[syzbot] [sound?] INFO: task hung in snd_card_free

31 views

Skip to first unread message

syzbot

unread,

Nov 2, 2024, 8:09:27 PM11/2/24

to linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com

Hello,

syzbot found the following issue on:

HEAD commit: e42b1a9a2557 Merge tag 'spi-fix-v6.12-rc5' of git://git.ke..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=114d615f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4340261e4e9f37fc
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130d3687980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1274ca30580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d0782982165a/disk-e42b1a9a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f8ab91eac7df/vmlinux-e42b1a9a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/debece1170ee/bzImage-e42b1a9a.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+73582d...@syzkaller.appspotmail.com

INFO: task kworker/0:2:965 blocked for more than 143 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:2 state:D stack:24576 pid:965 tgid:965 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x128/0x190 sound/core/init.c:653
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/1:2:2143 blocked for more than 143 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:2 state:D stack:23744 pid:2143 tgid:2143 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x128/0x190 sound/core/init.c:653
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task syz-executor413:5880 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:26352 pid:5880 tgid:5880 ppid:5851 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00312e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 0000000000044933
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5881 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:26640 pid:5881 tgid:5881 ppid:5853 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00322e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 000000000004493f
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5882 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:26912 pid:5882 tgid:5882 ppid:5856 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00332e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 000000000004494f
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5883 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:28176 pid:5883 tgid:5883 ppid:5850 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00302e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 0000000000044927
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5884 blocked for more than 145 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:27200 pid:5884 tgid:5884 ppid:5857 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00342e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 0000000000044952
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/30:
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
5 locks held by kworker/0:2/965:
#0: ffff888022ef1d48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004317d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144f04190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144f04190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888073193190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888073193190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888076f82160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888076f82160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888076f82160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
5 locks held by kworker/1:2/2143:
#0: ffff888022ef1d48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000540fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888031f37190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888031f37190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802fe31160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802fe31160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802fe31160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
2 locks held by getty/5579:
#0: ffff8880357d80a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
1 lock held by syz-executor413/5880:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5881:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5882:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5883:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5884:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 63 Comm: kworker/u8:4 Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:call_function_single_prep_ipi+0x12e/0x1b0 kernel/sched/core.c:3806
Code: be 08 00 00 00 4c 89 ef e8 6f b4 91 00 48 8b 44 24 20 48 89 c2 48 83 ca 08 f0 48 0f b1 13 75 c3 44 89 e7 e8 14 ca fe ff 31 d2 <48> b8 00 00 00 00 00 fc ff df 48 c7 44 05 00 00 00 00 00 48 8b 44
RSP: 0018:ffffc900015d7910 EFLAGS: 00000246
RAX: 0000000000004000 RBX: ffffffff8de957c0 RCX: ffffffff8181686a
RDX: 0000000000000001 RSI: ffffffff81816945 RDI: ffff8880b863f990
RBP: 1ffff920002baf22 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc900015d7930 R14: ffff8880b8740110 R15: ffff8880b8740100
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5a4d87b580 CR3: 000000000df7c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
send_call_function_single_ipi kernel/smp.c:115 [inline]
smp_call_function_many_cond+0xcee/0x1300 kernel/smp.c:866
on_each_cpu_cond_mask+0x40/0x90 kernel/smp.c:1051
on_each_cpu include/linux/smp.h:71 [inline]
text_poke_sync arch/x86/kernel/alternative.c:2085 [inline]
text_poke_bp_batch+0x659/0x760 arch/x86/kernel/alternative.c:2295
text_poke_flush arch/x86/kernel/alternative.c:2486 [inline]
text_poke_flush arch/x86/kernel/alternative.c:2483 [inline]
text_poke_finish+0x30/0x40 arch/x86/kernel/alternative.c:2493
arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
jump_label_update+0x1d7/0x400 kernel/jump_label.c:920
static_key_enable_cpuslocked+0x1b7/0x270 kernel/jump_label.c:210
static_key_enable+0x1a/0x20 kernel/jump_label.c:223
toggle_allocation_gate mm/kfence/core.c:849 [inline]
toggle_allocation_gate+0xfc/0x260 mm/kfence/core.c:841
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.541 msecs

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Hillf Danton

unread,

Nov 2, 2024, 9:29:06 PM11/2/24

to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com

On Sat, 02 Nov 2024 17:09:25 -0700

> syzbot found the following issue on:
>
> HEAD commit: e42b1a9a2557 Merge tag 'spi-fix-v6.12-rc5' of git://git.ke..
> git tree: upstream

> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1274ca30580000

#syz test

--- x/sound/core/init.c
+++ y/sound/core/init.c
@@ -577,9 +577,13 @@ void snd_card_disconnect_sync(struct snd
}
EXPORT_SYMBOL_GPL(snd_card_disconnect_sync);

+static DEFINE_SPINLOCK(release_sl);
+
static int snd_card_do_free(struct snd_card *card)
{
+ spin_lock(&release_sl);
card->releasing = true;
+ spin_unlock(&release_sl);
#if IS_ENABLED(CONFIG_SND_MIXER_OSS)
if (snd_mixer_oss_notify_callback)
snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE);
@@ -591,8 +595,10 @@ static int snd_card_do_free(struct snd_c
dev_warn(card->dev, "unable to free card info\n");
/* Not fatal error */
}
+ spin_lock(&release_sl);
if (card->release_completion)
complete(card->release_completion);
+ spin_unlock(&release_sl);
if (!card->managed)
kfree(card);
return 0;
@@ -637,16 +643,20 @@ void snd_card_free(struct snd_card *card
{
DECLARE_COMPLETION_ONSTACK(released);

+ spin_lock(&release_sl);
/* The call of snd_card_free() is allowed from various code paths;
* a manual call from the driver and the call via devres_free, and
* we need to avoid double-free. Moreover, the release via devres
* may call snd_card_free() twice due to its nature, we need to have
* the check here at the beginning.
*/
- if (card->releasing)
+ if (card->releasing) {
+ spin_unlock(&release_sl);
return;
+ }

card->release_completion = &released;
+ spin_unlock(&release_sl);
snd_card_free_when_closed(card);

/* wait, until all devices are ready for the free operation */
--

syzbot

unread,

Nov 2, 2024, 9:49:06 PM11/2/24

to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in snd_card_free

INFO: task kworker/0:1:9 blocked for more than 143 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:1 state:D stack:22400 pid:9 tgid:9 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116

snd_card_free+0x144/0x1b0 sound/core/init.c:663

snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

INFO: task kworker/1:1:51 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:1 state:D stack:24480 pid:51 tgid:51 ppid:2 flags:0x00004000

snd_card_free+0x144/0x1b0 sound/core/init.c:663

INFO: task kworker/0:3:5857 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:3 state:D
stack:24096 pid:5857 tgid:5857 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116

snd_card_free+0x144/0x1b0 sound/core/init.c:663

INFO: task kworker/1:7:6739 blocked for more than 145 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:7 state:D
stack:26032 pid:6739 tgid:6739 ppid:2 flags:0x00004000

snd_card_free+0x144/0x1b0 sound/core/init.c:663

INFO: task syz.1.16:6744 blocked for more than 146 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.1.16 state:D stack:28256 pid:6744 tgid:6743 ppid:6568 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0d03b7e719
RSP: 002b:00007f0d049ed038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0d03d35f80 RCX: 00007f0d03b7e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007f0d03bf132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f0d03d35f80 R15: 00007ffe05b28c68
</TASK>
INFO: task syz.4.19:6761 blocked for more than 146 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.4.19 state:D stack:27680 pid:6761 tgid:6760 ppid:6573 flags:0x00000004

RIP: 0033:0x7fdef957e719
RSP: 002b:00007fdefa2e4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fdef9735f80 RCX: 00007fdef957e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007fdef95f132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fdef9735f80 R15: 00007fff0efa2c78
</TASK>
INFO: task syz.3.18:6769 blocked for more than 147 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.3.18 state:D stack:28384 pid:6769 tgid:6768 ppid:6562 flags:0x00000004

usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fecec77d0b0
RSP: 002b:00007feced522b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fecec77d0b0
RDX: 0000000000000d81 RSI: 00007feced522c10 RDI: 00000000ffffff9c
RBP: 00007feced522c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fecec935f80 R15: 00007ffc4cf1db68
</TASK>
INFO: task syz.2.21:6788 blocked for more than 148 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.2.21 state:D stack:27216 pid:6788 tgid:6786 ppid:6561 flags:0x00000004

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fb7f857d0b0
RSP: 002b:00007fb7f92dbb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fb7f857d0b0
RDX: 0000000000000d81 RSI: 00007fb7f92dbc10 RDI: 00000000ffffff9c
RBP: 00007fb7f92dbc10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fb7f8735f80 R15: 00007fff3c60ecb8
</TASK>
INFO: task syz.0.22:6789 blocked for more than 148 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.0.22 state:D stack:28384 pid:6789 tgid:6787 ppid:6557 flags:0x00000004

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fa27977d0b0
RSP: 002b:00007fa27a56db70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fa27977d0b0
RDX: 0000000000000d81 RSI: 00007fa27a56dc10 RDI: 00000000ffffff9c
RBP: 00007fa27a56dc10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fa279935f80 R15: 00007ffee83e1168

</TASK>

Showing all locks held in the system:

5 locks held by kworker/0:1/9:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900000e7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144341190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144341190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805d738190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805d738190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888026a58160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888026a58160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888026a58160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
3 locks held by kworker/u8:0/11:
#0: ffff88814d188148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000107d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888052b1ae58 (&p->pi_lock){-.-.}-{2:2}, at: class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
#2: ffff888052b1ae58 (&p->pi_lock){-.-.}-{2:2}, at: try_to_wake_up+0xa1/0x14f0 kernel/sched/core.c:4165
5 locks held by kworker/1:0/25:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900001f7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029010190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029010190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805b026190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805b026190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88805b24e160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88805b24e160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88805b24e160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293

1 lock held by khungtaskd/30:
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720

3 locks held by kworker/u8:2/35:
#0: ffff88814d188148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000ab7d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8fee35a8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14d0 net/ipv6/addrconf.c:4196
5 locks held by kworker/1:1/51:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000bc7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144344190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144344190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888035eb1190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888035eb1190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802ae0a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802ae0a160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802ae0a160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
5 locks held by kworker/u8:4/64:
5 locks held by kworker/1:2/965:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900039bfd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029000190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029000190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805df78190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805df78190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888078cc9160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888078cc9160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888078cc9160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
2 locks held by kworker/u8:7/2944:
2 locks held by getty/5583:
#0: ffff888035da20a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f162f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
5 locks held by kworker/0:3/5857:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900047afd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88802933d190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802933d190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802a961160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802a961160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802a961160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
5 locks held by kworker/1:4/5927:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900049dfd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888028e78190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888028e78190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880213ec190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880213ec190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888024a1b160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888024a1b160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888024a1b160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
5 locks held by kworker/0:4/6092:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900043afd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88814474c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88814474c190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88814476d190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88814476d190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88807bcfd160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807bcfd160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88807bcfd160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
5 locks held by kworker/u9:3/6565:
#0: ffff88802138b148 ((wq_completion)hci12){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900047bfd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88802adccd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88802adcc078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
5 locks held by kworker/u9:4/6566:
#0: ffff88802ab31948 ((wq_completion)hci13){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000479fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88807e558d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88807e558078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
5 locks held by kworker/u9:6/6571:
#0: ffff88805fc52148 ((wq_completion)hci11){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90002e0fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88807b610d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88807b610078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
5 locks held by kworker/u9:7/6572:
#0: ffff8880618fe948 ((wq_completion)hci14){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90002f2fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88807e55cd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88807e55c078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014bd68 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
5 locks held by kworker/1:6/6650:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003b17d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881443f0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881443f0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88807cbd6190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807cbd6190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888027644160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888027644160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888027644160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
5 locks held by kworker/1:7/6739:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900032ffd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88814473c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88814473c190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888078fc8190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888078fc8190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888030970160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888030970160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888030970160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
1 lock held by syz.1.16/6744:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.4.19/6761:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.3.18/6769:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.21/6788:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.22/6789:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.23/7406:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
5 locks held by kworker/0:8/7468:
#0: ffff88801b745548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000467fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880290d0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8880290d0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888078594190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888078594190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88805be4c160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88805be4c160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88805be4c160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
1 lock held by syz.6.24/7471:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.27/7474:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.26/7476:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.25/7480:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.28/7499:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.31/7563:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.30/7570:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.32/7573:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.29/7576:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.33/7598:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.34/7625:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.37/7685:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.35/7695:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.36/7701:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.38/7708:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.39/7726:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.40/7748:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.42/7787:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.41/7790:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.43/7803:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.44/7825:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.45/7847:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.46/7898:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.47/7908:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.48/7925:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.49/7938:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.50/7948:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.51/7973:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.52/7995:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.53/8026:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.54/8044:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.55/8058:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.56/8087:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.57/8104:
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8880284b7190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by syz-executor/8105:
#0: ffff88801206c420 (sb_writers#11){.+.+}-{0:0}, at: ksys_write+0x12f/0x260 fs/read_write.c:736
#1: ffff888043cb7488 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27b/0x500 fs/kernfs/file.c:325
#2: ffffffff8e20f448 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock include/linux/cgroup.h:368 [inline]
#2: ffffffff8e20f448 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_kn_lock_live+0x139/0x570 kernel/cgroup/cgroup.c:1662
#3: ffffffff8e05b950 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2435 [inline]
#3: ffffffff8e05b950 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_procs_write_start+0x18f/0x660 kernel/cgroup/cgroup.c:2939
#4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2437 [inline]
#4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2433 [inline]
#4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_procs_write_start+0x19b/0x660 kernel/cgroup/cgroup.c:2939
#5: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x282/0x3b0 kernel/rcu/tree_exp.h:297
2 locks held by syz-executor/8119:
#0: ffffffff8fee35a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee35a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672
#1: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
1 lock held by syz-executor/8122:
#0: ffffffff8fee35a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee35a8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672

=============================================

NMI backtrace for cpu 1

CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Sending NMI from CPU 1 to CPUs 0:

NMI backtrace for cpu 0

CPU: 0 UID: 0 PID: 64 Comm: kworker/u8:4 Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:ieee80211_sta_get_rates+0x237/0x650 net/mac80211/util.c:1556
Code: 89 7c 24 24 e8 3a 63 ef f6 89 de 44 89 ff e8 b0 64 ef f6 44 39 fb 0f 8e 6f 02 00 00 e8 22 63 ef f6 48 8b 44 24 18 48 8d 78 38 <48> 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 82 03 00 00 48 8b 44 24
RSP: 0018:ffffc900015d7958 EFLAGS: 00000293
RAX: ffff888040429800 RBX: 0000000000000008 RCX: ffffffff8a9e1950
RDX: ffff88801d364880 RSI: ffffffff8a9e195e RDI: ffff888040429838
RBP: 000000000000000c R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 000000000000000c R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 000055555b3a6808 CR3: 000000000df7c000 CR4: 00000000003526f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>

ieee80211_update_sta_info net/mac80211/ibss.c:989 [inline]
ieee80211_rx_bss_info net/mac80211/ibss.c:1098 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1039/0x2f40 net/mac80211/ibss.c:1606
ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline]
ieee80211_iface_work+0xc0b/0xf00 net/mac80211/iface.c:1657
cfg80211_wiphy_work+0x3d9/0x550 net/wireless/core.c:440

process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Tested on:

commit: 11066801 Merge tag 'linux_kselftest-fixes-6.12-rc6' of..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a41aa7980000

kernel config: https://syzkaller.appspot.com/x/.config?x=4340261e4e9f37fc
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=157ff55f980000

Edward Adam Davis

unread,

Nov 4, 2024, 9:38:05 PM11/4/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

The sound card of usx2y's probe and disconnect need to be protected under mutex.

#syz test

diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index 2f9cede242b3..43301e02557a 100644
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS];

static void snd_usx2y_card_private_free(struct snd_card *card);
static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s);
+static DEFINE_MUTEX(devices_mutex);

/*
* pipe 4 is used for switching the lamps, setting samplerate, volumes ....
@@ -407,9 +408,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)
struct usx2ydev *usx2y;
struct list_head *p;

+ mutex_lock(&devices_mutex);
card = usb_get_intfdata(intf);
- if (!card)
+ if (!card) {
+ mutex_unlock(&devices_mutex);
return;
+ }
usx2y = usx2y(card);
usx2y->chip_status = USX2Y_STAT_CHIP_HUP;
usx2y_unlinkseq(&usx2y->as04);
@@ -423,6 +427,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)
if (usx2y->us428ctls_sharedmem)
wake_up(&usx2y->us428ctls_wait_queue_head);
snd_card_free(card);
+ mutex_unlock(&devices_mutex);
}

static int snd_usx2y_probe(struct usb_interface *intf,
@@ -432,15 +437,18 @@ static int snd_usx2y_probe(struct usb_interface *intf,
struct snd_card *card;
int err;

+ mutex_lock(&devices_mutex);
if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 ||
(le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 &&
le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 &&
- le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428))
- return -EINVAL;
+ le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) {
+ err = -EINVAL;
+ goto out;
+ }

err = usx2y_create_card(device, intf, &card);
if (err < 0)
- return err;
+ goto out;
err = usx2y_hwdep_new(card, device);
if (err < 0)
goto error;
@@ -449,10 +457,13 @@ static int snd_usx2y_probe(struct usb_interface *intf,
goto error;

dev_set_drvdata(&intf->dev, card);
+ mutex_unlock(&devices_mutex);
return 0;

- error:
+error:
snd_card_free(card);
+out:
+ mutex_unlock(&devices_mutex);
return err;
}

syzbot

unread,

Nov 4, 2024, 10:12:07 PM11/4/24

to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

INFO: task hung in snd_usx2y_probe

INFO: task kworker/0:0:8 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:0 state:D stack:24896 pid:8 tgid:8 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]

hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]

hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903

INFO: task kworker/1:1:81 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:1 state:D stack:24624 pid:81 tgid:81 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116

snd_card_free+0x128/0x190 sound/core/init.c:653
snd_usx2y_disconnect+0x1aa/0x230 sound/usb/usx2y/usbusx2y.c:429

device_del+0x396/0x9f0 drivers/base/core.c:3861

usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

INFO: task kworker/1:3:5860 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:3 state:D stack:23008 pid:5860 tgid:5860 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]

hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903

INFO: task kworker/1:4:5928 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:4 state:D stack:26024 pid:5928 tgid:5928 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]

hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903

INFO: task kworker/1:6:5946 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:6 state:D stack:25312 pid:5946 tgid:5946 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]

hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903

INFO: task udevd:6464 blocked for more than 147 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27232 pid:6464 tgid:6464 ppid:5201 flags:0x00000002

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0a94516b6a
RSP: 002b:00007ffde7035b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a
RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008
RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffde7036008 R15: 000000000000000a
</TASK>
INFO: task udevd:6485 blocked for more than 147 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27120 pid:6485 tgid:6485 ppid:5201 flags:0x00000002

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0a94516b6a
RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a
RDX: 0000000000001000 RSI: 000056225af02ad0 RDI: 0000000000000008
RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000020
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a
</TASK>
INFO: task udevd:6516 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27232 pid:6516 tgid:6516 ppid:5201 flags:0x00000002

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0a94516b6a
RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a
RDX: 0000000000001000 RSI: 000056225af028c0 RDI: 0000000000000008
RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000020
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a
</TASK>
INFO: task syz.1.16:6717 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.1.16 state:D stack:24144 pid:6717 tgid:6716 ppid:6547 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fd9aad7e719
RSP: 002b:00007fd9ababd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fd9aaf35f80 RCX: 00007fd9aad7e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007fd9aadf132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007fd9aaf35f80 R15: 00007ffc913c6398
</TASK>
INFO: task udevd:6718 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27232 pid:6718 tgid:6718 ppid:5201 flags:0x00004002

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0a94516b6a
RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a
RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008
RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task udevd:6749 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27680 pid:6749 tgid:6749 ppid:5201 flags:0x00004002

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0a94516b6a
RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a
RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008
RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task kworker/1:7:6765 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:7 state:D stack:24768 pid:6765 tgid:6765 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]

hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903

Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.4.19:6814 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.4.19 state:D stack:28384 pid:6814 tgid:6813 ppid:6560 flags:0x00004004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fe00597d0b0
RSP: 002b:00007fe0067f3b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fe00597d0b0
RDX: 0000000000000d81 RSI: 00007fe0067f3c10 RDI: 00000000ffffff9c
RBP: 00007fe0067f3c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007fe005b35f80 R15: 00007fffe6ead4d8
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.0.15:6850 blocked for more than 150 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.0.15 state:D stack:27680 pid:6850 tgid:6848 ppid:6545 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f72b397d0b0
RSP: 002b:00007f72b4693b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f72b397d0b0
RDX: 0000000000000d81 RSI: 00007f72b4693c10 RDI: 00000000ffffff9c
RBP: 00007f72b4693c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007f72b3b35f80 R15: 00007ffe3dd2b978
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.2.17:6851 blocked for more than 150 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.2.17 state:D stack:28384 pid:6851 tgid:6849 ppid:6554 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7efc0497d0b0
RSP: 002b:00007efc0578fb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007efc0497d0b0
RDX: 0000000000000d81 RSI: 00007efc0578fc10 RDI: 00000000ffffff9c
RBP: 00007efc0578fc10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007efc04b35f80 R15: 00007ffe620c9d98
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.3.18:6860 blocked for more than 151 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.3.18 state:D stack:28384 pid:6860 tgid:6859 ppid:6557 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7efce1f7d0b0
RSP: 002b:00007efce2da8b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007efce1f7d0b0
RDX: 0000000000000d81 RSI: 00007efce2da8c10 RDI: 00000000ffffff9c
RBP: 00007efce2da8c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007efce2135f80 R15: 00007fff025d24c8
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task udevd:6894 blocked for more than 151 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27232 pid:6894 tgid:6894 ppid:5201 flags:0x00000002

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f0a94516b6a
RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a
RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008
RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.5.20:7318 blocked for more than 152 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.5.20 state:D stack:28384 pid:7318 tgid:7317 ppid:7299 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]

__schedule+0xe55/0x5740 kernel/sched/core.c:6690

__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f6ef7f7d0b0
RSP: 002b:00007f6ef8e27b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f6ef7f7d0b0
RDX: 0000000000000d81 RSI: 00007f6ef8e27c10 RDI: 00000000ffffff9c
RBP: 00007f6ef8e27c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007f6ef8135f80 R15: 00007ffcde8b4758
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

Showing all locks held in the system:

6 locks held by kworker/0:0/8:
#0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900000d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888145303190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145303190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88802d940190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802d940190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88807a842160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807a842160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440

2 locks held by kworker/u8:4/80:
6 locks held by kworker/1:1/81:
#0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900015d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88814539b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88814539b190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888028f58160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888028f58160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888028f58160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:411
2 locks held by kworker/0:2/968:
#0: ffff8880b863ee98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:598
#1: ffff8880b8628a48 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x2c1/0x8e0 kernel/sched/psi.c:987
2 locks held by getty/5586:
#0: ffff88814e5080a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
6 locks held by kworker/1:3/5860:
#0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003ce7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029abb190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029abb190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888063ac8190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888063ac8190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888032b4a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888032b4a160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
6 locks held by kworker/1:4/5928:
#0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000378fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881453ab190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881453ab190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88806020a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806020a190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88806ed10160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88806ed10160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
6 locks held by kworker/1:5/5931:
#0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000376fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888145783190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145783190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880630cf190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880630cf190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88806f018160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88806f018160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
6 locks held by kworker/1:6/5946:
#0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000377fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888145743190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145743190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888034111190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888034111190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff8880665a3160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff8880665a3160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
4 locks held by udevd/6464:
#0: ffff88806f083418 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888033ff7488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88814c61f008 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6485:
#0: ffff8880322dbc30 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888020ad5888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880289f8d28 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888065e20190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888065e20190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6516:
#0: ffff888079b609e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880282d2888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888070c530f8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155

Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b6a740580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821

dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=10a5c6a7980000

Edward Adam Davis

unread,

Nov 4, 2024, 10:59:22 PM11/4/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

The sound card of usx2y's probe and disconnect need to be protected under mutex.

debug: where hung in snd_card_do_free?

#syz test

diff --git a/sound/core/info.c b/sound/core/info.c
index 1f5b8a3d9e3b..e584f3eb742b 100644
--- a/sound/core/info.c
+++ b/sound/core/info.c
@@ -566,7 +566,9 @@ int snd_info_card_free(struct snd_card *card)
{
if (!card)
return 0;
+ printk("card: %p, %s\n", card, __func__);
snd_info_free_entry(card->proc_root);
+ printk("2card: %p, %s\n", card, __func__);
card->proc_root = NULL;
return 0;
}
diff --git a/sound/core/init.c b/sound/core/init.c
index 114fb87de990..900ae1e7fc22 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -186,6 +186,7 @@ int snd_card_new(struct device *parent, int idx, const char *xid,
return -ENOMEM;

err = snd_card_init(card, parent, idx, xid, module, extra_size);
+ printk("err: %d, card: %p, %s\n", err, card, __func__);
if (err < 0)
return err; /* card is freed by error handler */

@@ -584,7 +585,9 @@ static int snd_card_do_free(struct snd_card *card)
if (snd_mixer_oss_notify_callback)
snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE);
#endif
+ printk("card: %p, %s\n", card, __func__);
snd_device_free_all(card);
+ printk("2card: %p, %s\n", card, __func__);
if (card->private_free)
card->private_free(card);
if (snd_info_card_free(card) < 0) {
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c
index 2f9cede242b3..129210a81545 100644

--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS];

static void snd_usx2y_card_private_free(struct snd_card *card);
static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s);
+static DEFINE_MUTEX(devices_mutex);

/*
* pipe 4 is used for switching the lamps, setting samplerate, volumes ....

@@ -392,6 +393,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card)
{
struct usx2ydev *usx2y = usx2y(card);

+ printk("card: %p, %s\n", card, __func__);
kfree(usx2y->in04_buf);
usb_free_urb(usx2y->in04_urb);
if (usx2y->us428ctls_sharedmem)
@@ -407,9 +409,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)

struct usx2ydev *usx2y;
struct list_head *p;

+ mutex_lock(&devices_mutex);
card = usb_get_intfdata(intf);
- if (!card)
+ if (!card) {
+ mutex_unlock(&devices_mutex);
return;
+ }
usx2y = usx2y(card);
usx2y->chip_status = USX2Y_STAT_CHIP_HUP;
usx2y_unlinkseq(&usx2y->as04);

@@ -423,6 +428,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)

if (usx2y->us428ctls_sharedmem)
wake_up(&usx2y->us428ctls_wait_queue_head);
snd_card_free(card);
+ mutex_unlock(&devices_mutex);
}

static int snd_usx2y_probe(struct usb_interface *intf,

@@ -432,15 +438,18 @@ static int snd_usx2y_probe(struct usb_interface *intf,

struct snd_card *card;
int err;

+ mutex_lock(&devices_mutex);
if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 ||
(le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 &&
le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 &&
- le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428))
- return -EINVAL;
+ le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) {
+ err = -EINVAL;
+ goto out;
+ }

err = usx2y_create_card(device, intf, &card);
if (err < 0)
- return err;
+ goto out;
err = usx2y_hwdep_new(card, device);
if (err < 0)
goto error;

@@ -449,10 +458,13 @@ static int snd_usx2y_probe(struct usb_interface *intf,

syzbot

unread,

Nov 4, 2024, 11:18:04 PM11/4/24

to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in snd_usx2y_probe

INFO: task kworker/0:1:9 blocked for more than 143 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:1 state:D stack:24016 pid:9 tgid:9 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752

snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441

INFO: task kworker/1:1:51 blocked for more than 144 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:1 state:D stack:24928 pid:51 tgid:51 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116

snd_card_free+0x128/0x190 sound/core/init.c:656
snd_usx2y_disconnect+0x1aa/0x230 sound/usb/usx2y/usbusx2y.c:430

usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3861
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

INFO: task kworker/1:3:5905 blocked for more than 145 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:3 state:D stack:22720 pid:5905 tgid:5905 ppid:2 flags:0x00004000

snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441

INFO: task kworker/0:4:5989 blocked for more than 147 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:4 state:D stack:26384 pid:5989 tgid:5989 ppid:2 flags:0x00004000

snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412

INFO: task udevd:6311 blocked for more than 147 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27216 pid:6311 tgid:6311 ppid:5199 flags:0x00000002

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f6f46d16b6a
RSP: 002b:00007ffe20c8c6f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00005620db10aa70 RCX: 00007f6f46d16b6a
RDX: 0000000000001000 RSI: 00005620db12a1b0 RDI: 0000000000000008
RBP: 00005620db10aa70 R08: 0000000000000008 R09: 0000000000000000

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe20c8cbd8 R15: 000000000000000a
</TASK>
INFO: task udevd:6332 blocked for more than 147 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27216 pid:6332 tgid:6332 ppid:5199 flags:0x00000002

RIP: 0033:0x7f6f46d16b6a
RSP: 002b:00007ffe20c8c6f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00005620db10aa70 RCX: 00007f6f46d16b6a
RDX: 0000000000001000 RSI: 00005620db12c910 RDI: 0000000000000008
RBP: 00005620db10aa70 R08: 0000000000000008 R09: 0000000000000000

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe20c8cbd8 R15: 000000000000000a
</TASK>
INFO: task syz.3.22:6550 blocked for more than 148 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.3.22 state:D stack:26352 pid:6550 tgid:6549 ppid:6391 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f87b437e719
RSP: 002b:00007f87b51db038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f87b4535f80 RCX: 00007f87b437e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007f87b43f132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007f87b4535f80 R15: 00007fff56f3bd58
</TASK>
INFO: task syz.1.16:6557 blocked for more than 148 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.1.16 state:D stack:27632 pid:6557 tgid:6556 ppid:6384 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7ff338b7e719
RSP: 002b:00007ff3398cb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff338d35f80 RCX: 00007ff338b7e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007ff338bf132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007ff338d35f80 R15: 00007ffda8d7b3f8
</TASK>
INFO: task kworker/1:6:6588 blocked for more than 149 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:6 state:D stack:26832 pid:6588 tgid:6588 ppid:2 flags:0x00004000

snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441

INFO: task syz.0.15:6617 blocked for more than 149 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.0.15 state:D stack:28384 pid:6617 tgid:6615 ppid:6386 flags:0x00000004

RIP: 0033:0x7f0db2f7d0b0
RSP: 002b:00007f0db21fdb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f0db2f7d0b0
RDX: 0000000000000d81 RSI: 00007f0db21fdc10 RDI: 00000000ffffff9c
RBP: 00007f0db21fdc10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007f0db3135f80 R15: 00007ffeb5dc5cc8

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task syz.2.17:6621 blocked for more than 150 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.2.17 state:D stack:27024 pid:6621 tgid:6619 ppid:6396 flags:0x00004004

RIP: 0033:0x7f22d457d0b0
RSP: 002b:00007f22d5366b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f22d457d0b0
RDX: 0000000000000d81 RSI: 00007f22d5366c10 RDI: 00000000ffffff9c
RBP: 00007f22d5366c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007f22d4735f80 R15: 00007ffdd9d18a78

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task syz.4.19:6627 blocked for more than 150 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.4.19 state:D stack:27680 pid:6627 tgid:6626 ppid:6398 flags:0x00004004

RIP: 0033:0x7f8b8957d0b0
RSP: 002b:00007f8b8a376b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f8b8957d0b0
RDX: 0000000000000d81 RSI: 00007f8b8a376c10 RDI: 00000000ffffff9c
RBP: 00007f8b8a376c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007f8b89735f80 R15: 00007ffdd1dfae68

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

Showing all locks held in the system:

6 locks held by kworker/0:1/9:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900000e7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fa0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fa0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88803371b160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88803371b160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441

3 locks held by kworker/u8:0/11:

#0: ffff88814d396148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000107d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14d0 net/ipv6/addrconf.c:4196

6 locks held by kworker/1:1/51:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000bc7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029210190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029210190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805eb5c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805eb5c190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff8880797b6160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff8880797b6160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff8880797b6160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
3 locks held by kworker/u8:3/52:
6 locks held by kworker/0:2/969:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003e57d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fc0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fc0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888031dc4160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888031dc4160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syslogd/5181:

#0: ffff8880b863ee98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:598

1 lock held by klogd/5188:

#0: ffff8880b863ee98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:598

2 locks held by getty/5582:
#0: ffff888037c0a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243

#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211

6 locks held by kworker/0:3/5861:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004447d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888145330190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145330190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888029550160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888029550160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/1:3/5905:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003f07d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029228190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029228190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880636a9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880636a9190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88802618d160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802618d160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:4/5989:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004dafd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88802ad74190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802ad74190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802b17f160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802b17f160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802b17f160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
4 locks held by udevd/6298:
#0: ffff888021b531c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88803176e888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880741142d8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6311:
#0: ffff8880300780a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888068868488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880307bdf08 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6332:
#0: ffff888033594e80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807fb58888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880372142d8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6333:
#0: ffff888036c06790 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880660a5888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880325dfb48 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
3 locks held by kworker/u9:5/6393:
#0: ffff8880339ed148 ((wq_completion)hci14){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000381fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888032058d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
4 locks held by udevd/6436:
#0: ffff88803044e0a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888030e9f088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88805ed165a8 (kn->active#29){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: device_lock_interruptible include/linux/device.h:1019 [inline]
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: manufacturer_show+0x26/0xa0 drivers/usb/core/sysfs.c:142
1 lock held by syz.3.22/6550:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.1.16/6557:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
6 locks held by kworker/1:6/6588:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000344fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fb1190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fb1190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88802618e160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802618e160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/1:8/6591:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000341fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888145318190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145318190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888069111160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888069111160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.0.15/6617:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.17/6621:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by kworker/0:6/6623:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004747d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029368190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029368190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888037284160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888037284160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.4.19/6627:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.23/6891:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6897:
#0: ffff888062295b08 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807fbda488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888069384d28 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.6.24/6926:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6934:
#0: ffff8880622959e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807fbd9088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880284a6c38 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
3 locks held by kworker/u8:8/6948:
#0: ffff88801b081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000338fd80 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:276

1 lock held by syz.7.25/6968:

#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by kworker/1:10/6971:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90002e4fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029358190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029358190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88803745b160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88803745b160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441

1 lock held by syz.9.27/6974:

1 lock held by syz.7.35/7144:

#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.36/7175:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.37/7178:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.38/7200:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.39/7210:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.40/7226:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.41/7251:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.42/7264:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.43/7291:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.44/7315:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.45/7330:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.46/7361:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.47/7377:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.48/7390:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.49/7413:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.50/7428:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.51/7453:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.52/7475:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.53/7497:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.54/7519:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.55/7536:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.56/7562:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.57/7585:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.58/7601:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.59/7620:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
2 locks held by syz-executor/7627:
#0: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672
#1: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x282/0x3b0 kernel/rcu/tree_exp.h:297
2 locks held by syz-executor/7633:
#0: ffffffff8fecde10 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x292/0x6b0 net/core/net_namespace.c:490
#1: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x1b/0x70 net/ipv4/nexthop.c:3885
1 lock held by syz.0.60/7639:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051

=============================================

NMI backtrace for cpu 0

CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

Sending NMI from CPU 0 to CPUs 1:

NMI backtrace for cpu 1

CPU: 1 UID: 0 PID: 6948 Comm: kworker/u8:8 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound cfg80211_wiphy_work

RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:217 [inline]
RIP: 0010:unwind_next_frame+0x1c8/0x20c0 arch/x86/kernel/unwind_orc.c:494
Code: 56 ff 39 d0 0f 83 09 15 00 00 48 ba 00 00 00 00 00 fc ff df 89 c1 48 8d 3c 8d 4c b2 aa 91 49 89 f8 49 c1 e8 03 45 0f b6 04 10 <48> 89 fa 83 e2 07 83 c2 03 44 38 c2 7c 2f 45 84 c0 74 2a 48 89 4c
RSP: 0018:ffffc9000338f6f8 EFLAGS: 00000a03
RAX: 0000000000099168 RBX: 0000000000000001 RCX: 0000000000099168
RDX: dffffc0000000000 RSI: 00000000000a6001 RDI: ffffffff91d0f7ec
RBP: ffffc9000338f7b0 R08: 0000000000000000 R09: ffffffff917fb79a
R10: ffffc9000338f768 R11: 0000000000099168 R12: ffffc9000338f7b8
R13: ffffc9000338f768 R14: ffffc9000338f79d R15: ffffffff8a916806

Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=1529a740580000

kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

patch: https://syzkaller.appspot.com/x/patch.diff?x=11210e30580000

Edward Adam Davis

unread,

Nov 5, 2024, 12:03:52 AM11/5/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

The sound card of usx2y's probe and disconnect need to be protected under mutex.
debug: where hung in snd_card_do_free?

#syz test

diff --git a/sound/core/info.c b/sound/core/info.c
index 1f5b8a3d9e3b..e584f3eb742b 100644
--- a/sound/core/info.c
+++ b/sound/core/info.c
@@ -566,7 +566,9 @@ int snd_info_card_free(struct snd_card *card)
{
if (!card)
return 0;
+ printk("card: %p, %s\n", card, __func__);
snd_info_free_entry(card->proc_root);
+ printk("2card: %p, %s\n", card, __func__);
card->proc_root = NULL;
return 0;
}
diff --git a/sound/core/init.c b/sound/core/init.c

index 114fb87de990..84b88b1192d0 100644

--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -186,6 +186,7 @@ int snd_card_new(struct device *parent, int idx, const char *xid,
return -ENOMEM;

err = snd_card_init(card, parent, idx, xid, module, extra_size);
+ printk("err: %d, card: %p, %s\n", err, card, __func__);
if (err < 0)
return err; /* card is freed by error handler */

@@ -580,11 +581,14 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync);

static int snd_card_do_free(struct snd_card *card)

{
card->releasing = true;
+ printk("0card: %p, %s\n", card, __func__);
#if IS_ENABLED(CONFIG_SND_MIXER_OSS)

if (snd_mixer_oss_notify_callback)
snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE);
#endif

+ printk("1card: %p, %s\n", card, __func__);

diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c
index 96a412beab2d..9e5a0eb43fec 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -523,9 +523,9 @@ static void batadv_check_known_mac_addr(const struct net_device *net_dev)
net_dev->dev_addr))
continue;

- pr_warn("The newly added mac address (%pM) already exists on: %s\n",
+ pr_warn_ratelimited("The newly added mac address (%pM) already exists on: %s\n",
net_dev->dev_addr, hard_iface->net_dev->name);
- pr_warn("It is strongly recommended to keep mac addresses unique to avoid problems!\n");
+ pr_warn_ratelimited("It is strongly recommended to keep mac addresses unique to avoid problems!\n");
}
rcu_read_unlock();
}

syzbot

unread,

Nov 5, 2024, 12:23:05 AM11/5/24

to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in snd_usx2y_probe

INFO: task kworker/1:1:46 blocked for more than 143 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:1 state:D stack:24096 pid:46 tgid:46 ppid:2 flags:0x00004000

INFO: task kworker/1:2:5857 blocked for more than 144 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:2 state:D stack:24192 pid:5857 tgid:5857 ppid:2 flags:0x00004000

INFO: task kworker/0:4:5903 blocked for more than 144 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:4 state:D stack:24592 pid:5903 tgid:5903 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116

snd_card_free+0x128/0x190 sound/core/init.c:657

snd_usx2y_disconnect+0x1aa/0x230 sound/usb/usx2y/usbusx2y.c:430
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3861
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>

INFO: task udevd:6242 blocked for more than 145 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:26480 pid:6242 tgid:6242 ppid:5198 flags:0x00004002

RIP: 0033:0x7f083c716b6a
RSP: 002b:00007ffe92ad1e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056429ff187e0 RCX: 00007f083c716b6a
RDX: 0000000000001000 RSI: 000056429ff3fa50 RDI: 0000000000000008
RBP: 000056429ff187e0 R08: 0000000000000008 R09: 0000000000000010

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe92ad2358 R15: 000000000000000a
</TASK>
INFO: task kworker/0:5:6337 blocked for more than 145 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:5 state:D stack:26016 pid:6337 tgid:6337 ppid:2 flags:0x00004000

INFO: task kworker/1:4:6548 blocked for more than 146 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/1:4 state:D stack:25968 pid:6548 tgid:6548 ppid:2 flags:0x00004000

INFO: task syz.2.17:6616 blocked for more than 146 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.2.17 state:D stack:28224 pid:6616 tgid:6615 ppid:6339 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f7ee5b7e719
RSP: 002b:00007f7ee6950038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7ee5d35f80 RCX: 00007f7ee5b7e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007f7ee5bf132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007f7ee5d35f80 R15: 00007fffd2223788
</TASK>
INFO: task syz.4.19:6629 blocked for more than 146 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.4.19 state:D stack:27632 pid:6629 tgid:6628 ppid:6336 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f4f9557e719
RSP: 002b:00007f4f963b6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4f95735f80 RCX: 00007f4f9557e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007f4f955f132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007f4f95735f80 R15: 00007ffd947243b8
</TASK>
INFO: task syz.1.16:6631 blocked for more than 147 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.1.16 state:D stack:27456 pid:6631 tgid:6630 ppid:6333 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f2bedd7e719
RSP: 002b:00007f2beec3f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2bedf35f80 RCX: 00007f2bedd7e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007f2beddf132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007f2bedf35f80 R15: 00007ffd90612368
</TASK>
INFO: task syz.3.18:6637 blocked for more than 147 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.3.18 state:D stack:28384 pid:6637 tgid:6636 ppid:6341 flags:0x00000004

RIP: 0033:0x7efc32f7d0b0
RSP: 002b:00007efc33db5b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007efc32f7d0b0
RDX: 0000000000000d81 RSI: 00007efc33db5c10 RDI: 00000000ffffff9c
RBP: 00007efc33db5c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007efc33135f80 R15: 00007ffef34f8dd8

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task syz.0.20:6642 blocked for more than 148 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.0.20 state:D stack:27680 pid:6642 tgid:6641 ppid:6332 flags:0x00000004

RIP: 0033:0x7fcefcd7d0b0
RSP: 002b:00007fcefdb13b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fcefcd7d0b0
RDX: 0000000000000d81 RSI: 00007fcefdb13c10 RDI: 00000000ffffff9c
RBP: 00007fcefdb13c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007fcefcf35f80 R15: 00007ffd0dd07128

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task udevd:6666 blocked for more than 148 seconds.

Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27680 pid:6666 tgid:6666 ppid:5198 flags:0x00000002

RIP: 0033:0x7f083c716b6a
RSP: 002b:00007ffe92ad1e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056429ff187e0 RCX: 00007f083c716b6a
RDX: 0000000000001000 RSI: 000056429ff20210 RDI: 0000000000000008
RBP: 000056429ff187e0 R08: 0000000000000008 R09: 0000000000000000

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe92ad2358 R15: 000000000000000a

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

Showing all locks held in the system:

3 locks held by kworker/u8:2/35:
6 locks held by kworker/1:1/46:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000b77d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144f5a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144f5a190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88806438f160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88806438f160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
7 locks held by kworker/u8:4/63:
6 locks held by kworker/0:2/966:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003fa7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029722190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029722190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88807b460160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807b460160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441

2 locks held by getty/5579:

#0: ffff88814d4610a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243

#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211

6 locks held by kworker/1:2/5857:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900037dfd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88806414d160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88806414d160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:4/5903:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000349fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144f8a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144f8a190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880257a8190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880257a8190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88801cbb9160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88801cbb9160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88801cbb9160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
4 locks held by udevd/6242:
#0: ffff8880128ff9e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888061815488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88806cec41e8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6272:
#0: ffff888060c29d58 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880673bac88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888036863878 (kn->active#19){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: device_lock_interruptible include/linux/device.h:1019 [inline]
#3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: manufacturer_show+0x26/0xa0 drivers/usb/core/sysfs.c:142

4 locks held by udevd/6273:

#0: ffff88807b9501c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88802b1e1c88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880367b5f08 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/0:5/6337:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900035d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880295e2190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8880295e2190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880284f9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880284f9190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888012dc9160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888012dc9160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:6/6512:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000347fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029739190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029739190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88807b461160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807b461160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/1:4/6548:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900031cfd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fa2190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fa2190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888062c7e160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888062c7e160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.2.17/6616:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.4.19/6629:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.1.16/6631:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
4 locks held by udevd/6632:
#0: ffff88807ff1cc30 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888032100488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880307025a8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.3.18/6637:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.20/6642:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6666:
#0: ffff88807df3f2f0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888063397c88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880368d43c8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/0:7/6706:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000318fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88814534a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88814534a190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff8880621e2160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff8880621e2160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
4 locks held by udevd/6779:
#0: ffff8880255b80a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88806874b488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888033a050f8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/1:9/6865:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003d9fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fba190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fba190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88806a25a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88806a25a160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.6.22/6867:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by kworker/1:11/6870:
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003ddfd80

((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205

#2: ffff888145362190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145362190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888068875160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888068875160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.5.21/6872:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.25/6875:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.24/6877:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.23/6881:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6882:
#0: ffff88807b9502f0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807f86b088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880378fde18 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6884:
#0: ffff8880255b81c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807ad9c088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880322572d8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.0.26/6964:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.29/6967:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.28/6971:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.30/6974:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.27/6976:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.31/7037:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.34/7075:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.32/7081:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.35/7086:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.33/7085:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.36/7133:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.37/7146:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.39/7165:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.40/7170:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.38/7173:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.41/7196:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.42/7223:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.43/7257:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.44/7280:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.45/7283:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.46/7305:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.47/7321:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.48/7352:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.50/7372:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.49/7375:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.51/7398:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.52/7419:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.53/7445:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.54/7483:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.55/7486:
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
2 locks held by syz-executor/7489:
#0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672

#1: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x282/0x3b0 kernel/rcu/tree_exp.h:297

1 lock held by syz-executor/7498:
#0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: __rtnl_newlink+0x65a/0x1920 net/core/rtnetlink.c:3749
1 lock held by syz-executor/7504:
#0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1

CPU: 1 UID: 0 PID: 12 Comm: kworker/u8:1 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound cfg80211_wiphy_work

RIP: 0010:jhash2 include/linux/jhash.h:130 [inline]
RIP: 0010:hash_stack lib/stackdepot.c:514 [inline]
RIP: 0010:stack_depot_save_flags+0x62/0x8f0 lib/stackdepot.c:614
Code: 31 c0 e9 73 01 00 00 41 89 c6 4b 8d 04 36 8d 1c 85 7b 71 f5 75 83 f8 03 89 c1 0f 86 18 03 00 00 89 d8 89 df 4c 89 ea 03 42 08 <83> e9 03 48 83 c2 0c 44 8b 4a f4 03 7a f8 89 c6 41 29 c1 c1 c6 04
RSP: 0018:ffffc90000116f00 EFLAGS: 00000213
RAX: 00000000009e9343 RBX: 0000000073bb44f3 RCX: 000000000000000a
RDX: ffffc90000116fc0 RSI: 0000000036f90ffc RDI: 00000000e8572e1b
RBP: 0000000000000000 R08: ffffffff90eb4466 R09: 000000009e870ba6
R10: ffffc90000116e30 R11: 0000000000000052 R12: 0000000000000000
R13: ffffc90000116f60 R14: 0000000000000011 R15: 0000000000000011
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000

CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f3870bfed00 CR3: 00000000360f2000 CR4: 00000000003526f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>

kasan_save_stack+0x42/0x60 mm/kasan/common.c:48
__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
kvfree_call_rcu+0x74/0xbe0 kernel/rcu/tree.c:3810
cfg80211_update_known_bss+0x3c0/0x11e0 net/wireless/scan.c:1891
__cfg80211_bss_update+0x1aa/0x2440 net/wireless/scan.c:1938
cfg80211_inform_single_bss_data+0x7af/0x1de0 net/wireless/scan.c:2329
cfg80211_inform_bss_data+0x205/0x3ba0 net/wireless/scan.c:3188
cfg80211_inform_bss_frame_data+0x271/0x7a0 net/wireless/scan.c:3283
ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226
ieee80211_rx_bss_info net/mac80211/ibss.c:1100 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1898/0x2f40 net/mac80211/ibss.c:1606

ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline]
ieee80211_iface_work+0xc0b/0xf00 net/mac80211/iface.c:1657
cfg80211_wiphy_work+0x3d9/0x550 net/wireless/core.c:440

Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=140c3587980000

patch: https://syzkaller.appspot.com/x/patch.diff?x=12f5a740580000

Edward Adam Davis

unread,

Nov 5, 2024, 1:57:20 AM11/5/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

The sound card of usx2y's probe and disconnect need to be protected under mutex.

dubug: why card_dev not release ?

#syz test

diff --git a/sound/core/init.c b/sound/core/init.c
index 114fb87de990..35717e1d0049 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -387,8 +387,10 @@ struct snd_card *snd_card_ref(int idx)

guard(mutex)(&snd_card_mutex);
card = snd_cards[idx];
- if (card)
+ if (card) {
+ printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__);
get_device(&card->card_dev);
+ }
return card;
}
EXPORT_SYMBOL_GPL(snd_card_ref);
@@ -495,6 +497,7 @@ void snd_card_disconnect(struct snd_card *card)
if (!card)
return;

+ printk("card: %p, %s\n", card, __func__);

scoped_guard(spinlock, &card->files_lock) {
if (card->shutdown)
return;
@@ -544,6 +547,8 @@ void snd_card_disconnect(struct snd_card *card)

if (card->registered) {
device_del(&card->card_dev);
+ printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__);
+ put_device(&card->card_dev);
card->registered = false;
}

@@ -580,6 +585,7 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync);

static int snd_card_do_free(struct snd_card *card)
{
card->releasing = true;

+ printk("card: %p, %s\n", card, __func__);

#if IS_ENABLED(CONFIG_SND_MIXER_OSS)
if (snd_mixer_oss_notify_callback)
snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE);

@@ -615,6 +621,7 @@ void snd_card_free_when_closed(struct snd_card *card)
return;

snd_card_disconnect(card);
+ printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__);
put_device(&card->card_dev);
return;
}
@@ -643,6 +650,7 @@ void snd_card_free(struct snd_card *card)

* may call snd_card_free() twice due to its nature, we need to have
* the check here at the beginning.
*/

+ printk("card: %p, rl: %d, %s\n", card, card->releasing, __func__);
if (card->releasing)
return;

@@ -1074,6 +1082,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)
return -ENODEV;
}
list_add(&mfile->list, &card->files_list);
+ printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__);
get_device(&card->card_dev);
return 0;

index 96a412beab2d..efd775aaa684 100644
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -509,6 +509,7 @@ batadv_hardif_is_iface_up(const struct batadv_hard_iface *hard_iface)

static void batadv_check_known_mac_addr(const struct net_device *net_dev)

{
const struct batadv_hard_iface *hard_iface;
+ static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL * 5, 1);

rcu_read_lock();
list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) {
@@ -523,9 +524,11 @@ static void batadv_check_known_mac_addr(const struct net_device *net_dev)
net_dev->dev_addr))
continue;

+ if (__ratelimit(&rs)) {

pr_warn("The newly added mac address (%pM) already exists on: %s\n",

net_dev->dev_addr, hard_iface->net_dev->name);

pr_warn("It is strongly recommended to keep mac addresses unique to avoid problems!\n");
+ }
}

rcu_read_unlock();
}

syzbot

unread,

Nov 5, 2024, 2:31:05 AM11/5/24

to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

KASAN: slab-use-after-free Read in snd_ctl_release

==================================================================
BUG: KASAN: slab-use-after-free in __lock_acquire+0x2dfe/0x3ce0 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff888024ae6270 by task syz.0.15/6671

CPU: 1 UID: 0 PID: 6671 Comm: syz.0.15 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120

print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
__lock_acquire+0x2dfe/0x3ce0 kernel/locking/lockdep.c:5065
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
__raw_write_lock_irqsave include/linux/rwlock_api_smp.h:186 [inline]
_raw_write_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:318
class_write_lock_irqsave_constructor include/linux/spinlock.h:601 [inline]
snd_ctl_release+0x86/0x450 sound/core/control.c:120
__fput+0x3f6/0xb60 fs/file_table.c:431
task_work_run+0x14e/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6cdf97e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe6b8df9c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 0000000000017f6a RCX: 00007f6cdf97e719
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00007f6cdfb37a80 R08: 0000000000000001 R09: 00007ffe6b8dfcbf
R10: 00007f6cdf800000 R11: 0000000000000246 R12: 0000000000018360
R13: 00007ffe6b8dfad0 R14: 0000000000000032 R15: ffffffffffffffff
</TASK>

Allocated by task 965:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
kasan_kmalloc include/linux/kasan.h:257 [inline]
__do_kmalloc_node mm/slub.c:4264 [inline]
__kmalloc_noprof+0x1e8/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
snd_card_new+0x74/0x120 sound/core/init.c:184
usx2y_create_card sound/usb/usx2y/usbusx2y.c:369 [inline]
snd_usx2y_probe+0x387/0x9c0 sound/usb/usx2y/usbusx2y.c:450

Freed by task 25:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x14f/0x4b0 mm/slub.c:4727
snd_card_do_free sound/core/init.c:603 [inline]
release_card_device+0x17f/0x1f0 sound/core/init.c:153
device_release+0xa1/0x240 drivers/base/core.c:2574
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e4/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3780
snd_card_free_when_closed sound/core/init.c:625 [inline]
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free+0x1bf/0x250 sound/core/init.c:658

The buggy address belongs to the object at ffff888024ae6000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 624 bytes inside of
freed 4096-byte region [ffff888024ae6000, ffff888024ae7000)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24ae0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042140 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042140 0000000000000000 dead000000000001
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea000092b801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5202, tgid 5202 (udevd), ts 19805789419, free_ts 19472323126
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xf7d/0x2d10 mm/page_alloc.c:3457
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:2412 [inline]
allocate_slab mm/slub.c:2578 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2631
___slab_alloc+0xdac/0x1880 mm/slub.c:3818
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__do_kmalloc_node mm/slub.c:4263 [inline]
__kmalloc_noprof+0x367/0x400 mm/slub.c:4276
kmalloc_noprof include/linux/slab.h:882 [inline]
tomoyo_realpath_from_path+0xb9/0x720 security/tomoyo/realpath.c:251
tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
tomoyo_path_perm+0x273/0x450 security/tomoyo/file.c:822
security_inode_getattr+0x116/0x290 security/security.c:2373
vfs_getattr+0x36/0xb0 fs/stat.c:204
vfs_statx_path+0x36/0x390 fs/stat.c:251
vfs_statx+0x145/0x1e0 fs/stat.c:315
vfs_fstatat+0x9f/0x160 fs/stat.c:341
__do_sys_newfstatat+0xa2/0x130 fs/stat.c:505
page last free pid 5224 tgid 5224 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_noprof+0x121/0x2f0 mm/slub.c:4141
getname_flags.part.0+0x4c/0x550 fs/namei.c:139
getname_flags+0x93/0xf0 include/linux/audit.h:322
vfs_fstatat+0x86/0x160 fs/stat.c:340
__do_sys_newfstatat+0xa2/0x130 fs/stat.c:505

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
ffff888024ae6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888024ae6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888024ae6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888024ae6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888024ae6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=10f8ed5f980000

patch: https://syzkaller.appspot.com/x/patch.diff?x=1630ed5f980000

Edward Adam Davis

unread,

Nov 5, 2024, 3:54:30 AM11/5/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

The sound card of usx2y's probe and disconnect need to be protected under mutex.

debug: why card_dev not release ?
debug: why snd ctl not release ?

#syz test

diff --git a/sound/core/control.c b/sound/core/control.c
index 0ddade871b52..5a0d46e757ba 100644
--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -82,6 +82,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
scoped_guard(write_lock_irqsave, &card->controls_rwlock)
list_add_tail(&ctl->list, &card->ctl_files);
snd_card_unref(card);

+ printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__);

return 0;

__error:
@@ -91,6 +92,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
__error1:
if (card)
snd_card_unref(card);
+ printk("err: %d, card: %p, %s\n", err, card, __func__);
return err;
}

@@ -113,6 +115,9 @@ static int snd_ctl_release(struct inode *inode, struct file *file)
struct snd_kcontrol *control;
unsigned int idx;

+ if (!file->private_data)
+ return 0;
+
ctl = file->private_data;
file->private_data = NULL;
card = ctl->card;
@@ -133,6 +138,8 @@ static int snd_ctl_release(struct inode *inode, struct file *file)
kfree(ctl);
module_put(card->module);
snd_card_file_remove(card, file);

+ printk("card: %p, %s\n", card, __func__);

+ snd_card_unref(card);
return 0;
}

@@ -2316,6 +2323,7 @@ static int snd_ctl_dev_disconnect(struct snd_device *device)

}
}

+ printk("card: %p, %s\n", card, __func__);

call_snd_ctl_lops(card, ldisconnect);
return snd_unregister_device(card->ctl_dev);
}
@@ -2339,6 +2347,7 @@ static int snd_ctl_dev_free(struct snd_device *device)
xa_destroy(&card->ctl_hash);
#endif

}
+ printk("card: %p, %s\n", card, __func__);

put_device(card->ctl_dev);
return 0;
}
diff --git a/sound/core/init.c b/sound/core/init.c
index 114fb87de990..876cd1b80029 100644

--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -387,8 +387,10 @@ struct snd_card *snd_card_ref(int idx)

guard(mutex)(&snd_card_mutex);
card = snd_cards[idx];
- if (card)
+ if (card) {
+ printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__);
get_device(&card->card_dev);
+ }
return card;
}
EXPORT_SYMBOL_GPL(snd_card_ref);

@@ -537,6 +539,11 @@ void snd_card_disconnect(struct snd_card *card)
synchronize_irq(card->sync_irq);

snd_info_card_disconnect(card);
+ struct device *child = device_find_any_child(&card->card_dev);
+ if (child) {
+ printk("child: %p, %s\n", child, __func__);
+ put_device(child);
+ }
#ifdef CONFIG_SND_DEBUG
debugfs_remove(card->debugfs_root);
card->debugfs_root = NULL;
@@ -544,6 +551,8 @@ void snd_card_disconnect(struct snd_card *card)

if (card->registered) {
device_del(&card->card_dev);

+ printk("card: %p, dev: %p, kref: %d, %s\n", card, &card->card_dev,
+ kref_read(&card->card_dev.kobj.kref), __func__);
card->registered = false;
}

@@ -580,6 +589,7 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync);

static int snd_card_do_free(struct snd_card *card)
{
card->releasing = true;
+ printk("card: %p, %s\n", card, __func__);
#if IS_ENABLED(CONFIG_SND_MIXER_OSS)
if (snd_mixer_oss_notify_callback)
snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE);

@@ -615,6 +625,7 @@ void snd_card_free_when_closed(struct snd_card *card)

return;

snd_card_disconnect(card);
+ printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__);
put_device(&card->card_dev);
return;
}

@@ -643,6 +654,7 @@ void snd_card_free(struct snd_card *card)

* may call snd_card_free() twice due to its nature, we need to have
* the check here at the beginning.
*/
+ printk("card: %p, rl: %d, %s\n", card, card->releasing, __func__);
if (card->releasing)
return;

@@ -1074,6 +1086,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)

syzbot

unread,

Nov 5, 2024, 5:52:04 AM11/5/24

to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

KASAN: slab-use-after-free Read in put_device

card: ffff88807b9a4000, snd_card_do_free
card: ffff88807b9a4000, snd_ctl_dev_free
card: ffff88807b9a4000, snd_usx2y_card_private_free
card: ffff88807b9a4000, snd_ctl_release
==================================================================
BUG: KASAN: slab-use-after-free in kobject_put+0x4ed/0x5a0 lib/kobject.c:733
Read of size 1 at addr ffff88807b9a442c by task syz.2.17/6875

CPU: 0 UID: 0 PID: 6875 Comm: syz.2.17 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601

kobject_put+0x4ed/0x5a0 lib/kobject.c:733
put_device+0x1f/0x30 drivers/base/core.c:3780
snd_card_unref include/sound/core.h:314 [inline]
snd_ctl_release+0x3b2/0x480 sound/core/control.c:142

__fput+0x3f6/0xb60 fs/file_table.c:431
task_work_run+0x14e/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f017e37e719

Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48

RSP: 002b:00007ffe61637728 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 0000000000019275 RCX: 00007f017e37e719

RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003

RBP: 00007f017e537a80 R08: 0000000000000001 R09: 00007ffe61637a1f
R10: 00007f017e200000 R11: 0000000000000246 R12: 00000000000196c6
R13: 00007ffe61637830 R14: 0000000000000032 R15: ffffffffffffffff
</TASK>

Allocated by task 2142:

Freed by task 6875:

kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x14f/0x4b0 mm/slub.c:4727

snd_card_do_free sound/core/init.c:607 [inline]

release_card_device+0x17f/0x1f0 sound/core/init.c:153
device_release+0xa1/0x240 drivers/base/core.c:2574
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e4/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3780

snd_card_file_remove+0x3a0/0x5b0 sound/core/init.c:1132
snd_ctl_release+0x390/0x480 sound/core/control.c:140

The buggy address belongs to the object at ffff88807b9a4000

which belongs to the cache kmalloc-4k of size 4096

The buggy address is located 1068 bytes inside of
freed 4096-byte region [ffff88807b9a4000, ffff88807b9a5000)

The buggy address belongs to the physical page:

page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b9a0

head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0

flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)

raw: 00fff00000000040 ffff88801b042140 dead000000000122 0000000000000000

raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000

head: 00fff00000000040 ffff88801b042140 dead000000000122 0000000000000000

head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000

head: 00fff00000000003 ffffea0001ee6801 ffffffffffffffff 0000000000000000

head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated

page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6887, tgid 6887 (kworker/u8:7), ts 103656163705, free_ts 103633261852

set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xf7d/0x2d10 mm/page_alloc.c:3457
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:2412 [inline]
allocate_slab mm/slub.c:2578 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2631
___slab_alloc+0xdac/0x1880 mm/slub.c:3818
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]

__kmalloc_cache_noprof+0x2b4/0x300 mm/slub.c:4290
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_environ security/tomoyo/domain.c:633 [inline]
tomoyo_find_next_domain+0xba0/0x2070 security/tomoyo/domain.c:881
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12b/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x1b9/0x1e0 security/security.c:1297
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve fs/exec.c:1845 [inline]
bprm_execve+0x642/0x1960 fs/exec.c:1821
kernel_execve+0x2ef/0x3b0 fs/exec.c:2012
call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:110

ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

page last free pid 6618 tgid 6618 stack trace:

reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638

__put_partials+0x14c/0x170 mm/slub.c:3145

qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]

kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4186
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1322 [inline]
netlink_alloc_large_skb+0x69/0x130 net/netlink/af_netlink.c:1206
netlink_sendmsg+0x689/0xd70 net/netlink/af_netlink.c:1876
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg net/socket.c:744 [inline]
__sys_sendto+0x479/0x4d0 net/socket.c:2214
__do_sys_sendto net/socket.c:2226 [inline]
__se_sys_sendto net/socket.c:2222 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2222

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:

ffff88807b9a4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807b9a4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807b9a4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807b9a4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807b9a4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================

Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=175596a7980000

patch: https://syzkaller.appspot.com/x/patch.diff?x=128aed5f980000

Edward Adam Davis

unread,

Nov 5, 2024, 6:23:05 AM11/5/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

The sound card of usx2y's probe and disconnect need to be protected under mutex.

#syz test

diff --git a/sound/core/control.c b/sound/core/control.c

index 0ddade871b52..b9b9dde9807a 100644

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -82,6 +82,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
scoped_guard(write_lock_irqsave, &card->controls_rwlock)
list_add_tail(&ctl->list, &card->ctl_files);
snd_card_unref(card);
+ printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__);
return 0;

__error:
@@ -91,6 +92,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file)
__error1:
if (card)
snd_card_unref(card);
+ printk("err: %d, card: %p, %s\n", err, card, __func__);
return err;
}

@@ -113,6 +115,9 @@ static int snd_ctl_release(struct inode *inode, struct file *file)
struct snd_kcontrol *control;
unsigned int idx;

+ if (!file->private_data)
+ return 0;
+
ctl = file->private_data;
file->private_data = NULL;
card = ctl->card;

@@ -133,6 +138,7 @@ static int snd_ctl_release(struct inode *inode, struct file *file)

kfree(ctl);
module_put(card->module);
snd_card_file_remove(card, file);
+ printk("card: %p, %s\n", card, __func__);

return 0;
}

@@ -2316,6 +2322,7 @@ static int snd_ctl_dev_disconnect(struct snd_device *device)

}
}

+ printk("card: %p, %s\n", card, __func__);
call_snd_ctl_lops(card, ldisconnect);
return snd_unregister_device(card->ctl_dev);
}

@@ -2339,6 +2346,7 @@ static int snd_ctl_dev_free(struct snd_device *device)

xa_destroy(&card->ctl_hash);
#endif
}
+ printk("card: %p, %s\n", card, __func__);
put_device(card->ctl_dev);
return 0;
}
diff --git a/sound/core/init.c b/sound/core/init.c

index 114fb87de990..70145add5ace 100644
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -544,6 +544,8 @@ void snd_card_disconnect(struct snd_card *card)

if (card->registered) {
device_del(&card->card_dev);
+ printk("card: %p, dev: %p, kref: %d, %s\n", card, &card->card_dev,
+ kref_read(&card->card_dev.kobj.kref), __func__);
card->registered = false;
}

@@ -580,6 +582,7 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync);

@@ -615,6 +618,7 @@ void snd_card_free_when_closed(struct snd_card *card)

return;

snd_card_disconnect(card);
+ printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__);
put_device(&card->card_dev);
return;
}

@@ -643,6 +647,7 @@ void snd_card_free(struct snd_card *card)

@@ -1074,6 +1079,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file)

syzbot

unread,

Nov 5, 2024, 4:06:08 PM11/5/24

to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:

INFO: task hung in snd_usx2y_probe

INFO: task kworker/0:0:8 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:0 state:D stack:25104 pid:8 tgid:8 ppid:2 flags:0x00004000

</TASK>
INFO: task kworker/0:3:5904 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:3 state:D stack:26080 pid:5904 tgid:5904 ppid:2 flags:0x00004000

snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412

hub_port_connect drivers/usb/core/hub.c:5361 [inline]

hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]

hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903

</TASK>
INFO: task kworker/0:4:5912 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:4 state:D stack:25984 pid:5912 tgid:5912 ppid:2 flags:0x00004000

</TASK>
INFO: task kworker/0:5:5913 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:5 state:D stack:26368 pid:5913 tgid:5913 ppid:2 flags:0x00004000

</TASK>
INFO: task udevd:6245 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27232 pid:6245 tgid:6245 ppid:5201 flags:0x00000002

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a5ff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 0000556737713800 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000000008

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe9a6a64d8 R15: 000000000000000a
</TASK>
INFO: task udevd:6273 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27152 pid:6273 tgid:6273 ppid:5201 flags:0x00000002

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a4e28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 000055673771cde0 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000040000

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe9a6a5308 R15: 000000000000000a
</TASK>
INFO: task udevd:6279 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27136 pid:6279 tgid:6279 ppid:5201 flags:0x00000002

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a5ff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 000055673771d530 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000000008

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe9a6a64d8 R15: 000000000000000a
</TASK>
INFO: task udevd:6385 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:udevd state:D stack:27280 pid:6385 tgid:6385 ppid:5201 flags:0x00004002

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a5ff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 000055673771dd90 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000000008

R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000003fff R14: 00007ffe9a6a64d8 R15: 000000000000000a
</TASK>
INFO: task kworker/0:6:6485 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:kworker/0:6 state:D stack:24560 pid:6485 tgid:6485 ppid:2 flags:0x00004000

Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116

snd_card_free+0x1cc/0x250 sound/core/init.c:658

hub_port_connect drivers/usb/core/hub.c:5361 [inline]

hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]

hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903

</TASK>
INFO: task syz.1.16:6491 blocked for more than 147 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.1.16 state:D stack:26096 pid:6491 tgid:6490 ppid:6337 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fa9e657e719
RSP: 002b:00007fa9e57fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa9e6735f80 RCX: 00007fa9e657e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007fa9e65f132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007fa9e6735f80 R15: 00007ffc228d1e28

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task syz.4.19:6495 blocked for more than 147 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.4.19 state:D stack:27680 pid:6495 tgid:6494 ppid:6349 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7f7c92d7e719
RSP: 002b:00007f7c93bd0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7c92f35f80 RCX: 00007f7c92d7e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007f7c92df132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007f7c92f35f80 R15: 00007ffef375c0d8

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task syz.3.18:6507 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.3.18 state:D stack:27632 pid:6507 tgid:6505 ppid:6339 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fe68a37e719
RSP: 002b:00007fe68b094038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe68a535f80 RCX: 00007fe68a37e719

RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003

RBP: 00007fe68a3f132e R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

R13: 0000000000000000 R14: 00007fe68a535f80 R15: 00007ffc418b42b8

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task syz.0.15:6517 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.0.15 state:D stack:28384 pid:6517 tgid:6516 ppid:6332 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fe1beb7d0b0
RSP: 002b:00007fe1bfa37b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fe1beb7d0b0
RDX: 0000000000000d81 RSI: 00007fe1bfa37c10 RDI: 00000000ffffff9c
RBP: 00007fe1bfa37c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007fe1bed35f80 R15: 00007ffdbac6c328

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

INFO: task syz.2.17:6538 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

task:syz.2.17 state:D stack:27216 pid:6538 tgid:6537 ppid:6338 flags:0x00000004

Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441

do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

RIP: 0033:0x7fb4f517d0b0
RSP: 002b:00007fb4f5f78b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fb4f517d0b0
RDX: 0000000000000d81 RSI: 00007fb4f5f78c10 RDI: 00000000ffffff9c
RBP: 00007fb4f5f78c10 R08: 0000000000000000 R09: 0000000000000000

R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000

R13: 0000000000000001 R14: 00007fb4f5335f80 R15: 00007fff57a0f898

</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

Showing all locks held in the system:

6 locks held by kworker/0:0/8:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900000d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88802957c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88802957c190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88802569a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802569a160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/u8:1/12:

6 locks held by kworker/1:1/51:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000bc7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880296a6190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8880296a6190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888021757160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888021757160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
4 locks held by kworker/u9:0/54:
#0: ffff888049a9d948 ((wq_completion)hci42#2){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000bf7d80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888040814078 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x99/0x980 net/bluetooth/hci_event.c:3687
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x486/0x980 net/bluetooth/hci_event.c:3721
2 locks held by kworker/u8:5/742:
6 locks held by kworker/1:2/968:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003927d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880296a4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8880296a4190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888024128160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888024128160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
3 locks held by kworker/u8:7/3645:
#0: ffff888031af1948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000be0fd80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14d0 net/ipv6/addrconf.c:4196
5 locks held by kworker/u9:1/5139:
#0: ffff888035753148 ((wq_completion)hci14){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900100e7d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888020b6cd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888020b6c078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
2 locks held by getty/5578:
#0: ffff88814dff20a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243

#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211

6 locks held by kworker/0:3/5904:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90005f2fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029684190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029684190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88803268b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88803268b190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88807c450160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807c450160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88807c450160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
6 locks held by kworker/0:4/5912:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000433fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029604190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029604190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88807c74a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807c74a160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:5/5913:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004ab7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881447c9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881447c9190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88806670d160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88806670d160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
4 locks held by udevd/6245:
#0: ffff8880524a5790 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880565a3888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880349a6d28 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6273:
#0: ffff88802b07ce80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88801c7d6088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88802035bf08 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6279:
#0: ffff888069665b08 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880347dd088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880656a9968 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
5 locks held by kworker/u9:4/6345:
#0: ffff8880532e2948 ((wq_completion)hci11){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000485fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888028adcd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888028adc078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
5 locks held by kworker/u9:5/6347:
#0: ffff888028dbf148 ((wq_completion)hci13){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900047efd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888074b58d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888074b58078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
4 locks held by kworker/u9:6/6348:
#0: ffff8880451d2148 ((wq_completion)hci44#2){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900042cfd80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880427e8078 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x99/0x980 net/bluetooth/hci_event.c:3687
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x486/0x980 net/bluetooth/hci_event.c:3721
4 locks held by kworker/u9:8/6352:
#0: ffff888028db8948 ((wq_completion)hci12){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000468fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88802a500d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88802a500078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
4 locks held by udevd/6385:
#0: ffff88803051f9e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888021b0c488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88805552e698 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/1:6/6422:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000432fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881447fc190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881447fc190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888067045160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888067045160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:6/6485:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003cc7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802acbd160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802acbd160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802acbd160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
1 lock held by syz.1.16/6491:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.4.19/6495:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
6 locks held by kworker/1:7/6501:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003917d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144b16190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144b16190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888066754160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888066754160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.3.18/6507:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.0.15/6517:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by kworker/0:8/6526:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003e67d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029786190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029786190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff8880795de160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff8880795de160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.2.17/6538:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6578:
#0: ffff88802849c1c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807a6bfc88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880773011e8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6579:
#0: ffff888027cb90a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880517df488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888067b923c8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.6.21/6927:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.20/6929:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.22/6934:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.23/6937:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6939:
#0: ffff8880294e78b8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888031869088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880785faa58 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6940:
#0: ffff8880294e7668 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807d1b7488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88802afad878 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.9.24/6942:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6945:
#0: ffff88807d179790 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880346d6c88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88801c3c9e18 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.1.25/6999:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.26/7020:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.27/7027:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.28/7030:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051

1 lock held by syz.3.29/7033:

#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.30/7091:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.31/7104:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.33/7137:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.32/7141:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.34/7142:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.35/7159:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.36/7212:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.37/7219:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.38/7227:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.39/7230:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.40/7252:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.41/7301:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.42/7328:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.43/7337:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.44/7340:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.45/7356:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.46/7385:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.47/7423:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.48/7430:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.49/7433:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.50/7455:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.51/7477:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
5 locks held by kworker/u9:9/7479:
#0: ffff888052482148 ((wq_completion)hci10){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000bd3fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888061fd8d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888061fd8078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
1 lock held by syz.9.52/7523:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.54/7544:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.53/7548:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.55/7560:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by syz-executor/7563:
#0: ffff88807ad2c420 (sb_writers#11){.+.+}-{0:0}, at: ksys_write+0x12f/0x260 fs/read_write.c:736
#1: ffff8880461aa088 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27b/0x500 fs/kernfs/file.c:325

#2: ffffffff8e20f448 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock include/linux/cgroup.h:368 [inline]
#2: ffffffff8e20f448 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_kn_lock_live+0x139/0x570 kernel/cgroup/cgroup.c:1662
#3: ffffffff8e05b950 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2435 [inline]
#3: ffffffff8e05b950 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_procs_write_start+0x18f/0x660 kernel/cgroup/cgroup.c:2939
#4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2437 [inline]
#4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2433 [inline]

#4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_procs_write_start+0x19b/0x660 kernel/cgroup/cgroup.c:2939
#5: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
2 locks held by syz-executor/7582:
#0: ffffffff8fee3ae8 (

rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]

rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672

#1: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329

1 lock held by syz-executor/7590:
#0: ffffffff8fee3ae8 (rtnl_mutex

){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]

){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672

1 lock held by syz-executor/7592:
#0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672
1 lock held by syz-executor/7595:
#0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
#0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672

=============================================

NMI backtrace for cpu 0

CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120

nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379

kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1

CPU: 1 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024

Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:unwind_next_frame+0x4d0/0x20c0 arch/x86/kernel/unwind_orc.c:505
Code: e8 55 f1 ff ff 48 85 c0 48 89 c1 0f 84 13 fe ff ff 4c 8d 79 05 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 0f b6 04 02 <4c> 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 d8 13 00 00 0f b6 41 05
RSP: 0018:ffffc90000106dc0 EFLAGS: 00000a06
RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff91996f1c
RDX: 1ffffffff2332de4 RSI: 0000000000000000 RDI: ffffffff90dfb898
RBP: ffffc90000106e78 R08: ffffffff91996f52 R09: ffffffff9197603a
R10: ffffc90000106e30 R11: 0000000000098df2 R12: ffffc90000106e80
R13: ffffc90000106e30 R14: ffffc90000106e65 R15: ffffffff91996f21

FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033

CR2: 00007f272f508000 CR3: 000000000df7c000 CR4: 00000000003526f0

DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>

arch_stack_walk+0x95/0x100 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47

__kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541
kvfree_call_rcu+0x74/0xbe0 kernel/rcu/tree.c:3810
cfg80211_update_known_bss+0x3c0/0x11e0 net/wireless/scan.c:1891
__cfg80211_bss_update+0x1aa/0x2440 net/wireless/scan.c:1938
cfg80211_inform_single_bss_data+0x7af/0x1de0 net/wireless/scan.c:2329
cfg80211_inform_bss_data+0x205/0x3ba0 net/wireless/scan.c:3188
cfg80211_inform_bss_frame_data+0x271/0x7a0 net/wireless/scan.c:3283
ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226
ieee80211_rx_bss_info net/mac80211/ibss.c:1100 [inline]
ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline]
ieee80211_ibss_rx_queued_mgmt+0x1898/0x2f40 net/mac80211/ibss.c:1606
ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline]
ieee80211_iface_work+0xc0b/0xf00 net/mac80211/iface.c:1657
cfg80211_wiphy_work+0x3d9/0x550 net/wireless/core.c:440

</TASK>

Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=17d58f40580000

patch: https://syzkaller.appspot.com/x/patch.diff?x=149a0f40580000

Edward Adam Davis

unread,

Nov 5, 2024, 8:37:34 PM11/5/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

1. snd ctrl will add card_dev ref count and can't call close to dec it,
it is waiting for 2 to release usb dev lock.

2. usb dev lock has been locked by hung task (here is usb_disconnect), it waiting 1
to exit and release card_dev.

#syz test

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3beb6a862e80..dd037dc4cb37 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -2605,7 +2605,8 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
if (!(file->f_mode & FMODE_WRITE))
return -EPERM;

- usb_lock_device(dev);
+ if (!usb_trylock_device(dev))
+ return -EBUSY;

/* Reap operations are allowed even after disconnection */
switch (cmd) {

syzbot

unread,

Nov 5, 2024, 9:02:06 PM11/5/24

to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+73582d...@syzkaller.appspotmail.com
Tested-by: syzbot+73582d...@syzkaller.appspotmail.com

Tested on:

commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream

console output: https://syzkaller.appspot.com/x/log.txt?x=11519d5f980000

patch: https://syzkaller.appspot.com/x/patch.diff?x=10d24f40580000

Note: testing is done by a robot and is best-effort only.

Edward Adam Davis

unread,

Nov 5, 2024, 9:16:15 PM11/5/24

to syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com

task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
it is blocked waiting for task 2 to release the USB dev lock.

task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
it is hung waiting for task 1 to exit and release card_dev.

Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
hang when the USB connection is closed.

Reported-and-tested-by: syzbot+73582d...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
drivers/usb/core/devio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 3beb6a862e80..dd037dc4cb37 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -2605,7 +2605,8 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd,
if (!(file->f_mode & FMODE_WRITE))
return -EPERM;

- usb_lock_device(dev);
+ if (!usb_trylock_device(dev))
+ return -EBUSY;

/* Reap operations are allowed even after disconnection */
switch (cmd) {

--
2.43.0

Takashi Iwai

unread,

Nov 12, 2024, 11:04:09 AM11/12/24

to Edward Adam Davis, syzbot+73582d...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzkall...@googlegroups.com, ti...@suse.com

On Wed, 06 Nov 2024 03:15:49 +0100,
Edward Adam Davis wrote:
>
> task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
> it is blocked waiting for task 2 to release the USB dev lock.
>
> task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
> it is hung waiting for task 1 to exit and release card_dev.
>
> Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
> hang when the USB connection is closed.

I'm afraid that this change would break things too badly.
i.e. changing the blocking behavior to non-blocking is no-go.

> Reported-and-tested-by: syzbot+73582d...@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd

This particular syzkaller entry can be fixed rather by replacing
snd_card_free() in snd_usx2y_disconnect() with
snd_card_free_when_closed() like other USB audio drivers, something
like below.

Judging from the git log, it had been with snd_card_free_in_thread(),
but was switch to snd_card_free() around year 2005. Meanwhile the
handling of async card release got improved, and it's very likely OK
to use snd_card_free_when_closed() there with the recent kernel.

thanks,

Takashi

-- 8< --
--- a/sound/usb/usx2y/usbusx2y.c
+++ b/sound/usb/usx2y/usbusx2y.c
@@ -422,7 +422,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf)

}
if (usx2y->us428ctls_sharedmem)
wake_up(&usx2y->us428ctls_wait_queue_head);

- snd_card_free(card);
+ snd_card_free_when_closed(card);

Edward Adam Davis

unread,

Nov 12, 2024, 8:48:59 PM11/12/24

to ti...@suse.de, ead...@qq.com, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzbot+73582d...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, ti...@suse.com

On Tue, 12 Nov 2024 17:04:04 +0100, Takashi Iwai wrote:
> On Wed, 06 Nov 2024 03:15:49 +0100,
> Edward Adam Davis wrote:
> >
> > task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
> > it is blocked waiting for task 2 to release the USB dev lock.
> >
> > task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
> > it is hung waiting for task 1 to exit and release card_dev.
> >
> > Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
> > hang when the USB connection is closed.
>
> I'm afraid that this change would break things too badly.
> i.e. changing the blocking behavior to non-blocking is no-go.
>
> > Reported-and-tested-by: syzbot+73582d...@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
>
> This particular syzkaller entry can be fixed rather by replacing
> snd_card_free() in snd_usx2y_disconnect() with
> snd_card_free_when_closed() like other USB audio drivers, something
> like below.
>
> Judging from the git log, it had been with snd_card_free_in_thread(),
> but was switch to snd_card_free() around year 2005. Meanwhile the
> handling of async card release got improved, and it's very likely OK
> to use snd_card_free_when_closed() there with the recent kernel.

The snd_card instance will be released in snd_card_do_free().
So, if snd_card_free_when_closed() is used to replace snd_card_free(), who will release the snd_card instance?

BR,
Edward

Takashi Iwai

unread,

Nov 13, 2024, 1:48:08 AM11/13/24

to Edward Adam Davis, ti...@suse.de, linux-...@vger.kernel.org, linux...@vger.kernel.org, pe...@perex.cz, syzbot+73582d...@syzkaller.appspotmail.com, syzkall...@googlegroups.com, ti...@suse.com

On Wed, 13 Nov 2024 02:48:49 +0100,

Edward Adam Davis wrote:
>
> On Tue, 12 Nov 2024 17:04:04 +0100, Takashi Iwai wrote:
> > On Wed, 06 Nov 2024 03:15:49 +0100,
> > Edward Adam Davis wrote:
> > >
> > > task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
> > > it is blocked waiting for task 2 to release the USB dev lock.
> > >
> > > task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
> > > it is hung waiting for task 1 to exit and release card_dev.
> > >
> > > Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
> > > hang when the USB connection is closed.
> >
> > I'm afraid that this change would break things too badly.
> > i.e. changing the blocking behavior to non-blocking is no-go.
> >
> > > Reported-and-tested-by: syzbot+73582d...@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
> >
> > This particular syzkaller entry can be fixed rather by replacing
> > snd_card_free() in snd_usx2y_disconnect() with
> > snd_card_free_when_closed() like other USB audio drivers, something
> > like below.
> >
> > Judging from the git log, it had been with snd_card_free_in_thread(),
> > but was switch to snd_card_free() around year 2005. Meanwhile the
> > handling of async card release got improved, and it's very likely OK
> > to use snd_card_free_when_closed() there with the recent kernel.
> The snd_card instance will be released in snd_card_do_free().
> So, if snd_card_free_when_closed() is used to replace snd_card_free(), who will release the snd_card instance?

Via the release callback of the card device object, which is triggered
at the last close by refcounting.

Takashi

Reply all

Reply to author

Forward

0 new messages