From mboxrd@z Thu Jan 1 00:00:00 1970
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Sat, 04 Apr 2026 18:21:00 -0700
In-Reply-To: <69cffde1.050a0220.182279.0016.GAE@google.com>
Message-ID: <69d1b8fc.a70a0220.a26f2.0014.GAE@google.com>
Subject: Forwarded: [PATCH] ath9k: defer reg_in URB resubmission to workqueue
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Type: text/plain; charset="UTF-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ath9k: defer reg_in URB resubmission to workqueue
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

ath9k_hif_usb_reg_in_cb() is a URB completion callback that runs in
softirq context via dummy_hcd's hrtimer which is registered with
HRTIMER_MODE_REL_SOFT. Calling usb_submit_urb() directly from this
softirq context triggers a long synchronous chain:

  dummy_urb_enqueue()
  hrtimer_start(HRTIMER_MODE_REL_SOFT)
  dummy_timer()
  __usb_hcd_giveback_urb()
  ath9k_hif_usb_reg_in_cb()
  usb_submit_urb() <- back to start

This keeps CPU busy in softirq context indefinitely, starving the
rcu_preempt kthread and causing an RCU stall:

  rcu: rcu_preempt kthread starved for 3053 jiffies!
  rcu: Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.

Fix this by deferring URB resubmission to a workqueue via
schedule_work(), allowing the softirq to exit quickly and giving
rcu_preempt kthread sufficient CPU time to process the grace period.

Reported-by: syzbot+9b95da55ba5146a60734@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Signed-off-by: Deepanshu Kartikey
--- drivers/net/wireless/ath/ath9k/hif_usb.c | 38 +++++++++++++++++++----- drivers/net/wireless/ath/ath9k/hif_usb.h | 2 ++ 2 files changed, 32 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 8533b88974b2..38c0cabe52bf 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -731,12 +731,38 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb) kfree(rx_buf); } +static void ath9k_hif_usb_reg_in_resubmit(struct work_struct *work) +{ + struct rx_buf *rx_buf = container_of(work, + struct rx_buf, + work); + struct hif_device_usb *hif_dev = rx_buf->hif_dev; + struct urb *urb = rx_buf->urb; + int ret; + + if (!hif_dev || !urb) + goto free_rx_buf; + + usb_anchor_urb(urb, &hif_dev->reg_in_submitted); + ret = usb_submit_urb(urb, GFP_KERNEL); + if (ret) { + usb_unanchor_urb(urb); + goto free_skb; + } + return; + +free_skb: + kfree_skb(rx_buf->skb); +free_rx_buf: + kfree(rx_buf); + urb->context = NULL; +} + static void ath9k_hif_usb_reg_in_cb(struct urb *urb) { struct rx_buf *rx_buf = urb->context; struct hif_device_usb *hif_dev = rx_buf->hif_dev; struct sk_buff *skb = rx_buf->skb; - int ret; if (!skb) return; @@ -786,13 +812,9 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) } resubmit: - usb_anchor_urb(urb, &hif_dev->reg_in_submitted); - ret = usb_submit_urb(urb, GFP_ATOMIC); - if (ret) { - usb_unanchor_urb(urb); - goto free_skb; - } - + rx_buf->urb = urb; + INIT_WORK(&rx_buf->work, ath9k_hif_usb_reg_in_resubmit); + schedule_work(&rx_buf->work); return; free_skb: kfree_skb(skb); diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h index b3e66b0485a5..7c2a8d2c1cca 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.h +++ b/drivers/net/wireless/ath/ath9k/hif_usb.h @@ -89,6 +89,8 @@ struct tx_buf { struct rx_buf { struct sk_buff *skb; struct hif_device_usb *hif_dev; + struct urb *urb; + struct work_struct work; }; #define HIF_USB_TX_STOP BIT(0) -- 2.43.0
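
Review bot: In ath9k_hif_usb_reg_in_resubmit() (first hif_usb.c hunk), the `free_rx_buf:` label ends with `urb->context = NULL;`, but that label is reached from `if (!hif_dev || !urb) goto free_rx_buf;`, so the `!urb` case dereferences a NULL pointer. The same early exit skips `kfree_skb(rx_buf->skb)`, so the skb leaks whenever either check fails. Since the callback stores `rx_buf->urb = urb` immediately before scheduling the work, either drop the NULL checks or route them through `free_skb:` and guard the `urb->context` store. Clearing `urb->context` before `kfree(rx_buf)` rather than after would also avoid leaving a dangling context pointer visible, even briefly.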
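
Review bot: At the `resubmit:` label in ath9k_hif_usb_reg_in_cb() (second hif_usb.c hunk), the URB is no longer on `hif_dev->reg_in_submitted` from the moment the callback returns until the work item calls usb_anchor_urb(), and nothing in this patch cancels or flushes `rx_buf->work`. If teardown relies on that anchor to find in-flight reg_in URBs, a work item queued just before disconnect can run afterwards and use `rx_buf->hif_dev` after it has been freed. Please add a cancel_work_sync() (or equivalent) on the teardown path, or explain in the commit message why this window is safe. Separately, calling INIT_WORK() on every completion is unusual; initialising the work once where the rx_buf is allocated would be cleaner.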
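
Review bot: In the hif_usb.h hunk, `struct urb *urb` and `struct work_struct work` are added to struct rx_buf with no comment saying who sets them or when they are valid. The patch only assigns them at `resubmit:` in ath9k_hif_usb_reg_in_cb(), while the context of the first hif_usb.c hunk shows ath9k_hif_usb_rx_cb() also handling an rx_buf, so for other users of the struct both fields appear to stay uninitialised. A short comment marking them as reg_in-only, together with initialising them where the rx_buf is allocated, would make the ownership clear.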