[syzbot] [kernel?] INFO: rcu detected stall in kill

[syzbot] [kernel?] INFO: rcu detected stall in kill

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    9147566d8016 Merge tag 'sched_ext-for-7.0-rc6-fixes' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=151c1516580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
dashboard link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=111973d6580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12070dda580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c0b15aadfaef/disk-9147566d.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9df2af7be859/vmlinux-9147566d.xz
kernel image: https://storage.googleapis.com/syzbot-assets/87eba4cf352e/bzImage-9147566d.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	Tasks blocked on level-0 rcu_node (CPUs 0-1): P5969/1:b..l
rcu: 	(detected by 1, t=10502 jiffies, g=14521, q=2117 ncpus=2)
task:syz-executor    state:R  running task     stack:22432 pid:5969  tgid:5969  ppid:5967   task_flags:0x400140 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
 preempt_schedule_irq+0x4d/0xa0 kernel/sched/core.c:7238
 irqentry_exit+0x599/0x620 kernel/entry/common.c:239
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:lock_release+0x2d7/0x3d0 kernel/locking/lockdep.c:5893
Code: 16 7b 11 00 00 00 00 eb b5 e8 45 73 0d 0a f7 c3 00 02 00 00 74 b9 65 48 8b 05 c5 d0 7a 11 48 3b 44 24 28 75 44 fb 48 83 c4 30 <5b> 41 5c 41 5d 41 5e 41 5f 5d e9 95 81 6e ff cc 48 8d 3d 72 64 73
RSP: 0018:ffffc90003aafd78 EFLAGS: 00000286
RAX: d3d4042ff14ac900 RBX: 0000000000000202 RCX: 0000000000000046
RDX: 0000000000000000 RSI: ffffffff8e16b29d RDI: ffffffff8c27d100
RBP: ffff8880290229d8 R08: ffffffff9011ccb7 R09: 1ffffffff2023996
R10: dffffc0000000000 R11: fffffbfff2023997 R12: 0000000000000000
R13: 0000000000000000 R14: ffffffff8e75e5e0 R15: ffff888029021e80
 rcu_lock_release include/linux/rcupdate.h:322 [inline]
 rcu_read_unlock include/linux/rcupdate.h:881 [inline]
 kill_proc_info+0x168/0x180 kernel/signal.c:1481
 kill_something_info kernel/signal.c:1577 [inline]
 __do_sys_kill kernel/signal.c:3953 [inline]
 __se_sys_kill+0xd9/0x460 kernel/signal.c:3947
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb210b3dda7
RSP: 002b:00007ffe1e460eb8 EFLAGS: 00000217 ORIG_RAX: 000000000000003e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fb210b3dda7
RDX: 0000000000000097 RSI: 0000000000000009 RDI: 0000000000000003
RBP: 00007ffe1e460efc R08: 7fffffffffffffff R09: 0000000000000000
R10: 4000000000000000 R11: 0000000000000217 R12: 0000000000000000
R13: 0000000000000064 R14: 000000000003f067 R15: 00007ffe1e460f50
 </TASK>
rcu: rcu_preempt kthread starved for 3053 jiffies! g14521 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=0
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task     stack:27744 pid:16    tgid:16    ppid:2      task_flags:0x208040 flags:0x00080000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5298 [inline]
 __schedule+0x15dd/0x52d0 kernel/sched/core.c:6911
 __schedule_loop kernel/sched/core.c:6993 [inline]
 schedule+0x164/0x360 kernel/sched/core.c:7008
 schedule_timeout+0x158/0x2c0 kernel/time/sleep_timeout.c:99
 rcu_gp_fqs_loop+0x312/0x11d0 kernel/rcu/tree.c:2095
 rcu_gp_kthread+0x9e/0x2b0 kernel/rcu/tree.c:2297
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
rcu: Stack dump where RCU GP kthread last ran:
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 3405 Comm: kworker/R-bat_e Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: bat_events batadv_tt_purge
RIP: 0010:get_current arch/x86/include/asm/current.h:25 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0x8/0x70 kernel/kcov.c:216
Code: 8b 3d 04 8b 55 0c 48 89 de 5b e9 e3 99 5e 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 48 8b 04 24 <65> 48 8b 0d 28 db 56 11 65 8b 15 49 db 56 11 81 e2 00 01 ff 00 74
RSP: 0018:ffffc900000078f0 EFLAGS: 00000046
RAX: ffffffff878d4630 RBX: 0000000000000000 RCX: 0000000000000100
RDX: ffff888033120000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888156eed200 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffff52000000f0c R12: ffff88802b35bc00
R13: dffffc0000000000 R14: ffff888029c47000 R15: ffff888029c47408
FS:  0000000000000000(0000) GS:ffff888125457000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000557a11963a38 CR3: 00000000677c5000 CR4: 0000000000350ef0
Call Trace:
 <IRQ>
 dummy_validate_stream drivers/usb/gadget/udc/dummy_hcd.c:1244 [inline]
 dummy_urb_enqueue+0x270/0x780 drivers/usb/gadget/udc/dummy_hcd.c:1282
 usb_hcd_submit_urb+0x328/0x1b70 drivers/usb/core/hcd.c:1542
 ath9k_hif_usb_reg_in_cb+0x4d5/0x6f0 drivers/net/wireless/ath/ath9k/hif_usb.c:790
 __usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1657
 dummy_timer+0xbbd/0x45d0 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x53a/0xcc0 kernel/time/hrtimer.c:1849
 hrtimer_run_softirq+0x182/0x5a0 kernel/time/hrtimer.c:1866
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:395 [inline]
 batadv_tt_local_purge+0x2a7/0x340 net/batman-adv/translation-table.c:1315
 batadv_tt_purge+0x35/0x9e0 net/batman-adv/translation-table.c:3509
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 rescuer_thread+0x827/0x1130 kernel/workqueue.c:3583
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] ath9k: defer reg_in URB resubmission to workqueue

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ath9k: defer reg_in URB resubmission to workqueue
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

ath9k_hif_usb_reg_in_cb() is a URB completion callback that
runs in softirq context via dummy_hcd's hrtimer which is
registered with HRTIMER_MODE_REL_SOFT.

Calling usb_submit_urb() directly from this softirq context
triggers a long synchronous chain:

  dummy_urb_enqueue()
    hrtimer_start(HRTIMER_MODE_REL_SOFT)
      dummy_timer()
        __usb_hcd_giveback_urb()
          ath9k_hif_usb_reg_in_cb()
            usb_submit_urb()  <- back to start

This keeps CPU busy in softirq context indefinitely, starving
the rcu_preempt kthread and causing an RCU stall:

  rcu: rcu_preempt kthread starved for 3053 jiffies!
  rcu: Unless rcu_preempt kthread gets sufficient CPU time,
       OOM is now expected behavior.

Fix this by deferring URB resubmission to a workqueue via
schedule_work(), allowing the softirq to exit quickly and
giving rcu_preempt kthread sufficient CPU time to process
the grace period.

Reported-by: syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 38 +++++++++++++++++++-----
 drivers/net/wireless/ath/ath9k/hif_usb.h |  2 ++
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 8533b88974b2..38c0cabe52bf 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -731,12 +731,38 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
 	kfree(rx_buf);
 }
 
+static void ath9k_hif_usb_reg_in_resubmit(struct work_struct *work)
+{
+	struct rx_buf *rx_buf = container_of(work,
+					     struct rx_buf,
+					     work);
+	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+	struct urb *urb = rx_buf->urb;
+	int ret;
+
+	if (!hif_dev || !urb)
+		goto free_rx_buf;
+
+	usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
+	ret = usb_submit_urb(urb, GFP_KERNEL);
+	if (ret) {
+		usb_unanchor_urb(urb);
+		goto free_skb;
+	}
+	return;
+
+free_skb:
+	kfree_skb(rx_buf->skb);
+free_rx_buf:
+	kfree(rx_buf);
+	urb->context = NULL;
+}
+
 static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 {
 	struct rx_buf *rx_buf = urb->context;
 	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
 	struct sk_buff *skb = rx_buf->skb;
-	int ret;
 
 	if (!skb)
 		return;
@@ -786,13 +812,9 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	}
 
 resubmit:
-	usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
-	ret = usb_submit_urb(urb, GFP_ATOMIC);
-	if (ret) {
-		usb_unanchor_urb(urb);
-		goto free_skb;
-	}
-
+	rx_buf->urb = urb;
+	INIT_WORK(&rx_buf->work, ath9k_hif_usb_reg_in_resubmit);
+	schedule_work(&rx_buf->work);
 	return;
 free_skb:
 	kfree_skb(skb);
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
index b3e66b0485a5..7c2a8d2c1cca 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -89,6 +89,8 @@ struct tx_buf {
 struct rx_buf {
 	struct sk_buff *skb;
 	struct hif_device_usb *hif_dev;
+	struct urb *urb;
+	struct work_struct work;
 };
 
 #define HIF_USB_TX_STOP  BIT(0)
-- 
2.43.0

Forwarded: [PATCH] ath9k: defer reg_in URB resubmission to workqueue to fix RCU stall

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ath9k: defer reg_in URB resubmission to workqueue to fix RCU stall
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


ath9k_hif_usb_reg_in_cb() is a URB completion callback that
runs in softirq context via dummy_hcd's hrtimer which is
registered with HRTIMER_MODE_REL_SOFT.

Calling usb_submit_urb() directly from this softirq context
triggers a long synchronous chain:

  dummy_urb_enqueue()
    hrtimer_start(HRTIMER_MODE_REL_SOFT)
      dummy_timer()
        __usb_hcd_giveback_urb()
          ath9k_hif_usb_reg_in_cb()
            usb_submit_urb()  <- back to start

This keeps the CPU busy in softirq context indefinitely,
starving the rcu_preempt kthread and causing an RCU stall:

  rcu: rcu_preempt kthread starved for 3053 jiffies!
  rcu: Unless rcu_preempt kthread gets sufficient CPU time,
       OOM is now expected behavior.

Fix this by introducing a small per-resubmission wrapper
struct (reg_in_work) that is freshly allocated on each URB
completion and carries its own work_struct. The resubmission
is then deferred to the system workqueue via schedule_work(),
allowing the softirq to exit quickly.

Using a fresh wrapper per completion avoids the races that
would arise from reusing a single embedded work_struct:
  - INIT_WORK() is called on a newly allocated struct so
    there is no risk of reinitialising a work item that is
    still queued or running.
  - schedule_work() always returns true so no resubmission
    is silently dropped.
  - usb_get_urb() is called before schedule_work() and
    usb_put_urb() is called in the worker, ensuring the URB
    remains valid for the lifetime of the work item.

On resubmission failure in the worker the original error
path is preserved: the skb and rx_buf are freed and
urb->context is set to NULL, matching the behaviour of the
original goto free_skb path.

Reported-by: syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 53 ++++++++++++++++++++----
 1 file changed, 45 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 8533b88974b2..3ce598167731 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -731,12 +731,43 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
 	kfree(rx_buf);
 }
 
+struct reg_in_work {
+	struct urb		*urb;
+	struct hif_device_usb	*hif_dev;
+	struct work_struct	work;
+};
+
+static void ath9k_hif_usb_reg_in_resubmit(struct work_struct *work)
+{
+	struct reg_in_work *rw = container_of(work,
+					      struct reg_in_work,
+					      work);
+	struct urb *urb = rw->urb;
+	struct rx_buf *rx_buf = urb->context;
+
+	int ret;
+
+	usb_anchor_urb(rw->urb, &rw->hif_dev->reg_in_submitted);
+	ret = usb_submit_urb(rw->urb, GFP_KERNEL);
+	usb_put_urb(rw->urb);
+
+	if (ret) {
+		usb_unanchor_urb(rw->urb);
+		if (rx_buf) {
+			kfree_skb(rx_buf->skb);
+			kfree(rx_buf);
+			urb->context = NULL;
+		}
+	}
+
+	kfree(rw);
+}
+
 static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 {
 	struct rx_buf *rx_buf = urb->context;
 	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
 	struct sk_buff *skb = rx_buf->skb;
-	int ret;
 
 	if (!skb)
 		return;
@@ -786,14 +817,20 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	}
 
 resubmit:
-	usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
-	ret = usb_submit_urb(urb, GFP_ATOMIC);
-	if (ret) {
-		usb_unanchor_urb(urb);
-		goto free_skb;
+	{
+		struct reg_in_work *rw;
+
+		rw = kmalloc_obj(*rw, GFP_ATOMIC);
+		if (!rw)
+			goto free_skb;
+
+		rw->urb = urb;
+		rw->hif_dev = hif_dev;
+		usb_get_urb(urb);
+		INIT_WORK(&rw->work, ath9k_hif_usb_reg_in_resubmit);
+		schedule_work(&rw->work);
+		return;
 	}
-
-	return;
 free_skb:
 	kfree_skb(skb);
 free_rx_buf:
-- 
2.43.0

Forwarded: [PATCH] ath9k: defer reg_in URB resubmission to workqueue to fix RCU stall

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ath9k: defer reg_in URB resubmission to workqueue to fix RCU stall
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


ath9k_hif_usb_reg_in_cb() is a URB completion callback that
runs in softirq context via dummy_hcd's hrtimer which is
registered with HRTIMER_MODE_REL_SOFT.

Calling usb_submit_urb() directly from this softirq context
triggers a long synchronous chain:

  dummy_urb_enqueue()
    hrtimer_start(HRTIMER_MODE_REL_SOFT)
      dummy_timer()
        __usb_hcd_giveback_urb()
          ath9k_hif_usb_reg_in_cb()
            usb_submit_urb()  <- back to start

This keeps the CPU busy in softirq context indefinitely,
starving the rcu_preempt kthread and causing an RCU stall:

  rcu: rcu_preempt kthread starved for 3053 jiffies!
  rcu: Unless rcu_preempt kthread gets sufficient CPU time,
       OOM is now expected behavior.

Fix this by introducing a small per-resubmission wrapper
struct (reg_in_work) that is freshly allocated on each URB
completion and carries its own work_struct. The resubmission
is then deferred to the system workqueue via schedule_work(),
allowing the softirq to exit quickly.

Using a fresh wrapper per completion avoids races that would
arise from reusing a single embedded work_struct:
  - INIT_WORK() is called on a newly allocated struct so
    there is no risk of reinitialising a work item that is
    still queued or running.
  - schedule_work() on a fresh work_struct always succeeds
    so no resubmission is ever silently dropped.
  - usb_get_urb() is called before schedule_work() and
    usb_put_urb() is called last in the worker after all
    URB accesses are complete, ensuring the URB remains
    valid for the entire lifetime of the work item.

On resubmission failure in the worker the original error
path is preserved: skb and rx_buf are freed and
urb->context is set to NULL before dropping the URB
reference, matching the behaviour of the original
goto free_skb path.

Reported-by: syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 53 ++++++++++++++++++++----
 1 file changed, 45 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 8533b88974b2..0f9536b2d0a2 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -731,12 +731,43 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
 	kfree(rx_buf);
 }
 
+struct reg_in_work {
+	struct urb		*urb;
+	struct hif_device_usb	*hif_dev;
+	struct work_struct	work;
+};
+
+static void ath9k_hif_usb_reg_in_resubmit(struct work_struct *work)
+{
+	struct reg_in_work *rw = container_of(work,
+					      struct reg_in_work,
+					      work);
+	struct urb *urb = rw->urb;
+	struct rx_buf *rx_buf = urb->context;
+
+	int ret;
+
+	usb_anchor_urb(rw->urb, &rw->hif_dev->reg_in_submitted);
+	ret = usb_submit_urb(rw->urb, GFP_KERNEL);
+
+	if (ret) {
+		usb_unanchor_urb(rw->urb);
+		if (rx_buf) {
+			kfree_skb(rx_buf->skb);
+			kfree(rx_buf);
+			urb->context = NULL;
+		}
+	}
+
+	usb_put_urb(urb);
+	kfree(rw);
+}
+
 static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 {
 	struct rx_buf *rx_buf = urb->context;
 	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
 	struct sk_buff *skb = rx_buf->skb;
-	int ret;
 
 	if (!skb)
 		return;
@@ -786,14 +817,20 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	}
 
 resubmit:
-	usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
-	ret = usb_submit_urb(urb, GFP_ATOMIC);
-	if (ret) {
-		usb_unanchor_urb(urb);
-		goto free_skb;
+	{
+		struct reg_in_work *rw;
+
+		rw = kmalloc_obj(*rw, GFP_ATOMIC);
+		if (!rw)
+			goto free_skb;
+
+		rw->urb = urb;
+		rw->hif_dev = hif_dev;
+		usb_get_urb(urb);
+		INIT_WORK(&rw->work, ath9k_hif_usb_reg_in_resubmit);
+		schedule_work(&rw->work);
+		return;
 	}
-
-	return;
 free_skb:
 	kfree_skb(skb);
 free_rx_buf:
-- 
2.43.0

Forwarded: [PATCH] ath9k: defer reg_in URB resubmission to workqueue to fix RCU stall

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ath9k: defer reg_in URB resubmission to workqueue to fix RCU stall
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


ath9k_hif_usb_reg_in_cb() is a URB completion callback that
runs in softirq context via dummy_hcd's hrtimer which is
registered with HRTIMER_MODE_REL_SOFT.

Calling usb_submit_urb() directly from this softirq context
triggers a long synchronous chain:

  dummy_urb_enqueue()
    hrtimer_start(HRTIMER_MODE_REL_SOFT)
      dummy_timer()
        __usb_hcd_giveback_urb()
          ath9k_hif_usb_reg_in_cb()
            usb_submit_urb()  <- back to start

This keeps the CPU busy in softirq context indefinitely,
starving the rcu_preempt kthread and causing an RCU stall:

  rcu: rcu_preempt kthread starved for 3053 jiffies!
  rcu: Unless rcu_preempt kthread gets sufficient CPU time,
       OOM is now expected behavior.

Fix this by introducing a small per-resubmission wrapper
struct (reg_in_work) that is freshly allocated on each URB
completion and carries its own work_struct. The resubmission
is deferred to a dedicated ordered workqueue (reg_in_wq)
via queue_work(), allowing the softirq to exit quickly.

Using a fresh wrapper per completion avoids races that would
arise from reusing a single embedded work_struct:
  - INIT_WORK() is called on a newly allocated struct so
    there is no risk of reinitialising a work item that is
    still queued or running.
  - queue_work() on a fresh work_struct always succeeds so
    no resubmission is ever silently dropped.
  - usb_get_urb() is called before queue_work() and
    usb_put_urb() is called last in the worker after all
    URB accesses are complete, ensuring the URB remains
    valid for the entire lifetime of the work item.

A dedicated ordered workqueue is used instead of the system
workqueue to allow proper synchronization on disconnect.
destroy_workqueue() in ath9k_hif_usb_dealloc_reg_in_urbs()
drains all pending resubmissions before hif_dev is freed,
preventing use-after-free when the device is disconnected
while work items are still pending.

On resubmission failure in the worker the original error
path is preserved: skb and rx_buf are freed and
urb->context is set to NULL before dropping the URB
reference, matching the behaviour of the original
goto free_skb path.

Reported-by: syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 58 ++++++++++++++++++++----
 drivers/net/wireless/ath/ath9k/hif_usb.h |  1 +
 2 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 8533b88974b2..370764681749 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -731,12 +731,43 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
 	kfree(rx_buf);
 }
 
+struct reg_in_work {
+	struct urb		*urb;
+	struct hif_device_usb	*hif_dev;
+	struct work_struct	work;
+};
+
+static void ath9k_hif_usb_reg_in_resubmit(struct work_struct *work)
+{
+	struct reg_in_work *rw = container_of(work,
+					      struct reg_in_work,
+					      work);
+	struct urb *urb = rw->urb;
+	struct rx_buf *rx_buf = urb->context;
+
+	int ret;
+
+	usb_anchor_urb(rw->urb, &rw->hif_dev->reg_in_submitted);
+	ret = usb_submit_urb(rw->urb, GFP_KERNEL);
+
+	if (ret) {
+		usb_unanchor_urb(rw->urb);
+		if (rx_buf) {
+			kfree_skb(rx_buf->skb);
+			kfree(rx_buf);
+			urb->context = NULL;
+		}
+	}
+
+	usb_put_urb(urb);
+	kfree(rw);
+}
+
 static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 {
 	struct rx_buf *rx_buf = urb->context;
 	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
 	struct sk_buff *skb = rx_buf->skb;
-	int ret;
 
 	if (!skb)
 		return;
@@ -786,14 +817,20 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	}
 
 resubmit:
-	usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
-	ret = usb_submit_urb(urb, GFP_ATOMIC);
-	if (ret) {
-		usb_unanchor_urb(urb);
-		goto free_skb;
+	{
+		struct reg_in_work *rw;
+
+		rw = kmalloc_obj(*rw, GFP_ATOMIC);
+		if (!rw)
+			goto free_skb;
+
+		rw->urb = urb;
+		rw->hif_dev = hif_dev;
+		usb_get_urb(urb);
+		INIT_WORK(&rw->work, ath9k_hif_usb_reg_in_resubmit);
+		queue_work(hif_dev->reg_in_wq, &rw->work);
+		return;
 	}
-
-	return;
 free_skb:
 	kfree_skb(skb);
 free_rx_buf:
@@ -959,6 +996,8 @@ static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev)
 static void ath9k_hif_usb_dealloc_reg_in_urbs(struct hif_device_usb *hif_dev)
 {
 	usb_kill_anchored_urbs(&hif_dev->reg_in_submitted);
+	if (hif_dev->reg_in_wq)
+		destroy_workqueue(hif_dev->reg_in_wq);
 }
 
 static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev)
@@ -969,6 +1008,9 @@ static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev)
 	int i, ret;
 
 	init_usb_anchor(&hif_dev->reg_in_submitted);
+	hif_dev->reg_in_wq = alloc_ordered_workqueue("ath9k_reg_in", 0);
+	if (!hif_dev->reg_in_wq)
+		return -ENOMEM;
 
 	for (i = 0; i < MAX_REG_IN_URB_NUM; i++) {
 
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
index b3e66b0485a5..38f17a12fd5f 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -124,6 +124,7 @@ struct hif_device_usb {
 	struct usb_anchor regout_submitted;
 	struct usb_anchor rx_submitted;
 	struct usb_anchor reg_in_submitted;
+	struct workqueue_struct *reg_in_wq;
 	struct usb_anchor mgmt_submitted;
 	struct sk_buff *remain_skb;
 	char fw_name[64];
-- 
2.43.0

Re: [syzbot] [kernel?] INFO: rcu detected stall in kill

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in usb_anchor_urb

usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
BUG: KASAN: slab-use-after-free in atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add include/linux/refcount.h:283 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc include/linux/refcount.h:366 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc include/linux/refcount.h:383 [inline]
BUG: KASAN: slab-use-after-free in kref_get include/linux/kref.h:45 [inline]
BUG: KASAN: slab-use-after-free in usb_get_urb drivers/usb/core/urb.c:113 [inline]
BUG: KASAN: slab-use-after-free in usb_anchor_urb+0x45/0x220 drivers/usb/core/urb.c:131
Write of size 4 at addr ffff88802a8dce00 by task kworker/1:8/6502

CPU: 1 UID: 0 PID: 6502 Comm: kworker/1:8 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events ath9k_hif_usb_reg_in_resubmit
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
 instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
 __refcount_add include/linux/refcount.h:283 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 kref_get include/linux/kref.h:45 [inline]
 usb_get_urb drivers/usb/core/urb.c:113 [inline]
 usb_anchor_urb+0x45/0x220 drivers/usb/core/urb.c:131
 ath9k_hif_usb_reg_in_resubmit+0x86/0x120 drivers/net/wireless/ath/ath9k/hif_usb.c:746
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6466:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 usb_alloc_urb+0x46/0x150 drivers/usb/core/urb.c:75
 ath9k_hif_usb_alloc_reg_in_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:1004 [inline]
 ath9k_hif_usb_alloc_urbs+0xb8c/0x1120 drivers/net/wireless/ath/ath9k/hif_usb.c:1070
 ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1156 [inline]
 ath9k_hif_usb_firmware_cb+0x127/0x4c0 drivers/net/wireless/ath/ath9k/hif_usb.c:1289
 request_firmware_work_func+0x105/0x1c0 drivers/base/firmware_loader/main.c:1152
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6345:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 dummy_timer+0xbbd/0x45d0 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x53a/0xcc0 kernel/time/hrtimer.c:1849
 hrtimer_run_softirq+0x182/0x5a0 kernel/time/hrtimer.c:1866
 handle_softirqs+0x22a/0x870 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0x5f/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697

The buggy address belongs to the object at ffff88802a8dce00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 freed 192-byte region [ffff88802a8dce00, ffff88802a8dcec0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2a8dc
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88813fea63c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 9831863731, free_ts 9679699786
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 usb_alloc_urb+0x46/0x150 drivers/usb/core/urb.c:75
 usb_internal_control_msg drivers/usb/core/message.c:110 [inline]
 usb_control_msg+0x118/0x3e0 drivers/usb/core/message.c:167
 usb_get_descriptor+0xb1/0x3e0 drivers/usb/core/message.c:852
 usb_get_configuration+0x2c3/0x54f0 drivers/usb/core/config.c:956
 usb_enumerate_device drivers/usb/core/hub.c:2527 [inline]
 usb_new_device+0x145/0x16f0 drivers/usb/core/hub.c:2665
 register_root_hub+0x270/0x5f0 drivers/usb/core/hcd.c:990
 usb_add_hcd+0xba1/0x10b0 drivers/usb/core/hcd.c:2987
 vhci_hcd_probe+0x141/0x3e0 drivers/usb/usbip/vhci_hcd.c:1388
 platform_probe+0xf9/0x190 drivers/base/platform.c:1418
page last free pid 29 tgid 29 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 vfree+0x25a/0x400 mm/vmalloc.c:3479
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3398
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff88802a8dcd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff88802a8dcd80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88802a8dce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88802a8dce80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88802a8dcf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


Tested on:

commit:         3aae9383 Merge tag 'input-for-v7.0-rc6' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=135c4e06580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
dashboard link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=131ff3d6580000

Re: [syzbot] [kernel?] INFO: rcu detected stall in kill

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in ath9k_hif_usb_reg_in_resubmit

==================================================================
BUG: KASAN: slab-use-after-free in ath9k_hif_usb_reg_in_resubmit+0x143/0x170 drivers/net/wireless/ath/ath9k/hif_usb.c:759
Write of size 8 at addr ffff8880282609b0 by task kworker/0:4/5926

CPU: 0 UID: 0 PID: 5926 Comm: kworker/0:4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events ath9k_hif_usb_reg_in_resubmit
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 ath9k_hif_usb_reg_in_resubmit+0x143/0x170 drivers/net/wireless/ath/ath9k/hif_usb.c:759
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6436:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5260 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 usb_alloc_urb+0x46/0x150 drivers/usb/core/urb.c:75
 ath9k_hif_usb_alloc_reg_in_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:1019 [inline]
 ath9k_hif_usb_alloc_urbs+0xb8c/0x1120 drivers/net/wireless/ath/ath9k/hif_usb.c:1085
 ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1171 [inline]
 ath9k_hif_usb_firmware_cb+0x127/0x4c0 drivers/net/wireless/ath/ath9k/hif_usb.c:1304
 request_firmware_work_func+0x105/0x1c0 drivers/base/firmware_loader/main.c:1152
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 5926:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 urb_destroy drivers/usb/core/urb.c:27 [inline]
 kref_put include/linux/kref.h:65 [inline]
 usb_free_urb drivers/usb/core/urb.c:96 [inline]
 __usb_unanchor_urb drivers/usb/core/urb.c:153 [inline]
 usb_unanchor_urb+0x283/0x380 drivers/usb/core/urb.c:183
 ath9k_hif_usb_reg_in_resubmit+0xf4/0x170 drivers/net/wireless/ath/ath9k/hif_usb.c:755
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888028260900
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 176 bytes inside of
 freed 192-byte region [ffff888028260900, ffff8880282609c0)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28260
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88813fea63c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 24, tgid 24 (kworker/1:0), ts 10584606067, free_ts 6626023302
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __do_kmalloc_node mm/slub.c:5259 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5272
 kmalloc_noprof include/linux/slab.h:954 [inline]
 usb_alloc_urb+0x46/0x150 drivers/usb/core/urb.c:75
 usb_internal_control_msg drivers/usb/core/message.c:110 [inline]
 usb_control_msg+0x118/0x3e0 drivers/usb/core/message.c:167
 get_port_status drivers/usb/core/hub.c:607 [inline]
 hub_ext_port_status+0x116/0x820 drivers/usb/core/hub.c:624
 usb_hub_port_status drivers/usb/core/hub.c:674 [inline]
 hub_activate+0x6eb/0x1a80 drivers/usb/core/hub.c:1185
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 24 tgid 24 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 vfree+0x25a/0x400 mm/vmalloc.c:3479
 delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3398
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888028260880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888028260900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888028260980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                     ^
 ffff888028260a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888028260a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit:         3aae9383 Merge tag 'input-for-v7.0-rc6' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11424e06580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
dashboard link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=108bc1ca580000

Re: [syzbot] [kernel?] INFO: rcu detected stall in kill

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in usb_anchor_urb

==================================================================
BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:162
Read of size 1 at addr ffff888077fdd310 by task kworker/0:0/9

CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events ath9k_hif_usb_reg_in_resubmit
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __kasan_check_byte+0x2a/0x40 mm/kasan/common.c:574
 kasan_check_byte include/linux/kasan.h:402 [inline]
 lock_acquire+0x79/0x2e0 kernel/locking/lockdep.c:5842
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:132 [inline]
 _raw_spin_lock_irqsave+0x40/0x60 kernel/locking/spinlock.c:162
 usb_anchor_urb+0x2a/0x220 drivers/usb/core/urb.c:130
 ath9k_hif_usb_reg_in_resubmit+0xa7/0x1a0 drivers/net/wireless/ath/ath9k/hif_usb.c:750
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 9:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5380
 kmalloc_noprof include/linux/slab.h:950 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 ath9k_hif_usb_probe+0x364/0xae0 drivers/net/wireless/ath/ath9k/hif_usb.c:1416
 usb_probe_interface+0x668/0xc90 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:721
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:721
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:863
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:893
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1021
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1093
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1148
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6558:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2685 [inline]
 slab_free mm/slub.c:6165 [inline]
 kfree+0x1c1/0x630 mm/slub.c:6483
 ath9k_hif_usb_disconnect+0x1cf/0x250 drivers/net/wireless/ath/ath9k/hif_usb.c:1489
 usb_unbind_interface+0x26e/0x910 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:633 [inline]
 __device_release_driver drivers/base/dd.c:1344 [inline]
 device_release_driver_internal+0x4d9/0x870 drivers/base/dd.c:1367
 bus_remove_device+0x455/0x570 drivers/base/bus.c:657
 device_del+0x527/0x8f0 drivers/base/core.c:3880
 usb_disable_device+0x3d4/0x8d0 drivers/usb/core/message.c:1476
 usb_disconnect+0x32f/0x990 drivers/usb/core/hub.c:2345
 hub_port_connect drivers/usb/core/hub.c:5407 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x1cc9/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888077fdd000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 784 bytes inside of
 freed 2048-byte region [ffff888077fdd000, ffff888077fdd800)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x77fd8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fea7000 dead000000000100 dead000000000122
raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fea7000 dead000000000100 dead000000000122
head: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001dff601 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5176, tgid 5176 (klogd), ts 142953379597, free_ts 142877816667
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3292 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3481
 new_slab mm/slub.c:3539 [inline]
 refill_objects+0x331/0x3c0 mm/slub.c:7175
 refill_sheaf mm/slub.c:2812 [inline]
 __pcs_replace_empty_main+0x2e6/0x730 mm/slub.c:4615
 alloc_from_pcs mm/slub.c:4717 [inline]
 slab_alloc_node mm/slub.c:4851 [inline]
 __kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5375
 kmalloc_noprof include/linux/slab.h:950 [inline]
 syslog_print+0x103/0x610 kernel/printk/printk.c:1585
 do_syslog+0x583/0x7d0 kernel/printk/printk.c:1763
 __do_sys_syslog kernel/printk/printk.c:1855 [inline]
 __se_sys_syslog kernel/printk/printk.c:1853 [inline]
 __x64_sys_syslog+0x7c/0x90 kernel/printk/printk.c:1853
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
page last free pid 50 tgid 50 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1433 [inline]
 __free_frozen_pages+0xc2b/0xdb0 mm/page_alloc.c:2978
 __slab_free+0x263/0x2b0 mm/slub.c:5573
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4538 [inline]
 slab_alloc_node mm/slub.c:4866 [inline]
 kmem_cache_alloc_node_noprof+0x384/0x690 mm/slub.c:4918
 __alloc_skb+0x1d0/0x7d0 net/core/skbuff.c:702
 alloc_skb include/linux/skbuff.h:1383 [inline]
 mld_newpack+0x14c/0xc90 net/ipv6/mcast.c:1775
 add_grhead+0x5a/0x2a0 net/ipv6/mcast.c:1886
 add_grec+0x1452/0x1740 net/ipv6/mcast.c:2025
 mld_send_initial_cr+0x288/0x550 net/ipv6/mcast.c:2268
 ipv6_mc_dad_complete+0x88/0x540 net/ipv6/mcast.c:2279
 addrconf_dad_completed+0x8a7/0xe60 net/ipv6/addrconf.c:4344
 addrconf_dad_work+0xc5e/0x14c0 net/ipv6/addrconf.c:-1
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440

Memory state around the buggy address:
 ffff888077fdd200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888077fdd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888077fdd300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888077fdd380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888077fdd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         3aae9383 Merge tag 'input-for-v7.0-rc6' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1740d9f6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
dashboard link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15ca5d02580000

Re: [syzbot] [kernel?] INFO: rcu detected stall in kill

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: locking bug in ath9k_hif_usb_dealloc_urbs

ath9k_htc: Failed to initialize the device
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#1: kworker/1:4/5897
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#1: kworker/1:4/5897
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#1: kworker/1:4/5897
Modules linked in:
CPU: 1 UID: 0 PID: 5897 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events request_firmware_work_func
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 c7 8a 0a 03 85 c0 74 1c 83 3d a0 76 70 0e 00 75 13 48 8d 3d a3 97 73 0e 48 c7 c6 0f 96 01 8e <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc90003c77588 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: ffff88807ca75b80
RDX: 0000000000000000 RSI: ffffffff8e01960f RDI: ffffffff90152ad0
RBP: 0000000000000002 R08: ffffffff901209c3 R09: 1ffffffff2024138
R10: dffffc0000000000 R11: fffffbfff2024139 R12: 0000000000000936
R13: ffff88807ca76728 R14: ffff88807ca75b80 R15: ffff88807ca766d8
FS:  0000000000000000(0000) GS:ffff888125554000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559755574be0 CR3: 000000005396b000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
 touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3991
 __flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:4033
 drain_workqueue+0xd3/0x390 kernel/workqueue.c:4197
 destroy_workqueue+0xbb/0xc60 kernel/workqueue.c:5967
 ath9k_hif_usb_dealloc_reg_in_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:1000 [inline]
 ath9k_hif_usb_dealloc_urbs+0x6a/0x1c0 drivers/net/wireless/ath/ath9k/hif_usb.c:1105
 ath9k_hif_usb_dev_deinit drivers/net/wireless/ath/ath9k/hif_usb.c:1188 [inline]
 ath9k_hif_usb_firmware_cb+0x260/0x4c0 drivers/net/wireless/ath/ath9k/hif_usb.c:1330
 request_firmware_work_func+0x105/0x1c0 drivers/base/firmware_loader/main.c:1152
 process_one_work kernel/workqueue.c:3276 [inline]
 process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>
----------------
Code disassembly (best guess):
   0:	18 00                	sbb    %al,(%rax)
   2:	4c 8b 74 24 08       	mov    0x8(%rsp),%r14
   7:	75 27                	jne    0x30
   9:	90                   	nop
   a:	e8 c7 8a 0a 03       	call   0x30a8ad6
   f:	85 c0                	test   %eax,%eax
  11:	74 1c                	je     0x2f
  13:	83 3d a0 76 70 0e 00 	cmpl   $0x0,0xe7076a0(%rip)        # 0xe7076ba
  1a:	75 13                	jne    0x2f
  1c:	48 8d 3d a3 97 73 0e 	lea    0xe7397a3(%rip),%rdi        # 0xe7397c6
  23:	48 c7 c6 0f 96 01 8e 	mov    $0xffffffff8e01960f,%rsi
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	90                   	nop
  30:	31 c0                	xor    %eax,%eax
  32:	0f b6 98 c4 00 00 00 	movzbl 0xc4(%rax),%ebx
  39:	41 8b 45 20          	mov    0x20(%r13),%eax
  3d:	25                   	.byte 0x25
  3e:	ff 1f                	lcall  *(%rdi)


Tested on:

commit:         3aae9383 Merge tag 'input-for-v7.0-rc6' of git://git.k..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=114706ba580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
dashboard link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15e8cdda580000