From: syzbot <syzbot+74afbb6355826ffc2239@syzkaller.appspotmail.com>
To: libertas-dev@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-usb@vger.kernel.org, linux-wireless@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [usb?] BUG: sleeping function called from invalid context in usb_tx_block
Date: Tue, 24 Feb 2026 10:56:23 -0800 [thread overview]
Message-ID: <699df457.050a0220.131eeb.0009.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: 8bf22c33e7a1 Merge tag 'net-7.0-rc1' of git://git.kernel.o..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=127b9722580000
kernel config: https://syzkaller.appspot.com/x/.config?x=1ff39736314a9939
dashboard link: https://syzkaller.appspot.com/bug?extid=74afbb6355826ffc2239
compiler: gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1561fffa580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1031795a580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0e19c10e1a0e/disk-8bf22c33.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8f3209ea7fd5/vmlinux-8bf22c33.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9be7f93d0a22/bzImage-8bf22c33.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+74afbb6355826ffc2239@syzkaller.appspotmail.com
usb8xxx: URB in failure status: -2
BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:706
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
no locks held by swapper/1/0.
irq event stamp: 328389
hardirqs last enabled at (328388): [<ffffffff876b10b2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (328388): [<ffffffff876b10b2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (328389): [<ffffffff876b0dc2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (328389): [<ffffffff876b0dc2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (328372): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (328372): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (328372): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (328385): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (328385): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (328385): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
__might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8884
usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:706
usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
__usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
invoke_softirq kernel/softirq.c:496 [inline]
__irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: be b1 01 e9 13 e8 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 f1 1d 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffc9000013fe00 EFLAGS: 00000242
RAX: 00000000000502bf RBX: ffff8881022a1d00 RCX: ffffffff876888d5
RDX: 0000000000000000 RSI: ffffffff8901d71b RDI: ffffffff87afa420
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed103eae6725
R10: ffff8881f573392b R11: 0000000000000000 R12: ffffed10204543a0
R13: 0000000000000001 R14: ffffffff8aefe2d0 R15: 0000000000000000
arch_safe_halt arch/x86/include/asm/paravirt.h:73 [inline]
default_idle+0x9/0x10 arch/x86/kernel/process.c:767
default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:191 [inline]
do_idle+0x35b/0x4b0 kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
start_secondary+0x21d/0x2d0 arch/x86/kernel/smpboot.c:312
common_startup_64+0x13e/0x148
</TASK>
BUG: scheduling while atomic: swapper/1/0/0x00000102
no locks held by swapper/1/0.
Modules linked in:
irq event stamp: 328389
hardirqs last enabled at (328388): [<ffffffff876b10b2>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (328388): [<ffffffff876b10b2>] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (328389): [<ffffffff876b0dc2>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (328389): [<ffffffff876b0dc2>] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (328372): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (328372): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (328372): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (328385): [<ffffffff8176f0bd>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (328385): [<ffffffff8176f0bd>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (328385): [<ffffffff8176f0bd>] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
----------------
Code disassembly (best guess):
0: be b1 01 e9 13 mov $0x13e901b1,%esi
5: e8 02 00 0f 1f call 0x1f0f000c
a: 00 90 90 90 90 90 add %dl,-0x6f6f6f70(%rax)
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: 90 nop
18: 90 nop
19: 90 nop
1a: 90 nop
1b: f3 0f 1e fa endbr64
1f: 66 90 xchg %ax,%ax
21: 0f 00 2d d3 f1 1d 00 verw 0x1df1d3(%rip) # 0x1df1fb
28: fb sti
29: f4 hlt
* 2a: c3 ret <-- trapping instruction
2b: cc int3
2c: cc int3
2d: cc int3
2e: cc int3
2f: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
36: 00 00 00
39: 66 90 xchg %ax,%ax
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2026-02-24 18:56 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-24 18:56 syzbot [this message]
2026-02-25 4:58 ` [syzbot] [usb?] BUG: sleeping function called from invalid context in usb_tx_block Hillf Danton
2026-02-25 5:59 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=699df457.050a0220.131eeb.0009.GAE@google.com \
--to=syzbot+74afbb6355826ffc2239@syzkaller.appspotmail.com \
--cc=libertas-dev@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.