[syzbot] [kernel?] INFO: task hung in devres_release_group (2)


syzbot

2:03 AM
to anna-...@linutronix.de, fred...@kernel.org, linux-...@vger.kernel.org, syzkall...@googlegroups.com, tg...@kernel.org
Hello,

syzbot found the following issue on:

HEAD commit: 0f0013213293 Merge tag 'vfs-7.1-rc1.integrity' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=172f3036580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6c5ea45f4cdebd8e
dashboard link: https://syzkaller.appspot.com/bug?extid=d789904ff97c2f3dac88
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/7062a6575fdd/disk-0f001321.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b54e97a40fd3/vmlinux-0f001321.xz
kernel image: https://storage.googleapis.com/syzbot-assets/664c8fd5334d/bzImage-0f001321.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d78990...@syzkaller.appspotmail.com

INFO: task kworker/1:1:29 blocked for more than 143 seconds.
Tainted: G L syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1 state:D stack:19912 pid:29 tgid:29 ppid:2 task_flags:0x4288060 flags:0x00080000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5298 [inline]
__schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
__schedule_loop kernel/sched/core.c:6993 [inline]
schedule+0x164/0x360 kernel/sched/core.c:7008
schedule_timeout+0xc3/0x2c0 kernel/time/sleep_timeout.c:75
do_wait_for_common kernel/sched/completion.c:100 [inline]
__wait_for_common kernel/sched/completion.c:121 [inline]
wait_for_common kernel/sched/completion.c:132 [inline]
wait_for_completion+0x2cc/0x5e0 kernel/sched/completion.c:153
i2c_del_adapter+0x5c0/0x790 drivers/i2c/i2c-core-base.c:1814
release_nodes drivers/base/devres.c:505 [inline]
devres_release_group+0x2fd/0x350 drivers/base/devres.c:692
hid_device_remove+0x250/0x370 drivers/hid/hid-core.c:2837
device_remove drivers/base/dd.c:631 [inline]
__device_release_driver drivers/base/dd.c:1344 [inline]
device_release_driver_internal+0x46f/0x870 drivers/base/dd.c:1367
bus_remove_device+0x455/0x570 drivers/base/bus.c:657
device_del+0x527/0x8f0 drivers/base/core.c:3879
hid_remove_device drivers/hid/hid-core.c:3009 [inline]
hid_destroy_device+0x6b/0x1b0 drivers/hid/hid-core.c:3031
usbhid_disconnect+0x9f/0xc0 drivers/hid/usbhid/hid-core.c:1477
usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
device_remove drivers/base/dd.c:633 [inline]
__device_release_driver drivers/base/dd.c:1344 [inline]
device_release_driver_internal+0x4d9/0x870 drivers/base/dd.c:1367
bus_remove_device+0x455/0x570 drivers/base/bus.c:657
device_del+0x527/0x8f0 drivers/base/core.c:3879
usb_disable_device+0x3d4/0x8d0 drivers/usb/core/message.c:1476
usb_disconnect+0x32f/0x990 drivers/usb/core/hub.c:2345
hub_port_connect drivers/usb/core/hub.c:5407 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x1cc9/0x4f30 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3288 [inline]
process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3371
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3452
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

Showing all locks held in the system:
1 lock held by rcu_exp_gp_kthr/18:
6 locks held by kworker/1:1/29:
#0: ffff888022296548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3263 [inline]
#0: ffff888022296548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3371
#1: ffffc90000a47c40 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3264 [inline]
#1: ffffc90000a47c40 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3371
#2: ffff88802a4571e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
#2: ffff88802a4571e0 (&dev->mutex){....}-{4:4}, at: hub_event+0x17f/0x4f30 drivers/usb/core/hub.c:5899
#3: ffff888036c551e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
#3: ffff888036c551e0 (&dev->mutex){....}-{4:4}, at: usb_disconnect+0xf8/0x990 drivers/usb/core/hub.c:2336
#4: ffff88807aea21a8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
#4: ffff88807aea21a8 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1166 [inline]
#4: ffff88807aea21a8 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xb6/0x870 drivers/base/dd.c:1364
#5: ffff88807e695a68 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
#5: ffff88807e695a68 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1166 [inline]
#5: ffff88807e695a68 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xb6/0x870 drivers/base/dd.c:1364
1 lock held by khungtaskd/31:
#0: ffffffff8e75e5e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:309 [inline]
#0: ffffffff8e75e5e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:847 [inline]
#0: ffffffff8e75e5e0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x2e/0x180 kernel/locking/lockdep.c:6775
2 locks held by getty/5580:
#0: ffff8880378c00a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
#1: ffffc9000332b2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x45c/0x13c0 drivers/tty/n_tty.c:2211
2 locks held by kworker/1:5/17649:
#0: ffff88813fe13148 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3263 [inline]
#0: ffff88813fe13148 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0xa52/0x18c0 kernel/workqueue.c:3371
#1: ffffc9000ffdfc40 (free_ipc_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3264 [inline]
#1: ffffc9000ffdfc40 (free_ipc_work){+.+.}-{0:0}, at: process_scheduled_works+0xa8d/0x18c0 kernel/workqueue.c:3371
3 locks held by syz-executor/23076:
#0: ffff888028be8ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close net/bluetooth/hci_core.c:500 [inline]
#0: ffff888028be8ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_unregister_dev+0x212/0x5a0 net/bluetooth/hci_core.c:2716
#1: ffff888028be80c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 net/bluetooth/hci_sync.c:5356
#2: ffffffff8e7648f8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:311 [inline]
#2: ffffffff8e7648f8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x2d0/0x770 kernel/rcu/tree_exp.h:961
1 lock held by syz-executor/23093:
#0: ffffffff8fbd1088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:634 [inline]
#0: ffffffff8fbd1088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3e/0x1c0 drivers/net/tun.c:3436
4 locks held by syz-executor/32612:
#0: ffff88807e740ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close net/bluetooth/hci_core.c:500 [inline]
#0: ffff88807e740ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_unregister_dev+0x212/0x5a0 net/bluetooth/hci_core.c:2716
#1: ffff88807e7400c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 net/bluetooth/hci_sync.c:5356
#2: ffffffff8fd5e528 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2151 [inline]
#2: ffffffff8fd5e528 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 net/bluetooth/hci_conn.c:2650
#3: ffff8880303b6b00 (&conn->lock#2){+.+.}-{4:4}, at: l2cap_conn_del+0x92/0x570 net/bluetooth/l2cap_core.c:1777
2 locks held by syz-executor/32642:
#0: ffffffff8fbd1088 (rtnl_mutex){+.+.}-{4:4}, at: tun_detach drivers/net/tun.c:634 [inline]
#0: ffffffff8fbd1088 (rtnl_mutex){+.+.}-{4:4}, at: tun_chr_close+0x3e/0x1c0 drivers/net/tun.c:3436
#1: ffffffff8e7648f8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:343 [inline]
#1: ffffffff8e7648f8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x38d/0x770 kernel/rcu/tree_exp.h:961
3 locks held by syz-executor/2275:
#0: ffff8880639f0ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close net/bluetooth/hci_core.c:500 [inline]
#0: ffff8880639f0ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_unregister_dev+0x212/0x5a0 net/bluetooth/hci_core.c:2716
#1: ffff8880639f00c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 net/bluetooth/hci_sync.c:5356
#2: ffffffff8fd5e528 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2151 [inline]
#2: ffffffff8fd5e528 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 net/bluetooth/hci_conn.c:2650
1 lock held by syz.3.3719/3256:
#0: ffff88802a4571e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
#0: ffff88802a4571e0 (&dev->mutex){....}-{4:4}, at: usbdev_open+0x182/0x770 drivers/usb/core/devio.c:1054
3 locks held by syz-executor/3910:
#0: ffff88808db40ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_dev_do_close net/bluetooth/hci_core.c:500 [inline]
#0: ffff88808db40ec0 (&hdev->req_lock){+.+.}-{4:4}, at: hci_unregister_dev+0x212/0x5a0 net/bluetooth/hci_core.c:2716
#1: ffff88808db400c0 (&hdev->lock){+.+.}-{4:4}, at: hci_dev_close_sync+0x640/0x10e0 net/bluetooth/hci_sync.c:5356
#2: ffffffff8fd5e528 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:2151 [inline]
#2: ffffffff8fd5e528 (hci_cb_list_lock){+.+.}-{4:4}, at: hci_conn_hash_flush+0xa1/0x260 net/bluetooth/hci_conn.c:2650

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 31 Comm: khungtaskd Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
nmi_cpu_backtrace+0x274/0x2d0 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x17a/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
__sys_info lib/sys_info.c:157 [inline]
sys_info+0x135/0x170 lib/sys_info.c:165
check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
watchdog+0xfd9/0x1030 kernel/hung_task.c:515
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 2034 Comm: syz.6.3648 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:seqcount_lockdep_reader_access+0x1e/0xc0 include/linux/seqlock.h:73
Code: 90 90 90 90 90 90 90 90 90 90 90 90 41 57 41 56 53 48 89 fb 9c 41 5f fa 41 f7 c7 00 02 00 00 75 36 48 83 c3 08 4c 8b 74 24 18 <48> 89 df 31 f6 31 d2 b9 02 00 00 00 41 b8 01 00 00 00 45 31 c9 41
RSP: 0018:ffffc90004c4f6a8 EFLAGS: 00000082
RAX: 1ffff11027fff784 RBX: ffff88813fffbc58 RCX: dffffc0000000000
RDX: ffff88813fffbb80 RSI: ffffea00023a4e80 RDI: ffff88813fffbc50
RBP: ffff88813fffbb80 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff2023c17 R12: 1ffff11027fff78a
R13: ffff88813fffbc20 R14: ffffffff82228ddb R15: 0000000000000806
FS: 0000000000000000(0000) GS:ffff888125451000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a8283580f0 CR3: 000000000e54c000 CR4: 00000000003526f0
Call Trace:
<TASK>
read_seqbegin include/linux/seqlock.h:838 [inline]
zone_span_seqbegin include/linux/memory_hotplug.h:87 [inline]
page_outside_zone_boundaries mm/page_alloc.c:612 [inline]
bad_range+0x8b/0x2c0 mm/page_alloc.c:631
__free_one_page+0xf3/0xbd0 mm/page_alloc.c:994
free_pcppages_bulk+0x2de/0x520 mm/page_alloc.c:1531
free_frozen_page_commit+0x62a/0x1220 mm/page_alloc.c:2915
__free_frozen_pages+0x6f0/0xdb0 mm/page_alloc.c:3005
vfree+0x25a/0x400 mm/vmalloc.c:3479
kcov_put kernel/kcov.c:442 [inline]
kcov_close+0x28/0x50 kernel/kcov.c:543
__fput+0x44f/0xa70 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x70f/0x23c0 kernel/exit.c:976
do_group_exit+0x21b/0x2d0 kernel/exit.c:1118
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 00fb:0x294e66b3c7c44cb4
Code: Unable to access opcode bytes at 0x294e66b3c7c44c8a.
RSP: 002b:0000000000000000 EFLAGS: 00000202 ORIG_RAX: ce3d5c200518e753
RAX: 6d02b596a6d6b2c6 RBX: 46b00e13ac8c17fa RCX: 1d6d567492f1521e
RDX: eb30e365dd53f3a0 RSI: c553273f825e1cf7 RDI: b331ef28487276fd
RBP: 9c8c87e20081ee76 R08: cf9d780a350b4549 R09: c7e58b697db8ef3d
R10: d68d02d45a22dc24 R11: 19b4d49ef33da9ed R12: 39cb75b6fa6cb3d1
R13: a8d7b5dbf29d588f R14: 9b8908dcbb4f02b4 R15: 107b9d1451766018
</TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup