linux-kernel.vger.kernel.org archive mirror
* [syzbot] [usb?] INFO: task hung in uevent_show (2)
@ 2024-11-09 14:37 syzbot
  2024-11-10  0:59 ` syzbot
  2025-07-09  4:39 ` [syzbot] [usb?] " Tetsuo Handa
  0 siblings, 2 replies; 45+ messages in thread
From: syzbot @ 2024-11-09 14:37 UTC (permalink / raw)
  To: gregkh, linux-kernel, linux-usb, rafael, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=13459e30580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17fd60c0580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e48f2af8afd7/disk-226ff2e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/76328e28b54c/vmlinux-226ff2e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab9f75a466a2/bzImage-226ff2e6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com

INFO: task udevd:5791 blocked for more than 143 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:26960 pid:5791  tgid:5791  ppid:2861   flags:0x00004002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13d00f0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000010000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
 </TASK>
INFO: task udevd:5796 blocked for more than 143 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:27904 pid:5796  tgid:5796  ppid:2861   flags:0x00000002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13d00f0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000020
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
 </TASK>
INFO: task udevd:5798 blocked for more than 144 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:27600 pid:5798  tgid:5798  ppid:2861   flags:0x00000002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13fed80 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000100
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
 </TASK>
INFO: task udevd:5837 blocked for more than 144 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:27488 pid:5837  tgid:5837  ppid:2861   flags:0x00000002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13bf2d0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
 </TASK>
INFO: task udevd:5838 blocked for more than 144 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:27488 pid:5838  tgid:5838  ppid:2861   flags:0x00000002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a13d61f0 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000020
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
 </TASK>
INFO: task udevd:5840 blocked for more than 144 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:27488 pid:5840  tgid:5840  ppid:2861   flags:0x00000002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbc285c9b6a
RSP: 002b:00007fffbf7a8838 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055d1a13396f0 RCX: 00007fbc285c9b6a
RDX: 0000000000001000 RSI: 000055d1a1345640 RDI: 0000000000000008
RBP: 000055d1a13396f0 R08: 0000000000000008 R09: 0000000000000000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007fffbf7a8d18 R15: 000000000000000a
 </TASK>

Showing all locks held in the system:
7 locks held by kworker/0:1/9:
2 locks held by kworker/u8:0/11:
6 locks held by kworker/1:0/24:
 #0: ffff8881062c7548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc9000019fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1be/0x4f40 drivers/usb/core/hub.c:5849
 #3: ffff888112a29190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff888112a29190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
 #4: ffff888113966160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff888113966160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
 #4: ffff888113966160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
 #5: ffffffff89bd82a8 (input_mutex){+.+.}-{3:3}, at: __input_unregister_device+0x136/0x450 drivers/input/input.c:2272
1 lock held by khungtaskd/30:
 #0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
3 locks held by kworker/u8:8/2240:
 #0: ffff888100abb148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90003fafd80 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffffffff8a18d750 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xbb/0xb40 net/core/net_namespace.c:580
1 lock held by acpid/2846:
 #0: ffffffff88ec6a38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
2 locks held by getty/2921:
 #0: ffff8881121220a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
 #1: ffffc900000432f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
4 locks held by udevd/5791:
 #0: ffff8881115fb0a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff88811769e088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff888108f5b878 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5796:
 #0: ffff88810db8dd58 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff88811df55488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff888108f5b878 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5798:
 #0: ffff888131f13668 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff88811769f488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff88810af37008 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88810b349190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810b349190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/0:3/5806:
 #0: ffff8881062c7548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90001ac7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1be/0x4f40 drivers/usb/core/hub.c:5849
 #3: ffff88811f7f3190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88811f7f3190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
 #4: ffff88811f5b5160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff88811f5b5160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
 #4: ffff88811f5b5160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
 #5: ffffffff89bd82a8 (input_mutex){+.+.}-{3:3}, at: __input_unregister_device+0x136/0x450 drivers/input/input.c:2272
4 locks held by udevd/5819:
 #0: ffff888112ca6e80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff8881198cac88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff888108f58a58 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5837:
 #0: ffff88811529ae80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff8881198cb088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff888108f58a58 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810afd1190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5838:
 #0: ffff88811529ad58 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff8881198c8088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff88810af46d28 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by udevd/5840:
 #0: ffffffff88ec6a38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329
4 locks held by udevd/5842:
 #0: ffff888112ca6668 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff88811adac488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff88810af46d28 (kn->active#3){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
2 locks held by kworker/u8:7/6505:
 #0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc9000203fd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
2 locks held by kworker/u8:13/6524:
 #0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90002ccfd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
2 locks held by kworker/u8:14/6526:
 #0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90002cefd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
2 locks held by kworker/u8:16/6530:
 #0: ffff888100089148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90002d2fd80 ((work_completion)(&sub_info->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
1 lock held by modprobe/6557:
1 lock held by modprobe/6559:
1 lock held by modprobe/6560:

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xf0c/0x1240 kernel/hung_task.c:379
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 6561 Comm: modprobe Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:check_kcov_mode kernel/kcov.c:183 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x13/0x70 kernel/kcov.c:217
Code: 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 65 48 8b 15 e4 d0 ad 7e 65 8b 05 e5 d0 ad 7e <a9> 00 01 ff 00 48 8b 34 24 74 1d f6 c4 01 74 43 a9 00 00 0f 00 75
RSP: 0000:ffffc90002d1fad0 EFLAGS: 00000293
RAX: 0000000080000001 RBX: ffffc90002d1fc68 RCX: ffffffff81885d98
RDX: ffff888133113a80 RSI: 0000000000000002 RDI: 0000000000000007
RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: ffffea0008ff9480
R13: 000000000000002d R14: ffff8881110d3440 R15: dffffc0000000000
FS:  00007f43362ce380(0000) GS:ffff8881f5800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f43362fc991 CR3: 0000000112e72000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 xas_next_entry+0x213/0x3c0 include/linux/xarray.h:1715
 next_uptodate_folio+0x29/0x4b0 mm/filemap.c:3493
 filemap_map_pages+0x5cb/0x13d0 mm/filemap.c:3686
 do_fault_around mm/memory.c:5255 [inline]
 do_read_fault mm/memory.c:5288 [inline]
 do_fault mm/memory.c:5431 [inline]
 do_pte_missing mm/memory.c:3965 [inline]
 handle_pte_fault mm/memory.c:5766 [inline]
 __handle_mm_fault+0x1e12/0x33b0 mm/memory.c:5909
 handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
 do_user_addr_fault+0x613/0x12c0 arch/x86/mm/fault.c:1338
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x7f43362fc991
Code: Unable to access opcode bytes at 0x7f43362fc967.
RSP: 002b:00007ffc553f3418 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00007f43365d0570 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007f4336323178
RBP: 0000000000000003 R08: 0000000000000000 R09: 000000000000000d
R10: 00007ffc553f30f0 R11: 0000000000000246 R12: 0000000000000004
R13: 00007ffc553f34b8 R14: 00007ffc553f34e0 R15: 0000000000000000
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

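A triage helper for reports like the one above, added here as an example and not part of the syzbot mail or of the kernel tree. It parses the "INFO: task ... blocked" lines together with the lockdep "Showing all locks held in the system" dump and, for each hung task, names the lock it sleeps on and every other task that lists the same lock address, with the call site where that task took it. The sample input is an excerpt of the first report above (trimmed; a complete report can be fed in unchanged). It relies on one lockdep property: a mutex is entered in the acquiring task's held-lock list before the task sleeps in __mutex_lock, so a D-state task's last entry is the lock it is waiting for, not one it owns. The holder/waiter split is a heuristic of this example, not something the report states.

```python
import re
from collections import OrderedDict

# Constructed sample input: lines copied from the hung-task report above, trimmed to the
# "INFO: task ... blocked" lines and part of the lockdep dump. Unrelated lines are ignored.
REPORT = """\
INFO: task udevd:5791 blocked for more than 143 seconds.
INFO: task udevd:5796 blocked for more than 143 seconds.
INFO: task udevd:5838 blocked for more than 144 seconds.

Showing all locks held in the system:
6 locks held by kworker/1:0/24:
 #0: ffff8881062c7548 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #2: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1be/0x4f40 drivers/usb/core/hub.c:5849
 #3: ffff888112a29190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
 #5: ffffffff89bd82a8 (input_mutex){+.+.}-{3:3}, at: __input_unregister_device+0x136/0x450 drivers/input/input.c:2272
4 locks held by udevd/5791:
 #0: ffff8881115fb0a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/5796:
 #3: ffff88810af01190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/0:3/5806:
 #2: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1be/0x4f40 drivers/usb/core/hub.c:5849
4 locks held by udevd/5838:
 #3: ffff88810b36b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
"""

HEADER_RE = re.compile(r"^(\d+) locks? held by (\S+)/(\d+):\s*$")
LOCK_RE = re.compile(r"^\s*#(\d+):\s+([0-9a-f]{16})\s+\((.+?)\)\{[^}]*\}-\{\d+:\d+\},\s+at:\s+(.*\S)\s*$")
BLOCKED_RE = re.compile(r"^INFO: task (\S+?):(\d+) blocked for more than")


def parse_held_locks(report):
    """Return {'name/pid': [{'idx', 'addr', 'name', 'at': [...]}, ...]} from the lockdep dump.

    lockdep prints one line per inlined frame of the acquisition site, so consecutive
    lines with the same index and address are merged into one entry with several sites;
    the last site is the non-inlined caller."""
    held = OrderedDict()
    current = None
    for line in report.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = f"{m.group(2)}/{m.group(3)}"
            held[current] = []
            continue
        m = LOCK_RE.match(line)
        if m and current is not None:
            idx, addr, name, at = int(m.group(1)), m.group(2), m.group(3), m.group(4)
            entries = held[current]
            if entries and entries[-1]["idx"] == idx and entries[-1]["addr"] == addr:
                entries[-1]["at"].append(at)
            else:
                entries.append({"idx": idx, "addr": addr, "name": name, "at": [at]})
    return held


def parse_blocked_tasks(report):
    """Tasks the hung-task detector reported, as 'name/pid' keys matching parse_held_locks()."""
    return [f"{m.group(1)}/{m.group(2)}" for m in map(BLOCKED_RE.match, report.splitlines()) if m]


def find_holders(report):
    """For each hung task: the lock it sleeps on and the other tasks listing that address.

    A hung task's *last* held-lock entry is the lock it is blocked acquiring (lockdep
    records the acquisition before the sleep). Any other task listing the same address
    at a different site is a candidate owner."""
    held = parse_held_locks(report)
    blocked = parse_blocked_tasks(report)
    result = {}
    for task in blocked:
        entries = held.get(task)
        if not entries:
            continue
        wanted = entries[-1]
        others = []
        for other, other_entries in held.items():
            if other == task:
                continue
            for e in other_entries:
                if e["addr"] != wanted["addr"]:
                    continue
                # Heuristic (this example's, not lockdep's): a fellow waiter sits at the same
                # acquisition site, or was itself reported hung with this as its last lock.
                same_site = e["at"][-1] == wanted["at"][-1]
                hung_last = other in blocked and e is other_entries[-1]
                others.append((other, "waiter" if same_site or hung_last else "holder", e["at"][-1]))
        result[task] = {"addr": wanted["addr"], "lock": wanted["name"],
                        "waiting_at": wanted["at"][-1], "others": others}
    return result


if __name__ == "__main__":
    for task, info in find_holders(REPORT).items():
        print(f"{task} waits on {info['lock']} {info['addr']} at {info['waiting_at']}")
        for other, role, where in info["others"]:
            print(f"    {role:6} {other} at {where}")
```

Run against the excerpt, the helper pairs udevd/5791 and udevd/5796 (both sleeping in uevent_show on ffff88810af01190) with kworker/1:0/24, which took that dev->mutex in hub_event and is still inside usb_disconnect and __input_unregister_device, and pairs udevd/5838 with kworker/0:3/5806 on ffff88810b36b190. That is exactly the correlation one does by hand when reading the full dump above; the report itself does not say why the hub worker has not released the lock.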

* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2024-11-09 14:37 [syzbot] [usb?] INFO: task hung in uevent_show (2) syzbot
@ 2024-11-10  0:59 ` syzbot
  2025-07-10 11:05   ` Hillf Danton
  2025-07-10 12:59   ` [syzbot] [usb?] " Hillf Danton
  2025-07-09  4:39 ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: syzbot @ 2024-11-10  0:59 UTC (permalink / raw)
  To: gregkh, linux-kernel, linux-usb, rafael, syzkaller-bugs

syzbot has found a reproducer for the following issue on:

HEAD commit:    226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=132b5e30580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=144614e8580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=172b5e30580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/e48f2af8afd7/disk-226ff2e6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/76328e28b54c/vmlinux-226ff2e6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/ab9f75a466a2/bzImage-226ff2e6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com

INFO: task udevd:5169 blocked for more than 143 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:27904 pid:5169  tgid:5169  ppid:2861   flags:0x00004002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e4a253b6a
RSP: 002b:00007ffc471c56a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b598d2b6f0 RCX: 00007f9e4a253b6a
RDX: 0000000000001000 RSI: 000055b598e72930 RDI: 0000000000000008
RBP: 000055b598d2b6f0 R08: 0000000000000008 R09: 0000000000000000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffc471c5b88 R15: 000000000000000a
 </TASK>
INFO: task udevd:5198 blocked for more than 144 seconds.
      Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:27136 pid:5198  tgid:5198  ppid:2861   flags:0x00004002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5328 [inline]
 __schedule+0x1042/0x34b0 kernel/sched/core.c:6690
 __schedule_loop kernel/sched/core.c:6767 [inline]
 schedule+0xe7/0x350 kernel/sched/core.c:6782
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1014 [inline]
 uevent_show+0x188/0x3b0 drivers/base/core.c:2736
 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
 new_sync_read fs/read_write.c:488 [inline]
 vfs_read+0x87f/0xbe0 fs/read_write.c:569
 ksys_read+0x12f/0x260 fs/read_write.c:712
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9e4a253b6a
RSP: 002b:00007ffc471c56a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055b598d2b6f0 RCX: 00007f9e4a253b6a
RDX: 0000000000001000 RSI: 000055b598e72930 RDI: 0000000000000008
RBP: 000055b598d2b6f0 R08: 0000000000000008 R09: 0000000000008000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffc471c5b88 R15: 000000000000000a
 </TASK>

Showing all locks held in the system:
7 locks held by kworker/1:0/24:
1 lock held by khungtaskd/30:
 #0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #0: ffffffff88ebb140 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
5 locks held by kworker/1:2/1080:
2 locks held by getty/2919:
 #0: ffff888115b080a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
 #1: ffffc900000432f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
6 locks held by kworker/1:1/5068:
1 lock held by udevd/5168:
4 locks held by udevd/5169:
 #0: ffff888114560b08 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff88811ea2c088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff8881133e90f8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff88811e7e9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88811e7e9190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
5 locks held by kworker/1:3/5180:
4 locks held by udevd/5187:
5 locks held by kworker/1:4/5188:
3 locks held by kworker/1:5/5193:
4 locks held by udevd/5198:
 #0: ffff888114560418 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff88810e326488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff888113ce13c8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff888105eee190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff888105eee190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xf0c/0x1240 kernel/hung_task.c:379
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
imon 2-1:0.0: imon usb_rx_callback_intf0: status(-71): ignored
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 5187 Comm: udevd Not tainted 6.12.0-rc6-syzkaller-00103-g226ff2e681d0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
RIP: 0010:io_serial_out+0x8f/0xb0 drivers/tty/serial/8250/8250_port.c:413
Code: 48 8d 7d 40 44 89 e1 48 b8 00 00 00 00 00 fc ff df 48 89 fa d3 e3 48 c1 ea 03 80 3c 02 00 75 1c 66 03 5d 40 44 89 e8 89 da ee <5b> 5d 41 5c 41 5d c3 cc cc cc cc e8 11 e5 0d ff eb a0 e8 9a e5 0d
RSP: 0000:ffffc900001b8500 EFLAGS: 00000002
RAX: 000000000000005b RBX: 00000000000003f8 RCX: 0000000000000000
RDX: 00000000000003f8 RSI: ffffffff82a096d5 RDI: ffffffff936396a0
RBP: ffffffff93639660 R08: 0000000000000001 R09: 000000000000001f
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 000000000000005b R14: ffffffff82a09670 R15: 0000000000000000
FS:  00007f9e4a128c80(0000) GS:ffff8881f5900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9e49821038 CR3: 000000011f1f6000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 serial_out drivers/tty/serial/8250/8250.h:142 [inline]
 serial8250_console_fifo_write drivers/tty/serial/8250/8250_port.c:3322 [inline]
 serial8250_console_write+0xf9e/0x17c0 drivers/tty/serial/8250/8250_port.c:3393
 console_emit_next_record kernel/printk/printk.c:3092 [inline]
 console_flush_all+0x800/0xc60 kernel/printk/printk.c:3180
 __console_flush_and_unlock kernel/printk/printk.c:3239 [inline]
 console_unlock+0xd9/0x210 kernel/printk/printk.c:3279
 vprintk_emit+0x424/0x6f0 kernel/printk/printk.c:2407
 dev_vprintk_emit drivers/base/core.c:4942 [inline]
 dev_printk_emit+0xfb/0x140 drivers/base/core.c:4953
 __dev_printk+0xf5/0x270 drivers/base/core.c:4965
 _dev_warn+0xe5/0x120 drivers/base/core.c:5009
 usb_rx_callback_intf0+0x11c/0x1a0 drivers/media/rc/imon.c:1768
 __usb_hcd_giveback_urb+0x389/0x6e0 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x396/0x450 drivers/usb/core/hcd.c:1734
 dummy_timer+0x17f0/0x3930 drivers/usb/gadget/udc/dummy_hcd.c:1993
 __run_hrtimer kernel/time/hrtimer.c:1691 [inline]
 __hrtimer_run_queues+0x20a/0xae0 kernel/time/hrtimer.c:1755
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1772
 handle_softirqs+0x206/0x8d0 kernel/softirq.c:554
 __do_softirq kernel/softirq.c:588 [inline]
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu kernel/softirq.c:637 [inline]
 irq_exit_rcu+0xac/0x110 kernel/softirq.c:649
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:___slab_alloc+0x388/0x1760 mm/slub.c:3887
Code: 44 24 28 00 00 00 00 4c 89 e7 48 8d 35 00 00 00 00 e8 9c 9f 8c ff 80 e7 02 0f 85 f1 04 00 00 9c 58 f6 c4 02 0f 85 76 07 00 00 <48> 8b 45 c8 65 48 2b 04 25 28 00 00 00 0f 85 34 11 00 00 48 8d 65
RSP: 0000:ffffc90001e3fb50 EFLAGS: 00000246
RAX: 0000000000000006 RBX: 0000000000000246 RCX: 1ffffffff1f5bc7f
RDX: 0000000000000000 RSI: ffffffff8727f220 RDI: ffffffff8746ec80
RBP: ffffc90001e3fc30 R08: 0000000000000001 R09: fffffbfff1f565c1
R10: ffffffff8fab2e0f R11: 0000000000000000 R12: ffff8881f59420d0
R13: 0000000000000000 R14: 00000000000420d0 R15: ffff888108329240
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
 __slab_alloc_node mm/slub.c:3961 [inline]
 slab_alloc_node mm/slub.c:4122 [inline]
 kmem_cache_alloc_noprof+0x270/0x2b0 mm/slub.c:4141
 ptlock_alloc+0x1f/0x70 mm/memory.c:6918
 ptlock_init include/linux/mm.h:2958 [inline]
 pagetable_pte_ctor include/linux/mm.h:2985 [inline]
 __pte_alloc_one_noprof include/asm-generic/pgalloc.h:73 [inline]
 pte_alloc_one+0x74/0x390 arch/x86/mm/pgtable.c:33
 do_fault_around mm/memory.c:5249 [inline]
 do_read_fault mm/memory.c:5288 [inline]
 do_fault mm/memory.c:5431 [inline]
 do_pte_missing mm/memory.c:3965 [inline]
 handle_pte_fault mm/memory.c:5766 [inline]
 __handle_mm_fault+0x1d49/0x33b0 mm/memory.c:5909
 handle_mm_fault+0x3fa/0xaa0 mm/memory.c:6077
 do_user_addr_fault+0x613/0x12c0 arch/x86/mm/fault.c:1338
 handle_page_fault arch/x86/mm/fault.c:1481 [inline]
 exc_page_fault+0x5c/0xc0 arch/x86/mm/fault.c:1539
 asm_exc_page_fault+0x26/0x30 arch/x86/include/asm/idtentry.h:623
RIP: 0033:0x55b56813c77c
Code: 48 8b 04 25 28 00 00 00 48 89 84 24 18 08 00 00 31 c0 48 c7 84 24 08 08 00 00 00 00 00 00 48 c7 84 24 10 08 00 00 00 00 00 00 <48> 03 6d 38 48 8b 45 00 48 85 c0 74 6c 49 03 84 24 a8 00 00 00 4d
RSP: 002b:00007ffc471c85a0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 00007ffc471c8e98 RDI: 000055b598d587e0
RBP: 00007f9e49821000 R08: 0000000000000001 R09: 00007ffc471c87e8
R10: 0000000000000058 R11: 0000000000000000 R12: 000055b598d587e0
R13: 00007ffc471c8e98 R14: 000055b598d61170 R15: 00007ffc471c9309
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

^ permalink raw reply	[flat|nested] 45+ messages in thread

* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2024-11-09 14:37 [syzbot] [usb?] INFO: task hung in uevent_show (2) syzbot
  2024-11-10  0:59 ` syzbot
@ 2025-07-09  4:39 ` Tetsuo Handa
  2025-07-09 14:03   ` [syzbot] [kernel?] " syzbot
  2025-07-09 14:15   ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-09  4:39 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..10124a26ffde 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1765,7 +1765,7 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		break;
 
 	default:
-		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
+		dev_warn_ratelimited(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
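Review bot: the continuation line `__func__, urb->status);` is now misaligned; with the longer macro name it should be reindented so that it lines up under the opening parenthesis of `dev_warn_ratelimited(`, as kernel style expects. On substance, the NMI backtrace in the report above catches udevd on CPU 1 inside serial8250_console_write() reached from exactly this dev_warn() in usb_rx_callback_intf0(), driven by dummy_timer()'s hrtimer softirq with status -71 (-EPROTO), so rate limiting removes the console-write time sink from interrupt context but does not change what the default case does with the URB afterwards (the hunk ends at `break;` and shows nothing further); the commit message should state that this is a symptom fix for the console storm.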
@@ -1806,7 +1806,7 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		break;
 
 	default:
-		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
+		dev_warn_ratelimited(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
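Review bot: same alignment problem as in the intf0 hunk: `__func__, urb->status);` should be reindented under the open parenthesis of `dev_warn_ratelimited(`. Both callbacks now carry an identical default case with the same format string; a small shared helper taking the callback name would avoid the duplication, although that is optional for a test patch.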
diff --git a/include/linux/usb.h b/include/linux/usb.h
index 92c752f5446f..baf536c56c21 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1985,6 +1985,9 @@ void usb_sg_wait(struct usb_sg_request *io);
 static inline unsigned int __create_pipe(struct usb_device *dev,
 		unsigned int endpoint)
 {
+	BUG_ON(dev->devnum < 0);
+	BUG_ON(dev->devnum > 0x7F);
+	BUG_ON(endpoint > 0xF);
 	return (dev->devnum << 8) | (endpoint << 15);
 }
 
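Review bot: a BUG_ON() inside a static inline that every pipe-building macro expands into turns any unexpected argument into a full kernel panic, and syzbot's test result later in this thread shows exactly that during early boot (kernel BUG at ./include/linux/usb.h:1990 in hub_probe(), followed by "Kernel panic - not syncing"), so the hung-task reproducer never gets to run. For a diagnostic pass, WARN_ON_ONCE() with `dev->devnum` and `endpoint` printed in the message would capture the same information while keeping the machine alive. Counting from the @@ header, new line 1990 is the third assertion, `BUG_ON(endpoint > 0xF);`, so it is the endpoint bound, not the devnum bounds, that the boot hit.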



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09  4:39 ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-09 14:03   ` syzbot
  2025-07-09 14:13     ` Tetsuo Handa
  2025-07-09 14:15   ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 1 reply; 45+ messages in thread
From: syzbot @ 2025-07-09 14:03 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

    T1] usbcore: registered new interface driver ssu100
[   12.803467][    T1] usbserial: USB Serial support registered for Quatech SSU-100 USB to Serial Driver
[   12.813847][    T1] usbcore: registered new interface driver symbolserial
[   12.822971][    T1] usbserial: USB Serial support registered for symbol
[   12.830470][    T1] usbcore: registered new interface driver ti_usb_3410_5052
[   12.838383][    T1] usbserial: USB Serial support registered for TI USB 3410 1 port adapter
[   12.847393][    T1] usbserial: USB Serial support registered for TI USB 5052 2 port adapter
[   12.856857][    T1] usbcore: registered new interface driver upd78f0730
[   12.864214][    T1] usbserial: USB Serial support registered for upd78f0730
[   12.872005][    T1] usbcore: registered new interface driver visor
[   12.878832][    T1] usbserial: USB Serial support registered for Handspring Visor / Palm OS
[   12.888619][    T1] usbserial: USB Serial support registered for Sony Clie 5.0
[   12.897025][    T1] usbserial: USB Serial support registered for Sony Clie 3.5
[   12.905181][    T1] usbcore: registered new interface driver wishbone_serial
[   12.912848][    T1] usbserial: USB Serial support registered for wishbone_serial
[   12.921084][    T1] usbcore: registered new interface driver whiteheat
[   12.928135][    T1] usbserial: USB Serial support registered for Connect Tech - WhiteHEAT - (prerenumeration)
[   12.939389][    T1] usbserial: USB Serial support registered for Connect Tech - WhiteHEAT
[   12.948619][    T1] usbcore: registered new interface driver xr_serial
[   12.955889][    T1] usbserial: USB Serial support registered for xr_serial
[   12.963719][    T1] usbcore: registered new interface driver xsens_mt
[   12.972185][    T1] usbserial: USB Serial support registered for xsens_mt
[   12.980323][    T1] usbcore: registered new interface driver adutux
[   12.987512][    T1] usbcore: registered new interface driver appledisplay
[   12.995415][    T1] usbcore: registered new interface driver cypress_cy7c63
[   13.003293][    T1] usbcore: registered new interface driver cytherm
[   13.010571][    T1] usbcore: registered new interface driver emi26 - firmware loader
[   13.019440][    T1] usbcore: registered new interface driver emi62 - firmware loader
[   13.027806][    T1] usbcore: registered new device driver apple-mfi-fastcharge
[   13.036824][    T1] usbcore: registered new interface driver ljca
[   13.044111][    T1] usbcore: registered new interface driver idmouse
[   13.052002][    T1] usbcore: registered new interface driver iowarrior
[   13.059704][    T1] usbcore: registered new interface driver isight_firmware
[   13.067642][    T1] usbcore: registered new interface driver usblcd
[   13.074816][    T1] usbcore: registered new interface driver ldusb
[   13.082081][    T1] usbcore: registered new interface driver legousbtower
[   13.089958][    T1] usbcore: registered new interface driver usbtest
[   13.097300][    T1] usbcore: registered new interface driver usb_ehset_test
[   13.105262][    T1] usbcore: registered new interface driver trancevibrator
[   13.113543][    T1] usbcore: registered new interface driver uss720
[   13.120280][    T1] uss720: USB Parport Cable driver for Cables using the Lucent Technologies USS720 Chip
[   13.130535][    T1] uss720: NOTE: this is a special purpose driver to allow nonstandard
[   13.138957][    T1] uss720: protocols (eg. bitbang) over USS720 usb to parallel cables
[   13.147209][    T1] uss720: If you just want to connect to a printer, use usblp instead
[   13.156564][    T1] usbcore: registered new interface driver usbsevseg
[   13.164290][    T1] usbcore: registered new interface driver yurex
[   13.172561][    T1] usbcore: registered new interface driver chaoskey
[   13.180124][    T1] usbcore: registered new interface driver sisusb
[   13.187445][    T1] usbcore: registered new interface driver lvs
[   13.194534][    T1] usbcore: registered new interface driver cxacru
[   13.201660][    T1] usbcore: registered new interface driver speedtch
[   13.209706][    T1] usbcore: registered new interface driver ueagle-atm
[   13.217258][    T1] xusbatm: malformed module parameters
[   13.236709][    T1] dummy_hcd dummy_hcd.0: USB Host+Gadget Emulator, driver 02 May 2005
[   13.245196][    T1] dummy_hcd dummy_hcd.0: Dummy host controller
[   13.257875][    T1] dummy_hcd dummy_hcd.0: new USB bus registered, assigned bus number 1
[   13.277863][    T1] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.16
[   13.288670][    T1] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
[   13.296864][    T1] usb usb1: Product: Dummy host controller
[   13.303515][    T1] usb usb1: Manufacturer: Linux 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty dummy_hcd
[   13.313553][    T1] usb usb1: SerialNumber: dummy_hcd.0
[   13.333561][    T1] hub 1-0:1.0: USB hub found
[   13.342305][    T1] hub 1-0:1.0: 1 port detected
[   13.350916][    T1] ------------[ cut here ]------------
[   13.356580][    T1] kernel BUG at ./include/linux/usb.h:1990!
[   13.362686][    T1] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
[   13.368994][    T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0 PREEMPT(full) 
[   13.372565][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[   13.372565][    T1] RIP: 0010:__create_pipe+0xa2/0xb0
[   13.372565][    T1] Code: 80 e1 07 80 c1 03 38 c1 7c a5 4c 89 f7 e8 56 8f 0a fb eb 9b e8 5f 33 a9 fa 90 0f 0b e8 57 33 a9 fa 90 0f 0b e8 4f 33 a9 fa 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
[   13.372565][    T1] RSP: 0000:ffffc90000066680 EFLAGS: 00010293
[   13.372565][    T1] RAX: ffffffff8716c411 RBX: 0000000000000081 RCX: ffff88801caf8000
[   13.372565][    T1] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 000000000000000f
[   13.372565][    T1] RBP: 0000000000000001 R08: ffffc900000665c7 R09: 1ffff9200000ccb8
[   13.372565][    T1] R10: dffffc0000000000 R11: fffff5200000ccb9 R12: 00000000000001f4
[   13.372565][    T1] R13: 1ffff11004fd0c37 R14: ffff888027e82000 R15: ffff888027e861b8
[   13.372565][    T1] FS:  0000000000000000(0000) GS:ffff8881261a1000(0000) knlGS:0000000000000000
[   13.372565][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   13.372565][    T1] CR2: 0000000000000000 CR3: 000000000dd38000 CR4: 00000000003526f0
[   13.372565][    T1] Call Trace:
[   13.372565][    T1]  <TASK>
[   13.372565][    T1]  hub_probe+0x2300/0x3840
[   13.372565][    T1]  ? __pfx_hub_probe+0x10/0x10
[   13.372565][    T1]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   13.372565][    T1]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   13.372565][    T1]  ? ktime_get_mono_fast_ns+0x2af/0x2d0
[   13.372565][    T1]  ? pm_runtime_enable+0x1f3/0x340
[   13.372565][    T1]  usb_probe_interface+0x644/0xbc0
[   13.372565][    T1]  ? __pfx_usb_probe_interface+0x10/0x10
[   13.372565][    T1]  really_probe+0x26a/0x9a0
[   13.372565][    T1]  __driver_probe_device+0x18c/0x2f0
[   13.372565][    T1]  driver_probe_device+0x4f/0x430
[   13.372565][    T1]  __device_attach_driver+0x2ce/0x530
[   13.372565][    T1]  bus_for_each_drv+0x251/0x2e0
[   13.372565][    T1]  ? __pfx___device_attach_driver+0x10/0x10
[   13.372565][    T1]  ? __pfx_bus_for_each_drv+0x10/0x10
[   13.372565][    T1]  __device_attach+0x2b8/0x400
[   13.372565][    T1]  ? __pfx___device_attach+0x10/0x10
[   13.372565][    T1]  ? do_raw_spin_unlock+0x122/0x240
[   13.372565][    T1]  bus_probe_device+0x185/0x260
[   13.372565][    T1]  device_add+0x7b6/0xb50
[   13.372565][    T1]  usb_set_configuration+0x1ab9/0x2120
[   13.372565][    T1]  usb_generic_driver_probe+0x8d/0x150
[   13.372565][    T1]  usb_probe_device+0x1c1/0x390
[   13.372565][    T1]  ? __pfx_usb_probe_device+0x10/0x10
[   13.372565][    T1]  really_probe+0x26a/0x9a0
[   13.372565][    T1]  __driver_probe_device+0x18c/0x2f0
[   13.372565][    T1]  driver_probe_device+0x4f/0x430
[   13.372565][    T1]  __device_attach_driver+0x2ce/0x530
[   13.372565][    T1]  bus_for_each_drv+0x251/0x2e0
[   13.372565][    T1]  ? __pfx___device_attach_driver+0x10/0x10
[   13.372565][    T1]  ? __pfx_bus_for_each_drv+0x10/0x10
[   13.372565][    T1]  __device_attach+0x2b8/0x400
[   13.372565][    T1]  ? __pfx___device_attach+0x10/0x10
[   13.372565][    T1]  ? do_raw_spin_unlock+0x122/0x240
[   13.372565][    T1]  bus_probe_device+0x185/0x260
[   13.372565][    T1]  device_add+0x7b6/0xb50
[   13.372565][    T1]  usb_new_device+0x9fd/0x1610
[   13.372565][    T1]  ? __pfx_usb_new_device+0x10/0x10
[   13.372565][    T1]  ? register_root_hub+0x153/0x590
[   13.372565][    T1]  ? kfree+0x18e/0x440
[   13.372565][    T1]  register_root_hub+0x275/0x590
[   13.372565][    T1]  ? usb_add_hcd+0xb90/0x1050
[   13.372565][    T1]  usb_add_hcd+0xba1/0x1050
[   13.372565][    T1]  dummy_hcd_probe+0x134/0x270
[   13.372565][    T1]  platform_probe+0x148/0x1d0
[   13.372565][    T1]  ? __pfx_platform_probe+0x10/0x10
[   13.372565][    T1]  really_probe+0x26a/0x9a0
[   13.372565][    T1]  __driver_probe_device+0x18c/0x2f0
[   13.372565][    T1]  driver_probe_device+0x4f/0x430
[   13.372565][    T1]  __device_attach_driver+0x2ce/0x530
[   13.372565][    T1]  bus_for_each_drv+0x251/0x2e0
[   13.372565][    T1]  ? __pfx___device_attach_driver+0x10/0x10
[   13.372565][    T1]  ? __pfx_bus_for_each_drv+0x10/0x10
[   13.372565][    T1]  __device_attach+0x2b8/0x400
[   13.372565][    T1]  ? __pfx___device_attach+0x10/0x10
[   13.372565][    T1]  ? do_raw_spin_unlock+0x122/0x240
[   13.372565][    T1]  bus_probe_device+0x185/0x260
[   13.372565][    T1]  device_add+0x7b6/0xb50
[   13.372565][    T1]  platform_device_add+0x4b4/0x820
[   13.372565][    T1]  ? deferred_probe_extend_timeout+0x79/0xb0
[   13.372565][    T1]  dummy_hcd_init+0x293/0x1070
[   13.372565][    T1]  ? __pfx_dummy_hcd_init+0x10/0x10
[   13.372565][    T1]  ? __pfx_add_device_randomness+0x10/0x10
[   13.372565][    T1]  ? configfs_register_subsystem+0x4ca/0x520
[   13.372565][    T1]  ? __pfx_dummy_hcd_init+0x10/0x10
[   13.372565][    T1]  do_one_initcall+0x233/0x820
[   13.372565][    T1]  ? __pfx_dummy_hcd_init+0x10/0x10
[   13.372565][    T1]  ? __pfx_do_one_initcall+0x10/0x10
[   13.372565][    T1]  ? rcu_is_watching+0x15/0xb0
[   13.372565][    T1]  ? trace_irq_disable+0x37/0x110
[   13.372565][    T1]  ? preempt_schedule_irq+0xde/0x150
[   13.372565][    T1]  ? __pfx_preempt_schedule_irq+0x10/0x10
[   13.372565][    T1]  ? irqentry_exit+0x74/0x90
[   13.372565][    T1]  ? lockdep_hardirqs_on+0x9c/0x150
[   13.372565][    T1]  ? irqentry_exit+0x74/0x90
[   13.372565][    T1]  ? lockdep_hardirqs_on+0x9c/0x150
[   13.372565][    T1]  ? next_arg+0x498/0x5e0
[   13.372565][    T1]  ? parameq+0x14d/0x170
[   13.372565][    T1]  ? parse_args+0x993/0xa70
[   13.372565][    T1]  ? __pfx_parse_args+0x10/0x10
[   13.372565][    T1]  ? rcu_is_watching+0x15/0xb0
[   13.372565][    T1]  do_initcall_level+0x137/0x1f0
[   13.372565][    T1]  do_initcalls+0x69/0xd0
[   13.372565][    T1]  kernel_init_freeable+0x3d9/0x570
[   13.372565][    T1]  ? __pfx_kernel_init_freeable+0x10/0x10
[   13.372565][    T1]  ? _raw_spin_unlock_irq+0x23/0x50
[   13.372565][    T1]  ? __pfx_kernel_init+0x10/0x10
[   13.372565][    T1]  kernel_init+0x1d/0x1d0
[   13.372565][    T1]  ? __pfx_kernel_init+0x10/0x10
[   13.372565][    T1]  ret_from_fork+0x3fc/0x770
[   13.372565][    T1]  ? __pfx_ret_from_fork+0x10/0x10
[   13.372565][    T1]  ? __switch_to_asm+0x39/0x70
[   13.372565][    T1]  ? __switch_to_asm+0x33/0x70
[   13.372565][    T1]  ? __pfx_kernel_init+0x10/0x10
[   13.372565][    T1]  ret_from_fork_asm+0x1a/0x30
[   13.372565][    T1]  </TASK>
[   13.372565][    T1] Modules linked in:
[   13.372565][    C1] vkms_vblank_simulate: vblank timer overrun
[   13.995865][    T1] ---[ end trace 0000000000000000 ]---
[   14.001889][    T1] RIP: 0010:__create_pipe+0xa2/0xb0
[   14.007135][    T1] Code: 80 e1 07 80 c1 03 38 c1 7c a5 4c 89 f7 e8 56 8f 0a fb eb 9b e8 5f 33 a9 fa 90 0f 0b e8 57 33 a9 fa 90 0f 0b e8 4f 33 a9 fa 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
[   14.026940][    T1] RSP: 0000:ffffc90000066680 EFLAGS: 00010293
[   14.033310][    T1] RAX: ffffffff8716c411 RBX: 0000000000000081 RCX: ffff88801caf8000
[   14.041768][    T1] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 000000000000000f
[   14.049904][    T1] RBP: 0000000000000001 R08: ffffc900000665c7 R09: 1ffff9200000ccb8
[   14.058174][    T1] R10: dffffc0000000000 R11: fffff5200000ccb9 R12: 00000000000001f4
[   14.066824][    T1] R13: 1ffff11004fd0c37 R14: ffff888027e82000 R15: ffff888027e861b8
[   14.074933][    T1] FS:  0000000000000000(0000) GS:ffff8881260a1000(0000) knlGS:0000000000000000
[   14.084097][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   14.090767][    T1] CR2: ffff88823ffff000 CR3: 000000000dd38000 CR4: 00000000003526f0
[   14.098809][    T1] Kernel panic - not syncing: Fatal exception
[   14.100723][    T1] Kernel Offset: disabled
[   14.100723][    T1] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4116787073=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 6a8fcbc4a6
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6a8fcbc4a6172c831c89c507007f59fba13408aa -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250226-150939'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6a8fcbc4a6172c831c89c507007f59fba13408aa\"
/usr/bin/ld: /tmp/ccrMQnbM.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=148c1a8c580000


Tested on:

commit:         73392339 Merge tag 'pwm/for-6.16-rc6-fixes' of git://g..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13f27f70580000



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 14:03   ` [syzbot] [kernel?] " syzbot
@ 2025-07-09 14:13     ` Tetsuo Handa
  2025-07-09 14:27       ` Alan Stern
  0 siblings, 1 reply; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-09 14:13 UTC (permalink / raw)
  To: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

Hello.

I tried the change below (in case somebody is passing out-of-range
values by mistake) and hit this BUG_ON().

Did I use the wrong boundary condition?
Are there exceptions where out-of-range values make sense?

diff --git a/include/linux/usb.h b/include/linux/usb.h
index 92c752f5446f..baf536c56c21 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -1985,6 +1985,9 @@ void usb_sg_wait(struct usb_sg_request *io);
 static inline unsigned int __create_pipe(struct usb_device *dev,
 		unsigned int endpoint)
 {
+	BUG_ON(dev->devnum < 0);
+	BUG_ON(dev->devnum > 0x7F);
+	BUG_ON(endpoint > 0xF);
 	return (dev->devnum << 8) | (endpoint << 15);
 }
 
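Review bot: the assertion that fired is the endpoint one: counting from the @@ header, new line 1990 is `BUG_ON(endpoint > 0xF);`, and the quoted boot log reports "kernel BUG at ./include/linux/usb.h:1990" from hub_probe() right after "hub 1-0:1.0: 1 port detected". The register dump there shows 0x81 in both RBX and RSI (RSI being the second integer argument register on x86-64), which is endpoint 1 with bit 7 set, the shape of an endpoint descriptor's bEndpointAddress with the IN direction bit (USB_DIR_IN, 0x80) still attached rather than a bare 0..15 endpoint number. So the boundary `> 0xF` rejects a value that an existing caller passes as a matter of course, and `endpoint << 15` simply carries that direction bit along above the endpoint field. If the check is kept, mask the direction bit first, e.g. `BUG_ON((endpoint & 0x7f) > 0xF);`, or compare against the masked value in a WARN_ON_ONCE(), so that only values that cannot be a valid endpoint address trip it.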


On 2025/07/09 23:03, syzbot wrote:
> Hello,
> 
> syzbot tried to test the proposed patch but the build/boot failed:
> 
>     T1] usbcore: registered new interface driver ssu100
> [   12.803467][    T1] usbserial: USB Serial support registered for Quatech SSU-100 USB to Serial Driver
> [   12.813847][    T1] usbcore: registered new interface driver symbolserial
> [   12.822971][    T1] usbserial: USB Serial support registered for symbol
> [   12.830470][    T1] usbcore: registered new interface driver ti_usb_3410_5052
> [   12.838383][    T1] usbserial: USB Serial support registered for TI USB 3410 1 port adapter
> [   12.847393][    T1] usbserial: USB Serial support registered for TI USB 5052 2 port adapter
> [   12.856857][    T1] usbcore: registered new interface driver upd78f0730
> [   12.864214][    T1] usbserial: USB Serial support registered for upd78f0730
> [   12.872005][    T1] usbcore: registered new interface driver visor
> [   12.878832][    T1] usbserial: USB Serial support registered for Handspring Visor / Palm OS
> [   12.888619][    T1] usbserial: USB Serial support registered for Sony Clie 5.0
> [   12.897025][    T1] usbserial: USB Serial support registered for Sony Clie 3.5
> [   12.905181][    T1] usbcore: registered new interface driver wishbone_serial
> [   12.912848][    T1] usbserial: USB Serial support registered for wishbone_serial
> [   12.921084][    T1] usbcore: registered new interface driver whiteheat
> [   12.928135][    T1] usbserial: USB Serial support registered for Connect Tech - WhiteHEAT - (prerenumeration)
> [   12.939389][    T1] usbserial: USB Serial support registered for Connect Tech - WhiteHEAT
> [   12.948619][    T1] usbcore: registered new interface driver xr_serial
> [   12.955889][    T1] usbserial: USB Serial support registered for xr_serial
> [   12.963719][    T1] usbcore: registered new interface driver xsens_mt
> [   12.972185][    T1] usbserial: USB Serial support registered for xsens_mt
> [   12.980323][    T1] usbcore: registered new interface driver adutux
> [   12.987512][    T1] usbcore: registered new interface driver appledisplay
> [   12.995415][    T1] usbcore: registered new interface driver cypress_cy7c63
> [   13.003293][    T1] usbcore: registered new interface driver cytherm
> [   13.010571][    T1] usbcore: registered new interface driver emi26 - firmware loader
> [   13.019440][    T1] usbcore: registered new interface driver emi62 - firmware loader
> [   13.027806][    T1] usbcore: registered new device driver apple-mfi-fastcharge
> [   13.036824][    T1] usbcore: registered new interface driver ljca
> [   13.044111][    T1] usbcore: registered new interface driver idmouse
> [   13.052002][    T1] usbcore: registered new interface driver iowarrior
> [   13.059704][    T1] usbcore: registered new interface driver isight_firmware
> [   13.067642][    T1] usbcore: registered new interface driver usblcd
> [   13.074816][    T1] usbcore: registered new interface driver ldusb
> [   13.082081][    T1] usbcore: registered new interface driver legousbtower
> [   13.089958][    T1] usbcore: registered new interface driver usbtest
> [   13.097300][    T1] usbcore: registered new interface driver usb_ehset_test
> [   13.105262][    T1] usbcore: registered new interface driver trancevibrator
> [   13.113543][    T1] usbcore: registered new interface driver uss720
> [   13.120280][    T1] uss720: USB Parport Cable driver for Cables using the Lucent Technologies USS720 Chip
> [   13.130535][    T1] uss720: NOTE: this is a special purpose driver to allow nonstandard
> [   13.138957][    T1] uss720: protocols (eg. bitbang) over USS720 usb to parallel cables
> [   13.147209][    T1] uss720: If you just want to connect to a printer, use usblp instead
> [   13.156564][    T1] usbcore: registered new interface driver usbsevseg
> [   13.164290][    T1] usbcore: registered new interface driver yurex
> [   13.172561][    T1] usbcore: registered new interface driver chaoskey
> [   13.180124][    T1] usbcore: registered new interface driver sisusb
> [   13.187445][    T1] usbcore: registered new interface driver lvs
> [   13.194534][    T1] usbcore: registered new interface driver cxacru
> [   13.201660][    T1] usbcore: registered new interface driver speedtch
> [   13.209706][    T1] usbcore: registered new interface driver ueagle-atm
> [   13.217258][    T1] xusbatm: malformed module parameters
> [   13.236709][    T1] dummy_hcd dummy_hcd.0: USB Host+Gadget Emulator, driver 02 May 2005
> [   13.245196][    T1] dummy_hcd dummy_hcd.0: Dummy host controller
> [   13.257875][    T1] dummy_hcd dummy_hcd.0: new USB bus registered, assigned bus number 1
> [   13.277863][    T1] usb usb1: New USB device found, idVendor=1d6b, idProduct=0002, bcdDevice= 6.16
> [   13.288670][    T1] usb usb1: New USB device strings: Mfr=3, Product=2, SerialNumber=1
> [   13.296864][    T1] usb usb1: Product: Dummy host controller
> [   13.303515][    T1] usb usb1: Manufacturer: Linux 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty dummy_hcd
> [   13.313553][    T1] usb usb1: SerialNumber: dummy_hcd.0
> [   13.333561][    T1] hub 1-0:1.0: USB hub found
> [   13.342305][    T1] hub 1-0:1.0: 1 port detected
> [   13.350916][    T1] ------------[ cut here ]------------
> [   13.356580][    T1] kernel BUG at ./include/linux/usb.h:1990!
> [   13.362686][    T1] Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
> [   13.368994][    T1] CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0 PREEMPT(full) 
> [   13.372565][    T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
> [   13.372565][    T1] RIP: 0010:__create_pipe+0xa2/0xb0
> [   13.372565][    T1] Code: 80 e1 07 80 c1 03 38 c1 7c a5 4c 89 f7 e8 56 8f 0a fb eb 9b e8 5f 33 a9 fa 90 0f 0b e8 57 33 a9 fa 90 0f 0b e8 4f 33 a9 fa 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
> [   13.372565][    T1] RSP: 0000:ffffc90000066680 EFLAGS: 00010293
> [   13.372565][    T1] RAX: ffffffff8716c411 RBX: 0000000000000081 RCX: ffff88801caf8000
> [   13.372565][    T1] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 000000000000000f
> [   13.372565][    T1] RBP: 0000000000000001 R08: ffffc900000665c7 R09: 1ffff9200000ccb8
> [   13.372565][    T1] R10: dffffc0000000000 R11: fffff5200000ccb9 R12: 00000000000001f4
> [   13.372565][    T1] R13: 1ffff11004fd0c37 R14: ffff888027e82000 R15: ffff888027e861b8
> [   13.372565][    T1] FS:  0000000000000000(0000) GS:ffff8881261a1000(0000) knlGS:0000000000000000
> [   13.372565][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   13.372565][    T1] CR2: 0000000000000000 CR3: 000000000dd38000 CR4: 00000000003526f0
> [   13.372565][    T1] Call Trace:
> [   13.372565][    T1]  <TASK>
> [   13.372565][    T1]  hub_probe+0x2300/0x3840
> [   13.372565][    T1]  ? __pfx_hub_probe+0x10/0x10
> [   13.372565][    T1]  ? _raw_spin_unlock_irqrestore+0xad/0x110
> [   13.372565][    T1]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
> [   13.372565][    T1]  ? ktime_get_mono_fast_ns+0x2af/0x2d0
> [   13.372565][    T1]  ? pm_runtime_enable+0x1f3/0x340
> [   13.372565][    T1]  usb_probe_interface+0x644/0xbc0
> [   13.372565][    T1]  ? __pfx_usb_probe_interface+0x10/0x10
> [   13.372565][    T1]  really_probe+0x26a/0x9a0
> [   13.372565][    T1]  __driver_probe_device+0x18c/0x2f0
> [   13.372565][    T1]  driver_probe_device+0x4f/0x430
> [   13.372565][    T1]  __device_attach_driver+0x2ce/0x530
> [   13.372565][    T1]  bus_for_each_drv+0x251/0x2e0
> [   13.372565][    T1]  ? __pfx___device_attach_driver+0x10/0x10
> [   13.372565][    T1]  ? __pfx_bus_for_each_drv+0x10/0x10
> [   13.372565][    T1]  __device_attach+0x2b8/0x400
> [   13.372565][    T1]  ? __pfx___device_attach+0x10/0x10
> [   13.372565][    T1]  ? do_raw_spin_unlock+0x122/0x240
> [   13.372565][    T1]  bus_probe_device+0x185/0x260
> [   13.372565][    T1]  device_add+0x7b6/0xb50
> [   13.372565][    T1]  usb_set_configuration+0x1ab9/0x2120
> [   13.372565][    T1]  usb_generic_driver_probe+0x8d/0x150
> [   13.372565][    T1]  usb_probe_device+0x1c1/0x390
> [   13.372565][    T1]  ? __pfx_usb_probe_device+0x10/0x10
> [   13.372565][    T1]  really_probe+0x26a/0x9a0
> [   13.372565][    T1]  __driver_probe_device+0x18c/0x2f0
> [   13.372565][    T1]  driver_probe_device+0x4f/0x430
> [   13.372565][    T1]  __device_attach_driver+0x2ce/0x530
> [   13.372565][    T1]  bus_for_each_drv+0x251/0x2e0
> [   13.372565][    T1]  ? __pfx___device_attach_driver+0x10/0x10
> [   13.372565][    T1]  ? __pfx_bus_for_each_drv+0x10/0x10
> [   13.372565][    T1]  __device_attach+0x2b8/0x400
> [   13.372565][    T1]  ? __pfx___device_attach+0x10/0x10
> [   13.372565][    T1]  ? do_raw_spin_unlock+0x122/0x240
> [   13.372565][    T1]  bus_probe_device+0x185/0x260
> [   13.372565][    T1]  device_add+0x7b6/0xb50
> [   13.372565][    T1]  usb_new_device+0x9fd/0x1610
> [   13.372565][    T1]  ? __pfx_usb_new_device+0x10/0x10
> [   13.372565][    T1]  ? register_root_hub+0x153/0x590
> [   13.372565][    T1]  ? kfree+0x18e/0x440
> [   13.372565][    T1]  register_root_hub+0x275/0x590
> [   13.372565][    T1]  ? usb_add_hcd+0xb90/0x1050
> [   13.372565][    T1]  usb_add_hcd+0xba1/0x1050
> [   13.372565][    T1]  dummy_hcd_probe+0x134/0x270
> [   13.372565][    T1]  platform_probe+0x148/0x1d0
> [   13.372565][    T1]  ? __pfx_platform_probe+0x10/0x10
> [   13.372565][    T1]  really_probe+0x26a/0x9a0
> [   13.372565][    T1]  __driver_probe_device+0x18c/0x2f0
> [   13.372565][    T1]  driver_probe_device+0x4f/0x430
> [   13.372565][    T1]  __device_attach_driver+0x2ce/0x530
> [   13.372565][    T1]  bus_for_each_drv+0x251/0x2e0
> [   13.372565][    T1]  ? __pfx___device_attach_driver+0x10/0x10
> [   13.372565][    T1]  ? __pfx_bus_for_each_drv+0x10/0x10
> [   13.372565][    T1]  __device_attach+0x2b8/0x400
> [   13.372565][    T1]  ? __pfx___device_attach+0x10/0x10
> [   13.372565][    T1]  ? do_raw_spin_unlock+0x122/0x240
> [   13.372565][    T1]  bus_probe_device+0x185/0x260
> [   13.372565][    T1]  device_add+0x7b6/0xb50
> [   13.372565][    T1]  platform_device_add+0x4b4/0x820
> [   13.372565][    T1]  ? deferred_probe_extend_timeout+0x79/0xb0
> [   13.372565][    T1]  dummy_hcd_init+0x293/0x1070
> [   13.372565][    T1]  ? __pfx_dummy_hcd_init+0x10/0x10
> [   13.372565][    T1]  ? __pfx_add_device_randomness+0x10/0x10
> [   13.372565][    T1]  ? configfs_register_subsystem+0x4ca/0x520
> [   13.372565][    T1]  ? __pfx_dummy_hcd_init+0x10/0x10
> [   13.372565][    T1]  do_one_initcall+0x233/0x820
> [   13.372565][    T1]  ? __pfx_dummy_hcd_init+0x10/0x10
> [   13.372565][    T1]  ? __pfx_do_one_initcall+0x10/0x10
> [   13.372565][    T1]  ? rcu_is_watching+0x15/0xb0
> [   13.372565][    T1]  ? trace_irq_disable+0x37/0x110
> [   13.372565][    T1]  ? preempt_schedule_irq+0xde/0x150
> [   13.372565][    T1]  ? __pfx_preempt_schedule_irq+0x10/0x10
> [   13.372565][    T1]  ? irqentry_exit+0x74/0x90
> [   13.372565][    T1]  ? lockdep_hardirqs_on+0x9c/0x150
> [   13.372565][    T1]  ? irqentry_exit+0x74/0x90
> [   13.372565][    T1]  ? lockdep_hardirqs_on+0x9c/0x150
> [   13.372565][    T1]  ? next_arg+0x498/0x5e0
> [   13.372565][    T1]  ? parameq+0x14d/0x170
> [   13.372565][    T1]  ? parse_args+0x993/0xa70
> [   13.372565][    T1]  ? __pfx_parse_args+0x10/0x10
> [   13.372565][    T1]  ? rcu_is_watching+0x15/0xb0
> [   13.372565][    T1]  do_initcall_level+0x137/0x1f0
> [   13.372565][    T1]  do_initcalls+0x69/0xd0
> [   13.372565][    T1]  kernel_init_freeable+0x3d9/0x570
> [   13.372565][    T1]  ? __pfx_kernel_init_freeable+0x10/0x10
> [   13.372565][    T1]  ? _raw_spin_unlock_irq+0x23/0x50
> [   13.372565][    T1]  ? __pfx_kernel_init+0x10/0x10
> [   13.372565][    T1]  kernel_init+0x1d/0x1d0
> [   13.372565][    T1]  ? __pfx_kernel_init+0x10/0x10
> [   13.372565][    T1]  ret_from_fork+0x3fc/0x770
> [   13.372565][    T1]  ? __pfx_ret_from_fork+0x10/0x10
> [   13.372565][    T1]  ? __switch_to_asm+0x39/0x70
> [   13.372565][    T1]  ? __switch_to_asm+0x33/0x70
> [   13.372565][    T1]  ? __pfx_kernel_init+0x10/0x10
> [   13.372565][    T1]  ret_from_fork_asm+0x1a/0x30
> [   13.372565][    T1]  </TASK>
> [   13.372565][    T1] Modules linked in:
> [   13.372565][    C1] vkms_vblank_simulate: vblank timer overrun
> [   13.995865][    T1] ---[ end trace 0000000000000000 ]---
> [   14.001889][    T1] RIP: 0010:__create_pipe+0xa2/0xb0
> [   14.007135][    T1] Code: 80 e1 07 80 c1 03 38 c1 7c a5 4c 89 f7 e8 56 8f 0a fb eb 9b e8 5f 33 a9 fa 90 0f 0b e8 57 33 a9 fa 90 0f 0b e8 4f 33 a9 fa 90 <0f> 0b 66 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90
> [   14.026940][    T1] RSP: 0000:ffffc90000066680 EFLAGS: 00010293
> [   14.033310][    T1] RAX: ffffffff8716c411 RBX: 0000000000000081 RCX: ffff88801caf8000
> [   14.041768][    T1] RDX: 0000000000000000 RSI: 0000000000000081 RDI: 000000000000000f
> [   14.049904][    T1] RBP: 0000000000000001 R08: ffffc900000665c7 R09: 1ffff9200000ccb8
> [   14.058174][    T1] R10: dffffc0000000000 R11: fffff5200000ccb9 R12: 00000000000001f4
> [   14.066824][    T1] R13: 1ffff11004fd0c37 R14: ffff888027e82000 R15: ffff888027e861b8
> [   14.074933][    T1] FS:  0000000000000000(0000) GS:ffff8881260a1000(0000) knlGS:0000000000000000
> [   14.084097][    T1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   14.090767][    T1] CR2: ffff88823ffff000 CR3: 000000000dd38000 CR4: 00000000003526f0
> [   14.098809][    T1] Kernel panic - not syncing: Fatal exception
> [   14.100723][    T1] Kernel Offset: disabled
> [   14.100723][    T1] Rebooting in 86400 seconds..
> 
> 
> syzkaller build log:
> go env (err=<nil>)
> AR='ar'
> CC='gcc'
> CGO_CFLAGS='-O2 -g'
> CGO_CPPFLAGS=''
> CGO_CXXFLAGS='-O2 -g'
> CGO_ENABLED='1'
> CGO_FFLAGS='-O2 -g'
> CGO_LDFLAGS='-O2 -g'
> CXX='g++'
> GCCGO='gccgo'
> GO111MODULE='auto'
> GOAMD64='v1'
> GOARCH='amd64'
> GOAUTH='netrc'
> GOBIN=''
> GOCACHE='/syzkaller/.cache/go-build'
> GOCACHEPROG=''
> GODEBUG=''
> GOENV='/syzkaller/.config/go/env'
> GOEXE=''
> GOEXPERIMENT=''
> GOFIPS140='off'
> GOFLAGS=''
> GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build4116787073=/tmp/go-build -gno-record-gcc-switches'
> GOHOSTARCH='amd64'
> GOHOSTOS='linux'
> GOINSECURE=''
> GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
> GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
> GONOPROXY=''
> GONOSUMDB=''
> GOOS='linux'
> GOPATH='/syzkaller/jobs-2/linux/gopath'
> GOPRIVATE=''
> GOPROXY='https://proxy.golang.org,direct'
> GOROOT='/usr/local/go'
> GOSUMDB='sum.golang.org'
> GOTELEMETRY='local'
> GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
> GOTMPDIR=''
> GOTOOLCHAIN='auto'
> GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
> GOVCS=''
> GOVERSION='go1.24.4'
> GOWORK=''
> PKG_CONFIG='pkg-config'
> 
> git status (err=<nil>)
> HEAD detached at 6a8fcbc4a6
> nothing to commit, working tree clean
> 
> 
> tput: No value for $TERM and no -T specified
> tput: No value for $TERM and no -T specified
> Makefile:31: run command via tools/syz-env for best compatibility, see:
> Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
> go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
> make .descriptions
> tput: No value for $TERM and no -T specified
> tput: No value for $TERM and no -T specified
> Makefile:31: run command via tools/syz-env for best compatibility, see:
> Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
> bin/syz-sysgen
> touch .descriptions
> GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=6a8fcbc4a6172c831c89c507007f59fba13408aa -X 'github.com/google/syzkaller/prog.gitRevisionDate=20250226-150939'" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
> mkdir -p ./bin/linux_amd64
> g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
> 	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include   -DGOOS_linux=1 -DGOARCH_amd64=1 \
> 	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"6a8fcbc4a6172c831c89c507007f59fba13408aa\"
> /usr/bin/ld: /tmp/ccrMQnbM.o: in function `Connection::Connect(char const*, char const*)':
> executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
> 
> 
> Error text is too large and was truncated, full error text is at:
> https://syzkaller.appspot.com/x/error.txt?x=148c1a8c580000
> 
> 
> Tested on:
> 
> commit:         73392339 Merge tag 'pwm/for-6.16-rc6-fixes' of git://g..
> git tree:       upstream
> kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
> dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
> compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=13f27f70580000
> 



* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2025-07-09  4:39 ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-09 14:03   ` [syzbot] [kernel?] " syzbot
@ 2025-07-09 14:15   ` Tetsuo Handa
  2025-07-09 14:44     ` [syzbot] [kernel?] " syzbot
  2025-07-11 11:09     ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-09 14:15 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..10124a26ffde 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1765,7 +1765,7 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		break;
 
 	default:
-		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
+		dev_warn_ratelimited(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
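Review bot: the wrapped argument line `__func__, urb->status);` should be re-indented now that the call is `dev_warn_ratelimited(`, since kernel style aligns continuation lines with the opening parenthesis and the longer name leaves it several columns short. Beyond that, the hunk only throttles the message: the `break` in the `default:` arm is unchanged, so an unexpected `urb->status` is still ignored and nothing about how the callback handles it is altered.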
@@ -1806,7 +1806,7 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		break;
 
 	default:
-		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
+		dev_warn_ratelimited(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
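Review bot: same alignment point as in the intf0 hunk, `__func__, urb->status);` no longer lines up with the opening parenthesis of `dev_warn_ratelimited(`. Note also that each `dev_warn_ratelimited()` expansion carries its own ratelimit state, so the two callbacks, which print the same text distinguished only by `__func__`, are throttled independently; the combined log rate is twice the per-site limit, which is worth knowing if the intent is purely to stop a log flood.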



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 14:13     ` Tetsuo Handa
@ 2025-07-09 14:27       ` Alan Stern
  2025-07-09 14:44         ` Tetsuo Handa
  0 siblings, 1 reply; 45+ messages in thread
From: Alan Stern @ 2025-07-09 14:27 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

On Wed, Jul 09, 2025 at 11:13:29PM +0900, Tetsuo Handa wrote:
> Hello.
> 
> I tried below change (in case somebody is by error passing
> out-of-range values) and hit this BUG_ON().
> 
> Did I use wrong boundary condition?
> Are there exceptions where out-of-range values make sense?
> 
> diff --git a/include/linux/usb.h b/include/linux/usb.h
> index 92c752f5446f..baf536c56c21 100644
> --- a/include/linux/usb.h
> +++ b/include/linux/usb.h
> @@ -1985,6 +1985,9 @@ void usb_sg_wait(struct usb_sg_request *io);
>  static inline unsigned int __create_pipe(struct usb_device *dev,
>  		unsigned int endpoint)
>  {
> +	BUG_ON(dev->devnum < 0);
> +	BUG_ON(dev->devnum > 0x7F);
> +	BUG_ON(endpoint > 0xF);
>  	return (dev->devnum << 8) | (endpoint << 15);
>  }
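Review bot: the third check, `BUG_ON(endpoint > 0xF);`, is the one being hit: counting from the hunk's `+1985` start it lands on usb.h:1990, which matches `kernel BUG at ./include/linux/usb.h:1990!` in the test result quoted earlier in this thread, reached from hub_probe with RSI=0x81. Callers routinely hand `__create_pipe()` a full bEndpointAddress, so the direction bit (0x80) is set and the value exceeds 0xF even though the pipe only keeps `endpoint & 0xf` in bits 15-18 and the direction bit lands in an unused bit. If the check is meant to catch garbage rather than the direction bit, mask first, e.g. `BUG_ON(endpoint & ~(USB_DIR_IN | USB_ENDPOINT_NUMBER_MASK));`. The two `devnum` checks are reasonable as written since `devnum` is an `int`.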

Which of these three BUG_ON's did you hit, and where did you hit it?

Alan Stern

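The boundary-condition question in the exchange above, as an added example that is not code from the thread or from the kernel tree: a small userspace model of the pipe cookie that `__create_pipe()` builds. The constants mirror `include/linux/usb.h` and `ch9.h`; the `model_*` function names and the sample values are assumptions for illustration. It shows that a full `bEndpointAddress` such as 0x81 trips a strict `endpoint > 0xF` check even though the pipe encoding keeps only the low 4 bits of the endpoint, and what a direction-bit-tolerant check does instead.

```c
/* Added example, not code from the thread or from the kernel tree: a
 * userspace model of the Linux USB "pipe" cookie built by __create_pipe(),
 * used to show why a strict `endpoint > 0xF` check fires on a full
 * bEndpointAddress such as 0x81 and how a masked check behaves instead.
 * Constants mirror include/linux/usb.h and ch9.h; model_* names are ours. */
#include <stdbool.h>
#include <stdio.h>

#define USB_DIR_IN               0x80   /* direction bit in bEndpointAddress */
#define USB_ENDPOINT_NUMBER_MASK 0x0f   /* low 4 bits: endpoint number */
#define PIPE_INTERRUPT           1      /* pipe type field, bits 30-31 */

/* Same arithmetic as the kernel's __create_pipe(): devnum occupies
 * bits 8-14 and the endpoint value is shifted into bits 15-18. A set
 * direction bit (0x80) ends up in bit 22, which no extractor reads. */
static unsigned int model_create_pipe(int devnum, unsigned int endpoint)
{
    return ((unsigned int)devnum << 8) | (endpoint << 15);
}

/* Equivalent of usb_rcvintpipe(): interrupt type plus the IN direction bit. */
static unsigned int model_rcvintpipe(int devnum, unsigned int endpoint)
{
    return ((unsigned int)PIPE_INTERRUPT << 30) |
           model_create_pipe(devnum, endpoint) | USB_DIR_IN;
}

/* Field extractors with the same masks as usb_pipeendpoint()/usb_pipedevice(). */
static unsigned int model_pipe_endpoint(unsigned int pipe)
{
    return (pipe >> 15) & 0xf;
}

static unsigned int model_pipe_device(unsigned int pipe)
{
    return (pipe >> 8) & 0x7f;
}

/* The boundary condition from the thread's test patch: rejects any endpoint
 * value above 0xF, so a bEndpointAddress with USB_DIR_IN set (0x81) fails. */
static bool strict_range_ok(int devnum, unsigned int endpoint)
{
    return devnum >= 0 && devnum <= 0x7F && endpoint <= 0xF;
}

/* Alternative check: tolerate the direction bit and reject only bits that
 * the pipe encoding would silently discard. */
static bool masked_range_ok(int devnum, unsigned int endpoint)
{
    unsigned int allowed = USB_DIR_IN | USB_ENDPOINT_NUMBER_MASK;

    return devnum >= 0 && devnum <= 0x7F && (endpoint & ~allowed) == 0;
}

int main(void)
{
    /* Constructed sample: device address 1, interrupt IN endpoint 1, passed
     * the way a hub driver passes the descriptor's bEndpointAddress (0x81). */
    unsigned int pipe = model_rcvintpipe(1, 0x81);

    printf("pipe=0x%08x device=%u endpoint=%u\n", pipe,
           model_pipe_device(pipe), model_pipe_endpoint(pipe));
    printf("strict check: %s, masked check: %s\n",
           strict_range_ok(1, 0x81) ? "ok" : "BUG_ON fires",
           masked_range_ok(1, 0x81) ? "ok" : "BUG_ON fires");
    printf("garbage 0x1FF: masked check %s\n",
           masked_range_ok(1, 0x1FF) ? "ok" : "BUG_ON fires");
    return 0;
}
```

Build with any C compiler (`cc -o pipe_model pipe_model.c`, filename assumed). For the sample the extractors still recover device 1 and endpoint 1 from the pipe, the strict check reports that the BUG_ON would fire, and the masked check accepts 0x81 while still rejecting a value like 0x1FF that carries bits the encoding would drop.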

* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 14:15   ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-09 14:44     ` syzbot
  2025-07-09 15:01       ` Tetsuo Handa
  2025-07-11 11:09     ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 1 reply; 45+ messages in thread
From: syzbot @ 2025-07-09 14:44 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.0.16:6824 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.16        state:D stack:26072 pid:6824  tgid:6823  ppid:6626   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
 usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e6ed8d169
RSP: 002b:00007f3e6fc82038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f3e6efa5fa0 RCX: 00007f3e6ed8d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007f3e6ee0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f3e6efa5fa0 R15: 00007fff8d808c58
 </TASK>
INFO: task syz.0.16:6824 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3     state:S stack:23144 pid:980   tgid:980   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.2.18:6836 blocked for more than 146 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18        state:D stack:27304 pid:6836  tgid:6835  ppid:6633   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
 usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc6a198d169
RSP: 002b:00007fc6a2819038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fc6a1ba5fa0 RCX: 00007fc6a198d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007fc6a1a0e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fc6a1ba5fa0 R15: 00007ffca85e32a8
 </TASK>
INFO: task syz.2.18:6836 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3     state:S stack:23144 pid:980   tgid:980   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.3.19:6847 blocked for more than 147 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.19        state:D stack:28328 pid:6847  tgid:6846  ppid:6634   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
 do_dentry_open+0xdf3/0x1970 fs/open.c:964
 vfs_open+0x3b/0x340 fs/open.c:1094
 do_open fs/namei.c:3896 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4055
 do_filp_open+0x1fa/0x410 fs/namei.c:4082
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f221d98bad0
RSP: 002b:00007f221e739b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f221d98bad0
RDX: 0000000000000002 RSI: 00007f221e739c10 RDI: 00000000ffffff9c
RBP: 00007f221e739c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f221dba5fa0 R15: 00007fff3a314ce8
 </TASK>
INFO: task syz.3.19:6847 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3     state:S stack:23144 pid:980   tgid:980   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.1.17:6856 blocked for more than 149 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.17        state:D stack:28248 pid:6856  tgid:6854  ppid:6632   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
 do_dentry_open+0xdf3/0x1970 fs/open.c:964
 vfs_open+0x3b/0x340 fs/open.c:1094
 do_open fs/namei.c:3896 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4055
 do_filp_open+0x1fa/0x410 fs/namei.c:4082
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6bae78bad0
RSP: 002b:00007f6baf6d2b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f6bae78bad0
RDX: 0000000000000002 RSI: 00007f6baf6d2c10 RDI: 00000000ffffff9c
RBP: 00007f6baf6d2c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f6bae9a5fa0 R15: 00007ffcc18baff8
 </TASK>
INFO: task syz.1.17:6856 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3     state:S stack:23144 pid:980   tgid:980   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.4.20:6865 blocked for more than 151 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00038-g733923397fd9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.20        state:D stack:28328 pid:6865  tgid:6864  ppid:6635   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
 do_dentry_open+0xdf3/0x1970 fs/open.c:964
 vfs_open+0x3b/0x340 fs/open.c:1094
 do_open fs/namei.c:3896 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4055
 do_filp_open+0x1fa/0x410 fs/namei.c:4082
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdc69d8bad0
RSP: 002b:00007fdc6ab85b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fdc69d8bad0
RDX: 0000000000000002 RSI: 00007fdc6ab85c10 RDI: 00000000ffffff9c
RBP: 00007fdc6ab85c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fdc69fa5fa0 R15: 00007fffcbd9c4f8
 </TASK>
INFO: task syz.4.20:6865 is blocked on a mutex likely owned by task kworker/1:3:980.
task:kworker/1:3     state:S stack:23144 pid:980   tgid:980   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:1988 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2277 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2434
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Showing all locks held in the system:
2 locks held by kworker/u8:1/13:
6 locks held by kworker/1:0/24:


Tested on:

commit:         73392339 Merge tag 'pwm/for-6.16-rc6-fixes' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17f6b582580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=141c1a8c580000


^ permalink raw reply	[flat|nested] 45+ messages in thread

* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 14:27       ` Alan Stern
@ 2025-07-09 14:44         ` Tetsuo Handa
  2025-07-09 15:19           ` Alan Stern
  0 siblings, 1 reply; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-09 14:44 UTC (permalink / raw)
  To: Alan Stern
  Cc: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

On 2025/07/09 23:27, Alan Stern wrote:
> Which of these three BUG_ON's did you hit, and where did you hit it?

kernel BUG at ./include/linux/usb.h:1990!

matches the BUG_ON(endpoint > 0xF) line. The location is shown below.

Call Trace:
 <TASK>
 hub_configure drivers/usb/core/hub.c:1717 [inline]
 hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005
 usb_probe_interface+0x644/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1ab9/0x2120 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0x9fd/0x1610 drivers/usb/core/hub.c:2694
 register_root_hub+0x275/0x590 drivers/usb/core/hcd.c:994
 usb_add_hcd+0xba1/0x1050 drivers/usb/core/hcd.c:2976
 dummy_hcd_probe+0x134/0x270 drivers/usb/gadget/udc/dummy_hcd.c:2694
 platform_probe+0x148/0x1d0 drivers/base/platform.c:1404
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 platform_device_add+0x4b4/0x820 drivers/base/platform.c:716
 dummy_hcd_init+0x293/0x1070 drivers/usb/gadget/udc/dummy_hcd.c:2845
 do_one_initcall+0x233/0x820 init/main.c:1274
 do_initcall_level+0x137/0x1f0 init/main.c:1336
 do_initcalls+0x69/0xd0 init/main.c:1352
 kernel_init_freeable+0x3d9/0x570 init/main.c:1584
 kernel_init+0x1d/0x1d0 init/main.c:1474
 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 14:44     ` [syzbot] [kernel?] " syzbot
@ 2025-07-09 15:01       ` Tetsuo Handa
  0 siblings, 0 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-09 15:01 UTC (permalink / raw)
  To: syzbot, linux-kernel, syzkaller-bugs

Hmm, mitigating stalls caused by printk() flooding is not sufficient.

Anyway, this hung task problem was addressed by

#syz fix: Revert "drivers: core: synchronize really_probe() and dev_uevent()"

but would we again see https://syzkaller.appspot.com/bug?extid=ffa8143439596313a85a
in the near future?



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 14:44         ` Tetsuo Handa
@ 2025-07-09 15:19           ` Alan Stern
  2025-07-09 15:33             ` Tetsuo Handa
  0 siblings, 1 reply; 45+ messages in thread
From: Alan Stern @ 2025-07-09 15:19 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

On Wed, Jul 09, 2025 at 11:44:46PM +0900, Tetsuo Handa wrote:
> On 2025/07/09 23:27, Alan Stern wrote:
> > Which of these three BUG_ON's did you hit, and where did you hit it?
> 
> kernel BUG at ./include/linux/usb.h:1990!
> 
> matches the BUG_ON(endpoint > 0xF) line. The location is shown below.
> 
> Call Trace:
>  <TASK>
>  hub_configure drivers/usb/core/hub.c:1717 [inline]
>  hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005

Those line numbers are completely different from the code I have.  For 
example, line 2005 in hub.c is part of the hub_ioctl() function, not 
hub_probe().

Exactly what version of the kernel source are you using for your test?

Alan Stern


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 15:19           ` Alan Stern
@ 2025-07-09 15:33             ` Tetsuo Handa
  2025-07-09 15:41               ` Alan Stern
  0 siblings, 1 reply; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-09 15:33 UTC (permalink / raw)
  To: Alan Stern
  Cc: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

On 2025/07/10 0:19, Alan Stern wrote:
> On Wed, Jul 09, 2025 at 11:44:46PM +0900, Tetsuo Handa wrote:
>> On 2025/07/09 23:27, Alan Stern wrote:
>>> Which of these three BUG_ON's did you hit, and where did you hit it?
>>
>> kernel BUG at ./include/linux/usb.h:1990!
>>
>> matches the BUG_ON(endpoint > 0xF) line. The location is shown below.
>>
>> Call Trace:
>>  <TASK>
>>  hub_configure drivers/usb/core/hub.c:1717 [inline]
>>  hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005
> 
> Those line numbers are completely different from the code I have.  For 
> example, line 2005 in hub.c is part of the hub_ioctl() function, not 
> hub_probe().
> 
> Exactly what version of the kernel source are you using for your test?

It is the current linux.git tree.

  https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L1717
  https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L2005

commit:         73392339 Merge tag 'pwm/for-6.16-rc6-fixes' of git://g..
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=13f27f70580000



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 15:33             ` Tetsuo Handa
@ 2025-07-09 15:41               ` Alan Stern
  2025-07-10 10:17                 ` Tetsuo Handa
  0 siblings, 1 reply; 45+ messages in thread
From: Alan Stern @ 2025-07-09 15:41 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

On Thu, Jul 10, 2025 at 12:33:00AM +0900, Tetsuo Handa wrote:
> On 2025/07/10 0:19, Alan Stern wrote:
> > On Wed, Jul 09, 2025 at 11:44:46PM +0900, Tetsuo Handa wrote:
> >> On 2025/07/09 23:27, Alan Stern wrote:
> >>> Which of these three BUG_ON's did you hit, and where did you hit it?
> >>
> >> kernel BUG at ./include/linux/usb.h:1990!
> >>
> >> matches the BUG_ON(endpoint > 0xF) line. The location is shown below.
> >>
> >> Call Trace:
> >>  <TASK>
> >>  hub_configure drivers/usb/core/hub.c:1717 [inline]
> >>  hub_probe+0x2300/0x3840 drivers/usb/core/hub.c:2005
> > 
> > Those line numbers are completely different from the code I have.  For 
> > example, line 2005 in hub.c is part of the hub_ioctl() function, not 
> > hub_probe().
> > 
> > Exactly what version of the kernel source are you using for your test?
> 
> It is the current linux.git tree.
> 
>   https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L1717
>   https://elixir.bootlin.com/linux/v6.16-rc5/source/drivers/usb/core/hub.c#L2005

Okay, I see what your problem is.

The bEndpointAddress field of the endpoint descriptor is not just the 
endpoint's number.  It also includes the endpoint's direction in bit 7 
(0 for OUT, 1 for IN).

__create_pipe() doesn't bother to mask out the direction bit because bit 
22 of the pipe value (where the direction bit ends up after it has been  
shifted left by 15) isn't used for anything.

Alan Stern


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-09 15:41               ` Alan Stern
@ 2025-07-10 10:17                 ` Tetsuo Handa
  2025-07-10 14:13                   ` Alan Stern
  0 siblings, 1 reply; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-10 10:17 UTC (permalink / raw)
  To: Alan Stern
  Cc: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

On 2025/07/10 0:41, Alan Stern wrote:
> Okay, I see what your problem is.
> 
> The bEndpointAddress field of the endpoint descriptor is not just the 
> endpoint's number.  It also includes the endpoint's direction in bit 7 
> (0 for OUT, 1 for IN).

I see, but I couldn't figure out whether BUG_ON(endpoint > 0xF) is bad.

I came up with these BUG_ON() lines to try, in case some of the hung task
reports (e.g. https://lkml.kernel.org/r/686e8032.050a0220.385921.0006.GAE@google.com )
are caused by the use of unintended pipes created by out-of-range values being
passed to __create_pipe().

Should I give up the BUG_ON(endpoint > 0xF) line?
Or should I try to update the callers which trigger the BUG_ON(endpoint > 0xF) line?



* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2024-11-10  0:59 ` syzbot
@ 2025-07-10 11:05   ` Hillf Danton
  2025-07-10 11:59     ` [syzbot] [kernel?] " syzbot
  2025-07-10 12:59   ` [syzbot] [usb?] " Hillf Danton
  1 sibling, 1 reply; 45+ messages in thread
From: Hillf Danton @ 2025-07-10 11:05 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

> Date: Sat, 09 Nov 2024 16:59:25 -0800	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=132b5e30580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
> dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=144614e8580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=172b5e30580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git  usb-testing

--- x/drivers/media/rc/imon.c
+++ y/drivers/media/rc/imon.c
@@ -1765,6 +1765,7 @@ static void usb_rx_callback_intf0(struct
 		break;
 
 	default:
+		return;
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
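Review bot: the inserted "return;" sits before the dev_warn() in the default: arm, so that warning and the "break;" after it can never execute, and everything after the switch is skipped for every unexpected status. If the intent is to stop handling unknown statuses silently, delete the two dead lines; if the warning is still wanted, put the return after it. A one-line comment saying why an unexpected status must leave the callback early would also help the next reader, since this is the behavioural change the test is meant to probe.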
@@ -1806,6 +1807,7 @@ static void usb_rx_callback_intf1(struct
 		break;
 
 	default:
+		return;
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
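Review bot: same dead-code problem as in usb_rx_callback_intf0(): "return;" precedes dev_warn() and "break;", which become unreachable. The two callbacks now carry an identical default: arm, so whichever final form is chosen should be applied to both, ideally through a shared helper rather than two copies.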
--


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-10 11:05   ` Hillf Danton
@ 2025-07-10 11:59     ` syzbot
  0 siblings, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-10 11:59 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.1.17:6837 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc4-syzkaller-00314-gb4b4dbfa96de-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.17        state:D stack:24088 pid:6837  tgid:6836  ppid:6635   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5396 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6785
 __schedule_loop kernel/sched/core.c:6863 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6878
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6935
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
 usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fddcf58d169
RSP: 002b:00007fddd03af038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fddcf7a5fa0 RCX: 00007fddcf58d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007fddcf60e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fddcf7a5fa0 R15: 00007fff1a55f668
 </TASK>
INFO: task syz.1.17:6837 is blocked on a mutex likely owned by task kworker/1:4:5945.
task:kworker/1:4     state:S stack:22472 pid:5945  tgid:5945  ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5396 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6785
 __schedule_loop kernel/sched/core.c:6863 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6878
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3d7/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:1990 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2279 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2436
 usb_probe_interface+0x644/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26d/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537


Tested on:

commit:         b4b4dbfa media: stk1160: use usb_alloc_noncoherent/usb..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=170c9bd4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b49da22b2184ad70
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=152f5a8c580000



* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2024-11-10  0:59 ` syzbot
  2025-07-10 11:05   ` Hillf Danton
@ 2025-07-10 12:59   ` Hillf Danton
  2025-07-10 13:25     ` [syzbot] [kernel?] " syzbot
  1 sibling, 1 reply; 45+ messages in thread
From: Hillf Danton @ 2025-07-10 12:59 UTC (permalink / raw)
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

> Date: Sat, 09 Nov 2024 16:59:25 -0800	[thread overview]
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    226ff2e681d0 usb: typec: ucsi: Convert connector specific ..
> git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
> console output: https://syzkaller.appspot.com/x/log.txt?x=132b5e30580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=358c1689354aeef3
> dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=144614e8580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=172b5e30580000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git  usb-testing

--- x/drivers/media/rc/imon.c
+++ y/drivers/media/rc/imon.c
@@ -646,15 +646,15 @@ static int send_packet(struct imon_conte
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
 		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		long rc = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 60*HZ);
+		if (rc <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
-		}
+			retval = rc ? -EINTR : -ETIMEDOUT;
+		} else
+			retval = ictx->tx.status;
 
 		ictx->tx.busy = false;
-		retval = ictx->tx.status;
 		if (retval)
 			pr_err_ratelimited("packet tx failed (%d)\n", retval);
 	}
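Review bot: wait_for_completion_interruptible_timeout() returns -ERESTARTSYS on a signal, 0 on timeout and the remaining jiffies otherwise, so "rc <= 0" does cover both failure paths, but the unchanged pr_err_ratelimited("task interrupted\n") is now also printed on a timeout; the two cases should log differently, since a 60-second timeout while probe holds the device lock is exactly what this report is about and should be recognisable in the log. Two style points for the same lines: the braced "if (rc <= 0) {" paired with an unbraced "} else" violates kernel coding style, and "60*HZ" should be a named constant with a comment saying why 60 s was chosen. Finally, the timeout only bounds how long imon_probe() blocks the hub worker (and everyone waiting on device_lock()); it does not explain why ictx->tx.finished is never completed, which remains the underlying question.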
@@ -1765,6 +1765,7 @@ static void usb_rx_callback_intf0(struct
 		break;
 
 	default:
+		return;
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
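Review bot: as in the earlier test patch, "return;" is placed before dev_warn() and "break;" in the default: arm, leaving both unreachable; delete the dead lines or move the return after the warning, and state in a comment why an unknown status must not continue past the switch.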
@@ -1806,6 +1807,7 @@ static void usb_rx_callback_intf1(struct
 		break;
 
 	default:
+		return;
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
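Review bot: identical dead-code issue in usb_rx_callback_intf1(); the default: arm should end up in the same final form as in usb_rx_callback_intf0(), preferably via one helper so the two callbacks cannot drift apart.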
--


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-10 12:59   ` [syzbot] [usb?] " Hillf Danton
@ 2025-07-10 13:25     ` syzbot
  0 siblings, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-10 13:25 UTC (permalink / raw)
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com
Tested-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com

Tested on:

commit:         b4b4dbfa media: stk1160: use usb_alloc_noncoherent/usb..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=14529bd4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=b49da22b2184ad70
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=123540f0580000

Note: testing is done by a robot and is best-effort only.


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-10 10:17                 ` Tetsuo Handa
@ 2025-07-10 14:13                   ` Alan Stern
  0 siblings, 0 replies; 45+ messages in thread
From: Alan Stern @ 2025-07-10 14:13 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: syzbot, linux-kernel, syzkaller-bugs, USB list,
	Greg Kroah-Hartman

On Thu, Jul 10, 2025 at 07:17:19PM +0900, Tetsuo Handa wrote:
> On 2025/07/10 0:41, Alan Stern wrote:
> > Okay, I see what your problem is.
> > 
> > The bEndpointAddress field of the endpoint descriptor is not just the 
> > endpoint's number.  It also includes the endpoint's direction in bit 7 
> > (0 for OUT, 1 for IN).
> 
> I see, but I couldn't figure out whether BUG_ON(endpoint > 0xF) is bad.
> 
> I came up with these BUG_ON() lines to try, in case some of the hung task
> reports (e.g. https://lkml.kernel.org/r/686e8032.050a0220.385921.0006.GAE@google.com )
> are caused by the use of unintended pipes created by out-of-range values being
> passed to __create_pipe().

I think this is unlikely to be the cause of those BUG_ON()s, but go 
ahead and see what happens.

> Should I give up the BUG_ON(endpoint > 0xF) line?
> Or should I try to update the callers which trigger the BUG_ON(endpoint > 0xF) line?

You can change the test to BUG_ON(endpoint & ~0x8F).  That will mask 
away the endpoint number and direction bit, leaving everything else 
alone.

Alan Stern

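Alan's two explanations above, the direction bit of bEndpointAddress landing in bit 22 of the pipe value and the BUG_ON(endpoint & ~0x8F) mask, as an added worked example that is not part of this thread and not code from the kernel tree. The model_* functions are a user-space reimplementation written for this illustration: they reproduce the __create_pipe() arithmetic Alan describes (device number at bit 8, endpoint value at bit 15, no masking of bit 7) and the four-bit read-back of usb_pipeendpoint(), and run it over constructed sample endpoint addresses so the difference between the two checks can be seen.

```c
/*
 * Added example (not from this thread or from the kernel tree): a
 * user-space model of the pipe encoding discussed above. The model_*
 * names are hypothetical; the arithmetic mirrors __create_pipe() in
 * include/linux/usb.h, which places the device number at bit 8 and the
 * endpoint value at bit 15 without masking bit 7 (the direction bit).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define USB_DIR_IN               0x80U /* bit 7 of bEndpointAddress: 1 = IN, 0 = OUT */
#define USB_ENDPOINT_NUMBER_MASK 0x0FU /* bits 0-3: endpoint number 0..15 */

/* Same shifts as __create_pipe(): (dev->devnum << 8) | (endpoint << 15). */
static unsigned int model_create_pipe(unsigned int devnum, unsigned int endpoint)
{
	return (devnum << 8) | (endpoint << 15);
}

/* Mirrors usb_pipeendpoint(): only four bits are read back, so a direction
 * bit that was shifted up to bit 22 is never seen by pipe consumers. */
static unsigned int model_pipeendpoint(unsigned int pipe)
{
	return (pipe >> 15) & USB_ENDPOINT_NUMBER_MASK;
}

/* Mirrors usb_pipedevice(): seven-bit device address at bit 8. */
static unsigned int model_pipedevice(unsigned int pipe)
{
	return (pipe >> 8) & 0x7F;
}

/* True when bit 22 is set, i.e. the caller passed an IN address (bit 7 set). */
static bool model_pipe_has_stray_dir_bit(unsigned int pipe)
{
	return (pipe >> 22) & 1U;
}

/* The check tried in the thread: fires for every IN endpoint, e.g. 0x81. */
static bool strict_check_fires(unsigned int endpoint)
{
	return endpoint > 0xF;
}

/* The check suggested instead: keep the number (bits 0-3) and the direction
 * (bit 7); fire only if reserved bits 4-6 or anything above bit 7 is set. */
static bool masked_check_fires(unsigned int endpoint)
{
	return (endpoint & ~0x8FU) != 0;
}

int main(void)
{
	/* Constructed sample bEndpointAddress values: OUT ep 1, IN ep 1,
	 * and a malformed address with reserved bits 4-5 set. */
	const unsigned int samples[] = { 0x01, 0x01 | USB_DIR_IN, 0x31 };
	const unsigned int devnum = 5; /* constructed device number */
	size_t i;

	printf("%-8s %-10s %-3s %-4s %-6s %s\n",
	       "addr", "pipe", "ep", "dev", "bit22", "strict/masked");
	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int ep = samples[i];
		unsigned int pipe = model_create_pipe(devnum, ep);

		printf("%#-8x %#-10x %-3u %-4u %-6s %s/%s\n",
		       ep, pipe, model_pipeendpoint(pipe), model_pipedevice(pipe),
		       model_pipe_has_stray_dir_bit(pipe) ? "yes" : "no",
		       strict_check_fires(ep) ? "fires" : "ok",
		       masked_check_fires(ep) ? "fires" : "ok");
	}
	return 0;
}
```

For the IN address 0x81 the model yields pipe 0x408500 for device 5: model_pipeendpoint() still reads back 1 and model_pipedevice() reads back 5, while the direction bit ends up in bit 22, which no accessor consults. That is why the strict check rejects a perfectly valid descriptor and the masked check only rejects addresses with bits set outside the number and direction fields, which is the property a descriptor-validation check actually wants.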

* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2025-07-09 14:15   ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-09 14:44     ` [syzbot] [kernel?] " syzbot
@ 2025-07-11 11:09     ` Tetsuo Handa
  2025-07-11 11:44       ` [syzbot] [kernel?] " syzbot
  2025-07-11 11:52       ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-11 11:09 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..423e04328b86 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1764,6 +1764,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
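Review bot: usb_unlink_urb(urb) is called from the URB's own completion handler, where the URB has already completed and is no longer queued, so there is nothing to unlink and the call can be dropped; returning without resubmitting is what actually stops the pipe. Separately, -ECONNRESET is the status a URB receives when the driver itself unlinks it (for example during disconnect), so reporting it through dev_warn() will emit a spurious warning on every normal teardown; it should be handled silently rather than grouped with the device-error statuses -EILSEQ, -EPROTO and -EPIPE. Note also that after a single transient -EPROTO/-EILSEQ the interface is never resubmitted, so input from the device is lost until reprobe; a bounded retry would be more robust than giving up on the first error.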
@@ -1805,6 +1814,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
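Review bot: same points as for usb_rx_callback_intf0(): the usb_unlink_urb() inside the completion handler is a no-op, and -ECONNRESET should not be warned about. Since this new case block is a byte-for-byte copy of the one in the other callback, factor it into a small helper rather than maintaining two copies.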



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-11 11:09     ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-11 11:44       ` syzbot
  2025-07-11 11:52       ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-11 11:44 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.1.21:6983 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.21        state:D stack:26472 pid:6983  tgid:6981  ppid:6661   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
 usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fef2f78d169
RSP: 002b:00007fef3062b038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fef2f9a5fa0 RCX: 00007fef2f78d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007fef2f80e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fef2f9a5fa0 R15: 00007ffeecb80378
 </TASK>
INFO: task syz.1.21:6983 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2     state:S stack:24456 pid:978   tgid:978   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.3.22:6985 blocked for more than 146 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.22        state:D stack:27240 pid:6985  tgid:6984  ppid:6674   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
 usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f773418d169
RSP: 002b:00007f7734f45038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f77343a5fa0 RCX: 00007f773418d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007f773420e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f77343a5fa0 R15: 00007ffe3cb895f8
 </TASK>
INFO: task syz.3.22:6985 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2     state:S stack:24456 pid:978   tgid:978   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.2.18:6991 blocked for more than 149 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18        state:D stack:28328 pid:6991  tgid:6989  ppid:6663   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
 usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff9ef58d169
RSP: 002b:00007ff9f036c038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff9ef7a5fa0 RCX: 00007ff9ef58d169
RDX: 0000000000000000 RSI: 0000000041045508 RDI: 0000000000000003
RBP: 00007ff9ef60e2a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff9ef7a5fa0 R15: 00007ffe967044c8
 </TASK>
INFO: task syz.2.18:6991 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2     state:S stack:24456 pid:978   tgid:978   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.0.23:6996 blocked for more than 151 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.23        state:D stack:28328 pid:6996  tgid:6994  ppid:6662   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
 do_dentry_open+0xdf3/0x1970 fs/open.c:964
 vfs_open+0x3b/0x340 fs/open.c:1094
 do_open fs/namei.c:3896 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4055
 do_filp_open+0x1fa/0x410 fs/namei.c:4082
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe51f78bad0
RSP: 002b:00007fe52063cb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fe51f78bad0
RDX: 0000000000000002 RSI: 00007fe52063cc10 RDI: 00000000ffffff9c
RBP: 00007fe52063cc10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fe51f9a5fa0 R15: 00007ffdc4dade08
 </TASK>
INFO: task syz.0.23:6996 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2     state:S stack:24456 pid:978   tgid:978   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116
 wait_for_common kernel/sched/completion.c:127 [inline]
 wait_for_completion_interruptible+0x1f/0x40 kernel/sched/completion.c:216
 send_packet+0x63b/0xae0 drivers/media/rc/imon.c:649
 imon_init_rdev drivers/media/rc/imon.c:2006 [inline]
 imon_init_intf0 drivers/media/rc/imon.c:2295 [inline]
 imon_probe+0x1f7e/0x3410 drivers/media/rc/imon.c:2452
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_new_device+0xa39/0x16c0 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5866 [inline]
 hub_event+0x2941/0x4a00 drivers/usb/core/hub.c:5948
 process_one_work kernel/workqueue.c:3238 [inline]
 process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321
 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402
 kthread+0x711/0x8a0 kernel/kthread.c:464
 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
INFO: task syz.4.20:7000 blocked for more than 152 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.20        state:D stack:28328 pid:7000  tgid:6999  ppid:6676   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_open+0x16e/0x760 drivers/usb/core/devio.c:1054
 chrdev_open+0x4cc/0x5e0 fs/char_dev.c:414
 do_dentry_open+0xdf3/0x1970 fs/open.c:964
 vfs_open+0x3b/0x340 fs/open.c:1094
 do_open fs/namei.c:3896 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4055
 do_filp_open+0x1fa/0x410 fs/namei.c:4082
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2d0878bad0
RSP: 002b:00007f2d09519b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f2d0878bad0
RDX: 0000000000000002 RSI: 00007f2d09519c10 RDI: 00000000ffffff9c
RBP: 00007f2d09519c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f2d089a5fa0 R15: 00007ffd788db068
 </TASK>
INFO: task syz.4.20:7000 is blocked on a mutex likely owned by task kworker/0:2:978.
task:kworker/0:2     state:S stack:24456 pid:978   tgid:978   ppid:2      task_flags:0x4208060 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_timeout+0x9a/0x270 kernel/time/sleep_timeout.c:75
 do_wait_for_common kernel/sched/completion.c:95 [inline]
 __wait_for_common+0x3da/0x710 kernel/sched/completion.c:116


Tested on:

commit:         bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15b5ba8c580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14f2668c580000


* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2025-07-11 11:09     ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-11 11:44       ` [syzbot] [kernel?] " syzbot
@ 2025-07-11 11:52       ` Tetsuo Handa
  2025-07-11 12:13         ` [syzbot] [kernel?] " syzbot
  2025-07-11 13:34         ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-11 11:52 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..423e04328b86 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -1764,6 +1764,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		//usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
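Review bot: the commented-out `//usb_unlink_urb(urb);` in the new -ECONNRESET/-EILSEQ/-EPROTO/-EPIPE case should not stay in the patch: dead code and C++-style `//` comments are both flagged by checkpatch, so either drop the line or keep the call if it is actually needed. Two smaller points on the same case: a misbehaving device can hit one of these statuses on every completion, so `dev_warn_ratelimited()` is the safer choice over `dev_warn()` here, and the bare `return` (unlike the `break` in the case above it) skips everything after the switch in usb_rx_callback_intf0(); if the intent is that the rx URB is deliberately not resubmitted on these statuses, a one-line comment saying so would make that reviewable.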
@@ -1805,6 +1814,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		//usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
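Review bot: this hunk is a verbatim copy of the one added to usb_rx_callback_intf0() above, so the status handling is now duplicated across both rx callbacks. A small shared helper that takes the urb and returns whether the callback should bail out would keep the two case lists from drifting apart; the `//usb_unlink_urb(urb);` leftover already has to be fixed in two places, which is the kind of divergence this invites.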



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-11 11:52       ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-11 12:13         ` syzbot
  2025-07-11 13:34         ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-11 12:13 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in usbdev_ioctl

INFO: task syz.2.18:6951 blocked for more than 143 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00121-gbc9ff192a6c9-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18        state:D stack:26472 pid:6951  tgid:6949  ppid:6668   task_flags:0x400040 flags:0x00004004
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5401 [inline]
 __schedule+0x16a2/0x4cb0 kernel/sched/core.c:6790
 __schedule_loop kernel/sched/core.c:6868 [inline]
 schedule+0x165/0x360 kernel/sched/core.c:6883
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6940
 __mutex_lock_common kernel/locking/mutex.c:679 [inline]
 __mutex_lock+0x65d/0xc70 kernel/locking/mutex.c:747
 device_lock include/linux/device.h:884 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2611 [inline]
 usbdev_ioctl+0x140/0x20c0 drivers/usb/core/devio.c:2827
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8b3f58d169
RSP: 002b:00007f8b3f3f7038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f8b3f7a5fa0 RCX: 00007f8b3f58d169


Tested on:

commit:         bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10a8dbd4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1166668c580000


* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2025-07-11 11:52       ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-11 12:13         ` [syzbot] [kernel?] " syzbot
@ 2025-07-11 13:34         ` Tetsuo Handa
  2025-07-11 14:09           ` [syzbot] [kernel?] " syzbot
  2025-07-11 15:01           ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-11 13:34 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..e130dc9db1b4 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -645,16 +645,16 @@ static int send_packet(struct imon_context *ictx)
 		smp_rmb(); /* ensure later readers know we're not busy */
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+		if (retval <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
 		}
 
 		ictx->tx.busy = false;
-		retval = ictx->tx.status;
+		if (retval > 0)
+			retval = ictx->tx.status;
 		if (retval)
 			pr_err_ratelimited("packet tx failed (%d)\n", retval);
 	}
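Review bot: the timeout case is reported to the caller as success. `wait_for_completion_interruptible_timeout()` returns 0 on timeout, so `retval <= 0` correctly kills the URB, but the new `if (retval > 0) retval = ictx->tx.status;` leaves retval at 0 in that case, the following `if (retval)` never fires, and send_packet() returns 0 even though the packet was never confirmed sent. Map the timeout explicitly, e.g. `if (retval == 0) retval = -ETIMEDOUT;` before the status check, and reword `pr_err_ratelimited("task interrupted\n")`, which no longer describes what happened when the wait simply expired. Minor: the timeout helper returns long while retval is an int (`int retval = 0;` at the top of send_packet()); 10 * HZ fits, but a long local or a cast would make that explicit.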
@@ -1764,6 +1764,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
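Review bot: `usb_unlink_urb(urb)` is called from inside the URB's own completion handler (usb_rx_callback_intf0()), at which point the URB has already been given back to the driver and is not in flight, so the call has nothing to cancel and can only return an error. The behavioural change in this hunk is the `return` instead of falling through to the end of the function; if the intent is to stop resubmitting the rx URB after these statuses, drop the unlink call and state that intent in a comment, and use `dev_warn_ratelimited()` since a faulty device can take this path on every completion.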
@@ -1805,6 +1814,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-11 13:34         ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-11 14:09           ` syzbot
  2025-07-11 15:01           ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-11 14:09 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com
Tested-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com

Tested on:

commit:         bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=115fa0f0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1650c68c580000

Note: testing is done by a robot and is best-effort only.

* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2025-07-11 13:34         ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-11 14:09           ` [syzbot] [kernel?] " syzbot
@ 2025-07-11 15:01           ` Tetsuo Handa
  2025-07-11 15:46             ` [syzbot] [kernel?] " syzbot
  2025-07-12 14:40             ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-11 15:01 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..ea702e3a83dc 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -645,12 +645,16 @@ static int send_packet(struct imon_context *ictx)
 		smp_rmb(); /* ensure later readers know we're not busy */
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+		if (retval <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
+			dump_stack();
+			if (retval < 0)
+				ictx->tx.status = retval;
+			else
+				ictx->tx.status = -ETIMEDOUT;
 		}
 
 		ictx->tx.busy = false;
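Review bot: `dump_stack()` in the timeout path is a debugging aid that must not land in the final version; it also runs with the device lock held on the probe path shown in the hung-task traces above. The rest of the hunk is the right fix for the silent-success problem of the previous attempt: writing -ETIMEDOUT (or the negative value from the interrupted wait) into `ictx->tx.status` before the unchanged `retval = ictx->tx.status;` that follows turns the timeout into an error the caller actually sees. The `"task interrupted\n"` message still covers both the signal and the timeout case, though; print the actual cause so the log says which one happened.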
@@ -1125,6 +1129,11 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 	unsigned char ir_proto_packet[] = {
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };
 
+	if (mutex_get_owner(&ictx->lock) != (unsigned long) current) {
+		unlock = true;
+		mutex_lock(&ictx->lock);
+	}
+
 	if (*rc_proto && !(*rc_proto & rc->allowed_protocols))
 		dev_warn(dev, "Looks like you're trying to use an IR protocol this device does not support\n");
 
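Review bot: deciding whether to take `ictx->lock` by comparing `mutex_get_owner(&ictx->lock)` with `current` is a fragile way to handle re-entry. mutex_get_owner() was added to back the hung-task detector's "blocked on a mutex likely owned by" report (the lines seen in the traces above), not as a lock-ownership API for drivers, and an ownership-based check hides which call paths arrive with the lock already held. The cleaner structure is to split the function: an inner variant that documents its precondition with `lockdep_assert_held(&ictx->lock)` for the probe-time caller that already holds the lock, and the rc-core `change_protocol` callback that takes the mutex unconditionally and calls it. That also removes the need for the `unlock` flag and the conditional `mutex_lock()` here.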
@@ -1148,8 +1157,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 
 	memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));
 
-	unlock = mutex_trylock(&ictx->lock);
-
 	retval = send_packet(ictx);
 	if (retval)
 		goto out;
@@ -1764,6 +1771,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
@@ -1805,6 +1821,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-11 15:01           ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-11 15:46             ` syzbot
  2025-07-12 14:40             ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-11 15:46 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com
Tested-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com

Tested on:

commit:         bc9ff192 Merge tag 'net-6.16-rc6' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15604d82580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=14e860f0580000

Note: testing is done by a robot and is best-effort only.

* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2025-07-11 15:01           ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-11 15:46             ` [syzbot] [kernel?] " syzbot
@ 2025-07-12 14:40             ` Tetsuo Handa
  2025-07-12 15:18               ` [syzbot] [kernel?] " syzbot
  2025-07-12 15:41               ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-12 14:40 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..f8e3e87cf1a3 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -598,8 +598,11 @@ static int send_packet(struct imon_context *ictx)
 	int retval = 0;
 	struct usb_ctrlrequest *control_req = NULL;
 
+	BUG_ON(mutex_get_owner(&ictx->lock) != (unsigned long) current);
+
 	/* Check if we need to use control or interrupt urb */
 	if (!ictx->tx_control) {
+		printk(KERN_INFO "int %px %d\n", ictx, ictx->tx_endpoint->bEndpointAddress);
 		pipe = usb_sndintpipe(ictx->usbdev_intf0,
 				      ictx->tx_endpoint->bEndpointAddress);
 		interval = ictx->tx_endpoint->bInterval;
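Review bot: `BUG_ON(mutex_get_owner(&ictx->lock) != (unsigned long) current)` crashes the machine to assert a locking invariant; the kernel idiom for this is `lockdep_assert_held(&ictx->lock)`, which reports the violation under lockdep and compiles to nothing otherwise. The `printk(KERN_INFO "int %px %d\n", ...)` line is debug instrumentation, and `%px` prints the unhashed kernel address of `ictx` into the log, bypassing the pointer hashing that `%p` provides. Both are acceptable for a one-off `#syz test` run but none of these lines should appear in the version submitted for merge.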
@@ -623,6 +626,7 @@ static int send_packet(struct imon_context *ictx)
 		control_req->wIndex = cpu_to_le16(0x0001);
 		control_req->wLength = cpu_to_le16(0x0008);
 
+		printk(KERN_INFO "control %px\n", ictx);
 		/* control pipe is endpoint 0x00 */
 		pipe = usb_sndctrlpipe(ictx->usbdev_intf0, 0);
 
@@ -645,12 +649,15 @@ static int send_packet(struct imon_context *ictx)
 		smp_rmb(); /* ensure later readers know we're not busy */
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+		if (retval <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
+			if (retval < 0)
+				ictx->tx.status = retval;
+			else
+				ictx->tx.status = -ETIMEDOUT;
 		}
 
 		ictx->tx.busy = false;
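Review bot: `10 * HZ` is a magic number; give it a named constant with a comment on why 10 seconds was chosen. send_packet() is reached from the probe path (imon_init_intf0() -> imon_init_rdev() -> send_packet() in the traces above) with the device lock held, so this value bounds how long a wedged device can keep the device lock per packet and is exactly what the hung-task reports above were measuring. As in the earlier versions, `pr_err_ratelimited("task interrupted\n")` is also printed for the timeout case; distinguish -ETIMEDOUT from the signal case in the message so the log says which one occurred.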
@@ -1125,6 +1132,11 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 	unsigned char ir_proto_packet[] = {
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };
 
+	if (mutex_get_owner(&ictx->lock) != (unsigned long) current) {
+		unlock = true;
+		mutex_lock(&ictx->lock);
+	}
+
 	if (*rc_proto && !(*rc_proto & rc->allowed_protocols))
 		dev_warn(dev, "Looks like you're trying to use an IR protocol this device does not support\n");
 
@@ -1148,8 +1160,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 
 	memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));
 
-	unlock = mutex_trylock(&ictx->lock);
-
 	retval = send_packet(ictx);
 	if (retval)
 		goto out;
@@ -1744,14 +1754,17 @@ static void usb_rx_callback_intf0(struct urb *urb)
 	ictx = (struct imon_context *)urb->context;
 	if (!ictx)
 		return;
+	printk(KERN_INFO "%s %px\n", __func__, ictx);
 
 	/*
 	 * if we get a callback before we're done configuring the hardware, we
 	 * can't yet process the data, as there's nowhere to send it, but we
 	 * still need to submit a new rx URB to avoid wedging the hardware
 	 */
-	if (!ictx->dev_present_intf0)
+	if (!ictx->dev_present_intf0) {
+		printk(KERN_INFO "%s %px %d\n", __func__, ictx, urb->status);
 		goto out;
+	}
 
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
@@ -1764,6 +1777,15 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
@@ -1785,14 +1807,17 @@ static void usb_rx_callback_intf1(struct urb *urb)
 	ictx = (struct imon_context *)urb->context;
 	if (!ictx)
 		return;
+	printk(KERN_INFO "%s %px\n", __func__, ictx);
 
 	/*
 	 * if we get a callback before we're done configuring the hardware, we
 	 * can't yet process the data, as there's nowhere to send it, but we
 	 * still need to submit a new rx URB to avoid wedging the hardware
 	 */
-	if (!ictx->dev_present_intf1)
+	if (!ictx->dev_present_intf1) {
+		printk(KERN_INFO "%s %px %d\n", __func__, ictx, urb->status);
 		goto out;
+	}
 
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
@@ -1805,6 +1830,15 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);




* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-12 14:40             ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-12 15:18               ` syzbot
  2025-07-12 15:41               ` [syzbot] [usb?] " Tetsuo Handa
  1 sibling, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-12 15:18 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in corrupted

INFO: task syz.2.18:6947 blocked for more than 140 seconds.
      Not tainted 6.16.0-rc5-syzkaller-00224-g379f604cc3dc-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.18        state:D


Tested on:

commit:         379f604c Merge tag 'pci-v6.16-fixes-3' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10a310f0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=166b6d82580000



* Re: [syzbot] [usb?] INFO: task hung in uevent_show (2)
  2025-07-12 14:40             ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-12 15:18               ` [syzbot] [kernel?] " syzbot
@ 2025-07-12 15:41               ` Tetsuo Handa
  2025-07-12 17:43                 ` [syzbot] [kernel?] " syzbot
  2025-07-13  7:50                 ` [PATCH] media: imon: make send_packet() more robust Tetsuo Handa
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-12 15:41 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML

#syz test

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..82403887bdda 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -598,8 +598,11 @@ static int send_packet(struct imon_context *ictx)
 	int retval = 0;
 	struct usb_ctrlrequest *control_req = NULL;
 
+	BUG_ON(mutex_get_owner(&ictx->lock) != (unsigned long) current);
+
 	/* Check if we need to use control or interrupt urb */
 	if (!ictx->tx_control) {
+		printk(KERN_INFO "int %px %d\n", ictx, ictx->tx_endpoint->bEndpointAddress);
 		pipe = usb_sndintpipe(ictx->usbdev_intf0,
 				      ictx->tx_endpoint->bEndpointAddress);
 		interval = ictx->tx_endpoint->bInterval;
@@ -623,6 +626,7 @@ static int send_packet(struct imon_context *ictx)
 		control_req->wIndex = cpu_to_le16(0x0001);
 		control_req->wLength = cpu_to_le16(0x0008);
 
+		printk(KERN_INFO "control %px\n", ictx);
 		/* control pipe is endpoint 0x00 */
 		pipe = usb_sndctrlpipe(ictx->usbdev_intf0, 0);
 
@@ -645,12 +649,15 @@ static int send_packet(struct imon_context *ictx)
 		smp_rmb(); /* ensure later readers know we're not busy */
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+		if (retval <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
+			if (retval < 0)
+				ictx->tx.status = retval;
+			else
+				ictx->tx.status = -ETIMEDOUT;
 		}
 
 		ictx->tx.busy = false;
@@ -1125,6 +1132,11 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 	unsigned char ir_proto_packet[] = {
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };
 
+	if (mutex_get_owner(&ictx->lock) != (unsigned long) current) {
+		unlock = true;
+		mutex_lock(&ictx->lock);
+	}
+
 	if (*rc_proto && !(*rc_proto & rc->allowed_protocols))
 		dev_warn(dev, "Looks like you're trying to use an IR protocol this device does not support\n");
 
@@ -1148,8 +1160,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 
 	memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));
 
-	unlock = mutex_trylock(&ictx->lock);
-
 	retval = send_packet(ictx);
 	if (retval)
 		goto out;
@@ -1744,14 +1754,7 @@ static void usb_rx_callback_intf0(struct urb *urb)
 	ictx = (struct imon_context *)urb->context;
 	if (!ictx)
 		return;
-
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf0)
-		goto out;
+	printk(KERN_INFO "%s %px\n", __func__, ictx);
 
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
@@ -1761,16 +1764,30 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf0)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf0, GFP_ATOMIC);
 }
 
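Review bot: `usb_unlink_urb(urb);` in the new error cases is called from inside the completion handler of the very URB it names; by the time urb->complete() runs, usbcore has already taken the URB off the endpoint queue, so the unlink returns without doing anything, and what actually breaks the resubmit cycle is the `return` that skips usb_submit_urb() at the bottom of the function. That is also why commit 5e4029056263, cited in the later [PATCH] description, could drop the same call from igorplugusb as superfluous; dropping it here keeps the hunk honest about what it does. Moving the dev_present_intf0 test under `case 0:` is the right fix for the early-callback problem: an error completion that arrives before configuration now reaches the error cases instead of being resubmitted unconditionally via the removed `out:` label.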
@@ -1785,14 +1802,7 @@ static void usb_rx_callback_intf1(struct urb *urb)
 	ictx = (struct imon_context *)urb->context;
 	if (!ictx)
 		return;
-
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf1)
-		goto out;
+	printk(KERN_INFO "%s %px\n", __func__, ictx);
 
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
@@ -1802,16 +1812,30 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf1)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf1, GFP_ATOMIC);
 }
 



* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-12 15:41               ` [syzbot] [usb?] " Tetsuo Handa
@ 2025-07-12 17:43                 ` syzbot
  2025-07-13  7:50                 ` [PATCH] media: imon: make send_packet() more robust Tetsuo Handa
  1 sibling, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-12 17:43 UTC (permalink / raw)
  To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com
Tested-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com

Tested on:

commit:         379f604c Merge tag 'pci-v6.16-fixes-3' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11a2fbd4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=11bc8e8c580000

Note: testing is done by a robot and is best-effort only.


* [PATCH] media: imon: make send_packet() more robust
  2025-07-12 15:41               ` [syzbot] [usb?] " Tetsuo Handa
  2025-07-12 17:43                 ` [syzbot] [kernel?] " syzbot
@ 2025-07-13  7:50                 ` Tetsuo Handa
  2025-07-13  8:11                   ` Hillf Danton
  2025-07-13  8:29                   ` [syzbot] [kernel?] INFO: task hung in uevent_show (2) syzbot
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-13  7:50 UTC (permalink / raw)
  To: syzbot+592e2ab8775dbe0bf09a, LKML, Sean Young,
	Mauro Carvalho Chehab

syzbot is reporting that imon has three problems which result in hung tasks
due to forever holding the device lock.

The first problem is that once usb_rx_callback_intf0() gets an -EPROTO error
after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
resubmits the urb after printk(), and the resubmitted urb causes
usb_rx_callback_intf0() to get the -EPROTO error again. This results in
printk() flooding (RCU stalls).

Commit 92f461517d22 ("media: ir_toy: do not resubmit broken urb") changed
the ir_toy module not to resubmit when irtoy_in_callback() gets an -EPROTO
error. We should do a similar thing for imon.

Basically, I think that imon should refrain from resubmitting the urb when
the callback function gets an error. But since I don't know which error
codes should retry resubmitting the urb, this patch handles only the union
of error codes chosen from the modules in the drivers/media/rc/ directory
which handle the -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).

We need to decide whether to call usb_unlink_urb() when we get an -EPROTO
error. ir_toy and mceusb call usb_unlink_urb() but igorplugusb does not,
due to commit 5e4029056263 ("media: igorplugusb: remove superfluous
usb_unlink_urb()"). This patch calls usb_unlink_urb() because the
description of usb_unlink_urb() suggests that it is OK to call.

The second problem is that when usb_rx_callback_intf0() once got an -EPROTO
error before ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
always resubmits the urb due to commit 8791d63af0cf ("[media] imon: don't
wedge hardware after early callbacks"). If some errors should stop
resubmitting the urb regardless of whether configuring the hardware has
completed or not, what that commit is doing is wrong. The
ictx->dev_present_intf0 test was introduced by commit 6f6b90c9231a
("[media] imon: don't parse scancodes until intf configured"), but that
commit did not call usb_unlink_urb() when usb_rx_callback_intf0() got an
error. Move the ictx->dev_present_intf0 test to immediately before
imon_incoming_packet() so that we can call usb_unlink_urb() as needed;
otherwise the first problem explained above happens without printk()
flooding (i.e. a hung task).

The third problem is that when usb_rx_callback_intf0() is not called for
some reason (e.g. flaky hardware; the reproducer for this problem sometimes
prevents usb_rx_callback_intf0() from being called),
wait_for_completion_interruptible() in send_packet() never returns (i.e. a
hung task). As a workaround for such a situation, change send_packet() to
wait for completion with a 10 second timeout.

Also, move mutex_trylock() in imon_ir_change_protocol() to the beginning,
since the memcpy() which modifies ictx->usb_tx_buf should be protected by
ictx->lock.

Also, verify at the beginning of send_packet() that ictx->lock is held, in
case send_packet() is erroneously called from imon_ir_change_protocol()
when mutex_trylock() failed due to concurrent requests.

Link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
#syz test

 drivers/media/rc/imon.c | 69 +++++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..3469a401a572 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -598,6 +598,8 @@ static int send_packet(struct imon_context *ictx)
 	int retval = 0;
 	struct usb_ctrlrequest *control_req = NULL;
 
+	lockdep_assert_held(&ictx->lock);
+
 	/* Check if we need to use control or interrupt urb */
 	if (!ictx->tx_control) {
 		pipe = usb_sndintpipe(ictx->usbdev_intf0,
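Review bot: lockdep_assert_held() expands to nothing unless CONFIG_LOCKDEP is enabled, so this line documents, and in debug builds detects, the requirement that callers hold ictx->lock, but it does not enforce it. That is the right tool for an assertion, but the caller that motivated it (imon_ir_change_protocol() after a failed mutex_trylock()) still runs unlocked in a production kernel, so this should be paired with a fix on the caller side rather than be the only guard.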
@@ -645,12 +647,15 @@ static int send_packet(struct imon_context *ictx)
 		smp_rmb(); /* ensure later readers know we're not busy */
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+		if (retval <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
+			if (retval < 0)
+				ictx->tx.status = retval;
+			else
+				ictx->tx.status = -ETIMEDOUT;
 		}
 
 		ictx->tx.busy = false;
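Review bot: wait_for_completion_interruptible_timeout() returns a positive jiffies-remaining count on success, unlike the 0 that wait_for_completion_interruptible() returned, so `retval` must not be used as send_packet()'s result after this block; the hunk instead records the failure in ictx->tx.status, which is the right place, but the tail of the function is outside the visible context and should be checked for any remaining `if (retval)` that assumed 0 on success. Two smaller points: the `task interrupted` message is now also printed on timeout, where -ETIMEDOUT is stored, so it should say which of the two happened; and `retval` is an `int` receiving a `long`, harmless at 10 * HZ but cleaner with a `long` local.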
@@ -1121,7 +1126,7 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 	int retval;
 	struct imon_context *ictx = rc->priv;
 	struct device *dev = ictx->dev;
-	bool unlock = false;
+	const bool unlock = mutex_trylock(&ictx->lock);
 	unsigned char ir_proto_packet[] = {
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };
 
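Review bot: `const bool unlock = mutex_trylock(&ictx->lock);` at the declaration fixes the window where memcpy() into ictx->usb_tx_buf ran before the lock was taken, but a failed trylock still has two meanings the code cannot tell apart: the current thread already holds ictx->lock (the case the trylock was introduced for), or another thread holds it, in which case the function goes on to modify usb_tx_buf and call send_packet() unlocked and only a lockdep build notices. The `#syz test` variant earlier in this thread resolved this by comparing the mutex owner with `current` and calling mutex_lock() otherwise; the submitted patch should either keep that approach or return -EBUSY when the lock is contended, and a one-line comment should say why a trylock is used here at all.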
@@ -1148,8 +1153,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 
 	memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));
 
-	unlock = mutex_trylock(&ictx->lock);
-
 	retval = send_packet(ictx);
 	if (retval)
 		goto out;
@@ -1745,14 +1748,6 @@ static void usb_rx_callback_intf0(struct urb *urb)
 	if (!ictx)
 		return;
 
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf0)
-		goto out;
-
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
 		return;
@@ -1761,16 +1756,30 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf0)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf0, GFP_ATOMIC);
 }
 
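Review bot: -ECONNRESET in this case list is not a hardware error: it is the status usbcore reports for an URB that was cancelled asynchronously with usb_unlink_urb(), the same way -ENOENT (handled silently at the top of the switch) is reported after usb_kill_urb(). Treating it as an error means an ordinary unlink on teardown now logs a dev_warn() and calls usb_unlink_urb() again on an URB that is already done; it belongs with the silent `-ENOENT` return. If the list is otherwise kept as is, Documentation/driver-api/usb/error-codes.rst also names -ETIME as a possible status after an unplug, and dev_warn() here is not rate-limited, so prefer dev_warn_ratelimited() or drop the message for the codes that are expected on disconnect.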
@@ -1786,14 +1795,6 @@ static void usb_rx_callback_intf1(struct urb *urb)
 	if (!ictx)
 		return;
 
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf1)
-		goto out;
-
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
 		return;
@@ -1802,16 +1803,30 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf1)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf1, GFP_ATOMIC);
 }
 
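Review bot: this hunk is a line-for-line copy of the intf0 change with `dev_present_intf1` and `rx_urb_intf1` swapped in, and the status switch it enlarges was already duplicated between the two callbacks. A small helper taking the URB, the dev_present flag, the rx URB to resubmit and the interface number would let usb_rx_callback_intf0() and usb_rx_callback_intf1() share one copy, so the next status-code adjustment (adding -ETIME, or silencing -ECONNRESET) is made once instead of twice.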
-- 
2.50.1




* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-13  7:50                 ` [PATCH] media: imon: make send_packet() more robust Tetsuo Handa
@ 2025-07-13  8:11                   ` Hillf Danton
  2025-07-13 15:21                     ` Alan Stern
  2025-07-13  8:29                   ` [syzbot] [kernel?] INFO: task hung in uevent_show (2) syzbot
  1 sibling, 1 reply; 45+ messages in thread
From: Hillf Danton @ 2025-07-13  8:11 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: syzbot+592e2ab8775dbe0bf09a, LKML, Sean Young, Alan Stern,
	Mauro Carvalho Chehab

[loop Alan in]
On Sun, 13 Jul 2025 16:50:08 +0900 Tetsuo Handa wrote:
> syzbot is reporting that imon has three problems which result in hung tasks
> due to forever holding the device lock.
> 
> The first problem is that once usb_rx_callback_intf0() gets an -EPROTO error
> after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
> resubmits the urb after printk(), and the resubmitted urb causes
> usb_rx_callback_intf0() to get the -EPROTO error again. This results in
> printk() flooding (RCU stalls).
> 
> Commit 92f461517d22 ("media: ir_toy: do not resubmit broken urb") changed
> the ir_toy module not to resubmit when irtoy_in_callback() gets an -EPROTO
> error. We should do a similar thing for imon.
> 
> Basically, I think that imon should refrain from resubmitting the urb when
> the callback function gets an error. But since I don't know which error
> codes should retry resubmitting the urb, this patch handles only the union
> of error codes chosen from the modules in the drivers/media/rc/ directory
> which handle the -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).
> 
> We need to decide whether to call usb_unlink_urb() when we get an -EPROTO
> error. ir_toy and mceusb call usb_unlink_urb() but igorplugusb does not,
> due to commit 5e4029056263 ("media: igorplugusb: remove superfluous
> usb_unlink_urb()"). This patch calls usb_unlink_urb() because the
> description of usb_unlink_urb() suggests that it is OK to call.
> 
> The second problem is that when usb_rx_callback_intf0() once got an -EPROTO
> error before ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
> always resubmits the urb due to commit 8791d63af0cf ("[media] imon: don't
> wedge hardware after early callbacks"). If some errors should stop
> resubmitting the urb regardless of whether configuring the hardware has
> completed or not, what that commit is doing is wrong. The
> ictx->dev_present_intf0 test was introduced by commit 6f6b90c9231a
> ("[media] imon: don't parse scancodes until intf configured"), but that
> commit did not call usb_unlink_urb() when usb_rx_callback_intf0() got an
> error. Move the ictx->dev_present_intf0 test to immediately before
> imon_incoming_packet() so that we can call usb_unlink_urb() as needed;
> otherwise the first problem explained above happens without printk()
> flooding (i.e. a hung task).
> 
> The third problem is that when usb_rx_callback_intf0() is not called for
> some reason (e.g. flaky hardware; the reproducer for this problem sometimes
> prevents usb_rx_callback_intf0() from being called),
> wait_for_completion_interruptible() in send_packet() never returns (i.e. a
> hung task). As a workaround for such a situation, change send_packet() to
> wait for completion with a 10 second timeout.
> 
> Also, move mutex_trylock() in imon_ir_change_protocol() to the beginning,
> since the memcpy() which modifies ictx->usb_tx_buf should be protected by
> ictx->lock.
> 
> Also, verify at the beginning of send_packet() that ictx->lock is held, in
> case send_packet() is erroneously called from imon_ir_change_protocol()
> when mutex_trylock() failed due to concurrent requests.
> 
> Link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---
> #syz test
> 
>  drivers/media/rc/imon.c | 69 +++++++++++++++++++++++++----------------
>  1 file changed, 42 insertions(+), 27 deletions(-)
> 
> diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
> index f5221b018808..3469a401a572 100644
> --- a/drivers/media/rc/imon.c
> +++ b/drivers/media/rc/imon.c
> @@ -598,6 +598,8 @@ static int send_packet(struct imon_context *ictx)
>  	int retval = 0;
>  	struct usb_ctrlrequest *control_req = NULL;
>  
> +	lockdep_assert_held(&ictx->lock);
> +
>  	/* Check if we need to use control or interrupt urb */
>  	if (!ictx->tx_control) {
>  		pipe = usb_sndintpipe(ictx->usbdev_intf0,
> @@ -645,12 +647,15 @@ static int send_packet(struct imon_context *ictx)
>  		smp_rmb(); /* ensure later readers know we're not busy */
>  		pr_err_ratelimited("error submitting urb(%d)\n", retval);
>  	} else {
> -		/* Wait for transmission to complete (or abort) */
> -		retval = wait_for_completion_interruptible(
> -				&ictx->tx.finished);
> -		if (retval) {
> +		/* Wait for transmission to complete (or abort or timeout) */
> +		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);

Is the underlying hardware not stable if the submitted urb failed to
complete within 10 seconds, for example? In a production environment, does
it make sense to ask for a change to the BOM (bill of materials) if the 10s
timeout could be reliably reproduced twice a month?

> +		if (retval <= 0) {
>  			usb_kill_urb(ictx->tx_urb);
>  			pr_err_ratelimited("task interrupted\n");
> +			if (retval < 0)
> +				ictx->tx.status = retval;
> +			else
> +				ictx->tx.status = -ETIMEDOUT;
>  		}
>  
>  		ictx->tx.busy = false;
> @@ -1121,7 +1126,7 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
>  	int retval;
>  	struct imon_context *ictx = rc->priv;
>  	struct device *dev = ictx->dev;
> -	bool unlock = false;
> +	const bool unlock = mutex_trylock(&ictx->lock);
>  	unsigned char ir_proto_packet[] = {
>  		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };
>  
> @@ -1148,8 +1153,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
>  
>  	memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));
>  
> -	unlock = mutex_trylock(&ictx->lock);
> -
>  	retval = send_packet(ictx);
>  	if (retval)
>  		goto out;
> @@ -1745,14 +1748,6 @@ static void usb_rx_callback_intf0(struct urb *urb)
>  	if (!ictx)
>  		return;
>  
> -	/*
> -	 * if we get a callback before we're done configuring the hardware, we
> -	 * can't yet process the data, as there's nowhere to send it, but we
> -	 * still need to submit a new rx URB to avoid wedging the hardware
> -	 */
> -	if (!ictx->dev_present_intf0)
> -		goto out;
> -
>  	switch (urb->status) {
>  	case -ENOENT:		/* usbcore unlink successful! */
>  		return;
> @@ -1761,16 +1756,30 @@ static void usb_rx_callback_intf0(struct urb *urb)
>  		break;
>  
>  	case 0:
> -		imon_incoming_packet(ictx, urb, intfnum);
> +		/*
> +		 * if we get a callback before we're done configuring the hardware, we
> +		 * can't yet process the data, as there's nowhere to send it, but we
> +		 * still need to submit a new rx URB to avoid wedging the hardware
> +		 */
> +		if (ictx->dev_present_intf0)
> +			imon_incoming_packet(ictx, urb, intfnum);
>  		break;
>  
> +	case -ECONNRESET:
> +	case -EILSEQ:
> +	case -EPROTO:
> +	case -EPIPE:
> +		dev_warn(ictx->dev, "imon %s: status(%d)\n",
> +			 __func__, urb->status);
> +		usb_unlink_urb(urb);
> +		return;
> +
>  	default:
>  		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
>  			 __func__, urb->status);
>  		break;
>  	}
>  
> -out:
>  	usb_submit_urb(ictx->rx_urb_intf0, GFP_ATOMIC);
>  }
>  
> @@ -1786,14 +1795,6 @@ static void usb_rx_callback_intf1(struct urb *urb)
>  	if (!ictx)
>  		return;
>  
> -	/*
> -	 * if we get a callback before we're done configuring the hardware, we
> -	 * can't yet process the data, as there's nowhere to send it, but we
> -	 * still need to submit a new rx URB to avoid wedging the hardware
> -	 */
> -	if (!ictx->dev_present_intf1)
> -		goto out;
> -
>  	switch (urb->status) {
>  	case -ENOENT:		/* usbcore unlink successful! */
>  		return;
> @@ -1802,16 +1803,30 @@ static void usb_rx_callback_intf1(struct urb *urb)
>  		break;
>  
>  	case 0:
> -		imon_incoming_packet(ictx, urb, intfnum);
> +		/*
> +		 * if we get a callback before we're done configuring the hardware, we
> +		 * can't yet process the data, as there's nowhere to send it, but we
> +		 * still need to submit a new rx URB to avoid wedging the hardware
> +		 */
> +		if (ictx->dev_present_intf1)
> +			imon_incoming_packet(ictx, urb, intfnum);
>  		break;
>  
> +	case -ECONNRESET:
> +	case -EILSEQ:
> +	case -EPROTO:
> +	case -EPIPE:
> +		dev_warn(ictx->dev, "imon %s: status(%d)\n",
> +			 __func__, urb->status);
> +		usb_unlink_urb(urb);
> +		return;
> +
>  	default:
>  		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
>  			 __func__, urb->status);
>  		break;
>  	}
>  
> -out:
>  	usb_submit_urb(ictx->rx_urb_intf1, GFP_ATOMIC);
>  }
>  
> -- 
> 2.50.1
> 
> 
> 


* Re: [syzbot] [kernel?] INFO: task hung in uevent_show (2)
  2025-07-13  7:50                 ` [PATCH] media: imon: make send_packet() more robust Tetsuo Handa
  2025-07-13  8:11                   ` Hillf Danton
@ 2025-07-13  8:29                   ` syzbot
  1 sibling, 0 replies; 45+ messages in thread
From: syzbot @ 2025-07-13  8:29 UTC (permalink / raw)
  To: linux-kernel, mchehab, penguin-kernel, sean, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com
Tested-by: syzbot+592e2ab8775dbe0bf09a@syzkaller.appspotmail.com

Tested on:

commit:         3f31a806 Merge tag 'mm-hotfixes-stable-2025-07-11-16-1..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16a150f0580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f481202e4ff2d138
dashboard link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a
compiler:       Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15fa07d4580000

Note: testing is done by a robot and is best-effort only.


* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-13  8:11                   ` Hillf Danton
@ 2025-07-13 15:21                     ` Alan Stern
  2025-07-15 20:19                       ` Sean Young
  0 siblings, 1 reply; 45+ messages in thread
From: Alan Stern @ 2025-07-13 15:21 UTC (permalink / raw)
  To: Hillf Danton
  Cc: Tetsuo Handa, syzbot+592e2ab8775dbe0bf09a, LKML, Sean Young,
	Mauro Carvalho Chehab

On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
> [loop Alan in]

I assume you're interested in the question of when to avoid resubmitting 
URBs.

> On Sun, 13 Jul 2025 16:50:08 +0900 Tetsuo Handa wrote:
> > syzbot is reporting that imon has three problems which result in hung tasks
> > due to forever holding the device lock.
> > 
> > The first problem is that once usb_rx_callback_intf0() gets an -EPROTO error
> > after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
> > resubmits the urb after printk(), and the resubmitted urb causes
> > usb_rx_callback_intf0() to get the -EPROTO error again. This results in
> > printk() flooding (RCU stalls).
> > 
> > Commit 92f461517d22 ("media: ir_toy: do not resubmit broken urb") changed
> > the ir_toy module not to resubmit when irtoy_in_callback() gets an -EPROTO
> > error. We should do a similar thing for imon.
> > 
> > Basically, I think that imon should refrain from resubmitting the urb when
> > the callback function gets an error. But since I don't know which error
> > codes should retry resubmitting the urb, this patch handles only the union
> > of error codes chosen from the modules in the drivers/media/rc/ directory
> > which handle the -EPROTO error (i.e. ir_toy, mceusb and igorplugusb).

In theory it's okay to resubmit _if_ the driver has a robust 
error-recovery scheme (such as giving up after some fixed limit on the 
number of errors or after some fixed time has elapsed, perhaps with a 
time delay to prevent a flood of errors).  Most drivers don't bother to 
do this; they simply give up right away.  This makes them more 
vulnerable to short-term noise interference during USB transfers, but in 
reality such interference is quite rare.  There's nothing really wrong 
with giving up right away.

As to which error codes drivers should pay attention to...  In most 
cases they only look at -EPROTO.  According to 
Documentation/driver-api/usb/error-codes.rst, -EILSEQ and -ETIME are 
also possible errors when a device has been unplugged, so it wouldn't 
hurt to check for them too.  But most host controller drivers don't 
bother to issue them; -EPROTO is by far the most common error code 
following an unplug.

> > We need to decide whether to call usb_unlink_urb() when we get an -EPROTO
> > error. ir_toy and mceusb call usb_unlink_urb() but igorplugusb does not,
> > due to commit 5e4029056263 ("media: igorplugusb: remove superfluous
> > usb_unlink_urb()"). This patch calls usb_unlink_urb() because the
> > description of usb_unlink_urb() suggests that it is OK to call.

If the error occurred because the device was unplugged then unlinking 
the outstanding URBs isn't necessary; the USB core will unlink them for 
you after the device's parent hub reports that the unplug took place.

> > Second problem is that when usb_rx_callback_intf0() once got -EPROTO error
> > before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
> > resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge
> > hardware after early callbacks"). If some errors should stop resubmitting
> > urb regardless of whether configuring the hardware has completed or not,
> > what that commit is doing is wrong. The ictx->dev_present_intf0 test was
> > introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
> > until intf configured"), but that commit did not call usb_unlink_urb()
> > when usb_rx_callback_intf0() got an error. Move the ictx->dev_present_intf0
> > test to immediately before imon_incoming_packet() so that we can call
> > usb_unlink_urb() as needed, or the first problem explained above happens
> > without printk() flooding (i.e. hung task).

It seems odd for a driver to set up normal communications with a device 
before the device has been configured, but of course that decision is up 
to the creators and maintainers of the driver.

Alan Stern

^ permalink raw reply	[flat|nested] 45+ messages in thread

* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-13 15:21                     ` Alan Stern
@ 2025-07-15 20:19                       ` Sean Young
  2025-07-16  1:30                         ` Alan Stern
  0 siblings, 1 reply; 45+ messages in thread
From: Sean Young @ 2025-07-15 20:19 UTC (permalink / raw)
  To: Alan Stern
  Cc: Hillf Danton, Tetsuo Handa, syzbot+592e2ab8775dbe0bf09a, LKML,
	Mauro Carvalho Chehab

Hi Alan,

On Sun, Jul 13, 2025 at 11:21:24AM -0400, Alan Stern wrote:
> On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
> > [loop Alan in]
> 
> I assume you're interested in the question of when to avoid resubmitting 
> URBs.
> 
> > On Sun, 13 Jul 2025 16:50:08 +0900 Tetsuo Handa wrote:
> > > syzbot is reporting that imon has three problems which result in hung tasks
> > > due to forever holding device lock.
> > > 
> > > First problem is that when usb_rx_callback_intf0() once got -EPROTO error
> > > after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
> > > resubmits urb after printk(), and resubmitted urb causes
> > > usb_rx_callback_intf0() to again get -EPROTO error. This results in
> > > printk() flooding (RCU stalls).
> > > 
> > > Commit 92f461517d22 ("media: ir_toy: do not resubmit broken urb") changed
> > > ir_toy module not to resubmit when irtoy_in_callback() got -EPROTO error.
> > > We should do similar thing for imon.
> > > 
> > > Basically, I think that imon should refrain from resubmitting urb when
> > > callback function got an error. But since I don't know which error codes
> > > should retry resubmitting urb, this patch handles only union of error codes
> > > chosen from modules in drivers/media/rc/ directory which handles -EPROTO
> > > error (i.e. ir_toy, mceusb and igorplugusb).
> 
> In theory it's okay to resubmit _if_ the driver has a robust 
> error-recovery scheme (such as giving up after some fixed limit on the 
> number of errors or after some fixed time has elapsed, perhaps with a 
> time delay to prevent a flood of errors).  Most drivers don't bother to 
> do this; they simply give up right away.  This makes them more 
> vulnerable to short-term noise interference during USB transfers, but in 
> reality such interference is quite rare.  There's nothing really wrong 
> with giving up right away.
> 
> As to which error codes drivers should pay attention to...  In most 
> cases they only look at -EPROTO.  According to 
> Documentation/driver-api/usb/error-codes.rst, -EILSEQ and -ETIME are 
> also possible errors when a device has been unplugged, so it wouldn't 
> hurt to check for them too.  But most host controller drivers don't 
> bother to issue them; -EPROTO is by far the most common error code 
> following an unplug.

Thank you for explaining that, very helpful. Would it be useful to have
this in the USB completion handler documentation?

> > > We need to decide whether to call usb_unlink_urb() when we got -EPROTO
> > > error. ir_toy and mceusb call usb_unlink_urb() but igorplugusb does not
> > > due to commit 5e4029056263 ("media: igorplugusb: remove superfluous
> > > usb_unlink_urb()"). This patch calls usb_unlink_urb() because description
> > > of usb_unlink_urb() suggests that it is OK to call.
> 
> If the error occurred because the device was unplugged then unlinking 
> the outstanding URBs isn't necessary; the USB core will unlink them for 
> you after the device's parent hub reports that the unplug took place.

Are you saying there is a case when usb_unlink_urb() is necessary: if the
device was not unplugged and -EPROTO is reported?

> > > Second problem is that when usb_rx_callback_intf0() once got -EPROTO error
> > > before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
> > > resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge
> > > hardware after early callbacks"). If some errors should stop resubmitting
> > > urb regardless of whether configuring the hardware has completed or not,
> > > what that commit is doing is wrong. The ictx->dev_present_intf0 test was
> > > introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
> > > until intf configured"), but that commit did not call usb_unlink_urb()
> > > when usb_rx_callback_intf0() got an error. Move the ictx->dev_present_intf0
> > > test to immediately before imon_incoming_packet() so that we can call
> > > usb_unlink_urb() as needed, or the first problem explained above happens
> > > without printk() flooding (i.e. hung task).
> 
> It seems odd for a driver to set up normal communications with a device 
> before the device has been configured, but of course that decision is up 
> to the creators and maintainers of the driver.

The usb device has two interfaces, and we need both of them before we can
do anything useful. Badly designed hardware.

I think that is why this driver code is so awkward.


Sean


* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-15 20:19                       ` Sean Young
@ 2025-07-16  1:30                         ` Alan Stern
  2025-07-16  9:38                           ` Sean Young
  0 siblings, 1 reply; 45+ messages in thread
From: Alan Stern @ 2025-07-16  1:30 UTC (permalink / raw)
  To: Sean Young
  Cc: Hillf Danton, Tetsuo Handa, syzbot+592e2ab8775dbe0bf09a, LKML,
	Mauro Carvalho Chehab

On Tue, Jul 15, 2025 at 09:19:18PM +0100, Sean Young wrote:
> Hi Alan,
> 
> On Sun, Jul 13, 2025 at 11:21:24AM -0400, Alan Stern wrote:
> > On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
> > > [loop Alan in]
> > 
> > I assume you're interested in the question of when to avoid resubmitting 
> > URBs.

> > In theory it's okay to resubmit _if_ the driver has a robust 
> > error-recovery scheme (such as giving up after some fixed limit on the 
> > number of errors or after some fixed time has elapsed, perhaps with a 
> > time delay to prevent a flood of errors).  Most drivers don't bother to 
> > do this; they simply give up right away.  This makes them more 
> > vulnerable to short-term noise interference during USB transfers, but in 
> > reality such interference is quite rare.  There's nothing really wrong 
> > with giving up right away.
> > 
> > As to which error codes drivers should pay attention to...  In most 
> > cases they only look at -EPROTO.  According to 
> > Documentation/driver-api/usb/error-codes.rst, -EILSEQ and -ETIME are 
> > also possible errors when a device has been unplugged, so it wouldn't 
> > hurt to check for them too.  But most host controller drivers don't 
> > bother to issue them; -EPROTO is by far the most common error code 
> > following an unplug.
> 
> Thank you for explaining that, very helpful. Would it be useful to have
> this in the USB completion handler documentation?

I don't know what USB completion handler documentation you're talking 
about.  Is it something in the Documentation/ directory?  If it is then 
it should already include or refer to error-codes.rst.

Or perhaps you're talking about the kerneldoc for this particular 
completion handler?  There's no reason for that to include all the 
material that's already in error-codes.rst.  But you might put a comment 
in the code at the point where -EPROTO errors are handled, explaining 
that they generally indicate that the device has been unplugged.

> > If the error occurred because the device was unplugged then unlinking 
> > the outstanding URBs isn't necessary; the USB core will unlink them for 
> > you after the device's parent hub reports that the unplug took place.
> 
> Are you saying there is a case when usb_unlink_urb() is necessary: if the
> device was not unplugged and -EPROTO is reported?

That depends on the driver.  If it wants to cancel other outstanding 
URBs merely because one URB got a -EPROTO error but the device wasn't 
unplugged, then it has to call usb_unlink_urb() or something equivalent.  
Otherwise it will have to wait for those other URBs to complete in the 
usual way.

(Of course, when the -EPROTO error code shows up in the completion 
handler, the driver doesn't know yet whether the device has been 
unplugged...)

> > > > Second problem is that when usb_rx_callback_intf0() once got -EPROTO error
> > > > before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0() always
> > > > resubmits urb due to commit 8791d63af0cf ("[media] imon: don't wedge
> > > > hardware after early callbacks"). If some errors should stop resubmitting
> > > > urb regardless of whether configuring the hardware has completed or not,
> > > > what that commit is doing is wrong. The ictx->dev_present_intf0 test was
> > > > introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
> > > > until intf configured"), but that commit did not call usb_unlink_urb()
> > > > when usb_rx_callback_intf0() got an error. Move the ictx->dev_present_intf0
> > > > test to immediately before imon_incoming_packet() so that we can call
> > > > usb_unlink_urb() as needed, or the first problem explained above happens
> > > > without printk() flooding (i.e. hung task).
> > 
> > It seems odd for a driver to set up normal communications with a device 
> > before the device has been configured, but of course that decision is up 
> > to the creators and maintainers of the driver.
> 
> The usb device has two interfaces, and we need both of them before we can
> do anything useful. Badly designed hardware.
> 
> I think that is why this driver code is so awkward.

That's what usb_driver_claim_interface() is for.  IIRC, the cdc-acm 
driver uses it in exactly this way.

Alan Stern


* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-16  1:30                         ` Alan Stern
@ 2025-07-16  9:38                           ` Sean Young
  2025-07-16 10:09                             ` Tetsuo Handa
  2025-07-16 14:38                             ` [PATCH] " Alan Stern
  0 siblings, 2 replies; 45+ messages in thread
From: Sean Young @ 2025-07-16  9:38 UTC (permalink / raw)
  To: Alan Stern
  Cc: Hillf Danton, Tetsuo Handa, syzbot+592e2ab8775dbe0bf09a, LKML,
	Mauro Carvalho Chehab

On Tue, Jul 15, 2025 at 09:30:02PM -0400, Alan Stern wrote:
> On Tue, Jul 15, 2025 at 09:19:18PM +0100, Sean Young wrote:
> > Hi Alan,
> > 
> > On Sun, Jul 13, 2025 at 11:21:24AM -0400, Alan Stern wrote:
> > > On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
> > > > [loop Alan in]
> > > 
> > > I assume you're interested in the question of when to avoid resubmitting 
> > > URBs.
> 
> > > In theory it's okay to resubmit _if_ the driver has a robust 
> > > error-recovery scheme (such as giving up after some fixed limit on the 
> > > number of errors or after some fixed time has elapsed, perhaps with a 
> > > time delay to prevent a flood of errors).  Most drivers don't bother to 
> > > do this; they simply give up right away.  This makes them more 
> > > vulnerable to short-term noise interference during USB transfers, but in 
> > > reality such interference is quite rare.  There's nothing really wrong 
> > > with giving up right away.
> > > 
> > > As to which error codes drivers should pay attention to...  In most 
> > > cases they only look at -EPROTO.  According to 
> > > Documentation/driver-api/usb/error-codes.rst, -EILSEQ and -ETIME are 
> > > also possible errors when a device has been unplugged, so it wouldn't 
> > > hurt to check for them too.  But most host controller drivers don't 
> > > bother to issue them; -EPROTO is by far the most common error code 
> > > following an unplug.
> > 
> > Thank you for explaining that, very helpful. Would it be useful to have
> > this in the USB completion handler documentation?
> 
> I don't know what USB completion handler documentation you're talking 
> about.  Is it something in the Documentation/ directory?  If it is then 
> it should already include or refer to error-codes.rst.

I can't see anything in error-codes.rst or URB.rst about the possibility
of retrying after -EPROTO errors or how the callback should respond if
it wants to give up. USB drivers seem to do all manner of different things.

> > I think that is why this driver code is so awkward.
> 
> That's what usb_driver_claim_interface() is for.  IIRC, the cdc-acm 
> driver uses it in exactly this way.

Very interesting, we should look at re-writing this driver. Note this
function is not documented in Documentation/driver-api/usb/.

Thank you for your help

Sean


* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-16  9:38                           ` Sean Young
@ 2025-07-16 10:09                             ` Tetsuo Handa
  2025-07-16 11:55                               ` Hillf Danton
  2025-07-16 12:47                               ` Sean Young
  2025-07-16 14:38                             ` [PATCH] " Alan Stern
  1 sibling, 2 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-16 10:09 UTC (permalink / raw)
  To: Sean Young, Alan Stern
  Cc: Hillf Danton, syzbot+592e2ab8775dbe0bf09a, LKML,
	Mauro Carvalho Chehab

On 2025/07/16 18:38, Sean Young wrote:
> On Tue, Jul 15, 2025 at 09:30:02PM -0400, Alan Stern wrote:
>> On Tue, Jul 15, 2025 at 09:19:18PM +0100, Sean Young wrote:
>>> Hi Alan,
>>>
>>> On Sun, Jul 13, 2025 at 11:21:24AM -0400, Alan Stern wrote:
>>>> On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
>>>>> [loop Alan in]
>>>>
>>>> I assume you're interested in the question of when to avoid resubmitting 
>>>> URBs.

I think that what Hillf wanted to know (and I wanted maintainers of this
driver to respond) is whether a timeout of 10 seconds is reasonable

-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);

because the reproducer for this problem sometimes prevents
usb_rx_callback_intf0() from being called. Unless we somehow
handle such a situation, the hung task reports won't go away.



>>> I think that is why this driver code is so awkward.
>>
>> That's what usb_driver_claim_interface() is for.  IIRC, the cdc-acm 
>> driver uses it in exactly this way.
> 
> Very interesting, we should look at re-writing this driver. Note this
> function is not documented in Documentation/driver-api/usb/

OK. Then, what do you want to do for this syzbot report?
If you want to apply this patch, I'll send an updated patch with Alan's comment.
If you want to directly rewrite this module, this patch will be discarded.



* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-16 10:09                             ` Tetsuo Handa
@ 2025-07-16 11:55                               ` Hillf Danton
  2025-07-16 12:47                               ` Sean Young
  1 sibling, 0 replies; 45+ messages in thread
From: Hillf Danton @ 2025-07-16 11:55 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Sean Young, Alan Stern, syzbot+592e2ab8775dbe0bf09a, LKML,
	Mauro Carvalho Chehab

On Wed, 16 Jul 2025 19:09:51 +0900 Tetsuo Handa wrote:
>On 2025/07/16 18:38, Sean Young wrote:
>> On Tue, Jul 15, 2025 at 09:30:02PM -0400, Alan Stern wrote:
>>> On Tue, Jul 15, 2025 at 09:19:18PM +0100, Sean Young wrote:
>>>> Hi Alan,
>>>>
>>>> On Sun, Jul 13, 2025 at 11:21:24AM -0400, Alan Stern wrote:
>>>>> On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
>>>>>> [loop Alan in]
>>>>>
>>>>> I assume you're interested in the question of when to avoid resubmitting 
>>>>> URBs.
> 
> I think that what Hillf wanted to know (and I wanted maintainers of this
> driver to respond) is whether timeout of 10 seconds is reasonable
> 
Yes. In product environments like a car cockpit I have options like changing
the BOM if a urb 10s timeout in general could be reliably reproduced twice
a month, for example.

> -		/* Wait for transmission to complete (or abort) */
> -		retval = wait_for_completion_interruptible(
> -				&ictx->tx.finished);
> -		if (retval) {
> +		/* Wait for transmission to complete (or abort or timeout) */
> +		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
> 
> because the reproducer for this problem sometimes prevents
> usb_rx_callback_intf0() from being called. Unless we somehow
> handle such situation, the hung task reports won't go away.
> 


* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-16 10:09                             ` Tetsuo Handa
  2025-07-16 11:55                               ` Hillf Danton
@ 2025-07-16 12:47                               ` Sean Young
  2025-07-16 14:07                                 ` [PATCH v2] " Tetsuo Handa
  1 sibling, 1 reply; 45+ messages in thread
From: Sean Young @ 2025-07-16 12:47 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Alan Stern, Hillf Danton, syzbot+592e2ab8775dbe0bf09a, LKML,
	Mauro Carvalho Chehab

On Wed, Jul 16, 2025 at 07:09:51PM +0900, Tetsuo Handa wrote:
> On 2025/07/16 18:38, Sean Young wrote:
> > On Tue, Jul 15, 2025 at 09:30:02PM -0400, Alan Stern wrote:
> >> On Tue, Jul 15, 2025 at 09:19:18PM +0100, Sean Young wrote:
> >>> I think that is why this driver code is so awkward.
> >>
> >> That's what usb_driver_claim_interface() is for.  IIRC, the cdc-acm 
> >> driver uses it in exactly this way.
> > 
> > Very interesting, we should look at re-writing this driver. Note this
> > function is not documented in Documentation/driver-api/usb/
> 
> OK. Then, what do you want to do for this syzbot report?
> If you want to apply this patch, I'll send an updated patch with Alan's comment.
> If you want to directly rewrite this module, this patch will be discarded.

Let's apply your updated patch. It looks good. I've started looking at 
re-writing the driver to use usb_driver_claim_interface(), but I don't
know when that will be ready (or if it'll work).

Thanks,

Sean


* [PATCH v2] media: imon: make send_packet() more robust
  2025-07-16 12:47                               ` Sean Young
@ 2025-07-16 14:07                                 ` Tetsuo Handa
  2025-07-16 14:45                                   ` Alan Stern
  0 siblings, 1 reply; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-16 14:07 UTC (permalink / raw)
  To: Sean Young, Mauro Carvalho Chehab
  Cc: Alan Stern, Hillf Danton, syzbot+592e2ab8775dbe0bf09a, LKML

syzbot is reporting that imon has three problems which result in
hung tasks due to forever holding the device lock [1].

The first problem is that when usb_rx_callback_intf0() once got an -EPROTO
error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
resubmits the urb after printk(), and the resubmitted urb causes
usb_rx_callback_intf0() to again get an -EPROTO error. This results in
printk() flooding (RCU stalls).

Alan Stern commented [2] that

  In theory it's okay to resubmit _if_ the driver has a robust
  error-recovery scheme (such as giving up after some fixed limit on the
  number of errors or after some fixed time has elapsed, perhaps with a
  time delay to prevent a flood of errors).  Most drivers don't bother to
  do this; they simply give up right away.  This makes them more
  vulnerable to short-term noise interference during USB transfers, but in
  reality such interference is quite rare.  There's nothing really wrong
  with giving up right away.

but imon has a poor error-recovery scheme which just retries forever;
this behavior should be fixed.

Since I'm not sure whether it is safe for imon users to give up upon any
error code, this patch takes care of only the union of error codes chosen
from modules in the drivers/media/rc/ directory which handle the -EPROTO
error (i.e. ir_toy, mceusb and igorplugusb).

The second problem is that when usb_rx_callback_intf0() once got an -EPROTO
error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0()
always resubmits the urb due to commit 8791d63af0cf ("[media] imon: don't
wedge hardware after early callbacks"). The ictx->dev_present_intf0 test was
introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
until intf configured"), but that commit did not call usb_unlink_urb()
when usb_rx_callback_intf0() got an error. Move the ictx->dev_present_intf0
test to immediately before imon_incoming_packet() so that we can call
usb_unlink_urb() as needed; otherwise the first problem explained above
happens without printk() flooding (i.e. hung task).

The third problem is that when usb_rx_callback_intf0() is not called for
some reason (e.g. flaky hardware; the reproducer for this problem sometimes
prevents usb_rx_callback_intf0() from being called),
wait_for_completion_interruptible() in send_packet() never returns (i.e.
hung task). As a workaround for such a situation, change send_packet() to
wait for completion with a timeout of 10 seconds.

Also, move mutex_trylock() in imon_ir_change_protocol() to the beginning,
because the memcpy() which modifies ictx->usb_tx_buf should be protected
by ictx->lock.

Also, verify at the beginning of send_packet() that ictx->lock is held,
in case send_packet() is erroneously called from imon_ir_change_protocol()
when mutex_trylock() failed due to concurrent requests.

Link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a [1]
Link: https://lkml.kernel.org/r/d6da6709-d799-4be3-a695-850bddd6eb24@rowland.harvard.edu [2]
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
Changes in v2:
  Updated patch description.

 drivers/media/rc/imon.c | 69 +++++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 27 deletions(-)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..3469a401a572 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -598,6 +598,8 @@ static int send_packet(struct imon_context *ictx)
 	int retval = 0;
 	struct usb_ctrlrequest *control_req = NULL;
 
+	lockdep_assert_held(&ictx->lock);
+
 	/* Check if we need to use control or interrupt urb */
 	if (!ictx->tx_control) {
 		pipe = usb_sndintpipe(ictx->usbdev_intf0,
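Review bot: lockdep_assert_held(&ictx->lock) at the top of send_packet() only checks anything when lockdep (CONFIG_PROVE_LOCKING) is enabled; in a production build it compiles to nothing, so it documents the locking contract and will catch a violation on syzbot-style builds, but it is not a runtime guard. That is acceptable, but the contract it encodes is subtle: the caller's mutex_trylock() pattern relies on a failed trylock meaning "the current task already holds ictx->lock" (e.g. via the probe path), which is exactly what the assertion verifies and what mutex_trylock() by itself cannot distinguish from "another task holds it". Please add a one-line comment here (or at the trylock site) stating that assumption so the next reader understands why an assertion, rather than a return of -EBUSY, is the right check.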
@@ -645,12 +647,15 @@ static int send_packet(struct imon_context *ictx)
 		smp_rmb(); /* ensure later readers know we're not busy */
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+		if (retval <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
+			if (retval < 0)
+				ictx->tx.status = retval;
+			else
+				ictx->tx.status = -ETIMEDOUT;
 		}
 
 		ictx->tx.busy = false;
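Review bot: with wait_for_completion_interruptible_timeout() a successful wait returns the remaining jiffies (a positive value) rather than 0, so inside this branch retval is no longer zero on success; the block compensates by recording failures in ictx->tx.status, which is only sufficient if the code after `ictx->tx.busy = false;` derives the function's return value from tx.status rather than from retval (those lines are outside the hunk; please confirm, or reset retval to 0 on the success path). The "task interrupted" message now also covers the 10 s timeout, which is the new symptom this patch is meant to surface; print a distinct message for retval == 0 (or include retval) so a timeout can be told apart from a signal in the logs. The ordering of the tx.status assignment after usb_kill_urb() looks deliberate and correct: usb_kill_urb() waits for the tx completion handler to run, so if that handler records urb->status in tx.status, the -ERESTARTSYS/-ETIMEDOUT written here intentionally overrides it.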
@@ -1121,7 +1126,7 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 	int retval;
 	struct imon_context *ictx = rc->priv;
 	struct device *dev = ictx->dev;
-	bool unlock = false;
+	const bool unlock = mutex_trylock(&ictx->lock);
 	unsigned char ir_proto_packet[] = {
 		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x86 };
 
@@ -1148,8 +1153,6 @@ static int imon_ir_change_protocol(struct rc_dev *rc, u64 *rc_proto)
 
 	memcpy(ictx->usb_tx_buf, &ir_proto_packet, sizeof(ir_proto_packet));
 
-	unlock = mutex_trylock(&ictx->lock);
-
 	retval = send_packet(ictx);
 	if (retval)
 		goto out;
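Review bot: moving mutex_trylock() up to the declaration means the lock is now taken (when the trylock succeeds) before everything between the top of imon_ir_change_protocol() and the memcpy(), not just before send_packet(); every early exit in that region must now go through `out:` so that `unlock` is honoured, otherwise a path that used to return before the old trylock site now leaks the mutex. The roughly 25 lines between this hunk and the previous one are not shown, so please check them for direct `return` statements and convert any to `goto out`. Making `unlock` const is a nice touch since nothing should reassign it after this point.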
@@ -1745,14 +1748,6 @@ static void usb_rx_callback_intf0(struct urb *urb)
 	if (!ictx)
 		return;
 
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf0)
-		goto out;
-
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
 		return;
@@ -1761,16 +1756,30 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf0)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf0, GFP_ATOMIC);
 }
 
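Review bot: -ECONNRESET is the status an asynchronously unlinked URB completes with (the usb_unlink_urb() counterpart of the -ENOENT that usb_kill_urb() produces, which this switch already handles with a plain `return`), so listing it among the error cases and then calling usb_unlink_urb() on it is redundant; treat it like -ENOENT. More generally, usb_unlink_urb(urb) in the new block is applied to the URB whose completion handler is currently running, and that URB is no longer queued, so the call has no effect; as Alan Stern noted earlier in the thread, after an unplug the core unlinks the outstanding URBs itself, and simply not resubmitting is what ends communication. Following his other suggestion, add a comment at the -EPROTO case saying that it generally indicates the device has been unplugged, and consider -ETIME alongside -EILSEQ since error-codes.rst lists it as another possible post-unplug status. The dev_warn() here is not rate limited, which is fine only because the handler returns without resubmitting, so it fires at most once per outstanding URB; keep that property if the block is ever changed to resubmit.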
@@ -1786,14 +1795,6 @@ static void usb_rx_callback_intf1(struct urb *urb)
 	if (!ictx)
 		return;
 
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf1)
-		goto out;
-
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
 		return;
@@ -1802,16 +1803,30 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf1)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		usb_unlink_urb(urb);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf1, GFP_ATOMIC);
 }
 
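Review bot: this block is a line-for-line copy of the intf0 handler (same switch, same dev_warn(), same self-unlink), differing only in dev_present_intf1 and rx_urb_intf1, so the comments on the intf0 hunk (-ECONNRESET belongs with -ENOENT, the usb_unlink_urb() on the completing URB is a no-op, the -EPROTO comment) apply here unchanged. Consider factoring the status handling into one helper that takes the dev_present flag and the rx URB to resubmit, so the two interfaces cannot drift apart in a later fix.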
-- 
2.50.1


* Re: [PATCH] media: imon: make send_packet() more robust
  2025-07-16  9:38                           ` Sean Young
  2025-07-16 10:09                             ` Tetsuo Handa
@ 2025-07-16 14:38                             ` Alan Stern
  1 sibling, 0 replies; 45+ messages in thread
From: Alan Stern @ 2025-07-16 14:38 UTC (permalink / raw)
  To: Sean Young
  Cc: Hillf Danton, Tetsuo Handa, syzbot+592e2ab8775dbe0bf09a, LKML,
	Mauro Carvalho Chehab

On Wed, Jul 16, 2025 at 10:38:23AM +0100, Sean Young wrote:
> On Tue, Jul 15, 2025 at 09:30:02PM -0400, Alan Stern wrote:
> > On Tue, Jul 15, 2025 at 09:19:18PM +0100, Sean Young wrote:
> > > Hi Alan,
> > > 
> > > On Sun, Jul 13, 2025 at 11:21:24AM -0400, Alan Stern wrote:
> > > > On Sun, Jul 13, 2025 at 04:11:47PM +0800, Hillf Danton wrote:
> > > > > [loop Alan in]
> > > > 
> > > > I assume you're interested in the question of when to avoid resubmitting 
> > > > URBs.
> > 
> > > > In theory it's okay to resubmit _if_ the driver has a robust 
> > > > error-recovery scheme (such as giving up after some fixed limit on the 
> > > > number of errors or after some fixed time has elapsed, perhaps with a 
> > > > time delay to prevent a flood of errors).  Most drivers don't bother to 
> > > > do this; they simply give up right away.  This makes them more 
> > > > vulnerable to short-term noise interference during USB transfers, but in 
> > > > reality such interference is quite rare.  There's nothing really wrong 
> > > > with giving up right away.
> > > > 
> > > > As to which error codes drivers should pay attention to...  In most 
> > > > cases they only look at -EPROTO.  According to 
> > > > Documentation/driver-api/usb/error-codes.rst, -EILSEQ and -ETIME are 
> > > > also possible errors when a device has been unplugged, so it wouldn't 
> > > > hurt to check for them too.  But most host controller drivers don't 
> > > > bother to issue them; -EPROTO is by far the most common error code 
> > > > following an unplug.
> > > 
> > > Thank you for explaining that, very helpful. Would it be useful to have
> > > this in the USB completion handler documentation?
> > 
> > I don't know what USB completion handler documentation you're talking 
> > about.  Is it something in the Documentation/ directory?  If it is then 
> > it should already include or refer to error-codes.rst.
> 
> I can't see anything in error-codes.rst or URB.rst about the possibility
> of retrying after -EPROTO errors or how the callback should respond if
> it wants to give up. USB drivers seem to do all manner of different things.

error-codes.rst is meant merely to explain the meanings of the different 
error codes.  How to deal with them when they occur is not in its scope.

Drivers behave in different ways because they were written by different 
people and serve different purposes.  For example, data loss in a 
mass-storage driver would be a lot more serious than data loss in a 
mouse driver, so of course the two drivers don't use the same amount of 
care when recovering from errors.

As for how a callback should behave if it wants to give up, that 
depends on how the driver is designed.  There is no one single answer 
appropriate for all drivers.  In the simplest case, where the driver 
always keeps one URB in flight and resubmits the URB whenever it 
completes, giving up is easy -- just don't resubmit the URB!  This will 
immediately end all the communication with the device.

> > > I think that is why this driver code is so awkward.
> > 
> > That's what usb_driver_claim_interface() is for.  IIRC, the cdc-acm 
> > driver uses it in exactly this way.
> 
> Very interesting, we should look at re-writing this driver. Note this
> function is not documented in Documentation/driver-api/usb/

The documentation files are quite old and were never complete.  Nowadays 
we rely much more heavily on the kerneldoc in the source code itself.

> Thank you for your help

You're welcome.

Alan Stern

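The two completion-handler policies Alan Stern describes in the thread (a bounded error-recovery scheme that gives up after a fixed number of errors or a fixed time, versus the "just don't resubmit" of most drivers), set beside the unconditional resubmit that produced the printk flood syzbot reported, as a user-space model. This is added example code, not imon's or the USB core's; the fatal-status set, the budget numbers and the two status sequences are constructed for the example, and URB statuses are modelled as negative errno values as the kernel does.

```c
/*
 * Added example, not code from imon or the USB core: a user-space model of
 * the completion-handler policies discussed in the thread ("give up right
 * away" versus "retry within a fixed budget"), beside the unconditional
 * resubmit that produced the printk flood.  URB statuses are negative errno
 * values, as in the kernel.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

enum rx_action {
	RX_RESUBMIT,		/* deliver any data and resubmit now */
	RX_RESUBMIT_LATER,	/* transient error within budget: resubmit after a delay */
	RX_STOP,		/* do not resubmit; communication with the device ends */
};

enum rx_policy { POLICY_ALWAYS, POLICY_SIMPLE, POLICY_BOUNDED };

/* The URB was cancelled (-ENOENT from usb_kill_urb(), -ECONNRESET from
 * usb_unlink_urb()) or the device/host is gone (-ESHUTDOWN): never resubmit. */
static bool status_is_unlink(int status)
{
	return status == -ENOENT || status == -ECONNRESET || status == -ESHUTDOWN;
}

/* "Give up right away".  The fatal set is a per-driver choice (constructed
 * here): the codes the imon patch uses plus -ETIME, which error-codes.rst
 * also lists as a possible post-unplug status. */
enum rx_action simple_policy(int status)
{
	if (status == 0)
		return RX_RESUBMIT;
	if (status_is_unlink(status))
		return RX_STOP;
	switch (status) {
	case -EPROTO:	/* by far the most common status after an unplug */
	case -EILSEQ:
	case -ETIME:
	case -EPIPE:	/* endpoint stalled */
		return RX_STOP;
	default:
		return RX_RESUBMIT;	/* unrecognised status: log it and carry on */
	}
}

/* Bounded retry: tolerate up to max_errors consecutive errors and at most
 * max_window_ms in error, resubmitting after a delay; then give up. */
struct retry_budget {
	unsigned int errors;		/* consecutive errors in the current run */
	unsigned int max_errors;
	unsigned long first_error_ms;	/* start of the current error run */
	unsigned long max_window_ms;
};

enum rx_action bounded_policy(struct retry_budget *b, int status, unsigned long now_ms)
{
	if (status == 0) {
		b->errors = 0;		/* a good completion resets the budget */
		return RX_RESUBMIT;
	}
	if (status_is_unlink(status))
		return RX_STOP;
	if (b->errors++ == 0)
		b->first_error_ms = now_ms;
	if (b->errors > b->max_errors || now_ms - b->first_error_ms > b->max_window_ms)
		return RX_STOP;
	return RX_RESUBMIT_LATER;
}

/* Feed a sequence of completion statuses (one every 10 ms) to a policy and
 * count the resubmits.  POLICY_ALWAYS resubmits on every error; against a
 * device that keeps answering -EPROTO that is the flood syzbot reported. */
unsigned int count_resubmits(enum rx_policy p, const int *statuses, size_t n)
{
	struct retry_budget budget = { .max_errors = 3, .max_window_ms = 1000 };
	unsigned int resubmits = 0;

	for (size_t i = 0; i < n; i++) {
		enum rx_action a;

		if (p == POLICY_ALWAYS)
			a = status_is_unlink(statuses[i]) ? RX_STOP : RX_RESUBMIT;
		else if (p == POLICY_SIMPLE)
			a = simple_policy(statuses[i]);
		else
			a = bounded_policy(&budget, statuses[i], i * 10);
		if (a == RX_STOP)
			break;
		resubmits++;
	}
	return resubmits;
}

/* Constructed status sequences, not captured from hardware: an unplug that
 * answers -EPROTO forever, and a noisy link with isolated errors. */
const int seq_unplugged[] = { 0, 0, -EPROTO, -EPROTO, -EPROTO, -EPROTO, -EPROTO, -EPROTO };
const size_t seq_unplugged_len = 8;
const int seq_noisy[] = { 0, -EPROTO, 0, -EPROTO, 0, 0 };
const size_t seq_noisy_len = 6;
```

On the unplug sequence the unconditional policy resubmits once per completion and never stops, the simple policy stops at the first -EPROTO, and the bounded policy stops after its fourth consecutive error; on the noisy sequence the bounded policy rides through the isolated errors where the simple one gives up at the first. Which of the last two a driver should use is the trade-off Alan describes: tolerance for rare short-term interference against the cost of the extra state and timing logic.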

* Re: [PATCH v2] media: imon: make send_packet() more robust
  2025-07-16 14:07                                 ` [PATCH v2] " Tetsuo Handa
@ 2025-07-16 14:45                                   ` Alan Stern
  2025-07-17 14:21                                     ` [PATCH v3] " Tetsuo Handa
  0 siblings, 1 reply; 45+ messages in thread
From: Alan Stern @ 2025-07-16 14:45 UTC (permalink / raw)
  To: Tetsuo Handa
  Cc: Sean Young, Mauro Carvalho Chehab, Hillf Danton,
	syzbot+592e2ab8775dbe0bf09a, LKML

On Wed, Jul 16, 2025 at 11:07:17PM +0900, Tetsuo Handa wrote:
> syzbot is reporting that imon has three problems which result in
> hung tasks due to forever holding the device lock [1].
> 
> The first problem is that when usb_rx_callback_intf0() once got an -EPROTO
> error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
> resubmits the urb after printk(), and the resubmitted urb causes
> usb_rx_callback_intf0() to again get an -EPROTO error. This results in
> printk() flooding (RCU stalls).
> 
> Alan Stern commented [2] that
> 
>   In theory it's okay to resubmit _if_ the driver has a robust
>   error-recovery scheme (such as giving up after some fixed limit on the
>   number of errors or after some fixed time has elapsed, perhaps with a
>   time delay to prevent a flood of errors).  Most drivers don't bother to
>   do this; they simply give up right away.  This makes them more
>   vulnerable to short-term noise interference during USB transfers, but in
>   reality such interference is quite rare.  There's nothing really wrong
>   with giving up right away.
> 
> but imon has a poor error-recovery scheme which just retries forever;
> this behavior should be fixed.
> 
> Since I'm not sure whether it is safe for imon users to give up upon any
> error code, this patch takes care of only the union of error codes chosen
> from modules in the drivers/media/rc/ directory which handle the -EPROTO
> error (i.e. ir_toy, mceusb and igorplugusb).
> 
> The second problem is that when usb_rx_callback_intf0() once got an -EPROTO
> error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0()
> always resubmits the urb due to commit 8791d63af0cf ("[media] imon: don't
> wedge hardware after early callbacks"). The ictx->dev_present_intf0 test was
> introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
> until intf configured"), but that commit did not call usb_unlink_urb()
> when usb_rx_callback_intf0() got an error. Move the ictx->dev_present_intf0
> test to immediately before imon_incoming_packet() so that we can call
> usb_unlink_urb() as needed, or the first problem explained above happens
> without printk() flooding (i.e. hung task).
> 
> The third problem is that when usb_rx_callback_intf0() is not called for
> some reason (e.g. flaky hardware; the reproducer for this problem sometimes
> prevents usb_rx_callback_intf0() from being called),
> wait_for_completion_interruptible() in send_packet() never returns (i.e.
> hung task). As a workaround for such a situation, change send_packet() to
> wait for completion with a timeout of 10 seconds.
> 
> Also, move mutex_trylock() in imon_ir_change_protocol() to the beginning,
> since the memcpy() which modifies ictx->usb_tx_buf should be protected by
> ictx->lock.
> 
> Also, verify at the beginning of send_packet() that ictx->lock is held,
> in case send_packet() is called by mistake from imon_ir_change_protocol()
> after mutex_trylock() failed due to concurrent requests.
> 
> Link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a [1]
> Link: https://lkml.kernel.org/r/d6da6709-d799-4be3-a695-850bddd6eb24@rowland.harvard.edu [2]
> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
> ---

Making multiple significant changes like these in a single patch is 
generally a bad idea.  It would be better to split this up into two or 
three patches, each doing one thing.

> Changes in v2:
>   Updated patch description.
> 
>  drivers/media/rc/imon.c | 69 +++++++++++++++++++++++++----------------
>  1 file changed, 42 insertions(+), 27 deletions(-)
> 
> diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
> index f5221b018808..3469a401a572 100644
> --- a/drivers/media/rc/imon.c
> +++ b/drivers/media/rc/imon.c

> @@ -1761,16 +1756,30 @@ static void usb_rx_callback_intf0(struct urb *urb)
>  		break;
>  
>  	case 0:
> -		imon_incoming_packet(ictx, urb, intfnum);
> +		/*
> +		 * if we get a callback before we're done configuring the hardware, we
> +		 * can't yet process the data, as there's nowhere to send it, but we
> +		 * still need to submit a new rx URB to avoid wedging the hardware
> +		 */
> +		if (ictx->dev_present_intf0)
> +			imon_incoming_packet(ictx, urb, intfnum);
>  		break;
>  
> +	case -ECONNRESET:
> +	case -EILSEQ:
> +	case -EPROTO:
> +	case -EPIPE:
> +		dev_warn(ictx->dev, "imon %s: status(%d)\n",
> +			 __func__, urb->status);
> +		usb_unlink_urb(urb);
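
Review bot: with -EPIPE in this give-up list, a single endpoint stall silences the rx path for the rest of the interface's lifetime, because nothing else ever resubmits rx_urb_intf0 once this callback stops doing so (the intf1 counterpart below returns right after the unlink, and this one presumably does the same). -EPIPE is the one status here that has a defined recovery, usb_clear_halt() on the endpoint from process context (a work item, since this runs in completion context), so consider handling it separately from -EILSEQ/-EPROTO rather than treating a stall like transient bus noise.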

The URB you're unlinking here is the one that just completed, right?  
Which means it's already unlinked, so this call is unnecessary.

> @@ -1802,16 +1803,30 @@ static void usb_rx_callback_intf1(struct urb *urb)
>  		break;
>  
>  	case 0:
> -		imon_incoming_packet(ictx, urb, intfnum);
> +		/*
> +		 * if we get a callback before we're done configuring the hardware, we
> +		 * can't yet process the data, as there's nowhere to send it, but we
> +		 * still need to submit a new rx URB to avoid wedging the hardware
> +		 */
> +		if (ictx->dev_present_intf1)
> +			imon_incoming_packet(ictx, urb, intfnum);
>  		break;
>  
> +	case -ECONNRESET:
> +	case -EILSEQ:
> +	case -EPROTO:
> +	case -EPIPE:
> +		dev_warn(ictx->dev, "imon %s: status(%d)\n",
> +			 __func__, urb->status);
> +		usb_unlink_urb(urb);
> +		return;

Same here.

Alan Stern


* [PATCH v3] media: imon: make send_packet() more robust
  2025-07-16 14:45                                   ` Alan Stern
@ 2025-07-17 14:21                                     ` Tetsuo Handa
  0 siblings, 0 replies; 45+ messages in thread
From: Tetsuo Handa @ 2025-07-17 14:21 UTC (permalink / raw)
  To: Alan Stern, linux-media, Sean Young, Mauro Carvalho Chehab
  Cc: Hillf Danton, syzbot+592e2ab8775dbe0bf09a, LKML

syzbot is reporting that imon has three problems which result in
hung tasks due to forever holding the device lock [1].

The first problem is that when usb_rx_callback_intf0() once got an -EPROTO
error after ictx->dev_present_intf0 became true, usb_rx_callback_intf0()
resubmits the urb after printk(), and the resubmitted urb causes
usb_rx_callback_intf0() to again get an -EPROTO error. This results in
printk() flooding (RCU stalls).

Alan Stern commented [2] that

  In theory it's okay to resubmit _if_ the driver has a robust
  error-recovery scheme (such as giving up after some fixed limit on the
  number of errors or after some fixed time has elapsed, perhaps with a
  time delay to prevent a flood of errors).  Most drivers don't bother to
  do this; they simply give up right away.  This makes them more
  vulnerable to short-term noise interference during USB transfers, but in
  reality such interference is quite rare.  There's nothing really wrong
  with giving up right away.

but imon has a poor error-recovery scheme which just retries forever;
this behavior should be fixed.

Since I'm not sure whether it is safe for imon users to give up upon any
error code, this patch takes care of only the union of error codes chosen
from modules in the drivers/media/rc/ directory which handle the -EPROTO
error (i.e. ir_toy, mceusb and igorplugusb).

The second problem is that when usb_rx_callback_intf0() once got an -EPROTO
error before ictx->dev_present_intf0 becomes true, usb_rx_callback_intf0()
always resubmits the urb due to commit 8791d63af0cf ("[media] imon: don't
wedge hardware after early callbacks"). Move the ictx->dev_present_intf0 test
introduced by commit 6f6b90c9231a ("[media] imon: don't parse scancodes
until intf configured") to immediately before imon_incoming_packet(), or
the first problem explained above happens without printk() flooding (i.e.
hung task).

The third problem is that when usb_rx_callback_intf0() is not called for
some reason (e.g. flaky hardware; the reproducer for this problem sometimes
prevents usb_rx_callback_intf0() from being called),
wait_for_completion_interruptible() in send_packet() never returns (i.e.
hung task). As a workaround for such a situation, change send_packet() to
wait for completion with a timeout of 10 seconds.

Link: https://syzkaller.appspot.com/bug?extid=592e2ab8775dbe0bf09a [1]
Link: https://lkml.kernel.org/r/d6da6709-d799-4be3-a695-850bddd6eb24@rowland.harvard.edu [2]
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
Changes in v3:
  Dropped the usb_unlink_urb() call from usb_rx_callback_intf{0,1}().
  Dropped the ictx->lock change, to be sent as a separate patch.

Changes in v2:
  Updated patch description.

 drivers/media/rc/imon.c | 61 +++++++++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 24 deletions(-)

diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c
index f5221b018808..b914dd39c21c 100644
--- a/drivers/media/rc/imon.c
+++ b/drivers/media/rc/imon.c
@@ -645,12 +645,15 @@ static int send_packet(struct imon_context *ictx)
 		smp_rmb(); /* ensure later readers know we're not busy */
 		pr_err_ratelimited("error submitting urb(%d)\n", retval);
 	} else {
-		/* Wait for transmission to complete (or abort) */
-		retval = wait_for_completion_interruptible(
-				&ictx->tx.finished);
-		if (retval) {
+		/* Wait for transmission to complete (or abort or timeout) */
+		retval = wait_for_completion_interruptible_timeout(&ictx->tx.finished, 10 * HZ);
+		if (retval <= 0) {
 			usb_kill_urb(ictx->tx_urb);
 			pr_err_ratelimited("task interrupted\n");
+			if (retval < 0)
+				ictx->tx.status = retval;
+			else
+				ictx->tx.status = -ETIMEDOUT;
 		}
 
 		ictx->tx.busy = false;
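
Review bot: the `pr_err_ratelimited("task interrupted\n")` now also fires on the timeout path (retval == 0), where no task was interrupted; print a distinct message when ictx->tx.status is set to -ETIMEDOUT so the log tells a missing completion apart from a signal. Also note that wait_for_completion_interruptible_timeout() returns the remaining jiffies on success, so retval is no longer 0 after a successful wait as it was with wait_for_completion_interruptible(); the rest of send_packet() is outside this hunk, so confirm its return value is taken from ictx->tx.status rather than from retval. Finally, the new wait_for_completion_interruptible_timeout() line exceeds 80 columns; wrap it the way the line it replaces was wrapped.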
@@ -1745,14 +1748,6 @@ static void usb_rx_callback_intf0(struct urb *urb)
 	if (!ictx)
 		return;
 
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf0)
-		goto out;
-
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
 		return;
@@ -1761,16 +1756,29 @@ static void usb_rx_callback_intf0(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf0)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf0, GFP_ATOMIC);
 }
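
Review bot: -ECONNRESET in the new case list is the status of a URB unlinked asynchronously with usb_unlink_urb(), the counterpart of the -ENOENT (usb_kill_urb) case in the preceding hunk that returns silently, so a deliberate unlink would now be reported with dev_warn as though it were a device error. Consider grouping -ECONNRESET with -ENOENT and keeping the warning for -EILSEQ/-EPROTO/-EPIPE only; since that warning is the sole trace that the rx URB will never be resubmitted, wording it along the lines of "giving up" rather than the bare status would help whoever reads the log after the remote goes dead.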
 
@@ -1786,14 +1794,6 @@ static void usb_rx_callback_intf1(struct urb *urb)
 	if (!ictx)
 		return;
 
-	/*
-	 * if we get a callback before we're done configuring the hardware, we
-	 * can't yet process the data, as there's nowhere to send it, but we
-	 * still need to submit a new rx URB to avoid wedging the hardware
-	 */
-	if (!ictx->dev_present_intf1)
-		goto out;
-
 	switch (urb->status) {
 	case -ENOENT:		/* usbcore unlink successful! */
 		return;
@@ -1802,16 +1802,29 @@ static void usb_rx_callback_intf1(struct urb *urb)
 		break;
 
 	case 0:
-		imon_incoming_packet(ictx, urb, intfnum);
+		/*
+		 * if we get a callback before we're done configuring the hardware, we
+		 * can't yet process the data, as there's nowhere to send it, but we
+		 * still need to submit a new rx URB to avoid wedging the hardware
+		 */
+		if (ictx->dev_present_intf1)
+			imon_incoming_packet(ictx, urb, intfnum);
 		break;
 
+	case -ECONNRESET:
+	case -EILSEQ:
+	case -EPROTO:
+	case -EPIPE:
+		dev_warn(ictx->dev, "imon %s: status(%d)\n",
+			 __func__, urb->status);
+		return;
+
 	default:
 		dev_warn(ictx->dev, "imon %s: status(%d): ignored\n",
 			 __func__, urb->status);
 		break;
 	}
 
-out:
 	usb_submit_urb(ictx->rx_urb_intf1, GFP_ATOMIC);
 }
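
Review bot: the same observation about -ECONNRESET applies here as for usb_rx_callback_intf0(). The two callbacks are now identical apart from dev_present_intf1 and rx_urb_intf1; a shared helper taking the flag and the URB would keep the give-up error-code list in one place so the next change to it cannot diverge between the two interfaces.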
 
-- 
2.50.1
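The bounded error-recovery scheme Alan Stern describes earlier in the thread (give up after a fixed number of consecutive errors, with a delay between retries), contrasted with the give-up-immediately choice of the v3 patch above, as an added example in user-space C that is not code from imon or from anyone in the thread; the RX_* actions, struct rx_policy and the max_errors budget are made-up names, while the statuses are the real URB errno values discussed here.

```c
/* Added example, not imon or thread code: a bounded error-recovery policy for a
 * USB rx completion callback of the kind Alan Stern describes, modelled in user
 * space.  RX_* and struct rx_policy are made-up names; statuses are URB errnos. */
#include <errno.h>
#include <stdbool.h>

enum rx_action { RX_DELIVER, RX_RESUBMIT, RX_RESUBMIT_DELAYED, RX_GIVE_UP, RX_UNLINKED };

struct rx_policy {
	unsigned int errors;     /* consecutive error completions so far */
	unsigned int max_errors; /* give up after this many in a row */
	bool configured;         /* stands in for ictx->dev_present_intf0 */
};

/* Decide what the callback should do for a completion with `status`. */
enum rx_action rx_handle_status(struct rx_policy *p, int status)
{
	switch (status) {
	case 0:
		p->errors = 0; /* a good packet refills the error budget */
		return p->configured ? RX_DELIVER : RX_RESUBMIT;
	case -ENOENT:     /* synchronous unlink (usb_kill_urb) */
	case -ECONNRESET: /* asynchronous unlink (usb_unlink_urb) */
	case -ESHUTDOWN:  /* device or host controller has gone away */
		return RX_UNLINKED; /* never resubmit after an unlink */
	case -EPROTO:
	case -EILSEQ:
	case -EPIPE:      /* bus noise or a stalled endpoint: bounded retry */
		if (++p->errors >= p->max_errors)
			return RX_GIVE_UP;
		return RX_RESUBMIT_DELAYED; /* caller delays, then resubmits */
	default:
		return RX_RESUBMIT;
	}
}

/* Replay a sequence of completion statuses and return how many times the
 * callback would have resubmitted the URB before stopping for good. */
unsigned int rx_simulate(const int *statuses, int n, unsigned int max_errors, bool configured)
{
	struct rx_policy p = { 0, max_errors, configured };
	unsigned int submits = 0;
	for (int i = 0; i < n; i++) {
		enum rx_action a = rx_handle_status(&p, statuses[i]);
		if (a == RX_GIVE_UP || a == RX_UNLINKED)
			break; /* no resubmit: the rx path ends here */
		submits++;
	}
	return submits;
}
```

Running rx_simulate() with max_errors set to 1 reproduces the v3 behaviour (stop at the first error), while a very large budget reproduces the retry-forever loop syzbot hit.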


