[syzbot] [usb?] INFO: rcu detected stall in raw_ioctl

[syzbot <syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com>]

Hello,

syzbot found the following issue on:

HEAD commit:    9b6db9a3a675 Merge tag 'thunderbolt-for-v6.7-rc1' of git:/..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=13cae767680000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a6685a8ab59f5838
dashboard link: https://syzkaller.appspot.com/bug?extid=5f996b83575ef4058638
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a7b1b6a564cc/disk-9b6db9a3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a091a2f990e1/vmlinux-9b6db9a3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/5d14ab1c75e4/bzImage-9b6db9a3.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+5f996b83575ef4058638@syzkaller.appspotmail.com

rcu: INFO: rcu_preempt detected expedited stalls on CPUs/tasks: {
 1-....
 } 2684 jiffies s: 17493 root: 0x2/.
rcu: blocking rcu_node structures (internal RCU debug):
Sending NMI from CPU 0 to CPUs 1:
lowmem_reserve[]: 0 0 3924 3924
NMI backtrace for cpu 1
CPU: 1 PID: 22191 Comm: syz-executor.1 Not tainted 6.6.0-rc6-syzkaller-00158-g9b6db9a3a675 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023
RIP: 0010:io_serial_out+0x8f/0xb0 drivers/tty/serial/8250/8250_port.c:424
Code: 48 8d 7d 40 44 89 e1 48 b8 00 00 00 00 00 fc ff df 48 89 fa d3 e3 48 c1 ea 03 80 3c 02 00 75 18 66 03 5d 40 44 89 e8 89 da ee <5b> 5d 41 5c 41 5d c3 e8 e5 49 16 ff eb a4 e8 3e 4a 16 ff eb e1 66
RSP: 0018:ffffc90000198388 EFLAGS: 00000006
RAX: 0000000000000000 RBX: 00000000000003f9 RCX: 0000000000000000
RDX: 00000000000003f9 RSI: ffffffff8283a005 RDI: ffffffff8c156d20
RBP: ffffffff8c156ce0 R08: 0000000000000001 R09: 000000000000001f
R10: 0000000000000000 R11: 205d314320202020 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff8c156d30 R15: 00000000000000c6
FS:  00007f0ea81f96c0(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f0ea8217ff0 CR3: 000000011831a000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 serial_out drivers/tty/serial/8250/8250.h:122 [inline]
 serial8250_clear_IER+0x98/0xb0 drivers/tty/serial/8250/8250_port.c:717
 serial8250_console_write+0x1e9/0x1060 drivers/tty/serial/8250/8250_port.c:3417
 console_emit_next_record kernel/printk/printk.c:2910 [inline]
 console_flush_all+0x4eb/0xfb0 kernel/printk/printk.c:2966
 console_unlock+0x10c/0x260 kernel/printk/printk.c:3035
 vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2307
 vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
 _printk+0xc8/0x100 kernel/printk/printk.c:2332
 show_free_areas+0x1257/0x2140 mm/show_mem.c:353
 __show_mem+0x34/0x140 mm/show_mem.c:409
 k_spec drivers/tty/vt/keyboard.c:667 [inline]
 k_spec+0xea/0x140 drivers/tty/vt/keyboard.c:656
 kbd_keycode drivers/tty/vt/keyboard.c:1524 [inline]
 kbd_event+0xcc8/0x17c0 drivers/tty/vt/keyboard.c:1543
 input_to_handler+0x382/0x4c0 drivers/input/input.c:132
 input_pass_values.part.0+0x52f/0x7a0 drivers/input/input.c:161
 input_pass_values drivers/input/input.c:148 [inline]
 input_event_dispose+0x5ee/0x770 drivers/input/input.c:378
 input_handle_event+0x11c/0xd80 drivers/input/input.c:406
 input_repeat_key+0x251/0x340 drivers/input/input.c:2263
 call_timer_fn+0x19e/0x580 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x764/0xb10 kernel/time/timer.c:2022
 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
 __do_softirq+0x20b/0x94e kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xa7/0x110 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x8e/0xb0 arch/x86/kernel/apic/apic.c:1074
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:console_flush_all+0x9e0/0xfb0 kernel/printk/printk.c:2972
Code: 66 19 23 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 b4 68 1c 00 48 85 db 0f 85 97 03 00 00 e8 16 6d 1c 00 fb 48 8b 44 24 08 <48> 8b 14 24 0f b6 00 83 e2 07 38 d0 7f 08 84 c0 0f 85 08 05 00 00
RSP: 0018:ffffc9000d37faf0 EFLAGS: 00000293
RAX: fffff52001a6ff89 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888120331d00 RSI: ffffffff8131088a RDI: 0000000000000007
RBP: dffffc0000000000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 205d314320202020 R12: ffffffff88351760
R13: 0000000000000001 R14: ffffffff883517b8 R15: 0000000000000001
 console_unlock+0x10c/0x260 kernel/printk/printk.c:3035
 vprintk_emit+0x17f/0x5f0 kernel/printk/printk.c:2307
 vprintk+0x7b/0x90 kernel/printk/printk_safe.c:45
 _printk+0xc8/0x100 kernel/printk/printk.c:2332
 usb_gadget_register_driver_owner+0x1c2/0x2d0 drivers/usb/gadget/udc/core.c:1695
 raw_ioctl_run drivers/usb/gadget/legacy/raw_gadget.c:559 [inline]
 raw_ioctl+0x172f/0x2b80 drivers/usb/gadget/legacy/raw_gadget.c:1266
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:871 [inline]
 __se_sys_ioctl fs/ioctl.c:857 [inline]
 __x64_sys_ioctl+0x18f/0x210 fs/ioctl.c:857
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f0ea8eb884b
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00
RSP: 002b:00007f0ea81f6fa0 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f0ea8eb884b
RDX: 0000000000000000 RSI: 0000000000005501 RDI: 0000000000000004
RBP: 00007f0ea81f8070 R08: 0000000000000010 R09: 00312e6364755f79
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f0ea81f7040 R14: 0000000020000080 R15: 00007f0ea90fcb88
 </TASK>
Node 0 Normal free:2722092kB boost:0kB min:6108kB low:10124kB high:14140kB reserved_highatomic:0KB active_anon:56432kB inactive_anon:206832kB active_file:21556kB inactive_file:162020kB unevictable:0kB writepending:48kB present:5242880kB managed:4018384kB mlocked:0kB bounce:0kB free_pcp:6736kB local_pcp:2472kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 0*4kB 0*8kB 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15360kB
Node 0 DMA32: 3*4kB (M) 1*8kB (M) 2*16kB (M) 3*32kB (M) 3*64kB (M) 3*128kB (M) 2*256kB (M) 2*512kB (M) 2*1024kB (M) 1*2048kB (M) 702*4096kB (M) = 2881748kB
Node 0 Normal: 833*4kB (ME) 497*8kB (UME) 242*16kB (ME) 124*32kB (UME) 42*64kB (UME) 9*128kB (ME) 1*256kB (E) 1*512kB (M) 3*1024kB (UME) 2*2048kB (UM) 658*4096kB (M) = 2722092kB
Node 0 hugepages_total=4 hugepages_free=4 hugepages_surp=0 hugepages_size=2048kB
101532 total pagecache pages
0 pages in swap cache
Free swap  = 124996kB
Total swap = 124996kB
2097051 pages RAM
0 pages HighMem/MovableOnly
367316 pages reserved
iowarrior 2-1:0.0: iowarrior_callback - usb_submit_urb failed with result -19
Mem-Info:
active_anon:14108 inactive_anon:51414 isolated_anon:0
 active_file:5389 inactive_file:40505 isolated_file:0
 unevictable:0 dirty:0 writeback:0
 slab_reclaimable:5350 slab_unreclaimable:84376
 mapped:11391 shmem:55640 pagetables:388
 sec_pagetables:0 bounce:0
 kernel_misc_reclaimable:0
 free:1412738 free_pcp:1798 free_cma:0
Node 0 active_anon:56432kB inactive_anon:205656kB active_file:21556kB inactive_file:162020kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:45564kB dirty:0kB writeback:0kB shmem:222560kB writeback_tmp:0kB kernel_stack:4020kB pagetables:1552kB sec_pagetables:0kB all_unreclaimable? no
Node 0 DMA free:15360kB boost:0kB min:20kB low:32kB high:44kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 2814 6738 6738
Node 0 DMA32 free:2881748kB boost:0kB min:4380kB low:7260kB high:10140kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2885196kB mlocked:0kB bounce:0kB free_pcp:3448kB local_pcp:3384kB free_cma:0kB
lowmem_reserve[]: 0 0 3924 3924
Node 0 Normal free:2753844kB boost:0kB min:6108kB low:10124kB high:14140kB reserved_highatomic:0KB active_anon:56432kB inactive_anon:205576kB active_file:21556kB inactive_file:162020kB unevictable:0kB writepending:0kB present:5242880kB managed:4018384kB mlocked:0kB bounce:0kB free_pcp:5844kB local_pcp:1464kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 0*4kB 0*8kB 0*16kB 0*32kB 0*64kB 0*128kB 0*256kB 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15360kB
Node 0 DMA32: 3*4kB (M) 1*8kB (M) 2*16kB (M) 3*32kB (M) 3*64kB (M) 3*128kB (M) 2*256kB (M) 2*512kB (M) 2*1024kB (M) 1*2048kB (M) 702*4096kB (M) = 2881748kB
Node 0 Normal: 1173*4kB (UME) 658*8kB (UME) 453*16kB (UME) 398*32kB (UME) 131*64kB (UME) 61*128kB (UME) 11*256kB (UME) 5*512kB (UME) 3*1024kB (UME) 2*2048kB (UM) 658*4096kB (M) = 2753844kB
Node 0 hugepages_total=4 hugepages_free=4 hugepages_surp=0 hugepages_size=2048kB
101535 total pagecache pages
0 pages in swap cache
Free swap  = 124996kB
Total swap = 124996kB
2097051 pages RAM
0 pages HighMem/MovableOnly
367316 pages reserved
iowarrior 2-1:0.0: iowarrior_callback - usb_submit_urb failed with result -19


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the bug is already fixed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite bug's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the bug is a duplicate of another bug, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup