Re: [syzbot] [usb?] [libertas?] INFO: task hung in lbs_remove_card

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+c99d17aa44dbdba16ad2@syzkaller.appspotmail.com>
To: jakovnovak30@gmail.com, linux-kernel@vger.kernel.org,
	 syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] [libertas?] INFO: task hung in lbs_remove_card
Date: Wed, 08 Apr 2026 05:13:02 -0700	[thread overview]
Message-ID: <69d6464e.a00a0220.468cb.0010.GAE@google.com> (raw)
In-Reply-To: <20260408114557.287659-2-jakovnovak30@gmail.com>

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in lbs_remove_card

INFO: task kworker/0:1:10 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1     state:D stack:27608 pid:10    tgid:10    ppid:2      task_flags:0x4288060 flags:0x00080000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0xeb1/0x4220 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7008
 lbs_wait_for_firmware_load+0x11e/0x1e0 drivers/net/wireless/marvell/libertas/firmware.c:116
 lbs_remove_card+0xb5/0x3d0 drivers/net/wireless/marvell/libertas/main.c:914
 if_usb_disconnect+0xaf/0x2e0 drivers/net/wireless/marvell/libertas/if_usb.c:316
 usb_unbind_interface+0x1dd/0x9e0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:633 [inline]
 device_remove+0x12a/0x180 drivers/base/dd.c:625
 __device_release_driver drivers/base/dd.c:1344 [inline]
 device_release_driver_internal+0x44e/0x620 drivers/base/dd.c:1367
 bus_remove_device+0x2bc/0x560 drivers/base/bus.c:657
 device_del+0x376/0x9b0 drivers/base/core.c:3880
 usb_disable_device+0x367/0x810 drivers/usb/core/message.c:1478
 usb_disconnect+0x2e2/0x9a0 drivers/usb/core/hub.c:2345
 hub_port_connect drivers/usb/core/hub.c:5407 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x1d0c/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0xa23/0x19a0 kernel/workqueue.c:3276
 process_scheduled_works kernel/workqueue.c:3359 [inline]
 worker_thread+0x5ef/0xe50 kernel/workqueue.c:3440
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Showing all locks held in the system:
5 locks held by kworker/0:1/10:
 #0: ffff888103ae8148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x1310/0x19a0 kernel/workqueue.c:3251
 #1: ffffc900000afd18 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x988/0x19a0 kernel/workqueue.c:3252
 #2: ffff88810b7d31e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #2: ffff88810b7d31e0 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
 #3: ffff88810429b1e0 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #3: ffff88810429b1e0 (&dev->mutex){....}-{4:4}, at: usb_disconnect+0x10a/0x9a0 drivers/usb/core/hub.c:2336
 #4: ffff88810429a1a8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:949 [inline]
 #4: ffff88810429a1a8 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1166 [inline]
 #4: ffff88810429a1a8 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xb2/0x620 drivers/base/dd.c:1364
2 locks held by kworker/1:0/23:
 #0: ffff88810006b148 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1310/0x19a0 kernel/workqueue.c:3251
 #1: ffffc9000018fd18 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x988/0x19a0 kernel/workqueue.c:3252
1 lock held by khungtaskd/30:
 #0: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #0: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #0: ffffffff896de760 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
2 locks held by getty/2917:
 #0: ffff888115e3a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
 #1: ffffc900000432f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x141/0x190 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xd25/0x1050 kernel/hung_task.c:515
 kthread+0x370/0x450 kernel/kthread.c:436
 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: ee b0 01 e9 53 e8 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 b7 1c 00 fb f4 <c3> cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffffff89407e10 EFLAGS: 00000242
RAX: 00000000000fd60d RBX: ffffffff8942ea40 RCX: ffffffff8769c8d5
RDX: 0000000000000000 RSI: ffffffff890241d2 RDI: ffffffff87afcca0
RBP: 0000000000000000 R08: 0000000000000001 R09: ffffed103eac672d
R10: ffff8881f563396b R11: 0000000000000000 R12: 0000000000000000
R13: fffffbfff1285d48 R14: 0000000000000000 R15: ffffffff8af019d0
FS:  0000000000000000(0000) GS:ffff8882686ca000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdba9235900 CR3: 0000000105f12000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 arch_safe_halt arch/x86/include/asm/paravirt.h:73 [inline]
 default_idle+0x9/0x10 arch/x86/kernel/process.c:767
 default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
 cpuidle_idle_call kernel/sched/idle.c:199 [inline]
 do_idle+0x464/0x590 kernel/sched/idle.c:352
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:451
 rest_init+0x251/0x260 init/main.c:760
 start_kernel+0x47a/0x480 init/main.c:1210
 x86_64_start_reservations+0x24/0x30 arch/x86/kernel/head64.c:310
 x86_64_start_kernel+0x12b/0x130 arch/x86/kernel/head64.c:291
 common_startup_64+0x13e/0x148
 </TASK>


Tested on:

commit:         8f993d30 usb: gadget: f_ncm: validate minimum block_le..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=113b23ca580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=dd0e4d4150f9f1da
dashboard link: https://syzkaller.appspot.com/bug?extid=c99d17aa44dbdba16ad2
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
patch:          https://syzkaller.appspot.com/x/patch.diff?x=16126df6580000

next      parent reply	other threads:[~2026-04-08 12:13 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20260408114557.287659-2-jakovnovak30@gmail.com>
2026-04-08 12:13 ` syzbot [this message]
     [not found] <20260408121058.324962-2-jakovnovak30@gmail.com>
2026-04-08 12:18 ` [syzbot] [usb?] [libertas?] INFO: task hung in lbs_remove_card syzbot
     [not found] <20260408121957.340471-2-jakovnovak30@gmail.com>
2026-04-08 12:24 ` syzbot
     [not found] <20260408131009.443003-2-jakovnovak30@gmail.com>
2026-04-08 15:40 ` syzbot
     [not found] <20260410153826.604733-2-jakovnovak30@gmail.com>
2026-04-10 16:12 ` syzbot
     [not found] <20260410205603.1129329-2-jakovnovak30@gmail.com>
2026-04-10 21:15 ` syzbot
     [not found] <20260504144858.17611-2-jakovnovak30@gmail.com>
2026-05-04 22:40 ` syzbot
     [not found] <20260504145714.27426-2-jakovnovak30@gmail.com>
2026-05-04 23:00 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=69d6464e.a00a0220.468cb.0010.GAE@google.com \
    --to=syzbot+c99d17aa44dbdba16ad2@syzkaller.appspotmail.com \
    --cc=jakovnovak30@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.