From: syzbot <syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] ath9k: defer reg_in URB resubmission to workqueue
Date: Sat, 04 Apr 2026 18:21:00 -0700	[thread overview]
Message-ID: <69d1b8fc.a70a0220.a26f2.0014.GAE@google.com> (raw)
In-Reply-To: <69cffde1.050a0220.182279.0016.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ath9k: defer reg_in URB resubmission to workqueue
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

ath9k_hif_usb_reg_in_cb() is a URB completion callback that
runs in softirq context via dummy_hcd's hrtimer which is
registered with HRTIMER_MODE_REL_SOFT.

Calling usb_submit_urb() directly from this softirq context
triggers a long synchronous chain:

  dummy_urb_enqueue()
    hrtimer_start(HRTIMER_MODE_REL_SOFT)
      dummy_timer()
        __usb_hcd_giveback_urb()
          ath9k_hif_usb_reg_in_cb()
            usb_submit_urb()  <- back to start

This keeps the CPU busy in softirq context indefinitely, starving
the rcu_preempt kthread and causing an RCU stall:

  rcu: rcu_preempt kthread starved for 3053 jiffies!
  rcu: Unless rcu_preempt kthread gets sufficient CPU time,
       OOM is now expected behavior.

Fix this by deferring URB resubmission to a workqueue via
schedule_work(), allowing the softirq to exit quickly and
giving rcu_preempt kthread sufficient CPU time to process
the grace period.

Reported-by: syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/net/wireless/ath/ath9k/hif_usb.c | 38 +++++++++++++++++++-----
 drivers/net/wireless/ath/ath9k/hif_usb.h |  2 ++
 2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 8533b88974b2..38c0cabe52bf 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -731,12 +731,38 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
 	kfree(rx_buf);
 }
 
+static void ath9k_hif_usb_reg_in_resubmit(struct work_struct *work)
+{
+	struct rx_buf *rx_buf = container_of(work,
+					     struct rx_buf,
+					     work);
+	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+	struct urb *urb = rx_buf->urb;
+	int ret;
+
+	if (!hif_dev || !urb)
+		goto free_rx_buf;
+
+	usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
+	ret = usb_submit_urb(urb, GFP_KERNEL);
+	if (ret) {
+		usb_unanchor_urb(urb);
+		goto free_skb;
+	}
+	return;
+
+free_skb:
+	kfree_skb(rx_buf->skb);
+free_rx_buf:
+	kfree(rx_buf);
+	urb->context = NULL;
+}
+
 static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 {
 	struct rx_buf *rx_buf = urb->context;
 	struct hif_device_usb *hif_dev = rx_buf->hif_dev;
 	struct sk_buff *skb = rx_buf->skb;
-	int ret;
 
 	if (!skb)
 		return;
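Review bot: In ath9k_hif_usb_reg_in_resubmit() the `free_rx_buf:` label ends with `urb->context = NULL;`, yet the guard `if (!hif_dev || !urb) goto free_rx_buf;` reaches that label with `urb` possibly NULL, so the new check leads straight into a NULL dereference. The same early exit also skips `kfree_skb(rx_buf->skb)`, which leaks the skb when only `hif_dev` is NULL. Send the early exit through `free_skb` and guard the store with `if (urb) urb->context = NULL;`. If neither pointer can actually be NULL here (the callback sets `rx_buf->urb` just before scheduling), drop the guard instead of keeping a check that cannot fire.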
@@ -786,13 +812,9 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
 	}
 
 resubmit:
-	usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
-	ret = usb_submit_urb(urb, GFP_ATOMIC);
-	if (ret) {
-		usb_unanchor_urb(urb);
-		goto free_skb;
-	}
-
+	rx_buf->urb = urb;
+	INIT_WORK(&rx_buf->work, ath9k_hif_usb_reg_in_resubmit);
+	schedule_work(&rx_buf->work);
 	return;
 free_skb:
 	kfree_skb(skb);
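Review bot: Between `schedule_work(&rx_buf->work)` and the worker's `usb_anchor_urb()` the URB is on no anchor. A teardown that only kills `hif_dev->reg_in_submitted` would presumably miss it, leaving the queued work to run later against a freed `hif_dev` or to resubmit to a disconnected device. Nothing in this patch cancels or flushes the work, and the disconnect/dealloc code is outside the diff, so this needs confirming there; one option is to track pending work so teardown can call `cancel_work_sync()` before `hif_dev` is released. `INIT_WORK()` is also re-run on every completion; initialising it once where the rx_buf is allocated would be cleaner. The body of ath9k_hif_usb_reg_in_cb() starts and ends outside this hunk.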
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
index b3e66b0485a5..7c2a8d2c1cca 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -89,6 +89,8 @@ struct tx_buf {
 struct rx_buf {
 	struct sk_buff *skb;
 	struct hif_device_usb *hif_dev;
+	struct urb *urb;
+	struct work_struct work;
 };
 
 #define HIF_USB_TX_STOP  BIT(0)
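Review bot: The two new members of `struct rx_buf` are undocumented and are only used on the reg_in path, while the struct appears to be shared with the bulk RX path (ath9k_hif_usb_rx_cb() frees an rx_buf in the first hunk's context). Add comments such as `/* reg_in only: URB handed to the resubmit worker */` on `urb` and `/* reg_in only: deferred usb_submit_urb() */` on `work`. The allocation site is not visible here; if rx_buf is not zero-allocated, `urb` holds garbage until the callback assigns it, so the worker's `!urb` test cannot serve as a validity check.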
-- 
2.43.0

