[v6.6] possible deadlock in snd_usb_endpoint_close
3 views
Skip to first unread message
syzbot
Nov 24, 2025, 5:41:41 AM11/24/25
to syzkaller...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: 1e89a1be4fe9 Linux 6.6.117
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16fb0f42580000
kernel config: https://syzkaller.appspot.com/x/.config?x=12606d4b8832c7e4
dashboard link: https://syzkaller.appspot.com/bug?extid=3a59b93860ca0394db9a
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad3647e47b66/disk-1e89a1be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d6f7ba94aea7/vmlinux-1e89a1be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e08af2290355/bzImage-1e89a1be.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3a59b9...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
syz.0.4625/15744 is trying to acquire lock:
ffff88807e718b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_close+0x3c/0x4c0 sound/usb/endpoint.c:964
but task is already holding lock:
ffff88807e718b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_set_params+0x6d/0x2b50 sound/usb/endpoint.c:1362
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&chip->mutex);
lock(&chip->mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syz.0.4625/15744:
#0: ffff88807e28e4e0 (&runtime->oss.params_lock){+.+.}-{3:3}, at: snd_pcm_oss_sync+0x2a7/0xc20 sound/core/oss/pcm_oss.c:1675
#1: ffff88807e28e238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_buffer_access_lock sound/core/pcm_native.c:696 [inline]
#1: ffff88807e28e238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_hw_params+0x15a/0x1c50 sound/core/pcm_native.c:735
#2: ffff88807e718b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_set_params+0x6d/0x2b50 sound/usb/endpoint.c:1362
stack backtrace:
CPU: 1 PID: 15744 Comm: syz.0.4625 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x5d40/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
snd_usb_endpoint_close+0x3c/0x4c0 sound/usb/endpoint.c:964
close_endpoints sound/usb/pcm.c:454 [inline]
snd_usb_hw_params+0x1357/0x19c0 sound/usb/pcm.c:573
snd_pcm_hw_params+0x835/0x1c50 sound/core/pcm_native.c:779
snd_pcm_oss_change_params_locked+0x2144/0x3d30 sound/core/oss/pcm_oss.c:976
snd_pcm_oss_make_ready_locked sound/core/oss/pcm_oss.c:1197 [inline]
snd_pcm_oss_sync+0x363/0xc20 sound/core/oss/pcm_oss.c:1679
snd_pcm_oss_release+0x102/0x240 sound/core/oss/pcm_oss.c:2589
__fput+0x234/0x970 fs/file_table.c:384
task_work_run+0x1ce/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xf6/0x180 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4b5898f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe80be4188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000005d716 RCX: 00007f4b5898f749
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f4b58be7da0 R08: 0000000000000001 R09: 0000000280be447f
R10: 0000001b2d320000 R11: 0000000000000246 R12: 00007f4b58be5fac
R13: 00007f4b58be5fa0 R14: ffffffffffffffff R15: 00007ffe80be42a0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 1e89a1be4fe9 Linux 6.6.117
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=16fb0f42580000
kernel config: https://syzkaller.appspot.com/x/.config?x=12606d4b8832c7e4
dashboard link: https://syzkaller.appspot.com/bug?extid=3a59b93860ca0394db9a
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad3647e47b66/disk-1e89a1be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d6f7ba94aea7/vmlinux-1e89a1be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e08af2290355/bzImage-1e89a1be.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3a59b9...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
syz.0.4625/15744 is trying to acquire lock:
ffff88807e718b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_close+0x3c/0x4c0 sound/usb/endpoint.c:964
but task is already holding lock:
ffff88807e718b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_set_params+0x6d/0x2b50 sound/usb/endpoint.c:1362
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&chip->mutex);
lock(&chip->mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syz.0.4625/15744:
#0: ffff88807e28e4e0 (&runtime->oss.params_lock){+.+.}-{3:3}, at: snd_pcm_oss_sync+0x2a7/0xc20 sound/core/oss/pcm_oss.c:1675
#1: ffff88807e28e238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_buffer_access_lock sound/core/pcm_native.c:696 [inline]
#1: ffff88807e28e238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_hw_params+0x15a/0x1c50 sound/core/pcm_native.c:735
#2: ffff88807e718b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_set_params+0x6d/0x2b50 sound/usb/endpoint.c:1362
stack backtrace:
CPU: 1 PID: 15744 Comm: syz.0.4625 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
<TASK>
dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x5d40/0x7c80 kernel/locking/lockdep.c:5137
lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754
__mutex_lock_common kernel/locking/mutex.c:603 [inline]
__mutex_lock+0x129/0xcc0 kernel/locking/mutex.c:747
snd_usb_endpoint_close+0x3c/0x4c0 sound/usb/endpoint.c:964
close_endpoints sound/usb/pcm.c:454 [inline]
snd_usb_hw_params+0x1357/0x19c0 sound/usb/pcm.c:573
snd_pcm_hw_params+0x835/0x1c50 sound/core/pcm_native.c:779
snd_pcm_oss_change_params_locked+0x2144/0x3d30 sound/core/oss/pcm_oss.c:976
snd_pcm_oss_make_ready_locked sound/core/oss/pcm_oss.c:1197 [inline]
snd_pcm_oss_sync+0x363/0xc20 sound/core/oss/pcm_oss.c:1679
snd_pcm_oss_release+0x102/0x240 sound/core/oss/pcm_oss.c:2589
__fput+0x234/0x970 fs/file_table.c:384
task_work_run+0x1ce/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
exit_to_user_mode_loop+0xe6/0x110 kernel/entry/common.c:177
exit_to_user_mode_prepare+0xf6/0x180 kernel/entry/common.c:210
__syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
syscall_exit_to_user_mode+0x1a/0x50 kernel/entry/common.c:302
do_syscall_64+0x61/0xb0 arch/x86/entry/common.c:87
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f4b5898f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe80be4188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 000000000005d716 RCX: 00007f4b5898f749
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f4b58be7da0 R08: 0000000000000001 R09: 0000000280be447f
R10: 0000001b2d320000 R11: 0000000000000246 R12: 00007f4b58be5fac
R13: 00007f4b58be5fa0 R14: ffffffffffffffff R15: 00007ffe80be42a0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Nov 25, 2025, 11:29:32 AM11/25/25
to syzkaller...@googlegroups.com
syzbot has found a reproducer for the following issue on:
HEAD commit: 1e89a1be4fe9 Linux 6.6.117
git tree: linux-6.6.y
console output: https://syzkaller.appspot.com/x/log.txt?x=107378b4580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1066a612580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad3647e47b66/disk-1e89a1be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d6f7ba94aea7/vmlinux-1e89a1be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e08af2290355/bzImage-1e89a1be.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3a59b9...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
syz.0.17/5943 is trying to acquire lock:
ffff88802cb04b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_close+0x3c/0x4c0 sound/usb/endpoint.c:964
but task is already holding lock:
ffff88802cb04b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_set_params+0x6d/0x2b50 sound/usb/endpoint.c:1362
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&chip->mutex);
lock(&chip->mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
3 locks held by syz.0.17/5943:
#0: ffff88802383b4e0 (&runtime->oss.params_lock){+.+.}-{3:3}, at: snd_pcm_oss_sync+0x2a7/0xc20 sound/core/oss/pcm_oss.c:1675
#1: ffff88802383b238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_buffer_access_lock sound/core/pcm_native.c:696 [inline]
#1: ffff88802383b238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_hw_params+0x15a/0x1c50 sound/core/pcm_native.c:735
#2: ffff88802cb04b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_set_params+0x6d/0x2b50 sound/usb/endpoint.c:1362
stack backtrace:
CPU: 0 PID: 5943 Comm: syz.0.17 Not tainted syzkaller #0
RIP: 0033:0x7fd25f18f749
RAX: 0000000000000000 RBX: 00000000000194ff RCX: 00007fd25f18f749
R10: 0000001b2c620000 R11: 0000000000000246 R12: 00007fd25f3e5fac
R13: 00007fd25f3e5fa0 R14: ffffffffffffffff R15: 0000000000000003
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 1e89a1be4fe9 Linux 6.6.117
git tree: linux-6.6.y
kernel config: https://syzkaller.appspot.com/x/.config?x=12606d4b8832c7e4
dashboard link: https://syzkaller.appspot.com/bug?extid=3a59b93860ca0394db9a
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12c77612580000
dashboard link: https://syzkaller.appspot.com/bug?extid=3a59b93860ca0394db9a
compiler: Debian clang version 20.1.8 (++20250708063551+0c9f909b7976-1~exp1~20250708183702.136), Debian LLD 20.1.8
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1066a612580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/ad3647e47b66/disk-1e89a1be.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d6f7ba94aea7/vmlinux-1e89a1be.xz
kernel image: https://storage.googleapis.com/syzbot-assets/e08af2290355/bzImage-1e89a1be.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+3a59b9...@syzkaller.appspotmail.com
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
ffff88802cb04b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_close+0x3c/0x4c0 sound/usb/endpoint.c:964
but task is already holding lock:
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&chip->mutex);
lock(&chip->mutex);
*** DEADLOCK ***
May be due to missing lock nesting notation
#0: ffff88802383b4e0 (&runtime->oss.params_lock){+.+.}-{3:3}, at: snd_pcm_oss_sync+0x2a7/0xc20 sound/core/oss/pcm_oss.c:1675
#1: ffff88802383b238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_buffer_access_lock sound/core/pcm_native.c:696 [inline]
#1: ffff88802383b238 (&runtime->buffer_mutex){+.+.}-{3:3}, at: snd_pcm_hw_params+0x15a/0x1c50 sound/core/pcm_native.c:735
#2: ffff88802cb04b30 (&chip->mutex){+.+.}-{3:3}, at: snd_usb_endpoint_set_params+0x6d/0x2b50 sound/usb/endpoint.c:1362
stack backtrace:
CPU: 0 PID: 5943 Comm: syz.0.17 Not tainted syzkaller #0
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc9d0a8818 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00000000000194ff RCX: 00007fd25f18f749
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000029d0a8b0f
R10: 0000001b2c620000 R11: 0000000000000246 R12: 00007fd25f3e5fac
R13: 00007fd25f3e5fa0 R14: ffffffffffffffff R15: 0000000000000003
</TASK>
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages