 c7 44 0f 47 f8 80 be c6 00 00 00 02 44 0f 44 f8 41 83 c6 01 48 83 c3 28 44 3b b5 a0 0a 00 00 0f 8d b2 00 00 00 0f b7 43 20 <66> 25 ff 1f 0f b7 c0 48 0f a3 05 10 d5 42 0d 72 a9 44 8b 1d 27 81
RSP: 0000:ffffc9000411f8a0 EFLAGS: 00000006
RAX: 00000000000083c5 RBX: ffff888116cc6268 RCX: 0000000000000005
RDX: 0000000000000001 RSI: ffff888116cc6240 RDI: 0000000000000000
RBP: ffff888116cc57c0 R08: 0000000000000000 R09: 0000000000000007
R10: 0000000000000005 R11: 0000000000000000 R12: ffff888116cc6330
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000005
FS: 00007feb72295c80(0000) GS:ffff88826896a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007feb724d4b45 CR3: 0000000122c10000 CR4: 00000000003506f0
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x17c/0x330 kernel/locking/lockdep.c:5825
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:867 [inline]
page_table_check_set+0x2d3/0xa10 mm/page_table_check.c:112
__page_table_check_ptes_set+0x1db/0x230 mm/page_table_check.c:212
page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
set_ptes include/linux/pgtable.h:292 [inline]
set_pte_range+0x54f/0x630 mm/memory.c:5483
filemap_map_order0_folio mm/filemap.c:3856 [inline]
filemap_map_pages+0x91f/0x1df0 mm/filemap.c:3921
do_fault_around mm/memory.c:5713 [inline]
do_read_fault mm/memory.c:5746 [inline]
do_fault mm/memory.c:5889 [inline]
do_pte_missing mm/memory.c:4401 [inline]
handle_pte_fault mm/memory.c:6273 [inline]
__handle_mm_fault+0x1e8c/0x2d30 mm/memory.c:6411
handle_mm_fault+0x36d/0xa20 mm/memory.c:6580
do_user_addr_fault+0x5ae/0x11d0 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x66/0xc0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7feb723976c0
Code: 48 89 ef e8 b2 ec fe ff 85 c0 75 de 49 8b 47 08 80 38 2f 48 89 44 24 08 0f 85 8c 01 00 00 48 63 44 24 30 48 8d 15 80 d4 13 00 <0f> b6 1c 02 48 89 c7 48 8d 05 92 d4 13 00 48 01 c3 e8 ea e4 ff ff
RSP: 002b:00007ffc4877cef0 EFLAGS: 00010246
RAX: 0000000000000005 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00007feb724d4b40 RSI: 0000000000000000 RDI: 00007feb725309e0
RBP: 00007feb724eec96 R08: 00007feb725309e0 R09: 0000000000000000
R10: 000000000000006c R11: 0000000000000217 R12: 00007feb724ef1e4
R13: ffffffffffffff88 R14: 0000000000000002 R15: 0000000000000000
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: da87d45b1951 usb: typec: ucsi: Add Thunderbolt alternate m..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=15ee9402580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137967fa580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142fab22580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/36cc3979cfa9/disk-da87d45b.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8b9c4e01e1ee/vmlinux-da87d45b.xz
kernel image: https://storage.googleapis.com/syzbot-assets/071303491de6/bzImage-da87d45b.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+25ba18...@syzkaller.appspotmail.com
INFO: task syz.3.17:3963 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.17 state:D stack:27256 pid:3963 tgid:3963 ppid:3514 task_flags:0x400040 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:6964
schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
usbtmc_read+0x5f4/0x10b0 drivers/usb/class/usbtmc.c:1409
vfs_read+0x1e4/0xb30 fs/read_write.c:570
ksys_read+0x12a/0x250 fs/read_write.c:715
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0x570 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2b159faeb9
RSP: 002b:00007ffc49719d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f2b15c75fa0 RCX: 00007f2b159faeb9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f2b15a68c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2b15c75fac R14: 00007f2b15c75fa0 R15: 00007f2b15c75fa0
</TASK>
Showing all locks held in the system:
6 locks held by kworker/0:0/9:
#0: ffff88810569bd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000009fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88810ca9f198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88810ca9f198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff88810ca9c160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88810ca9c160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
1 lock held by khungtaskd/30:
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
6 locks held by kworker/1:1/38:
#0: ffff88810569bd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90000287ca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888103eaf198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888103eaf198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888103eab160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888103eab160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
2 locks held by kworker/u8:10/1609:
#0: ffff888100089148 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc900022dfca8 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
2 locks held by kworker/u8:13/2771:
#0: ffff888100089148 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000406fca8 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
3 locks held by kworker/0:2/2820:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc900041afca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7ae198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
2 locks held by getty/2925:
#0: ffff88811277a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900000452f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211
1 lock held by syz.3.17/3963:
#0: ffff88811b42ccd8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_read+0x154/0x10b0 drivers/usb/class/usbtmc.c:1395
2 locks held by syz.4.18/4418:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
#1: ffff88811b42ccd8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_open+0x4c8/0x950 drivers/usb/class/usbtmc.c:189
1 lock held by syz.5.19/4873:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
3 locks held by kworker/1:3/4877:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90006717ca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7c6198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by syz.6.20/5329:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
6 locks held by kworker/0:3/5332:
#0: ffff88810569bd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90006e57ca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888103ea8198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888103ea8198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff88810b6c3160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88810b6c3160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
3 locks held by kworker/1:4/5738:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90005bafca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810ab4e198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by syz.7.21/5786:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
2 locks held by modprobe/5990:
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xcc3/0xfe0 kernel/hung_task.c:515
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x6c3/0xa20 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 5991 Comm: modprobe Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:229 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4879 [inline]
RIP: 0010:__lock_acquire+0x341/0x2630 kernel/locking/lockdep.c:5187
Code: 38 c7 44 0f 47 f8 80 be c6 00 00 00 02 44 0f 44 f8 41 83 c6 01 48 83 c3 28 44 3b b5 a0 0a 00 00 0f 8d b2 00 00 00 0f b7 43 20 <66> 25 ff 1f 0f b7 c0 48 0f a3 05 10 d5 42 0d 72 a9 44 8b 1d 27 81
RSP: 0000:ffffc9000411f8a0 EFLAGS: 00000006
RAX: 00000000000083c5 RBX: ffff888116cc6268 RCX: 0000000000000005
RDX: 0000000000000001 RSI: ffff888116cc6240 RDI: 0000000000000000
RBP: ffff888116cc57c0 R08: 0000000000000000 R09: 0000000000000007
R10: 0000000000000005 R11: 0000000000000000 R12: ffff888116cc6330
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000005
FS: 00007feb72295c80(0000) GS:ffff88826896a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007feb724d4b45 CR3: 0000000122c10000 CR4: 00000000003506f0
Call Trace:
<TASK>
lock_acquire kernel/locking/lockdep.c:5868 [inline]
lock_acquire+0x17c/0x330 kernel/locking/lockdep.c:5825
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:867 [inline]
page_table_check_set+0x2d3/0xa10 mm/page_table_check.c:112
__page_table_check_ptes_set+0x1db/0x230 mm/page_table_check.c:212
page_table_check_ptes_set include/linux/page_table_check.h:76 [inline]
set_ptes include/linux/pgtable.h:292 [inline]
set_pte_range+0x54f/0x630 mm/memory.c:5483
filemap_map_order0_folio mm/filemap.c:3856 [inline]
filemap_map_pages+0x91f/0x1df0 mm/filemap.c:3921
do_fault_around mm/memory.c:5713 [inline]
do_read_fault mm/memory.c:5746 [inline]
do_fault mm/memory.c:5889 [inline]
do_pte_missing mm/memory.c:4401 [inline]
handle_pte_fault mm/memory.c:6273 [inline]
__handle_mm_fault+0x1e8c/0x2d30 mm/memory.c:6411
handle_mm_fault+0x36d/0xa20 mm/memory.c:6580
do_user_addr_fault+0x5ae/0x11d0 arch/x86/mm/fault.c:1336
handle_page_fault arch/x86/mm/fault.c:1476 [inline]
exc_page_fault+0x66/0xc0 arch/x86/mm/fault.c:1532
asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:618
RIP: 0033:0x7feb723976c0
Code: 48 89 ef e8 b2 ec fe ff 85 c0 75 de 49 8b 47 08 80 38 2f 48 89 44 24 08 0f 85 8c 01 00 00 48 63 44 24 30 48 8d 15 80 d4 13 00 <0f> b6 1c 02 48 89 c7 48 8d 05 92 d4 13 00 48 01 c3 e8 ea e4 ff ff
RSP: 002b:00007ffc4877cef0 EFLAGS: 00010246
RAX: 0000000000000005 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 00007feb724d4b40 RSI: 0000000000000000 RDI: 00007feb725309e0
RBP: 00007feb724eec96 R08: 00007feb725309e0 R09: 0000000000000000
R10: 000000000000006c R11: 0000000000000217 R12: 00007feb724ef1e4
R13: ffffffffffffff88 R14: 0000000000000002 R15: 0000000000000000
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Hillf Danton
3:55 AM (7 hours ago) 3:55 AM
to syzbot, Michal Pecio, Ben Greear, Oliver Neukum, Alan Stern, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Sat, 07 Feb 2026 22:34:31 -0800
a better case for spotting the reason why the underlying hardware failed to
response within two minutes.
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: da87d45b1951 usb: typec: ucsi: Add Thunderbolt alternate m..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=15ee9402580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
> dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137967fa580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142fab22580000
>
If the hung can be reproduced with PREEMPT(full) instead of (voluntary), this is
>
> syzbot found the following issue on:
>
> HEAD commit: da87d45b1951 usb: typec: ucsi: Add Thunderbolt alternate m..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=15ee9402580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
> dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
> compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137967fa580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142fab22580000
>
a better case for spotting the reason why the underlying hardware failed to
response within two minutes.
Alan Stern
9:47 AM (2 hours ago) 9:47 AM
to Hillf Danton, syzbot, Michal Pecio, Ben Greear, Oliver Neukum, linux-...@vger.kernel.org, linu...@vger.kernel.org, syzkall...@googlegroups.com
On Sun, Feb 08, 2026 at 04:55:30PM +0800, Hillf Danton wrote:
> > Date: Sat, 07 Feb 2026 22:34:31 -0800
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: da87d45b1951 usb: typec: ucsi: Add Thunderbolt alternate m..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15ee9402580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
> > dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
> > compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137967fa580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142fab22580000
> >
> If the hung can be reproduced with PREEMPT(full) instead of (voluntary), this is
> a better case for spotting the reason why the underlying hardware failed to
> response within two minutes.
What hardware are you talking about? This test doesn't involve any
> > Date: Sat, 07 Feb 2026 22:34:31 -0800
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: da87d45b1951 usb: typec: ucsi: Add Thunderbolt alternate m..
> > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15ee9402580000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
> > dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
> > compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=137967fa580000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=142fab22580000
> >
> If the hung can be reproduced with PREEMPT(full) instead of (voluntary), this is
> a better case for spotting the reason why the underlying hardware failed to
> response within two minutes.
specific hardware.
Let's get some diagnostics.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
Index: usb-devel/drivers/usb/class/usbtmc.c
===================================================================
--- usb-devel.orig/drivers/usb/class/usbtmc.c
+++ usb-devel/drivers/usb/class/usbtmc.c
@@ -1362,7 +1362,6 @@ static int send_request_dev_dep_msg_in(s
data->bTag++;
kfree(buffer);
- if (retval < 0)
dev_err(&data->intf->dev, "%s returned %d\n",
__func__, retval);
@@ -1404,7 +1403,7 @@ static ssize_t usbtmc_read(struct file *
if (count > INT_MAX)
count = INT_MAX;
- dev_dbg(dev, "%s(count:%zu)\n", __func__, count);
+ dev_info(dev, "%s(count:%zu)\n", __func__, count);
retval = send_request_dev_dep_msg_in(file_data, count);
@@ -1425,7 +1424,7 @@ static ssize_t usbtmc_read(struct file *
buffer, bufsize, &actual,
file_data->timeout);
- dev_dbg(dev, "%s: bulk_msg retval(%u), actual(%d)\n",
+ dev_info(dev, "%s: bulk_msg retval(%u), actual(%d)\n",
__func__, retval, actual);
/* Store bTag (in case we need to abort) */
@@ -1470,7 +1469,7 @@ static ssize_t usbtmc_read(struct file *
file_data->bmTransferAttributes = buffer[8];
- dev_dbg(dev, "Bulk-IN header: N_characters(%u), bTransAttr(%u)\n",
+ dev_info(dev, "Bulk-IN header: N_characters(%u), bTransAttr(%u)\n",
n_characters, buffer[8]);
if (n_characters > remaining) {
syzbot
10:03 AM (1 hour ago) 10:03 AM
to gre...@candelatech.com, hda...@sina.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, michal...@gmail.com, one...@suse.com, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usb_bulk_msg
INFO: task syz.3.17:4972 blocked for more than 143 seconds.
RSP: 002b:00007f8ae729f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f8ae76b5fa0 RCX: 00007f8ae743aeb9
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
3 locks held by kworker/0:1/10:
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90000277ca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88811ffd8198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88811ffd8198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888117964160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888117964160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90001c3fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88811e01c198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88811e01c198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff88810cac4160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88810cac4160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000415fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888113946198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888113946198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888113be7160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888113be7160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#0: ffff888115caa0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#0: ffff88810bf5e4d8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_read+0x14a/0x270 drivers/usb/class/usbtmc.c:1394
3 locks held by kworker/0:3/4975:
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
2 locks held by syz.4.18/5429:
3 locks held by kworker/1:3/5432:
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by syz.5.19/5886:
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90006c5fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888117210198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888117210198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888117211160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888117211160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
Code: 04 24 e8 69 fa a0 ff 4c 8b 04 24 e9 76 f9 ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 ba 00 00 00 00 00 fc ff df <41> 57 41 56 49 89 fe 41 55 41 54 55 53 48 81 ec a0 01 00 00 48 8d
RSP: 0018:ffffc90000007968 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffc90000007c30 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: ffffc900000079b8 RDI: ffffc90000007c30
RBP: 1ffff92000000f31 R08: 0000000000000000 R09: ffffed103eac485c
R10: ffff8881f56242e7 R11: ffff888100ecd400 R12: ffff8881f56242d0
R13: ffffc90000007da8 R14: dffffc0000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88826896a000(0000) knlGS:0000000000000000
Call Trace:
<IRQ>
sched_balance_find_src_group+0x99/0xc70 kernel/sched/fair.c:11365
sched_balance_rq+0x7f0/0x33a0 kernel/sched/fair.c:11851
sched_balance_domains+0x46d/0xd40 kernel/sched/fair.c:12311
_nohz_idle_balance.isra.0+0x654/0x860 kernel/sched/fair.c:12743
handle_softirqs+0x1dd/0x8f0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
sysvec_call_function_single+0x8f/0xb0 arch/x86/kernel/smp.c:266
</IRQ>
<TASK>
asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:704
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:82
Code: 3a a3 01 e9 53 e3 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 53 b3 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffffff89207e10 EFLAGS: 00000242
RAX: 0000000000161aa1 RBX: ffffffff8922eac0 RCX: ffffffff8753acd5
RDX: 0000000000000000 RSI: ffffffff88dec902 RDI: ffffffff878e97a0
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed103eac66c5
R10: ffff8881f563362b R11: 0000000000000000 R12: fffffbfff1245d58
R13: 0000000000000000 R14: ffffffff8accd4d0 R15: 0000000000000000
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x9/0x10 arch/x86/kernel/process.c:767
default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x35b/0x4b0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
rest_init+0x251/0x260 init/main.c:757
start_kernel+0x475/0x480 init/main.c:1206
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x122/0x130 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
</TASK>
Tested on:
commit: da87d45b usb: typec: ucsi: Add Thunderbolt alternate m..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1099b65a580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usb_bulk_msg
INFO: task syz.3.17:4972 blocked for more than 143 seconds.
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.17 state:D stack:28120 pid:4972 tgid:4971 ppid:4522 task_flags:0x400040 flags:0x00080002
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:6964
schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
usbtmc_read.cold+0x48d/0xfe7 drivers/usb/class/usbtmc.c:1408
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:6964
schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
vfs_read+0x1e4/0xb30 fs/read_write.c:570
ksys_read+0x12a/0x250 fs/read_write.c:715
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0x570 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8ae743aeb9
ksys_read+0x12a/0x250 fs/read_write.c:715
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0x570 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RSP: 002b:00007f8ae729f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007f8ae76b5fa0 RCX: 00007f8ae743aeb9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f8ae74a8c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f8ae76b6038 R14: 00007f8ae76b5fa0 R15: 00007ffff317e338
</TASK>
Showing all locks held in the system:
3 locks held by kworker/0:0/9:
Showing all locks held in the system:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000009fca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
3 locks held by kworker/0:1/10:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc900000afca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by khungtaskd/30:
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
6 locks held by kworker/1:1/37:
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90000277ca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88811ffd8198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88811ffd8198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888117964160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888117964160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
6 locks held by kworker/1:2/1121:
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90001c3fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a745198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88811e01c198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88811e01c198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff88810cac4160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88810cac4160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
6 locks held by kworker/0:2/2808:
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000415fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a75d198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888113946198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888113946198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888113be7160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888113be7160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
2 locks held by getty/2922:
#0: ffff888115caa0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900000452f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211
1 lock held by syz.3.17/4972:
#0: ffff88810bf5e4d8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_read+0x14a/0x270 drivers/usb/class/usbtmc.c:1394
3 locks held by kworker/0:3/4975:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90001dffca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
2 locks held by syz.4.18/5429:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
#1: ffff88810bf5e4d8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_open+0x4c8/0x950 drivers/usb/class/usbtmc.c:189
3 locks held by kworker/1:3/5432:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000424fca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810a7fd198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by syz.5.19/5886:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
1 lock held by syz.6.20/6344:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
6 locks held by kworker/0:4/6347:
#0: ffff888100ed2148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90006c5fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810a7ed198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888117210198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888117210198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888117211160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888117211160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
1 lock held by syz.7.21/6802:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
1 lock held by syz.8.22/7261:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xcc3/0xfe0 kernel/hung_task.c:515
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x6c3/0xa20 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(voluntary)
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xcc3/0xfe0 kernel/hung_task.c:515
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x6c3/0xa20 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:update_sd_lb_stats.constprop.0+0xa/0x3630 kernel/sched/fair.c:11084
Code: 04 24 e8 69 fa a0 ff 4c 8b 04 24 e9 76 f9 ff ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 48 ba 00 00 00 00 00 fc ff df <41> 57 41 56 49 89 fe 41 55 41 54 55 53 48 81 ec a0 01 00 00 48 8d
RSP: 0018:ffffc90000007968 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffc90000007c30 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: ffffc900000079b8 RDI: ffffc90000007c30
RBP: 1ffff92000000f31 R08: 0000000000000000 R09: ffffed103eac485c
R10: ffff8881f56242e7 R11: ffff888100ecd400 R12: ffff8881f56242d0
R13: ffffc90000007da8 R14: dffffc0000000000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88826896a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000561ec5730d28 CR3: 00000001174aa000 CR4: 00000000003506f0
Call Trace:
<IRQ>
sched_balance_find_src_group+0x99/0xc70 kernel/sched/fair.c:11365
sched_balance_rq+0x7f0/0x33a0 kernel/sched/fair.c:11851
sched_balance_domains+0x46d/0xd40 kernel/sched/fair.c:12311
_nohz_idle_balance.isra.0+0x654/0x860 kernel/sched/fair.c:12743
handle_softirqs+0x1dd/0x8f0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_call_function_single arch/x86/kernel/smp.c:266 [inline]
sysvec_call_function_single+0x8f/0xb0 arch/x86/kernel/smp.c:266
</IRQ>
<TASK>
asm_sysvec_call_function_single+0x1a/0x20 arch/x86/include/asm/idtentry.h:704
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:82
Code: 3a a3 01 e9 53 e3 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 53 b3 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffffff89207e10 EFLAGS: 00000242
RAX: 0000000000161aa1 RBX: ffffffff8922eac0 RCX: ffffffff8753acd5
RDX: 0000000000000000 RSI: ffffffff88dec902 RDI: ffffffff878e97a0
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed103eac66c5
R10: ffff8881f563362b R11: 0000000000000000 R12: fffffbfff1245d58
R13: 0000000000000000 R14: ffffffff8accd4d0 R15: 0000000000000000
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x9/0x10 arch/x86/kernel/process.c:767
default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x35b/0x4b0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
rest_init+0x251/0x260 init/main.c:757
start_kernel+0x475/0x480 init/main.c:1206
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x122/0x130 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
</TASK>
Tested on:
commit: da87d45b usb: typec: ucsi: Add Thunderbolt alternate m..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
console output: https://syzkaller.appspot.com/x/log.txt?x=1099b65a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=13ac5402580000
dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syzbot
10:17 AM (1 hour ago) 10:17 AM
to st...@rowland.harvard.edu, gre...@candelatech.com, hda...@sina.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, michal...@gmail.com, one...@suse.com, st...@rowland.harvard.edu, syzkall...@googlegroups.com
> On Sun, Feb 08, 2026 at 07:03:03AM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> INFO: task hung in usb_bulk_msg
>
> Okay, most likely the reason for the hang is that the count is 0. But
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> INFO: task hung in usb_bulk_msg
>
> that doesn't explain everything. Let's get more info.
>
> Alan Stern
>
> #syz test: #https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
"#https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git" does not look like a valid git repo address.
>
> ---
> drivers/usb/class/usbtmc.c | 7 +++----
> drivers/usb/gadget/udc/dummy_hcd.c | 11 +++++++++--
> 2 files changed, 12 insertions(+), 6 deletions(-)
> ===================================================================
> --- usb-devel.orig/drivers/usb/gadget/udc/dummy_hcd.c
> +++ usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
> @@ -762,8 +762,13 @@ static int dummy_dequeue(struct usb_ep *
> ep = usb_ep_to_dummy_ep(_ep);
> dum = ep_to_dummy(ep);
>
> - if (!dum->driver)
> + if (!dum->driver) {
> + dev_info(udc_dev(dum), "Got dequeue, no driver\n");
> return -ESHUTDOWN;
> + }
> + dev_info(udc_dev(dum),
> + "dequeuing req %p from %s, len %d buf %p\n",
> + req, _ep->name, _req->length, _req->buf);
>
> spin_lock_irqsave(&dum->lock, flags);
> list_for_each_entry(iter, &ep->queue, queue) {
> @@ -777,12 +782,14 @@ static int dummy_dequeue(struct usb_ep *
> }
>
> if (retval == 0) {
> - dev_dbg(udc_dev(dum),
> + dev_info(udc_dev(dum),
> "dequeued req %p from %s, len %d buf %p\n",
> req, _ep->name, _req->length, _req->buf);
> spin_unlock(&dum->lock);
> usb_gadget_giveback_request(_ep, _req);
> spin_lock(&dum->lock);
> + } else {
> + dev_info(udc_dev(dum), "request not found\n");
> }
> spin_unlock_irqrestore(&dum->lock, flags);
> return retval;
Alan Stern
10:17 AM (1 hour ago) 10:17 AM
to syzbot, gre...@candelatech.com, hda...@sina.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, michal...@gmail.com, one...@suse.com, syzkall...@googlegroups.com
On Sun, Feb 08, 2026 at 07:03:03AM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: task hung in usb_bulk_msg
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> INFO: task hung in usb_bulk_msg
Okay, most likely the reason for the hang is that the count is 0. But
that doesn't explain everything. Let's get more info.
Alan Stern
#syz test: #https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
that doesn't explain everything. Let's get more info.
Alan Stern
#syz test: #https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
---
drivers/usb/class/usbtmc.c | 7 +++----
drivers/usb/gadget/udc/dummy_hcd.c | 11 +++++++++--
2 files changed, 12 insertions(+), 6 deletions(-)
drivers/usb/class/usbtmc.c | 7 +++----
drivers/usb/gadget/udc/dummy_hcd.c | 11 +++++++++--
2 files changed, 12 insertions(+), 6 deletions(-)
Alan Stern
10:20 AM (1 hour ago) 10:20 AM
to syzbot, gre...@candelatech.com, hda...@sina.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, michal...@gmail.com, one...@suse.com, syzkall...@googlegroups.com
On Sun, Feb 08, 2026 at 07:17:53AM -0800, syzbot wrote:
> > On Sun, Feb 08, 2026 at 07:03:03AM -0800, syzbot wrote:
> >> Hello,
> >>
> >> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> >> INFO: task hung in usb_bulk_msg
> >
> > Okay, most likely the reason for the hang is that the count is 0. But
> > that doesn't explain everything. Let's get more info.
> >
> > Alan Stern
> >
> > #syz test: #https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
>
> "#https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git" does not look like a valid git repo address.
Fix the typo...
> > On Sun, Feb 08, 2026 at 07:03:03AM -0800, syzbot wrote:
> >> Hello,
> >>
> >> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> >> INFO: task hung in usb_bulk_msg
> >
> > Okay, most likely the reason for the hang is that the count is 0. But
> > that doesn't explain everything. Let's get more info.
> >
> > Alan Stern
> >
> > #syz test: #https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
>
> "#https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git" does not look like a valid git repo address.
syzbot
10:50 AM (29 minutes ago) 10:50 AM
to gre...@candelatech.com, hda...@sina.com, linux-...@vger.kernel.org, linu...@vger.kernel.org, michal...@gmail.com, one...@suse.com, st...@rowland.harvard.edu, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usb_bulk_msg
INFO: task syz.3.17:4981 blocked for more than 143 seconds.
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usb_bulk_msg
Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.17 state:D stack:26904 pid:4981 tgid:4980 ppid:4531 task_flags:0x400040 flags:0x00080002
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:6964
schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
usbtmc_read.cold+0x48d/0xfe7 drivers/usb/class/usbtmc.c:1408
vfs_read+0x1e4/0xb30 fs/read_write.c:570
ksys_read+0x12a/0x250 fs/read_write.c:715
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0x570 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fab75baaeb9
<TASK>
context_switch kernel/sched/core.c:5260 [inline]
__schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
__schedule_loop kernel/sched/core.c:6949 [inline]
schedule+0xdd/0x390 kernel/sched/core.c:6964
schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
usbtmc_read.cold+0x48d/0xfe7 drivers/usb/class/usbtmc.c:1408
vfs_read+0x1e4/0xb30 fs/read_write.c:570
ksys_read+0x12a/0x250 fs/read_write.c:715
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xc9/0x570 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RSP: 002b:00007fab75a0f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fab75e25fa0 RCX: 00007fab75baaeb9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007fab75c18c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fab75e26038 R14: 00007fab75e25fa0 R15: 00007ffcbc60e758
</TASK>
Showing all locks held in the system:
3 locks held by kworker/1:0/23:
Showing all locks held in the system:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000018fca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810ab98198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810ab98198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810ab98198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by khungtaskd/30:
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
6 locks held by kworker/1:1/38:
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff894da3a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
#0: ffff888103e88548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90000287ca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810abb0198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810abb0198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88810529f198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88810529f198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff88810529e160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff88810529e160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
6 locks held by kworker/0:2/1069:
#0: ffff888103e88548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90001d6fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810ab98198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810ab98198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff888117f24198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff888117f24198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888117f21160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888117f21160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
1 lock held by klogd/2853:
#0: ffff8881f56390d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested kernel/sched/core.c:639 [inline]
#0: ffff8881f56390d8 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock kernel/sched/sched.h:1580 [inline]
#0: ffff8881f56390d8 (&rq->__lock){-.-.}-{2:2}, at: rq_lock kernel/sched/sched.h:1907 [inline]
#0: ffff8881f56390d8 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0x2c5/0x3e50 kernel/sched/core.c:6772
2 locks held by getty/2928:
#0: ffff8881163f10a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc900000452f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211
1 lock held by syz.3.17/4981:
#0: ffff888120d3a0d8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_read+0x14a/0x270 drivers/usb/class/usbtmc.c:1394
2 locks held by syz.4.18/5437:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
#1: ffff888120d3a0d8 (&data->io_mutex){+.+.}-{4:4}, at: usbtmc_open+0x4c8/0x950 drivers/usb/class/usbtmc.c:189
6 locks held by kworker/1:3/5441:
#0: ffff888103e88548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000197fca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810af38198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810af38198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff8881076c0198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff8881076c0198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888104af0160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888104af0160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
1 lock held by syz.5.19/5896:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
3 locks held by kworker/0:3/5899:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90003dafca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810abb0198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810abb0198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810abb0198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
1 lock held by syz.6.20/6352:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
1 lock held by syz.7.21/6809:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
3 locks held by kworker/0:4/6813:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc90006557ca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810af38198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810af38198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810af38198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
3 locks held by kworker/0:5/6814:
#0: ffff888100071948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc9000659fca8 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810af50198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810af50198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
#2: ffff88810af50198 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x3b2/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
6 locks held by kworker/1:4/6815:
#0: ffff888103e88548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x11ae/0x1840 kernel/workqueue.c:3232
#1: ffffc900065afca8 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x927/0x1840 kernel/workqueue.c:3233
#2: ffff88810af50198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#2: ffff88810af50198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
#3: ffff88810529d198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#3: ffff88810529d198 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#4: ffff888105285160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
#4: ffff888105285160 (&dev->mutex){....}-{4:4}, at: __device_attach+0x7e/0x4d0 drivers/base/dd.c:1006
#5: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_register_dev+0x11d/0x570 drivers/usb/core/file.c:134
1 lock held by syz.8.22/7270:
#0: ffffffff8a0d7bb0 (minor_rwsem){++++}-{4:4}, at: usb_open+0x23/0x220 drivers/usb/core/file.c:38
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xcc3/0xfe0 kernel/hung_task.c:515
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x6c3/0xa20 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x141/0x190 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xcc3/0xfe0 kernel/hung_task.c:515
kthread+0x3b3/0x730 kernel/kthread.c:463
ret_from_fork+0x6c3/0xa20 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(voluntary)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:82
Code: 3a a3 01 e9 53 e3 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 53 b3 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffffff89207e10 EFLAGS: 00000246
Code: 3a a3 01 e9 53 e3 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 53 b3 12 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RAX: 000000000015142d RBX: ffffffff8922eac0 RCX: ffffffff8753acd5
RDX: 0000000000000000 RSI: ffffffff88dec96c RDI: ffffffff878e97a0
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed103eac66c5
R10: ffff8881f563362b R11: 0000000000000000 R12: fffffbfff1245d58
R13: 0000000000000000 R14: ffffffff8accd4d0 R15: 0000000000000000
R10: ffff8881f563362b R11: 0000000000000000 R12: fffffbfff1245d58
R13: 0000000000000000 R14: ffffffff8accd4d0 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff88826896a000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff97c59ce80 CR3: 000000011e9b8000 CR4: 00000000003506f0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Call Trace:
<TASK>
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x9/0x10 arch/x86/kernel/process.c:767
default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x35b/0x4b0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
rest_init+0x251/0x260 init/main.c:757
start_kernel+0x475/0x480 init/main.c:1206
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x122/0x130 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
</TASK>
Tested on:
commit: da87d45b usb: typec: ucsi: Add Thunderbolt alternate m..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
console output: https://syzkaller.appspot.com/x/log.txt?x=172f065a580000
default_idle+0x9/0x10 arch/x86/kernel/process.c:767
default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x35b/0x4b0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
rest_init+0x251/0x260 init/main.c:757
start_kernel+0x475/0x480 init/main.c:1206
x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
x86_64_start_kernel+0x122/0x130 arch/x86/kernel/head64.c:291
common_startup_64+0x13e/0x148
</TASK>
Tested on:
commit: da87d45b usb: typec: ucsi: Add Thunderbolt alternate m..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
kernel config: https://syzkaller.appspot.com/x/.config?x=a04e768f944f1aa0
dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch: https://syzkaller.appspot.com/x/patch.diff?x=1481e7fa580000
dashboard link: https://syzkaller.appspot.com/bug?extid=25ba18e2c5040447585d
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
Reply all
Reply to author
Forward
0 new messages