From: syzbot <syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com>
To: stern@rowland.harvard.edu
Cc: greearb@candelatech.com, hdanton@sina.com,
linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
michal.pecio@gmail.com, oneukum@suse.com,
stern@rowland.harvard.edu, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] INFO: task hung in usb_bulk_msg (2)
Date: Sun, 08 Feb 2026 12:10:51 -0800 [thread overview]
Message-ID: <6988edcb.050a0220.3b3015.005e.GAE@google.com> (raw)
In-Reply-To: <f986d2fd-e2a2-4233-a7bb-df962bcafcd5@rowland.harvard.edu>
> On Sun, Feb 08, 2026 at 07:50:03AM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> INFO: task hung in usb_bulk_msg
>>
>> INFO: task syz.3.17:4981 blocked for more than 143 seconds.
>> Not tainted syzkaller #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz.3.17 state:D stack:26904 pid:4981 tgid:4980 ppid:4531 task_flags:0x400040 flags:0x00080002
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5260 [inline]
>> __schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
>> __schedule_loop kernel/sched/core.c:6949 [inline]
>> schedule+0xdd/0x390 kernel/sched/core.c:6964
>> schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
>> do_wait_for_common kernel/sched/completion.c:100 [inline]
>> __wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
>> usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
>> usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
>> send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
>> usbtmc_read.cold+0x48d/0xfe7 drivers/usb/class/usbtmc.c:1408
>
> Unfortunately the log didn't contain any new useful information. Let's
> try looking farther back.
>
> Alan Stern
>
> #syz test: #https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
"#https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git" does not look like a valid git repo address.
>
> Index: usb-devel/drivers/usb/class/usbtmc.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/class/usbtmc.c
> +++ usb-devel/drivers/usb/class/usbtmc.c
> @@ -1362,7 +1362,6 @@ static int send_request_dev_dep_msg_in(s
> data->bTag++;
>
> kfree(buffer);
> - if (retval < 0)
> dev_err(&data->intf->dev, "%s returned %d\n",
> __func__, retval);
>
> @@ -1404,7 +1403,7 @@ static ssize_t usbtmc_read(struct file *
> if (count > INT_MAX)
> count = INT_MAX;
>
> - dev_dbg(dev, "%s(count:%zu)\n", __func__, count);
> + dev_info(dev, "%s(count:%zu)\n", __func__, count);
>
> retval = send_request_dev_dep_msg_in(file_data, count);
>
> @@ -1425,7 +1424,7 @@ static ssize_t usbtmc_read(struct file *
> buffer, bufsize, &actual,
> file_data->timeout);
>
> - dev_dbg(dev, "%s: bulk_msg retval(%u), actual(%d)\n",
> + dev_info(dev, "%s: bulk_msg retval(%u), actual(%d)\n",
> __func__, retval, actual);
>
> /* Store bTag (in case we need to abort) */
> @@ -1470,7 +1469,7 @@ static ssize_t usbtmc_read(struct file *
>
> file_data->bmTransferAttributes = buffer[8];
>
> - dev_dbg(dev, "Bulk-IN header: N_characters(%u), bTransAttr(%u)\n",
> + dev_info(dev, "Bulk-IN header: N_characters(%u), bTransAttr(%u)\n",
> n_characters, buffer[8]);
>
> if (n_characters > remaining) {
> Index: usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/gadget/udc/dummy_hcd.c
> +++ usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
> @@ -762,8 +762,13 @@ static int dummy_dequeue(struct usb_ep *
> ep = usb_ep_to_dummy_ep(_ep);
> dum = ep_to_dummy(ep);
>
> - if (!dum->driver)
> + if (!dum->driver) {
> + dev_info(udc_dev(dum), "Got dequeue, no driver\n");
> return -ESHUTDOWN;
> + }
> + dev_info(udc_dev(dum),
> + "dequeuing req %p from %s, len %d buf %p\n",
> + req, _ep->name, _req->length, _req->buf);
>
> spin_lock_irqsave(&dum->lock, flags);
> list_for_each_entry(iter, &ep->queue, queue) {
> @@ -777,12 +782,14 @@ static int dummy_dequeue(struct usb_ep *
> }
>
> if (retval == 0) {
> - dev_dbg(udc_dev(dum),
> + dev_info(udc_dev(dum),
> "dequeued req %p from %s, len %d buf %p\n",
> req, _ep->name, _req->length, _req->buf);
> spin_unlock(&dum->lock);
> usb_gadget_giveback_request(_ep, _req);
> spin_lock(&dum->lock);
> + } else {
> + dev_info(udc_dev(dum), "request not found\n");
> }
> spin_unlock_irqrestore(&dum->lock, flags);
> return retval;
> Index: usb-devel/drivers/usb/core/message.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/message.c
> +++ usb-devel/drivers/usb/core/message.c
> @@ -57,15 +57,21 @@ static int usb_start_wait_urb(struct urb
> urb->context = &ctx;
> urb->actual_length = 0;
> retval = usb_submit_urb(urb, GFP_NOIO);
> - if (unlikely(retval))
> + if (unlikely(retval)) {
> + dev_info(&urb->dev->dev, "Submission failed on ep%d\n",
> + usb_endpoint_num(&urb->ep->desc));
> goto out;
> + }
>
> expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
> if (!wait_for_completion_timeout(&ctx.done, expire)) {
> + dev_info(&urb->dev->dev, "Killing URB on ep%d\n",
> + usb_endpoint_num(&urb->ep->desc));
> +
> usb_kill_urb(urb);
> retval = (ctx.status == -ENOENT ? -ETIMEDOUT : ctx.status);
>
> - dev_dbg(&urb->dev->dev,
> + dev_info(&urb->dev->dev,
> "%s timed out on ep%d%s len=%u/%u\n",
> current->comm,
> usb_endpoint_num(&urb->ep->desc),
>
>
next prev parent reply other threads:[~2026-02-08 20:10 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-08 6:34 [syzbot] [usb?] INFO: task hung in usb_bulk_msg (2) syzbot
2026-02-08 8:55 ` Hillf Danton
2026-02-08 14:47 ` Alan Stern
2026-02-08 15:03 ` syzbot
2026-02-08 15:17 ` Alan Stern
2026-02-08 15:17 ` syzbot
2026-02-08 15:19 ` Alan Stern
2026-02-08 15:50 ` syzbot
2026-02-08 20:10 ` Alan Stern
2026-02-08 20:10 ` syzbot [this message]
2026-02-08 20:13 ` Alan Stern
2026-02-08 20:34 ` syzbot
2026-02-08 21:32 ` Alan Stern
2026-02-08 21:53 ` syzbot
2026-02-09 1:26 ` Alan Stern
2026-02-09 1:46 ` syzbot
2026-02-09 16:34 ` Alan Stern
2026-02-09 17:30 ` syzbot
2026-02-13 21:30 ` Alan Stern
2026-02-13 21:49 ` syzbot
2026-02-09 10:03 ` Oliver Neukum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6988edcb.050a0220.3b3015.005e.GAE@google.com \
--to=syzbot+25ba18e2c5040447585d@syzkaller.appspotmail.com \
--cc=greearb@candelatech.com \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=michal.pecio@gmail.com \
--cc=oneukum@suse.com \
--cc=stern@rowland.harvard.edu \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox