* [syzbot] [sound?] INFO: task hung in snd_card_free
@ 2024-11-03 0:09 syzbot
2024-11-03 1:28 ` Hillf Danton
` (8 more replies)
0 siblings, 9 replies; 21+ messages in thread
From: syzbot @ 2024-11-03 0:09 UTC (permalink / raw)
To: linux-kernel, linux-sound, perex, syzkaller-bugs, tiwai
Hello,
syzbot found the following issue on:
HEAD commit: e42b1a9a2557 Merge tag 'spi-fix-v6.12-rc5' of git://git.ke..
git tree: upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=114d615f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=4340261e4e9f37fc
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=130d3687980000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1274ca30580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/d0782982165a/disk-e42b1a9a.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f8ab91eac7df/vmlinux-e42b1a9a.xz
kernel image: https://storage.googleapis.com/syzbot-assets/debece1170ee/bzImage-e42b1a9a.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
INFO: task kworker/0:2:965 blocked for more than 143 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:2 state:D stack:24576 pid:965 tgid:965 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x128/0x190 sound/core/init.c:653
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/1:2:2143 blocked for more than 143 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:2 state:D stack:23744 pid:2143 tgid:2143 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x128/0x190 sound/core/init.c:653
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task syz-executor413:5880 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:26352 pid:5880 tgid:5880 ppid:5851 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00312e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 0000000000044933
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5881 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:26640 pid:5881 tgid:5881 ppid:5853 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00322e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 000000000004493f
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5882 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:26912 pid:5882 tgid:5882 ppid:5856 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00332e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 000000000004494f
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5883 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:28176 pid:5883 tgid:5883 ppid:5850 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00302e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 0000000000044927
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
INFO: task syz-executor413:5884 blocked for more than 145 seconds.
Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor413 state:D stack:27200 pid:5884 tgid:5884 ppid:5857 flags:0x00004006
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7a45e945a9
RSP: 002b:00007ffea42b3558 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f7a45e945a9
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00000000000f4240 R08: 00342e6364755f79 R09: 00000000000000a0
R10: 000000000000001f R11: 0000000000000246 R12: 0000000000044952
R13: 00007ffea42b356c R14: 00007ffea42b3580 R15: 00007ffea42b3570
</TASK>
Showing all locks held in the system:
1 lock held by khungtaskd/30:
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
5 locks held by kworker/0:2/965:
#0: ffff888022ef1d48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004317d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144f04190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144f04190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888073193190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888073193190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff888076f82160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888076f82160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff888076f82160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
5 locks held by kworker/1:2/2143:
#0: ffff888022ef1d48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000540fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888031f37190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888031f37190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802fe31160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802fe31160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802fe31160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
2 locks held by getty/5579:
#0: ffff8880357d80a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
1 lock held by syz-executor413/5880:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5881:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5882:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5883:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz-executor413/5884:
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144bf4190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
=============================================
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 63 Comm: kworker/u8:4 Not tainted 6.12.0-rc5-syzkaller-00005-ge42b1a9a2557 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound toggle_allocation_gate
RIP: 0010:call_function_single_prep_ipi+0x12e/0x1b0 kernel/sched/core.c:3806
Code: be 08 00 00 00 4c 89 ef e8 6f b4 91 00 48 8b 44 24 20 48 89 c2 48 83 ca 08 f0 48 0f b1 13 75 c3 44 89 e7 e8 14 ca fe ff 31 d2 <48> b8 00 00 00 00 00 fc ff df 48 c7 44 05 00 00 00 00 00 48 8b 44
RSP: 0018:ffffc900015d7910 EFLAGS: 00000246
RAX: 0000000000004000 RBX: ffffffff8de957c0 RCX: ffffffff8181686a
RDX: 0000000000000001 RSI: ffffffff81816945 RDI: ffff8880b863f990
RBP: 1ffff920002baf22 R08: 0000000000000005 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc900015d7930 R14: ffff8880b8740110 R15: ffff8880b8740100
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5a4d87b580 CR3: 000000000df7c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
send_call_function_single_ipi kernel/smp.c:115 [inline]
smp_call_function_many_cond+0xcee/0x1300 kernel/smp.c:866
on_each_cpu_cond_mask+0x40/0x90 kernel/smp.c:1051
on_each_cpu include/linux/smp.h:71 [inline]
text_poke_sync arch/x86/kernel/alternative.c:2085 [inline]
text_poke_bp_batch+0x659/0x760 arch/x86/kernel/alternative.c:2295
text_poke_flush arch/x86/kernel/alternative.c:2486 [inline]
text_poke_flush arch/x86/kernel/alternative.c:2483 [inline]
text_poke_finish+0x30/0x40 arch/x86/kernel/alternative.c:2493
arch_jump_label_transform_apply+0x1c/0x30 arch/x86/kernel/jump_label.c:146
jump_label_update+0x1d7/0x400 kernel/jump_label.c:920
static_key_enable_cpuslocked+0x1b7/0x270 kernel/jump_label.c:210
static_key_enable+0x1a/0x20 kernel/jump_label.c:223
toggle_allocation_gate mm/kfence/core.c:849 [inline]
toggle_allocation_gate+0xfc/0x260 mm/kfence/core.c:841
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: NMI handler (nmi_cpu_backtrace_handler) took too long to run: 1.541 msecs
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
^ permalink raw reply [flat|nested] 21+ messages in thread* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot @ 2024-11-03 1:28 ` Hillf Danton 2024-11-03 1:49 ` syzbot 2024-11-05 2:37 ` Edward Adam Davis ` (7 subsequent siblings) 8 siblings, 1 reply; 21+ messages in thread From: Hillf Danton @ 2024-11-03 1:28 UTC (permalink / raw) To: syzbot; +Cc: linux-kernel, syzkaller-bugs On Sat, 02 Nov 2024 17:09:25 -0700 > syzbot found the following issue on: > > HEAD commit: e42b1a9a2557 Merge tag 'spi-fix-v6.12-rc5' of git://git.ke.. > git tree: upstream > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1274ca30580000 #syz test --- x/sound/core/init.c +++ y/sound/core/init.c @@ -577,9 +577,13 @@ void snd_card_disconnect_sync(struct snd } EXPORT_SYMBOL_GPL(snd_card_disconnect_sync); +static DEFINE_SPINLOCK(release_sl); + static int snd_card_do_free(struct snd_card *card) { + spin_lock(&release_sl); card->releasing = true; + spin_unlock(&release_sl); #if IS_ENABLED(CONFIG_SND_MIXER_OSS) if (snd_mixer_oss_notify_callback) snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE); @@ -591,8 +595,10 @@ static int snd_card_do_free(struct snd_c dev_warn(card->dev, "unable to free card info\n"); /* Not fatal error */ } + spin_lock(&release_sl); if (card->release_completion) complete(card->release_completion); + spin_unlock(&release_sl); if (!card->managed) kfree(card); return 0; 
@@ -637,16 +643,20 @@ void snd_card_free(struct snd_card *card { DECLARE_COMPLETION_ONSTACK(released); + spin_lock(&release_sl); /* The call of snd_card_free() is allowed from various code paths; * a manual call from the driver and the call via devres_free, and * we need to avoid double-free. Moreover, the release via devres * may call snd_card_free() twice due to its nature, we need to have * the check here at the beginning. */ - if (card->releasing) + if (card->releasing) { + spin_unlock(&release_sl); return; + } card->release_completion = &released; + spin_unlock(&release_sl); snd_card_free_when_closed(card); /* wait, until all devices are ready for the free operation */ -- ^ permalink raw reply [flat|nested] 21+ messages in thread
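Review bot: `release_sl` in the first hunk (`@@ -577,9 +577,13 @@`) is one file-scope spinlock guarding per-card state (`card->releasing`, and `card->release_completion` in the later hunks), and nothing says so. Add a comment above `static DEFINE_SPINLOCK(release_sl);` naming the fields it protects. Also consider whether the lock belongs in `struct snd_card`, so that releasing one card does not serialize against every other card. The posting also has no changelog describing the interleaving the lock is meant to close.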
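Review bot: In the second hunk (`@@ -591,8 +595,10 @@`) the lock covers only the test of `card->release_completion` and the `complete()` call. That orders this read against the store in `snd_card_free()`, but has no bearing on whether `snd_card_do_free()` is reached at all. The reported kworkers are blocked in the wait inside `snd_card_free()`, which is the wait this `complete()` is supposed to end. The description should state which race between the store and this read is being fixed, and why that race, rather than `snd_card_do_free()` never running, explains the hang.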
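Review bot: In the third hunk (`@@ -637,16 +643,20 @@`) `spin_lock(&release_sl);` sits above the comment block that explains the `card->releasing` check, so the comment now reads as if it described the lock. Move the lock to directly before `if (card->releasing) {` and give it its own one-line comment. The wait that follows `snd_card_free_when_closed(card);` is unchanged and still has no timeout, so if the completion is never signalled this path blocks exactly as before.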
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-03 1:28 ` Hillf Danton
@ 2024-11-03 1:49 ` syzbot
0 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2024-11-03 1:49 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in snd_card_free
INFO: task kworker/0:1:9 blocked for more than 143 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1 state:D stack:22400 pid:9 tgid:9 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x144/0x1b0 sound/core/init.c:663
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/1:1:51 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1 state:D stack:24480 pid:51 tgid:51 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x144/0x1b0 sound/core/init.c:663
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/0:3:5857 blocked for more than 144 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:3 state:D stack:24096 pid:5857 tgid:5857 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x144/0x1b0 sound/core/init.c:663
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/1:7:6739 blocked for more than 145 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:7 state:D stack:26032 pid:6739 tgid:6739 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x144/0x1b0 sound/core/init.c:663
snd_usx2y_disconnect+0x194/0x1f0 sound/usb/usx2y/usbusx2y.c:425
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3864
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task syz.1.16:6744 blocked for more than 146 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.16 state:D stack:28256 pid:6744 tgid:6743 ppid:6568 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0d03b7e719
RSP: 002b:00007f0d049ed038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f0d03d35f80 RCX: 00007f0d03b7e719
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00007f0d03bf132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f0d03d35f80 R15: 00007ffe05b28c68
</TASK>
INFO: task syz.4.19:6761 blocked for more than 146 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.19 state:D stack:27680 pid:6761 tgid:6760 ppid:6573 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdef957e719
RSP: 002b:00007fdefa2e4038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fdef9735f80 RCX: 00007fdef957e719
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00007fdef95f132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fdef9735f80 R15: 00007fff0efa2c78
</TASK>
INFO: task syz.3.18:6769 blocked for more than 147 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.18 state:D stack:28384 pid:6769 tgid:6768 ppid:6562 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fecec77d0b0
RSP: 002b:00007feced522b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fecec77d0b0
RDX: 0000000000000d81 RSI: 00007feced522c10 RDI: 00000000ffffff9c
RBP: 00007feced522c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fecec935f80 R15: 00007ffc4cf1db68
</TASK>
INFO: task syz.2.21:6788 blocked for more than 148 seconds.
Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.21 state:D stack:27216 pid:6788 tgid:6786 ppid:6561 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5730 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x6ca/0x1530 fs/open.c:958 vfs_open+0x82/0x3f0 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3933 do_filp_open+0x1dc/0x430 fs/namei.c:3960 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb7f857d0b0 RSP: 002b:00007fb7f92dbb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fb7f857d0b0 RDX: 0000000000000d81 RSI: 00007fb7f92dbc10 RDI: 00000000ffffff9c RBP: 00007fb7f92dbc10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000001 R14: 00007fb7f8735f80 R15: 00007fff3c60ecb8 </TASK> INFO: task syz.0.22:6789 blocked for more than 148 seconds. Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.0.22 state:D stack:28384 pid:6789 tgid:6787 ppid:6557 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5730 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa27977d0b0
RSP: 002b:00007fa27a56db70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fa27977d0b0
RDX: 0000000000000d81 RSI: 00007fa27a56dc10 RDI: 00000000ffffff9c
RBP: 00007fa27a56dc10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fa279935f80 R15: 00007ffee83e1168
</TASK>
Showing all locks held in the system:
=============================================
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
watchdog+0xf0c/0x1240 kernel/hung_task.c:379
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 64 Comm: kworker/u8:4 Not tainted 6.12.0-rc5-syzkaller-00299-g11066801dd4b-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:ieee80211_sta_get_rates+0x237/0x650 net/mac80211/util.c:1556
Code: 89 7c 24 24 e8 3a 63 ef f6 89 de 44 89 ff e8 b0 64 ef f6 44 39 fb 0f 8e 6f 02 00 00 e8 22 63 ef f6 48 8b 44 24 18 48 8d 78 38 <48> 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 82 03 00 00 48 8b 44 24
RSP: 0018:ffffc900015d7958 EFLAGS: 00000293
RAX: ffff888040429800 RBX: 0000000000000008 RCX: ffffffff8a9e1950
RDX: ffff88801d364880 RSI: ffffffff8a9e195e RDI: ffff888040429838
RBP: 000000000000000c R08: 0000000000000004 R09: 0000000000000004
R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 000000000000000c R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555b3a6808 CR3: 000000000df7c000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<NMI> </NMI> <TASK> ieee80211_update_sta_info net/mac80211/ibss.c:989 [inline] ieee80211_rx_bss_info net/mac80211/ibss.c:1098 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline] ieee80211_ibss_rx_queued_mgmt+0x1039/0x2f40 net/mac80211/ibss.c:1606 ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline] ieee80211_iface_work+0xc0b/0xf00 net/mac80211/iface.c:1657 cfg80211_wiphy_work+0x3d9/0x550 net/wireless/core.c:440 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Tested on: commit: 11066801 Merge tag 'linux_kselftest-fixes-6.12-rc6' of.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=11a41aa7980000 kernel config: https://syzkaller.appspot.com/x/.config?x=4340261e4e9f37fc dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=157ff55f980000 ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot 2024-11-03 1:28 ` Hillf Danton @ 2024-11-05 2:37 ` Edward Adam Davis 2024-11-05 3:12 ` syzbot 2024-11-05 3:59 ` Edward Adam Davis ` (6 subsequent siblings) 8 siblings, 1 reply; 21+ messages in thread From: Edward Adam Davis @ 2024-11-05 2:37 UTC (permalink / raw) To: syzbot+73582d08864d8268b6fd; +Cc: linux-kernel, syzkaller-bugs The sound card of usx2y's probe and disconnect need to be protected under mutex. #syz test diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c index 2f9cede242b3..43301e02557a 100644 --- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c @@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS]; static void snd_usx2y_card_private_free(struct snd_card *card); static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s); +static DEFINE_MUTEX(devices_mutex); /* * pipe 4 is used for switching the lamps, setting samplerate, volumes .... @@ -407,9 +408,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) struct usx2ydev *usx2y; struct list_head *p; + mutex_lock(&devices_mutex); card = usb_get_intfdata(intf); - if (!card) + if (!card) { + mutex_unlock(&devices_mutex); return; + } usx2y = usx2y(card); usx2y->chip_status = USX2Y_STAT_CHIP_HUP; usx2y_unlinkseq(&usx2y->as04); @@ -423,6 +427,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) if (usx2y->us428ctls_sharedmem) wake_up(&usx2y->us428ctls_wait_queue_head); snd_card_free(card); + mutex_unlock(&devices_mutex); } static int snd_usx2y_probe(struct usb_interface *intf, 
@@ -432,15 +437,18 @@ static int snd_usx2y_probe(struct usb_interface *intf, struct snd_card *card; int err; + mutex_lock(&devices_mutex); if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 || (le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 && le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 && - le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) - return -EINVAL; + le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) { + err = -EINVAL; + goto out; + } err = usx2y_create_card(device, intf, &card); if (err < 0) - return err; + goto out; err = usx2y_hwdep_new(card, device); if (err < 0) goto error; @@ -449,10 +457,13 @@ static int snd_usx2y_probe(struct usb_interface *intf, goto error; dev_set_drvdata(&intf->dev, card); + mutex_unlock(&devices_mutex); return 0; - error: +error: snd_card_free(card); +out: + mutex_unlock(&devices_mutex); return err; } ^ permalink raw reply related [flat|nested] 21+ messages in thread
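Review bot: the `static DEFINE_MUTEX(devices_mutex);` declaration added in the `@@ -150,6 +150,7 @@` hunk has no comment saying what it protects, and the commit message only says probe and disconnect "need to be protected under mutex" without naming the shared state or the interleaving that goes wrong. Add a one-line comment above the declaration naming the data it serializes, and describe the race in the changelog so the locking can be checked against it.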
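Review bot: in snd_usx2y_disconnect() (hunks `@@ -407,9 +408,12 @@` and `@@ -423,6 +427,7 @@`) devices_mutex is still held when `snd_card_free(card)` is called, and the original report shows snd_card_free() sleeping in __wait_for_common at sound/core/init.c:653. While that wait lasts, every snd_usx2y_probe() caller queues on devices_mutex; the follow-up test result in this thread shows exactly that, with disconnect in snd_card_free at usbusx2y.c:429 and the probe workers in __mutex_lock at usbusx2y.c:440. Either release the mutex before `snd_card_free(card)` or explain why the completion is guaranteed to fire while the lock is held; as posted, the lock widens the hang instead of addressing the wait.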
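Review bot: in snd_usx2y_probe() (hunk `@@ -432,15 +437,18 @@`) `mutex_lock(&devices_mutex)` is taken before the idVendor/idProduct check, which only reads the device descriptor and touches no driver state. Taking the lock after that check would keep the original `return -EINVAL;` and make the added braces and the first `goto out` unnecessary. In the last hunk the `error:` path now calls `snd_card_free(card)` with devices_mutex held, which carries the same blocking concern as in disconnect, and the ` error:` to `error:` label change is an unrelated whitespace edit that should be dropped or mentioned in the changelog.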
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-05 2:37 ` Edward Adam Davis
@ 2024-11-05 3:12 ` syzbot
0 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2024-11-05 3:12 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in snd_usx2y_probe
INFO: task kworker/0:0:8 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0 state:D stack:24896 pid:8 tgid:8 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/1:1:81 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1 state:D stack:24624 pid:81 tgid:81 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x128/0x190 sound/core/init.c:653
snd_usx2y_disconnect+0x1aa/0x230 sound/usb/usx2y/usbusx2y.c:429
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3861
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/1:3:5860 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:3 state:D stack:23008 pid:5860 tgid:5860 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 
drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task kworker/1:4:5928 blocked for more than 146 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:4 state:D stack:26024 pid:5928 tgid:5928 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 
drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task kworker/1:6:5946 blocked for more than 146 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:kworker/1:6 state:D stack:25312 pid:5946 tgid:5946 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 
drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task udevd:6464 blocked for more than 147 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:udevd state:D stack:27232 pid:6464 tgid:6464 ppid:5201 flags:0x00000002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a94516b6a RSP: 002b:00007ffde7035b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008 RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffde7036008 R15: 000000000000000a </TASK> INFO: 
task udevd:6485 blocked for more than 147 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:udevd state:D stack:27120 pid:6485 tgid:6485 ppid:5201 flags:0x00000002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a94516b6a RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a RDX: 0000000000001000 RSI: 000056225af02ad0 RDI: 0000000000000008 RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000020 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a </TASK> INFO: task udevd:6516 blocked for more than 148 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:udevd state:D stack:27232 pid:6516 tgid:6516 ppid:5201 flags:0x00000002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a94516b6a RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a RDX: 0000000000001000 RSI: 000056225af028c0 RDI: 0000000000000008 RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000020 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a </TASK> INFO: task syz.1.16:6717 blocked for more than 148 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.1.16 state:D stack:24144 pid:6717 tgid:6716 ppid:6547 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline] usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fd9aad7e719 RSP: 002b:00007fd9ababd038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fd9aaf35f80 RCX: 00007fd9aad7e719 RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003 RBP: 00007fd9aadf132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fd9aaf35f80 R15: 00007ffc913c6398 </TASK> INFO: task udevd:6718 blocked for more than 148 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:udevd state:D stack:27232 pid:6718 tgid:6718 ppid:5201 flags:0x00004002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a94516b6a RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008 RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a </TASK> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings INFO: task udevd:6749 blocked for more than 149 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:udevd state:D stack:27680 pid:6749 tgid:6749 ppid:5201 flags:0x00004002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a94516b6a RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008 RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a </TASK> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings INFO: task kworker/1:7:6765 blocked for more than 149 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:kworker/1:7 state:D stack:24768 pid:6765 tgid:6765 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.4.19:6814 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.19 state:D stack:28384 pid:6814 tgid:6813 ppid:6560 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe00597d0b0
RSP: 002b:00007fe0067f3b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fe00597d0b0
RDX: 0000000000000d81 RSI: 00007fe0067f3c10 RDI: 00000000ffffff9c
RBP: 00007fe0067f3c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fe005b35f80 R15: 00007fffe6ead4d8
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.0.15:6850 blocked for more than 150 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.15 state:D stack:27680 pid:6850 tgid:6848 ppid:6545 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f72b397d0b0
RSP: 002b:00007f72b4693b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f72b397d0b0
RDX: 0000000000000d81 RSI: 00007f72b4693c10 RDI: 00000000ffffff9c
RBP: 00007f72b4693c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f72b3b35f80 R15: 00007ffe3dd2b978
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.2.17:6851 blocked for more than 150 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.17 state:D stack:28384 pid:6851 tgid:6849 ppid:6554 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efc0497d0b0
RSP: 002b:00007efc0578fb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007efc0497d0b0
RDX: 0000000000000d81 RSI: 00007efc0578fc10 RDI: 00000000ffffff9c
RBP: 00007efc0578fc10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007efc04b35f80 R15: 00007ffe620c9d98
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.3.18:6860 blocked for more than 151 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.18 state:D stack:28384 pid:6860 tgid:6859 ppid:6557 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7efce1f7d0b0
RSP: 002b:00007efce2da8b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007efce1f7d0b0
RDX: 0000000000000d81 RSI: 00007efce2da8c10 RDI: 00000000ffffff9c
RBP: 00007efce2da8c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007efce2135f80 R15: 00007fff025d24c8
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task udevd:6894 blocked for more than 151 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27232 pid:6894 tgid:6894 ppid:5201 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0a94516b6a
RSP: 002b:00007ffde7037108 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000056225aedec60 RCX: 00007f0a94516b6a
RDX: 0000000000001000 RSI: 000056225aecc640 RDI: 0000000000000008
RBP: 000056225aedec60 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffde70375e8 R15: 000000000000000a
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.5.20:7318 blocked for more than 152 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.5.20 state:D stack:28384 pid:7318 tgid:7317 ppid:7299 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6ef7f7d0b0
RSP: 002b:00007f6ef8e27b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f6ef7f7d0b0
RDX: 0000000000000d81 RSI: 00007f6ef8e27c10 RDI: 00000000ffffff9c
RBP: 00007f6ef8e27c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f6ef8135f80 R15: 00007ffcde8b4758
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
Showing all locks held in the system:
6 locks held by kworker/0:0/8:
 #0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc900000d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff888145303190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff888145303190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
 #3: ffff88802d940190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88802d940190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #4: ffff88807a842160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff88807a842160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
1 lock held by khungtaskd/30:
 #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
2 locks held by kworker/u8:4/80:
6 locks held by kworker/1:1/81:
 #0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc900015d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff88814539b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff88814539b190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
 #3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
 #4: ffff888028f58160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff888028f58160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
 #4: ffff888028f58160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
 #5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:411
2 locks held by kworker/0:2/968:
 #0: ffff8880b863ee98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:598
 #1: ffff8880b8628a48 (&per_cpu_ptr(group->pcpu, cpu)->seq){-.-.}-{0:0}, at: psi_task_switch+0x2c1/0x8e0 kernel/sched/psi.c:987
2 locks held by getty/5586:
 #0: ffff88814e5080a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
 #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
6 locks held by kworker/1:3/5860:
 #0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc90003ce7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff888029abb190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff888029abb190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
 #3: ffff888063ac8190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff888063ac8190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #4: ffff888032b4a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff888032b4a160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
6 locks held by kworker/1:4/5928:
 #0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc9000378fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff8881453ab190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff8881453ab190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
 #3: ffff88806020a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88806020a190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #4: ffff88806ed10160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff88806ed10160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
6 locks held by kworker/1:5/5931:
 #0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc9000376fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff888145783190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff888145783190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
 #3: ffff8880630cf190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff8880630cf190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #4: ffff88806f018160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff88806f018160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
6 locks held by kworker/1:6/5946:
 #0: ffff888144a9f948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
 #1: ffffc9000377fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
 #2: ffff888145743190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff888145743190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
 #3: ffff888034111190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff888034111190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #4: ffff8880665a3160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff8880665a3160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
 #5: ffffffff8fe67a68 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:440
4 locks held by udevd/6464:
 #0: ffff88806f083418 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff888033ff7488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff88814c61f008 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff888060fbc190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6485:
 #0: ffff8880322dbc30 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff888020ad5888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff8880289f8d28 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
 #3: ffff888065e20190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff888065e20190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6516:
 #0: ffff888079b609e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
 #1: ffff8880282d2888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
 #2: ffff888070c530f8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
Tested on:
commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16b6a740580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a5c6a7980000
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot 2024-11-03 1:28 ` Hillf Danton 2024-11-05 2:37 ` Edward Adam Davis @ 2024-11-05 3:59 ` Edward Adam Davis 2024-11-05 4:18 ` syzbot 2024-11-05 5:03 ` Edward Adam Davis ` (5 subsequent siblings) 8 siblings, 1 reply; 21+ messages in thread From: Edward Adam Davis @ 2024-11-05 3:59 UTC (permalink / raw) To: syzbot+73582d08864d8268b6fd; +Cc: linux-kernel, syzkaller-bugs The sound card of usx2y's probe and disconnect need to be protected under mutex. debug: where hung in snd_card_do_free? #syz test diff --git a/sound/core/info.c b/sound/core/info.c index 1f5b8a3d9e3b..e584f3eb742b 100644 --- a/sound/core/info.c +++ b/sound/core/info.c @@ -566,7 +566,9 @@ int snd_info_card_free(struct snd_card *card) { if (!card) return 0; + printk("card: %p, %s\n", card, __func__); snd_info_free_entry(card->proc_root); + printk("2card: %p, %s\n", card, __func__); card->proc_root = NULL; return 0; } diff --git a/sound/core/init.c b/sound/core/init.c index 114fb87de990..900ae1e7fc22 100644 --- a/sound/core/init.c +++ b/sound/core/init.c @@ -186,6 +186,7 @@ int snd_card_new(struct device *parent, int idx, const char *xid, return -ENOMEM; err = snd_card_init(card, parent, idx, xid, module, extra_size); + printk("err: %d, card: %p, %s\n", err, card, __func__); if (err < 0) return err; /* card is freed by error handler */ @@ -584,7 +585,9 @@ static int snd_card_do_free(struct snd_card *card) if (snd_mixer_oss_notify_callback) snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE); #endif + printk("card: %p, %s\n", card, __func__); snd_device_free_all(card); + printk("2card: %p, %s\n", card, __func__); if (card->private_free) card->private_free(card); if (snd_info_card_free(card) < 0) { diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c index 2f9cede242b3..129210a81545 100644 --- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c 
@@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS]; static void snd_usx2y_card_private_free(struct snd_card *card); static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s); +static DEFINE_MUTEX(devices_mutex); /* * pipe 4 is used for switching the lamps, setting samplerate, volumes .... @@ -392,6 +393,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card) { struct usx2ydev *usx2y = usx2y(card); + printk("card: %p, %s\n", card, __func__); kfree(usx2y->in04_buf); usb_free_urb(usx2y->in04_urb); if (usx2y->us428ctls_sharedmem) @@ -407,9 +409,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) struct usx2ydev *usx2y; struct list_head *p; + mutex_lock(&devices_mutex); card = usb_get_intfdata(intf); - if (!card) + if (!card) { + mutex_unlock(&devices_mutex); return; + } usx2y = usx2y(card); usx2y->chip_status = USX2Y_STAT_CHIP_HUP; usx2y_unlinkseq(&usx2y->as04); @@ -423,6 +428,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) if (usx2y->us428ctls_sharedmem) wake_up(&usx2y->us428ctls_wait_queue_head); snd_card_free(card); + mutex_unlock(&devices_mutex); } static int snd_usx2y_probe(struct usb_interface *intf, @@ -432,15 +438,18 @@ static int snd_usx2y_probe(struct usb_interface *intf, struct snd_card *card; int err; + mutex_lock(&devices_mutex); if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 || (le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 && le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 && - le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) - return -EINVAL; + le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) { + err = -EINVAL; + goto out; + } err = usx2y_create_card(device, intf, &card); if (err < 0) - return err; + goto out; err = usx2y_hwdep_new(card, device); if (err < 0) goto error; 
@@ -449,10 +458,13 @@ static int snd_usx2y_probe(struct usb_interface *intf, goto error; dev_set_drvdata(&intf->dev, card); + mutex_unlock(&devices_mutex); return 0; - error: +error: snd_card_free(card); +out: + mutex_unlock(&devices_mutex); return err; } ^ permalink raw reply related [flat|nested] 21+ messages in thread
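Review bot: in snd_usx2y_disconnect() the new devices_mutex stays held across snd_card_free(card), and that call sleeps until the card is released (the traces in this thread show it in __wait_for_common under snd_card_free). While it waits, every other snd_usx2y_probe() and snd_usx2y_disconnect() queues on this one global mutex, so a single stuck free stalls all usx2y devices and the USB hub workers calling into them. Keep the critical section to the usb_get_intfdata() lookup and the chip_status update, and call snd_card_free() only after mutex_unlock(&devices_mutex). The commit message should also say which data the mutex protects, since it currently names only the two functions.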
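Review bot: snd_usx2y_probe() takes devices_mutex before the idVendor/idProduct comparison, which only reads device->descriptor and needs no serialisation; locking after that check keeps the plain `return -EINVAL;` and makes the extra `out:` label unnecessary for that path. The `error:` path also calls snd_card_free(card) with the mutex held, which has the same blocking concern as in disconnect. The whitespace change from ` error:` to `error:` is unrelated to the locking and belongs in a separate cleanup.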
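Review bot: the printk() calls added to snd_info_card_free(), snd_card_new(), snd_card_do_free() and snd_usx2y_card_private_free() have no KERN_ level and cannot be turned off; pr_debug() or dev_dbg() would suit a tracing aid, and they should be dropped from anything beyond a syz test. In snd_card_new() the print sits before `if (err < 0)`, so on failure it logs a card pointer that the adjacent comment says the error handler has already freed; move it after the check or print only err there.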
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-05 3:59 ` Edward Adam Davis @ 2024-11-05 4:18 ` syzbot 0 siblings, 0 replies; 21+ messages in thread From: syzbot @ 2024-11-05 4:18 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: INFO: task hung in snd_usx2y_probe INFO: task kworker/0:1:9 blocked for more than 143 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:1 state:D stack:24016 pid:9 tgid:9 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task kworker/1:1:51 blocked for more than 144 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:kworker/1:1 state:D stack:24928 pid:51 tgid:51 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591 do_wait_for_common kernel/sched/completion.c:95 [inline] __wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116 snd_card_free+0x128/0x190 sound/core/init.c:656 snd_usx2y_disconnect+0x1aa/0x230 sound/usb/usx2y/usbusx2y.c:430 usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461 device_remove drivers/base/dd.c:569 [inline] device_remove+0x122/0x170 drivers/base/dd.c:561 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x396/0x9f0 drivers/base/core.c:3861 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304 hub_port_connect drivers/usb/core/hub.c:5361 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task kworker/1:3:5905 blocked for more than 145 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:kworker/1:3 state:D stack:22720 pid:5905 tgid:5905 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 
drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task kworker/0:4:5989 blocked for more than 147 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:4 state:D stack:26384 pid:5989 tgid:5989 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412 usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461 device_remove drivers/base/dd.c:569 [inline] device_remove+0x122/0x170 drivers/base/dd.c:561 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x396/0x9f0 drivers/base/core.c:3861 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304 hub_port_connect drivers/usb/core/hub.c:5361 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 
kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task udevd:6311 blocked for more than 147 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:udevd state:D stack:27216 pid:6311 tgid:6311 ppid:5199 flags:0x00000002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6f46d16b6a RSP: 002b:00007ffe20c8c6f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 00005620db10aa70 RCX: 00007f6f46d16b6a RDX: 0000000000001000 RSI: 00005620db12a1b0 RDI: 0000000000000008 RBP: 00005620db10aa70 R08: 0000000000000008 R09: 0000000000000000 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffe20c8cbd8 R15: 000000000000000a </TASK> INFO: task udevd:6332 blocked for more than 147 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:udevd state:D stack:27216 pid:6332 tgid:6332 ppid:5199 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6f46d16b6a
RSP: 002b:00007ffe20c8c6f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00005620db10aa70 RCX: 00007f6f46d16b6a
RDX: 0000000000001000 RSI: 00005620db12c910 RDI: 0000000000000008
RBP: 00005620db10aa70 R08: 0000000000000008 R09: 0000000000000000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffe20c8cbd8 R15: 000000000000000a
</TASK>
INFO: task syz.3.22:6550 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.22 state:D stack:26352 pid:6550 tgid:6549 ppid:6391 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f87b437e719
RSP: 002b:00007f87b51db038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f87b4535f80 RCX: 00007f87b437e719
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00007f87b43f132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f87b4535f80 R15: 00007fff56f3bd58
</TASK>
INFO: task syz.1.16:6557 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.16 state:D stack:27632 pid:6557 tgid:6556 ppid:6384 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7ff338b7e719
RSP: 002b:00007ff3398cb038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ff338d35f80 RCX: 00007ff338b7e719
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00007ff338bf132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007ff338d35f80 R15: 00007ffda8d7b3f8
</TASK>
INFO: task kworker/1:6:6588 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:6 state:D stack:26832 pid:6588 tgid:6588 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task syz.0.15:6617 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.15 state:D stack:28384 pid:6617 tgid:6615 ppid:6386 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0db2f7d0b0
RSP: 002b:00007f0db21fdb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f0db2f7d0b0
RDX: 0000000000000d81 RSI: 00007f0db21fdc10 RDI: 00000000ffffff9c
RBP: 00007f0db21fdc10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f0db3135f80 R15: 00007ffeb5dc5cc8
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.2.17:6621 blocked for more than 150 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.17 state:D stack:27024 pid:6621 tgid:6619 ppid:6396 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f22d457d0b0
RSP: 002b:00007f22d5366b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f22d457d0b0
RDX: 0000000000000d81 RSI: 00007f22d5366c10 RDI: 00000000ffffff9c
RBP: 00007f22d5366c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f22d4735f80 R15: 00007ffdd9d18a78
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.4.19:6627 blocked for more than 150 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.19 state:D stack:27680 pid:6627 tgid:6626 ppid:6398 flags:0x00004004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8b8957d0b0
RSP: 002b:00007f8b8a376b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007f8b8957d0b0
RDX: 0000000000000d81 RSI: 00007f8b8a376c10 RDI: 00000000ffffff9c
RBP: 00007f8b8a376c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007f8b89735f80 R15: 00007ffdd1dfae68
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
Showing all locks held in the system:
6 locks held by kworker/0:1/9:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900000e7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fa0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fa0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88803371b160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88803371b160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
3 locks held by kworker/u8:0/11:
#0: ffff88814d396148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000107d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14d0 net/ipv6/addrconf.c:4196
1 lock held by khungtaskd/30:
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
6 locks held by kworker/1:1/51:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000bc7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029210190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029210190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805eb5c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805eb5c190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff8880797b6160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff8880797b6160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff8880797b6160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
3 locks held by kworker/u8:3/52:
6 locks held by kworker/0:2/969:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003e57d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fc0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fc0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888031dc4160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888031dc4160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syslogd/5181:
#0: ffff8880b863ee98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:598
1 lock held by klogd/5188:
#0: ffff8880b863ee98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x29/0x130 kernel/sched/core.c:598
2 locks held by getty/5582:
#0: ffff888037c0a0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
6 locks held by kworker/0:3/5861:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004447d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888145330190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145330190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888029550160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888029550160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/1:3/5905:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003f07d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029228190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029228190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880636a9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880636a9190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88802618d160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802618d160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:4/5989:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004dafd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88802ad74190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802ad74190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802b17f160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802b17f160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802b17f160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
4 locks held by udevd/6298:
#0: ffff888021b531c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88803176e888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880741142d8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88802558c190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6311:
#0: ffff8880300780a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888068868488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880307bdf08 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88803642b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6332:
#0: ffff888033594e80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807fb58888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880372142d8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6333:
#0: ffff888036c06790 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880660a5888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880325dfb48 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88806880a190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
3 locks held by kworker/u9:5/6393:
#0: ffff8880339ed148 ((wq_completion)hci14){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000381fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888032058d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
4 locks held by udevd/6436:
#0: ffff88803044e0a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888030e9f088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88805ed165a8 (kn->active#29){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: device_lock_interruptible include/linux/device.h:1019 [inline]
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: manufacturer_show+0x26/0xa0 drivers/usb/core/sysfs.c:142
1 lock held by syz.3.22/6550:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.1.16/6557:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
6 locks held by kworker/1:6/6588:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000344fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144fb1190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144fb1190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888036e8f190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88802618e160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802618e160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/1:8/6591:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000341fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888145318190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888145318190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888030cec190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888069111160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888069111160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.0.15/6617:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.17/6621:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by kworker/0:6/6623:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004747d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029368190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029368190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888037284160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888037284160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.4.19/6627:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.23/6891:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6897:
#0: ffff888062295b08 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807fbda488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888069384d28 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.6.24/6926:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6934:
#0: ffff8880622959e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807fbd9088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880284a6c38 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88807eb81190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
3 locks held by kworker/u8:8/6948:
#0: ffff88801b081148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000338fd80 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0x51/0xc0 net/core/link_watch.c:276
1 lock held by syz.7.25/6968:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by kworker/1:10/6971:
#0: ffff88801b14b948 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90002e4fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029358190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029358190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805ee58190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88803745b160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88803745b160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67c88 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.9.27/6974:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.26/6975:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.28/6999:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.29/7014:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.30/7048:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.31/7065:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.32/7068:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.33/7096:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.34/7112:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.35/7144:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.36/7175:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.37/7178:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.38/7200:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.39/7210:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.40/7226:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.41/7251:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.42/7264:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.43/7291:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.44/7315:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.45/7330:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.46/7361:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.47/7377:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.48/7390:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.49/7413:
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.50/7428:
#0:
ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.2.51/7453: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.4.52/7475: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.5.53/7497: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.6.54/7519: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.7.55/7536: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.8.56/7562: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.9.57/7585: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.3.58/7601: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: 
ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.1.59/7620: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 2 locks held by syz-executor/7627: #0: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672 #1: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x282/0x3b0 kernel/rcu/tree_exp.h:297 2 locks held by syz-executor/7633: #0: ffffffff8fecde10 (pernet_ops_rwsem){++++}-{3:3}, at: copy_net_ns+0x292/0x6b0 net/core/net_namespace.c:490 #1: ffffffff8fee3828 (rtnl_mutex){+.+.}-{3:3}, at: register_nexthop_notifier+0x1b/0x70 net/ipv4/nexthop.c:3885 1 lock held by syz.0.60/7639: #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144fb0190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline] watchdog+0xf0c/0x1240 kernel/hung_task.c:379 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> 
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6948 Comm: kworker/u8:8 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:orc_find arch/x86/kernel/unwind_orc.c:217 [inline]
RIP: 0010:unwind_next_frame+0x1c8/0x20c0 arch/x86/kernel/unwind_orc.c:494
Code: 56 ff 39 d0 0f 83 09 15 00 00 48 ba 00 00 00 00 00 fc ff df 89 c1 48 8d 3c 8d 4c b2 aa 91 49 89 f8 49 c1 e8 03 45 0f b6 04 10 <48> 89 fa 83 e2 07 83 c2 03 44 38 c2 7c 2f 45 84 c0 74 2a 48 89 4c
RSP: 0018:ffffc9000338f6f8 EFLAGS: 00000a03
RAX: 0000000000099168 RBX: 0000000000000001 RCX: 0000000000099168
RDX: dffffc0000000000 RSI: 00000000000a6001 RDI: ffffffff91d0f7ec
RBP: ffffc9000338f7b0 R08: 0000000000000000 R09: ffffffff917fb79a
R10: ffffc9000338f768 R11: 0000000000099168 R12: ffffc9000338f7b8
R13: ffffc9000338f768 R14: ffffc9000338f79d R15: ffffffff8a916806
Tested on:
commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1529a740580000
kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=11210e30580000
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot ` (2 preceding siblings ...) 2024-11-05 3:59 ` Edward Adam Davis @ 2024-11-05 5:03 ` Edward Adam Davis 2024-11-05 5:23 ` syzbot 2024-11-05 6:57 ` Edward Adam Davis ` (4 subsequent siblings) 8 siblings, 1 reply; 21+ messages in thread From: Edward Adam Davis @ 2024-11-05 5:03 UTC (permalink / raw) To: syzbot+73582d08864d8268b6fd; +Cc: linux-kernel, syzkaller-bugs The sound card of usx2y's probe and disconnect need to be protected under mutex. debug: where hung in snd_card_do_free? #syz test diff --git a/sound/core/info.c b/sound/core/info.c index 1f5b8a3d9e3b..e584f3eb742b 100644 --- a/sound/core/info.c +++ b/sound/core/info.c @@ -566,7 +566,9 @@ int snd_info_card_free(struct snd_card *card) { if (!card) return 0; + printk("card: %p, %s\n", card, __func__); snd_info_free_entry(card->proc_root); + printk("2card: %p, %s\n", card, __func__); card->proc_root = NULL; return 0; } diff --git a/sound/core/init.c b/sound/core/init.c index 114fb87de990..84b88b1192d0 100644 --- a/sound/core/init.c +++ b/sound/core/init.c @@ -186,6 +186,7 @@ int snd_card_new(struct device *parent, int idx, const char *xid, return -ENOMEM; err = snd_card_init(card, parent, idx, xid, module, extra_size); + printk("err: %d, card: %p, %s\n", err, card, __func__); if (err < 0) return err; /* card is freed by error handler */ @@ -580,11 +581,14 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync); static int snd_card_do_free(struct snd_card *card) { card->releasing = true; + printk("0card: %p, %s\n", card, __func__); #if IS_ENABLED(CONFIG_SND_MIXER_OSS) if (snd_mixer_oss_notify_callback) snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE); #endif + printk("1card: %p, %s\n", card, __func__); snd_device_free_all(card); + printk("2card: %p, %s\n", card, __func__); if (card->private_free) card->private_free(card); if (snd_info_card_free(card) < 0) { 
diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c index 2f9cede242b3..129210a81545 100644 --- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c @@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS]; static void snd_usx2y_card_private_free(struct snd_card *card); static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s); +static DEFINE_MUTEX(devices_mutex); /* * pipe 4 is used for switching the lamps, setting samplerate, volumes .... @@ -392,6 +393,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card) { struct usx2ydev *usx2y = usx2y(card); + printk("card: %p, %s\n", card, __func__); kfree(usx2y->in04_buf); usb_free_urb(usx2y->in04_urb); if (usx2y->us428ctls_sharedmem) @@ -407,9 +409,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) struct usx2ydev *usx2y; struct list_head *p; + mutex_lock(&devices_mutex); card = usb_get_intfdata(intf); - if (!card) + if (!card) { + mutex_unlock(&devices_mutex); return; + } usx2y = usx2y(card); usx2y->chip_status = USX2Y_STAT_CHIP_HUP; usx2y_unlinkseq(&usx2y->as04); @@ -423,6 +428,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) if (usx2y->us428ctls_sharedmem) wake_up(&usx2y->us428ctls_wait_queue_head); snd_card_free(card); + mutex_unlock(&devices_mutex); } static int snd_usx2y_probe(struct usb_interface *intf, @@ -432,15 +438,18 @@ static int snd_usx2y_probe(struct usb_interface *intf, struct snd_card *card; int err; + mutex_lock(&devices_mutex); if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 || (le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 && le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 && - le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) - return -EINVAL; + le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) { + err = -EINVAL; + goto out; + } err = usx2y_create_card(device, intf, &card); if (err < 0) - return err; + goto out; err = usx2y_hwdep_new(card, device); if (err < 0) goto error; 
@@ -449,10 +458,13 @@ static int snd_usx2y_probe(struct usb_interface *intf, goto error; dev_set_drvdata(&intf->dev, card); + mutex_unlock(&devices_mutex); return 0; - error: +error: snd_card_free(card); +out: + mutex_unlock(&devices_mutex); return err; } diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c index 96a412beab2d..9e5a0eb43fec 100644 --- a/net/batman-adv/hard-interface.c +++ b/net/batman-adv/hard-interface.c @@ -523,9 +523,9 @@ static void batadv_check_known_mac_addr(const struct net_device *net_dev) net_dev->dev_addr)) continue; - pr_warn("The newly added mac address (%pM) already exists on: %s\n", + pr_warn_ratelimited("The newly added mac address (%pM) already exists on: %s\n", net_dev->dev_addr, hard_iface->net_dev->name); - pr_warn("It is strongly recommended to keep mac addresses unique to avoid problems!\n"); + pr_warn_ratelimited("It is strongly recommended to keep mac addresses unique to avoid problems!\n"); } rcu_read_unlock(); } ^ permalink raw reply related [flat|nested] 21+ messages in thread
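Review bot: in snd_usx2y_disconnect() (sound/usb/usx2y/usbusx2y.c), devices_mutex is still held when snd_card_free(card) is called, and snd_card_free() is the function the original report shows blocked in __wait_for_common. Holding the new mutex across that wait means every later snd_usx2y_probe() queues behind a disconnect that may never finish, so the hang spreads from one worker to all of them instead of going away. Release devices_mutex before snd_card_free(card), or state in the message why the free itself has to be serialized against probe. The DEFINE_MUTEX(devices_mutex) line also needs a comment saying which data it protects.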
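Review bot: in snd_usx2y_probe() (sound/usb/usx2y/usbusx2y.c), mutex_lock(&devices_mutex) is taken before the idVendor/idProduct check, which only reads the device descriptor, so the -EINVAL path now needs the new out: label just to unlock. Take the lock after the ID check so that path can stay "return -EINVAL;", and note that the error: path still calls snd_card_free(card) with the mutex held, which has the same blocking concern as the disconnect side. The " error:" to "error:" label change is unrelated whitespace and should not ride along with a locking change.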
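Review bot: the printk() calls added in sound/core/info.c and sound/core/init.c have no log level, and the one in snd_card_new() sits before the "if (err < 0)" check, where the existing comment says the card has already been freed by the error handler, so on failure it logs a pointer to released memory. Move that print below the check (or print only err), give the messages a level such as pr_debug(), and replace the "0card:", "1card:", "2card:" prefixes with a word saying which step was reached. These are debug-only lines and should be marked as not for merging.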
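Review bot: the net/batman-adv/hard-interface.c hunk, switching pr_warn() to pr_warn_ratelimited() in batadv_check_known_mac_addr(), is unrelated to the usx2y probe/disconnect locking and is not mentioned anywhere in the message. Say in the message why it is part of the test patch, and keep it out of any version sent for sound/, since it touches another subsystem with its own maintainers.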
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-05 5:03 ` Edward Adam Davis
@ 2024-11-05 5:23 ` syzbot
0 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2024-11-05 5:23 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in snd_usx2y_probe
INFO: task kworker/1:1:46 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:1 state:D stack:24096 pid:46 tgid:46 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/1:2:5857 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:2 state:D stack:24192 pid:5857 tgid:5857 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 
drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task kworker/0:4:5903 blocked for more than 144 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:4 state:D stack:24592 pid:5903 tgid:5903 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591 do_wait_for_common kernel/sched/completion.c:95 [inline] __wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116 snd_card_free+0x128/0x190 sound/core/init.c:657 snd_usx2y_disconnect+0x1aa/0x230 sound/usb/usx2y/usbusx2y.c:430 usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461 device_remove drivers/base/dd.c:569 [inline] device_remove+0x122/0x170 drivers/base/dd.c:561 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x396/0x9f0 drivers/base/core.c:3861 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304 hub_port_connect drivers/usb/core/hub.c:5361 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 
kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task udevd:6242 blocked for more than 145 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:udevd state:D stack:26480 pid:6242 tgid:6242 ppid:5198 flags:0x00004002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f083c716b6a RSP: 002b:00007ffe92ad1e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000056429ff187e0 RCX: 00007f083c716b6a RDX: 0000000000001000 RSI: 000056429ff3fa50 RDI: 0000000000000008 RBP: 000056429ff187e0 R08: 0000000000000008 R09: 0000000000000010 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffe92ad2358 R15: 000000000000000a </TASK> INFO: task kworker/0:5:6337 blocked for more than 145 seconds. 
Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:5 state:D stack:26016 pid:6337 tgid:6337 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] 
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task kworker/1:4:6548 blocked for more than 146 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:4 state:D stack:25968 pid:6548 tgid:6548 ppid:2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] 
really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> INFO: task syz.2.17:6616 blocked for more than 146 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.2.17 state:D stack:28224 pid:6616 tgid:6615 ppid:6339 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline] usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7ee5b7e719 RSP: 002b:00007f7ee6950038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f7ee5d35f80 RCX: 00007f7ee5b7e719 RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003 RBP: 00007f7ee5bf132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7ee5d35f80 R15: 00007fffd2223788 </TASK> INFO: task syz.4.19:6629 blocked for more than 146 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.4.19 state:D stack:27632 pid:6629 tgid:6628 ppid:6336 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline] usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f4f9557e719 RSP: 002b:00007f4f963b6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f4f95735f80 RCX: 00007f4f9557e719 RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003 RBP: 00007f4f955f132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f4f95735f80 R15: 00007ffd947243b8 </TASK> INFO: task syz.1.16:6631 blocked for more than 147 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.1.16 state:D stack:27456 pid:6631 tgid:6630 ppid:6333 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline] usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2bedd7e719 RSP: 002b:00007f2beec3f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f2bedf35f80 RCX: 00007f2bedd7e719 RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003 RBP: 00007f2beddf132e R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f2bedf35f80 R15: 00007ffd90612368 </TASK> INFO: task syz.3.18:6637 blocked for more than 147 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.3.18 state:D stack:28384 pid:6637 tgid:6636 ppid:6341 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x6ca/0x1530 fs/open.c:958 vfs_open+0x82/0x3f0 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3933 do_filp_open+0x1dc/0x430 fs/namei.c:3960 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7efc32f7d0b0 RSP: 002b:00007efc33db5b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007efc32f7d0b0 RDX: 0000000000000d81 RSI: 00007efc33db5c10 RDI: 00000000ffffff9c RBP: 00007efc33db5c10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000001 R14: 00007efc33135f80 R15: 00007ffef34f8dd8 </TASK> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings INFO: task syz.0.20:6642 blocked for more than 148 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:syz.0.20 state:D stack:27680 pid:6642 tgid:6641 ppid:6332 flags:0x00000004 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x6ca/0x1530 fs/open.c:958 vfs_open+0x82/0x3f0 fs/open.c:1088 do_open fs/namei.c:3774 [inline] path_openat+0x1e6a/0x2d60 fs/namei.c:3933 do_filp_open+0x1dc/0x430 fs/namei.c:3960 do_sys_openat2+0x17a/0x1e0 fs/open.c:1415 do_sys_open fs/open.c:1430 [inline] __do_sys_openat fs/open.c:1446 [inline] __se_sys_openat fs/open.c:1441 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1441 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcefcd7d0b0 RSP: 002b:00007fcefdb13b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fcefcd7d0b0 RDX: 0000000000000d81 RSI: 00007fcefdb13c10 RDI: 00000000ffffff9c RBP: 00007fcefdb13c10 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000001 R14: 00007fcefcf35f80 R15: 00007ffd0dd07128 </TASK> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings INFO: task udevd:6666 blocked for more than 148 seconds. Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
task:udevd state:D stack:27680 pid:6666 tgid:6666 ppid:5198 flags:0x00000002 Call Trace: <TASK> context_switch kernel/sched/core.c:5328 [inline] __schedule+0xe55/0x5740 kernel/sched/core.c:6690 __schedule_loop kernel/sched/core.c:6767 [inline] schedule+0xe7/0x350 kernel/sched/core.c:6782 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839 __mutex_lock_common kernel/locking/mutex.c:684 [inline] __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752 device_lock include/linux/device.h:1014 [inline] uevent_show+0x188/0x3b0 drivers/base/core.c:2736 dev_attr_show+0x53/0xe0 drivers/base/core.c:2430 sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59 seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230 kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279 new_sync_read fs/read_write.c:488 [inline] vfs_read+0x87f/0xbe0 fs/read_write.c:569 ksys_read+0x12f/0x260 fs/read_write.c:712 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f083c716b6a RSP: 002b:00007ffe92ad1e78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000056429ff187e0 RCX: 00007f083c716b6a RDX: 0000000000001000 RSI: 000056429ff20210 RDI: 0000000000000008 RBP: 000056429ff187e0 R08: 0000000000000008 R09: 0000000000000000 R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000003fff R14: 00007ffe92ad2358 R15: 000000000000000a </TASK> Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings Showing all locks held in the system: 1 lock held by khungtaskd/30: #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline] #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline] #0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720 3 locks held by kworker/u8:2/35: 6 locks held by kworker/1:1/46: 
#0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc90000b77d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888144f5a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888144f5a190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff88806438f160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88806438f160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 7 locks held by kworker/u8:4/63: 6 locks held by kworker/0:2/966: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc90003fa7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888029722190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888029722190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff88807b460160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88807b460160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 
sound/usb/usx2y/usbusx2y.c:441 2 locks held by getty/5579: #0: ffff88814d4610a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243 #1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211 6 locks held by kworker/1:2/5857: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc900037dfd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff88806414d160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88806414d160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 6 locks held by kworker/0:4/5903: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc9000349fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888144f8a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888144f8a190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff8880257a8190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff8880257a8190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295 #4: 
ffff88801cbb9160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88801cbb9160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline] #4: ffff88801cbb9160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412 4 locks held by udevd/6242: #0: ffff8880128ff9e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff888061815488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff88806cec41e8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88807ce11190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736 4 locks held by udevd/6272: #0: ffff888060c29d58 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff8880673bac88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff888036863878 (kn->active#19){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: device_lock_interruptible include/linux/device.h:1019 [inline] #3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: manufacturer_show+0x26/0xa0 drivers/usb/core/sysfs.c:142 4 locks held by udevd/6273: #0: ffff88807b9501c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff88802b1e1c88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff8880367b5f08 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: 
uevent_show+0x188/0x3b0 drivers/base/core.c:2736 6 locks held by kworker/0:5/6337: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc900035d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff8880295e2190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff8880295e2190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff8880284f9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff8880284f9190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff888012dc9160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff888012dc9160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 6 locks held by kworker/0:6/6512: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc9000347fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888029739190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888029739190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88805ecf6190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff88807b461160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88807b461160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: 
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 6 locks held by kworker/1:4/6548: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc900031cfd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888144fa2190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888144fa2190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff888024725190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff888062c7e160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff888062c7e160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 1 lock held by syz.2.17/6616: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824 1 lock held by syz.4.19/6629: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824 1 lock held by syz.1.16/6631: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline] #0: 
ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824 4 locks held by udevd/6632: #0: ffff88807ff1cc30 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff888032100488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff8880307025a8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736 1 lock held by syz.3.18/6637: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.0.20/6642: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 4 locks held by udevd/6666: #0: ffff88807df3f2f0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff888063397c88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff8880368d43c8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88814374d190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736 6 locks held by kworker/0:7/6706: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc9000318fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff88814534a190 (&dev->mutex){....}-{3:3}, at: device_lock 
include/linux/device.h:1014 [inline] #2: ffff88814534a190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88806ab8a190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff8880621e2160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff8880621e2160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 4 locks held by udevd/6779: #0: ffff8880255b80a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff88806874b488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff888033a050f8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736 6 locks held by kworker/1:9/6865: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc90003d9fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888144fba190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888144fba190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88807cf52190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff88806a25a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff88806a25a160 
(&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 1 lock held by syz.6.22/6867: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 6 locks held by kworker/1:11/6870: #0: ffff88801b1ccd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204 #1: ffffc90003ddfd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205 #2: ffff888145362190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #2: ffff888145362190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849 #3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #4: ffff888068875160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #4: ffff888068875160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005 #5: ffffffff8fe67cc8 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441 1 lock held by syz.5.21/6872: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.9.25/6875: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.8.24/6877: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: 
device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.7.23/6881: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 4 locks held by udevd/6882: #0: ffff88807b9502f0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff88807f86b088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff8880378fde18 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88805ecf7190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736 4 locks held by udevd/6884: #0: ffff8880255b81c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182 #1: ffff88807ad9c088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154 #2: ffff8880322572d8 (kn->active#5){.+.+}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155 #3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #3: ffff88806a25b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736 1 lock held by syz.0.26/6964: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.3.29/6967: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.2.28/6971: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, 
at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.4.30/6974: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.1.27/6976: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.5.31/7037: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.8.34/7075: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.6.32/7081: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.9.35/7086: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.7.33/7085: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.0.36/7133: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, 
at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.1.37/7146: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.3.39/7165: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.4.40/7170: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.2.38/7173: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.5.41/7196: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.8.42/7223: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.6.43/7257: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.7.44/7280: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.9.45/7283: #0: 
ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.0.46/7305: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.1.47/7321: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.3.48/7352: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.4.50/7372: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.2.49/7375: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.5.51/7398: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.8.52/7419: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.6.53/7445: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: 
ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.7.54/7483: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.9.55/7486: #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff888144f72190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 2 locks held by syz-executor/7489: #0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672 #1: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x282/0x3b0 kernel/rcu/tree_exp.h:297 1 lock held by syz-executor/7498: #0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: __rtnl_newlink+0x65a/0x1920 net/core/rtnetlink.c:3749 1 lock held by syz-executor/7504: #0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fee3868 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672 ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:223 
[inline] watchdog+0xf0c/0x1240 kernel/hung_task.c:379 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 12 Comm: kworker/u8:1 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_unbound cfg80211_wiphy_work RIP: 0010:jhash2 include/linux/jhash.h:130 [inline] RIP: 0010:hash_stack lib/stackdepot.c:514 [inline] RIP: 0010:stack_depot_save_flags+0x62/0x8f0 lib/stackdepot.c:614 Code: 31 c0 e9 73 01 00 00 41 89 c6 4b 8d 04 36 8d 1c 85 7b 71 f5 75 83 f8 03 89 c1 0f 86 18 03 00 00 89 d8 89 df 4c 89 ea 03 42 08 <83> e9 03 48 83 c2 0c 44 8b 4a f4 03 7a f8 89 c6 41 29 c1 c1 c6 04 RSP: 0018:ffffc90000116f00 EFLAGS: 00000213 RAX: 00000000009e9343 RBX: 0000000073bb44f3 RCX: 000000000000000a RDX: ffffc90000116fc0 RSI: 0000000036f90ffc RDI: 00000000e8572e1b RBP: 0000000000000000 R08: ffffffff90eb4466 R09: 000000009e870ba6 R10: ffffc90000116e30 R11: 0000000000000052 R12: 0000000000000000 R13: ffffc90000116f60 R14: 0000000000000011 R15: 0000000000000011 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3870bfed00 CR3: 00000000360f2000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> kasan_save_stack+0x42/0x60 mm/kasan/common.c:48 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541 kvfree_call_rcu+0x74/0xbe0 kernel/rcu/tree.c:3810 cfg80211_update_known_bss+0x3c0/0x11e0 net/wireless/scan.c:1891 __cfg80211_bss_update+0x1aa/0x2440 net/wireless/scan.c:1938 cfg80211_inform_single_bss_data+0x7af/0x1de0 net/wireless/scan.c:2329 cfg80211_inform_bss_data+0x205/0x3ba0 
net/wireless/scan.c:3188 cfg80211_inform_bss_frame_data+0x271/0x7a0 net/wireless/scan.c:3283 ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226 ieee80211_rx_bss_info net/mac80211/ibss.c:1100 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline] ieee80211_ibss_rx_queued_mgmt+0x1898/0x2f40 net/mac80211/ibss.c:1606 ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline] ieee80211_iface_work+0xc0b/0xf00 net/mac80211/iface.c:1657 cfg80211_wiphy_work+0x3d9/0x550 net/wireless/core.c:440 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Tested on: commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=140c3587980000 kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821 dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=12f5a740580000 ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot
` (3 preceding siblings ...)
2024-11-05 5:03 ` Edward Adam Davis
@ 2024-11-05 6:57 ` Edward Adam Davis
2024-11-05 7:31 ` syzbot
2024-11-05 8:54 ` Edward Adam Davis
` (3 subsequent siblings)
8 siblings, 1 reply; 21+ messages in thread
From: Edward Adam Davis @ 2024-11-05 6:57 UTC (permalink / raw)
To: syzbot+73582d08864d8268b6fd; +Cc: linux-kernel, syzkaller-bugs

The sound card of usx2y's probe and disconnect need to be protected under mutex.
debug: why card_dev not release ?

#syz test

diff --git a/sound/core/init.c b/sound/core/init.c index 114fb87de990..35717e1d0049 100644 --- a/sound/core/init.c +++ b/sound/core/init.c @@ -387,8 +387,10 @@ struct snd_card *snd_card_ref(int idx) guard(mutex)(&snd_card_mutex); card = snd_cards[idx]; - if (card) + if (card) { + printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__); get_device(&card->card_dev); + } return card; } EXPORT_SYMBOL_GPL(snd_card_ref); @@ -495,6 +497,7 @@ void snd_card_disconnect(struct snd_card *card) if (!card) return; + printk("card: %p, %s\n", card, __func__); scoped_guard(spinlock, &card->files_lock) { if (card->shutdown) return; @@ -544,6 +547,8 @@ void snd_card_disconnect(struct snd_card *card) if (card->registered) { device_del(&card->card_dev); + printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__); + put_device(&card->card_dev); card->registered = false; } @@ -580,6 +585,7 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync); static int snd_card_do_free(struct snd_card *card) { card->releasing = true; + printk("card: %p, %s\n", card, __func__); #if IS_ENABLED(CONFIG_SND_MIXER_OSS) if (snd_mixer_oss_notify_callback) snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE); 
@@ -615,6 +621,7 @@ void snd_card_free_when_closed(struct snd_card *card) return; snd_card_disconnect(card); + printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__); put_device(&card->card_dev); return; } @@ -643,6 +650,7 @@ void snd_card_free(struct snd_card *card) * may call snd_card_free() twice due to its nature, we need to have * the check here at the beginning. */ + printk("card: %p, rl: %d, %s\n", card, card->releasing, __func__); if (card->releasing) return; @@ -1074,6 +1082,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file) return -ENODEV; } list_add(&mfile->list, &card->files_list); + printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__); get_device(&card->card_dev); return 0; } diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c index 2f9cede242b3..129210a81545 100644 --- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c @@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS]; static void snd_usx2y_card_private_free(struct snd_card *card); static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s); +static DEFINE_MUTEX(devices_mutex); /* * pipe 4 is used for switching the lamps, setting samplerate, volumes .... @@ -392,6 +393,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card) { struct usx2ydev *usx2y = usx2y(card); + printk("card: %p, %s\n", card, __func__); kfree(usx2y->in04_buf); usb_free_urb(usx2y->in04_urb); if (usx2y->us428ctls_sharedmem) @@ -407,9 +409,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) struct usx2ydev *usx2y; struct list_head *p; + mutex_lock(&devices_mutex); card = usb_get_intfdata(intf); - if (!card) + if (!card) { + mutex_unlock(&devices_mutex); return; + } usx2y = usx2y(card); usx2y->chip_status = USX2Y_STAT_CHIP_HUP; usx2y_unlinkseq(&usx2y->as04); 
@@ -423,6 +428,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) if (usx2y->us428ctls_sharedmem) wake_up(&usx2y->us428ctls_wait_queue_head); snd_card_free(card); + mutex_unlock(&devices_mutex); } static int snd_usx2y_probe(struct usb_interface *intf, @@ -432,15 +438,18 @@ static int snd_usx2y_probe(struct usb_interface *intf, struct snd_card *card; int err; + mutex_lock(&devices_mutex); if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 || (le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 && le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 && - le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) - return -EINVAL; + le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) { + err = -EINVAL; + goto out; + } err = usx2y_create_card(device, intf, &card); if (err < 0) - return err; + goto out; err = usx2y_hwdep_new(card, device); if (err < 0) goto error; @@ -449,10 +458,13 @@ static int snd_usx2y_probe(struct usb_interface *intf, goto error; dev_set_drvdata(&intf->dev, card); + mutex_unlock(&devices_mutex); return 0; - error: +error: snd_card_free(card); +out: + mutex_unlock(&devices_mutex); return err; } diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c index 96a412beab2d..efd775aaa684 100644 --- a/net/batman-adv/hard-interface.c +++ b/net/batman-adv/hard-interface.c @@ -509,6 +509,7 @@ batadv_hardif_is_iface_up(const struct batadv_hard_iface *hard_iface) static void batadv_check_known_mac_addr(const struct net_device *net_dev) { const struct batadv_hard_iface *hard_iface; + static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL * 5, 1); rcu_read_lock(); list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) { 
@@ -523,9 +524,11 @@ static void batadv_check_known_mac_addr(const struct net_device *net_dev) net_dev->dev_addr)) continue; + if (__ratelimit(&rs)) { pr_warn("The newly added mac address (%pM) already exists on: %s\n", net_dev->dev_addr, hard_iface->net_dev->name); pr_warn("It is strongly recommended to keep mac addresses unique to avoid problems!\n"); + } } rcu_read_unlock(); } ^ permalink raw reply related [flat|nested] 21+ messages in thread
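Review bot: The put_device(&card->card_dev) added after device_del(&card->card_dev) in the @@ -544,6 +547,8 @@ hunk of snd_card_disconnect() is not debug output; it drops a reference that nothing in this patch takes. snd_card_free_when_closed() (the @@ -615,6 +621,7 @@ hunk) already calls put_device(&card->card_dev) right after snd_card_disconnect(card), so the card loses two references on that path while any file registered through snd_card_file_add() still relies on the one it took with get_device(). Drop the extra put_device() and keep only the kref_read() print if the count is what you want to observe.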
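Review bot: In the snd_usx2y_disconnect() hunks, devices_mutex is taken before usb_get_intfdata(intf) and released only after snd_card_free(card), and the error: path of snd_usx2y_probe() also reaches snd_card_free(card) with the mutex held. The subject of this thread is a task hung in snd_card_free, so the call that blocks is now made under a driver-global lock, and every other usx2y probe or disconnect will queue behind it. The commit message says probe and disconnect need the mutex but not which shared state it protects; please name that state and release the lock before snd_card_free(), or leave the lock out. The probe hunk also ends up with two unlock sites (before return 0 and at out:) plus an unrelated whitespace change to the error: label; a single exit path would be easier to check.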
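Review bot: The net/batman-adv/hard-interface.c hunks are unrelated to the usx2y change the commit message describes and should not travel in the same patch. Within the @@ -523,9 +524,11 @@ hunk the two pr_warn() calls keep their old indentation inside the new if (__ratelimit(&rs)) { block, and because rs is a function-level static the limit is shared by all interfaces, so a genuine duplicate MAC on one device can go unreported after another device has consumed the budget.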
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-05 6:57 ` Edward Adam Davis @ 2024-11-05 7:31 ` syzbot 0 siblings, 0 replies; 21+ messages in thread From: syzbot @ 2024-11-05 7:31 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-use-after-free Read in snd_ctl_release ================================================================== BUG: KASAN: slab-use-after-free in __lock_acquire+0x2dfe/0x3ce0 kernel/locking/lockdep.c:5065 Read of size 8 at addr ffff888024ae6270 by task syz.0.15/6671 CPU: 1 UID: 0 PID: 6671 Comm: syz.0.15 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 __lock_acquire+0x2dfe/0x3ce0 kernel/locking/lockdep.c:5065 lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825 __raw_write_lock_irqsave include/linux/rwlock_api_smp.h:186 [inline] _raw_write_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:318 class_write_lock_irqsave_constructor include/linux/spinlock.h:601 [inline] snd_ctl_release+0x86/0x450 sound/core/control.c:120 __fput+0x3f6/0xb60 fs/file_table.c:431 task_work_run+0x14e/0x250 kernel/task_work.c:239 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f6cdf97e719 Code: ff ff c3 
66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe6b8df9c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000017f6a RCX: 00007f6cdf97e719 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f6cdfb37a80 R08: 0000000000000001 R09: 00007ffe6b8dfcbf R10: 00007f6cdf800000 R11: 0000000000000246 R12: 0000000000018360 R13: 00007ffe6b8dfad0 R14: 0000000000000032 R15: ffffffffffffffff </TASK> Allocated by task 965: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:257 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_noprof+0x1e8/0x400 mm/slub.c:4276 kmalloc_noprof include/linux/slab.h:882 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] snd_card_new+0x74/0x120 sound/core/init.c:184 usx2y_create_card sound/usb/usx2y/usbusx2y.c:369 [inline] snd_usx2y_probe+0x387/0x9c0 sound/usb/usx2y/usbusx2y.c:450 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] 
really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651 hub_port_connect drivers/usb/core/hub.c:5521 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 Freed by task 25: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:230 [inline] slab_free_hook mm/slub.c:2342 [inline] slab_free mm/slub.c:4579 [inline] kfree+0x14f/0x4b0 mm/slub.c:4727 snd_card_do_free sound/core/init.c:603 [inline] release_card_device+0x17f/0x1f0 sound/core/init.c:153 device_release+0xa1/0x240 drivers/base/core.c:2574 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e4/0x5a0 lib/kobject.c:737 put_device+0x1f/0x30 drivers/base/core.c:3780 snd_card_free_when_closed sound/core/init.c:625 [inline] snd_card_free_when_closed sound/core/init.c:618 [inline] snd_card_free+0x1bf/0x250 sound/core/init.c:658 snd_usx2y_disconnect+0x1aa/0x230 
sound/usb/usx2y/usbusx2y.c:430 usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461 device_remove drivers/base/dd.c:569 [inline] device_remove+0x122/0x170 drivers/base/dd.c:561 __device_release_driver drivers/base/dd.c:1273 [inline] device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296 bus_remove_device+0x22f/0x420 drivers/base/bus.c:576 device_del+0x396/0x9f0 drivers/base/core.c:3861 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304 hub_port_connect drivers/usb/core/hub.c:5361 [inline] hub_port_connect_change drivers/usb/core/hub.c:5661 [inline] port_event drivers/usb/core/hub.c:5821 [inline] hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff888024ae6000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 624 bytes inside of freed 4096-byte region [ffff888024ae6000, ffff888024ae7000) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24ae0 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801b042140 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000 head: 00fff00000000040 ffff88801b042140 0000000000000000 dead000000000001 head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000 head: 00fff00000000003 ffffea000092b801 ffffffffffffffff 0000000000000000 head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000 
page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5202, tgid 5202 (udevd), ts 19805789419, free_ts 19472323126 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537 prep_new_page mm/page_alloc.c:1545 [inline] get_page_from_freelist+0xf7d/0x2d10 mm/page_alloc.c:3457 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265 alloc_slab_page mm/slub.c:2412 [inline] allocate_slab mm/slub.c:2578 [inline] new_slab+0x2c9/0x410 mm/slub.c:2631 ___slab_alloc+0xdac/0x1880 mm/slub.c:3818 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908 __slab_alloc_node mm/slub.c:3961 [inline] slab_alloc_node mm/slub.c:4122 [inline] __do_kmalloc_node mm/slub.c:4263 [inline] __kmalloc_noprof+0x367/0x400 mm/slub.c:4276 kmalloc_noprof include/linux/slab.h:882 [inline] tomoyo_realpath_from_path+0xb9/0x720 security/tomoyo/realpath.c:251 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x273/0x450 security/tomoyo/file.c:822 security_inode_getattr+0x116/0x290 security/security.c:2373 vfs_getattr+0x36/0xb0 fs/stat.c:204 vfs_statx_path+0x36/0x390 fs/stat.c:251 vfs_statx+0x145/0x1e0 fs/stat.c:315 vfs_fstatat+0x9f/0x160 fs/stat.c:341 __do_sys_newfstatat+0xa2/0x130 fs/stat.c:505 page last free pid 5224 tgid 5224 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1108 [inline] free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:247 [inline] slab_post_alloc_hook mm/slub.c:4085 [inline] slab_alloc_node 
mm/slub.c:4134 [inline] kmem_cache_alloc_noprof+0x121/0x2f0 mm/slub.c:4141 getname_flags.part.0+0x4c/0x550 fs/namei.c:139 getname_flags+0x93/0xf0 include/linux/audit.h:322 vfs_fstatat+0x86/0x160 fs/stat.c:340 __do_sys_newfstatat+0xa2/0x130 fs/stat.c:505 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff888024ae6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888024ae6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888024ae6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888024ae6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888024ae6300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Tested on: commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10f8ed5f980000 kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821 dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=1630ed5f980000 ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot
` (4 preceding siblings ...)
2024-11-05 6:57 ` Edward Adam Davis
@ 2024-11-05 8:54 ` Edward Adam Davis
2024-11-05 10:52 ` syzbot
2024-11-05 11:22 ` Edward Adam Davis
` (2 subsequent siblings)
8 siblings, 1 reply; 21+ messages in thread
From: Edward Adam Davis @ 2024-11-05 8:54 UTC (permalink / raw)
To: syzbot+73582d08864d8268b6fd; +Cc: linux-kernel, syzkaller-bugs

The sound card of usx2y's probe and disconnect need to be protected under mutex.
debug: why card_dev not release ?
debug: why snd ctl not release ?

#syz test

diff --git a/sound/core/control.c b/sound/core/control.c index 0ddade871b52..5a0d46e757ba 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -82,6 +82,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file) scoped_guard(write_lock_irqsave, &card->controls_rwlock) list_add_tail(&ctl->list, &card->ctl_files); snd_card_unref(card); + printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__); return 0; __error: @@ -91,6 +92,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file) __error1: if (card) snd_card_unref(card); + printk("err: %d, card: %p, %s\n", err, card, __func__); return err; } @@ -113,6 +115,9 @@ static int snd_ctl_release(struct inode *inode, struct file *file) struct snd_kcontrol *control; unsigned int idx; + if (!file->private_data) + return 0; + ctl = file->private_data; file->private_data = NULL; card = ctl->card; @@ -133,6 +138,8 @@ static int snd_ctl_release(struct inode *inode, struct file *file) kfree(ctl); module_put(card->module); snd_card_file_remove(card, file); + printk("card: %p, %s\n", card, __func__); + snd_card_unref(card); return 0; } @@ -2316,6 +2323,7 @@ static int snd_ctl_dev_disconnect(struct snd_device *device) } } + printk("card: %p, %s\n", card, __func__); call_snd_ctl_lops(card, ldisconnect); return snd_unregister_device(card->ctl_dev); } 
@@ -2339,6 +2347,7 @@ static int snd_ctl_dev_free(struct snd_device *device) xa_destroy(&card->ctl_hash); #endif } + printk("card: %p, %s\n", card, __func__); put_device(card->ctl_dev); return 0; } diff --git a/sound/core/init.c b/sound/core/init.c index 114fb87de990..876cd1b80029 100644 --- a/sound/core/init.c +++ b/sound/core/init.c @@ -387,8 +387,10 @@ struct snd_card *snd_card_ref(int idx) guard(mutex)(&snd_card_mutex); card = snd_cards[idx]; - if (card) + if (card) { + printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__); get_device(&card->card_dev); + } return card; } EXPORT_SYMBOL_GPL(snd_card_ref); @@ -537,6 +539,11 @@ void snd_card_disconnect(struct snd_card *card) synchronize_irq(card->sync_irq); snd_info_card_disconnect(card); + struct device *child = device_find_any_child(&card->card_dev); + if (child) { + printk("child: %p, %s\n", child, __func__); + put_device(child); + } #ifdef CONFIG_SND_DEBUG debugfs_remove(card->debugfs_root); card->debugfs_root = NULL; @@ -544,6 +551,8 @@ void snd_card_disconnect(struct snd_card *card) if (card->registered) { device_del(&card->card_dev); + printk("card: %p, dev: %p, kref: %d, %s\n", card, &card->card_dev, + kref_read(&card->card_dev.kobj.kref), __func__); card->registered = false; } @@ -580,6 +589,7 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync); static int snd_card_do_free(struct snd_card *card) { card->releasing = true; + printk("card: %p, %s\n", card, __func__); #if IS_ENABLED(CONFIG_SND_MIXER_OSS) if (snd_mixer_oss_notify_callback) snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE); @@ -615,6 +625,7 @@ void snd_card_free_when_closed(struct snd_card *card) return; snd_card_disconnect(card); + printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__); put_device(&card->card_dev); return; } 
@@ -643,6 +654,7 @@ void snd_card_free(struct snd_card *card) * may call snd_card_free() twice due to its nature, we need to have * the check here at the beginning. */ + printk("card: %p, rl: %d, %s\n", card, card->releasing, __func__); if (card->releasing) return; @@ -1074,6 +1086,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file) return -ENODEV; } list_add(&mfile->list, &card->files_list); + printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__); get_device(&card->card_dev); return 0; } diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c index 2f9cede242b3..129210a81545 100644 --- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c @@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS]; static void snd_usx2y_card_private_free(struct snd_card *card); static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s); +static DEFINE_MUTEX(devices_mutex); /* * pipe 4 is used for switching the lamps, setting samplerate, volumes .... @@ -392,6 +393,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card) { struct usx2ydev *usx2y = usx2y(card); + printk("card: %p, %s\n", card, __func__); kfree(usx2y->in04_buf); usb_free_urb(usx2y->in04_urb); if (usx2y->us428ctls_sharedmem) @@ -407,9 +409,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) struct usx2ydev *usx2y; struct list_head *p; + mutex_lock(&devices_mutex); card = usb_get_intfdata(intf); - if (!card) + if (!card) { + mutex_unlock(&devices_mutex); return; + } usx2y = usx2y(card); usx2y->chip_status = USX2Y_STAT_CHIP_HUP; usx2y_unlinkseq(&usx2y->as04); @@ -423,6 +428,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) if (usx2y->us428ctls_sharedmem) wake_up(&usx2y->us428ctls_wait_queue_head); snd_card_free(card); + mutex_unlock(&devices_mutex); } static int snd_usx2y_probe(struct usb_interface *intf, 
@@ -432,15 +438,18 @@ static int snd_usx2y_probe(struct usb_interface *intf, struct snd_card *card; int err; + mutex_lock(&devices_mutex); if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 || (le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 && le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 && - le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) - return -EINVAL; + le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) { + err = -EINVAL; + goto out; + } err = usx2y_create_card(device, intf, &card); if (err < 0) - return err; + goto out; err = usx2y_hwdep_new(card, device); if (err < 0) goto error; @@ -449,10 +458,13 @@ static int snd_usx2y_probe(struct usb_interface *intf, goto error; dev_set_drvdata(&intf->dev, card); + mutex_unlock(&devices_mutex); return 0; - error: +error: snd_card_free(card); +out: + mutex_unlock(&devices_mutex); return err; } diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c index 96a412beab2d..efd775aaa684 100644 --- a/net/batman-adv/hard-interface.c +++ b/net/batman-adv/hard-interface.c @@ -509,6 +509,7 @@ batadv_hardif_is_iface_up(const struct batadv_hard_iface *hard_iface) static void batadv_check_known_mac_addr(const struct net_device *net_dev) { const struct batadv_hard_iface *hard_iface; + static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL * 5, 1); rcu_read_lock(); list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) { @@ -523,9 +524,11 @@ static void batadv_check_known_mac_addr(const struct net_device *net_dev) net_dev->dev_addr)) continue; + if (__ratelimit(&rs)) { pr_warn("The newly added mac address (%pM) already exists on: %s\n", net_dev->dev_addr, hard_iface->net_dev->name); pr_warn("It is strongly recommended to keep mac addresses unique to avoid problems!\n"); + } } rcu_read_unlock(); } ^ permalink raw reply related [flat|nested] 21+ messages in thread
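Review bot: The snd_card_unref(card) added at the end of snd_ctl_release() (@@ -133,6 +138,8 @@ in sound/core/control.c) has no matching reference. snd_ctl_open() already calls snd_card_unref(card) on its success path, as the context of the first hunk shows, and the reference the open file holds comes from get_device() in snd_card_file_add(), whose counterpart snd_card_file_remove(card, file) runs on the line just above. If that call drops the last reference, card is already freed when the new snd_card_unref() touches it. Remove the snd_card_unref(), and if the trace line is needed, print it before snd_card_file_remove().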
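Review bot: The early return added to snd_ctl_release() in the @@ -113,6 +115,9 @@ hunk (if (!file->private_data) return 0;) changes behaviour rather than adding debug output, and neither the commit message nor a comment says when private_data can be NULL on entry. The only assignment of NULL visible in this patch is inside snd_ctl_release() itself, so please either explain the path that reaches release with a NULL pointer or drop the check; as written it would skip kfree(ctl), module_put(card->module) and snd_card_file_remove() without trace.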
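Review bot: In the @@ -537,6 +539,11 @@ hunk of snd_card_disconnect(), struct device *child is declared after statements in the middle of the function, and the block prints only the pointer of one arbitrary child before put_device(child), which does not identify what still pins card_dev. Move the declaration to the top of the function and print dev_name(child) so the log names the device.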
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-05 8:54 ` Edward Adam Davis @ 2024-11-05 10:52 ` syzbot 0 siblings, 0 replies; 21+ messages in thread From: syzbot @ 2024-11-05 10:52 UTC (permalink / raw) To: eadavis, linux-kernel, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: slab-use-after-free Read in put_device card: ffff88807b9a4000, snd_card_do_free card: ffff88807b9a4000, snd_ctl_dev_free card: ffff88807b9a4000, snd_usx2y_card_private_free card: ffff88807b9a4000, snd_ctl_release ================================================================== BUG: KASAN: slab-use-after-free in kobject_put+0x4ed/0x5a0 lib/kobject.c:733 Read of size 1 at addr ffff88807b9a442c by task syz.2.17/6875 CPU: 0 UID: 0 PID: 6875 Comm: syz.2.17 Not tainted 6.12.0-rc6-syzkaller-g2e1b3cc9d7f7-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 kobject_put+0x4ed/0x5a0 lib/kobject.c:733 put_device+0x1f/0x30 drivers/base/core.c:3780 snd_card_unref include/sound/core.h:314 [inline] snd_ctl_release+0x3b2/0x480 sound/core/control.c:142 __fput+0x3f6/0xb60 fs/file_table.c:431 task_work_run+0x14e/0x250 kernel/task_work.c:239 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop kernel/entry/common.c:114 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f017e37e719 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 
00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe61637728 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000019275 RCX: 00007f017e37e719 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007f017e537a80 R08: 0000000000000001 R09: 00007ffe61637a1f R10: 00007f017e200000 R11: 0000000000000246 R12: 00000000000196c6 R13: 00007ffe61637830 R14: 0000000000000032 R15: ffffffffffffffff </TASK> Allocated by task 2142: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:257 [inline] __do_kmalloc_node mm/slub.c:4264 [inline] __kmalloc_noprof+0x1e8/0x400 mm/slub.c:4276 kmalloc_noprof include/linux/slab.h:882 [inline] kzalloc_noprof include/linux/slab.h:1014 [inline] snd_card_new+0x74/0x120 sound/core/init.c:184 usx2y_create_card sound/usb/usx2y/usbusx2y.c:369 [inline] snd_usx2y_probe+0x387/0x9c0 sound/usb/usx2y/usbusx2y.c:450 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:958 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534 device_add+0x114b/0x1a70 drivers/base/core.c:3672 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:579 [inline] really_probe+0x23e/0xa90 drivers/base/dd.c:658 
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 6875:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2342 [inline]
slab_free mm/slub.c:4579 [inline]
kfree+0x14f/0x4b0 mm/slub.c:4727
snd_card_do_free sound/core/init.c:607 [inline]
release_card_device+0x17f/0x1f0 sound/core/init.c:153
device_release+0xa1/0x240 drivers/base/core.c:2574
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e4/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3780
snd_card_file_remove+0x3a0/0x5b0 sound/core/init.c:1132
snd_ctl_release+0x390/0x480 sound/core/control.c:140
__fput+0x3f6/0xb60 fs/file_table.c:431
task_work_run+0x14e/0x250 kernel/task_work.c:239
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
exit_to_user_mode_loop kernel/entry/common.c:114 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x27b/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88807b9a4000
which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 1068 bytes inside of
freed 4096-byte region [ffff88807b9a4000, ffff88807b9a5000)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b9a0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b042140 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801b042140 dead000000000122 0000000000000000
head: 0000000000000000 0000000000040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea0001ee6801 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6887, tgid 6887 (kworker/u8:7), ts 103656163705, free_ts 103633261852
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0xf7d/0x2d10 mm/page_alloc.c:3457
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:2412 [inline]
allocate_slab mm/slub.c:2578 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2631
___slab_alloc+0xdac/0x1880 mm/slub.c:3818
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
__kmalloc_cache_noprof+0x2b4/0x300 mm/slub.c:4290
kmalloc_noprof include/linux/slab.h:878 [inline]
kzalloc_noprof include/linux/slab.h:1014 [inline]
tomoyo_environ security/tomoyo/domain.c:633 [inline]
tomoyo_find_next_domain+0xba0/0x2070 security/tomoyo/domain.c:881
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12b/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x1b9/0x1e0 security/security.c:1297
search_binary_handler fs/exec.c:1740 [inline]
exec_binprm fs/exec.c:1794 [inline]
bprm_execve fs/exec.c:1845 [inline]
bprm_execve+0x642/0x1960 fs/exec.c:1821
kernel_execve+0x2ef/0x3b0 fs/exec.c:2012
call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:110
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 6618 tgid 6618 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0x5f4/0xdc0 mm/page_alloc.c:2638
__put_partials+0x14c/0x170 mm/slub.c:3145
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4e/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x192/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4085 [inline]
slab_alloc_node mm/slub.c:4134 [inline]
kmem_cache_alloc_node_noprof+0x153/0x310 mm/slub.c:4186
__alloc_skb+0x2b1/0x380 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1322 [inline]
netlink_alloc_large_skb+0x69/0x130 net/netlink/af_netlink.c:1206
netlink_sendmsg+0x689/0xd70 net/netlink/af_netlink.c:1876
sock_sendmsg_nosec net/socket.c:729 [inline]
__sock_sendmsg net/socket.c:744 [inline]
__sys_sendto+0x479/0x4d0 net/socket.c:2214
__do_sys_sendto net/socket.c:2226 [inline]
__se_sys_sendto net/socket.c:2222 [inline]
__x64_sys_sendto+0xe0/0x1c0 net/socket.c:2222
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88807b9a4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807b9a4380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88807b9a4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807b9a4480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807b9a4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=175596a7980000
kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=128aed5f980000
^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free 2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot ` (5 preceding siblings ...) 2024-11-05 8:54 ` Edward Adam Davis @ 2024-11-05 11:22 ` Edward Adam Davis 2024-11-05 21:06 ` syzbot 2024-11-06 1:37 ` Edward Adam Davis 2024-11-06 2:15 ` [PATCH] usb: fix a " Edward Adam Davis 8 siblings, 1 reply; 21+ messages in thread From: Edward Adam Davis @ 2024-11-05 11:22 UTC (permalink / raw) To: syzbot+73582d08864d8268b6fd; +Cc: linux-kernel, syzkaller-bugs The sound card of usx2y's probe and disconnect need to be protected under mutex. #syz test diff --git a/sound/core/control.c b/sound/core/control.c index 0ddade871b52..b9b9dde9807a 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -82,6 +82,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file) scoped_guard(write_lock_irqsave, &card->controls_rwlock) list_add_tail(&ctl->list, &card->ctl_files); snd_card_unref(card); + printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__); return 0; __error: @@ -91,6 +92,7 @@ static int snd_ctl_open(struct inode *inode, struct file *file) __error1: if (card) snd_card_unref(card); + printk("err: %d, card: %p, %s\n", err, card, __func__); return err; } @@ -113,6 +115,9 @@ static int snd_ctl_release(struct inode *inode, struct file *file) struct snd_kcontrol *control; unsigned int idx; + if (!file->private_data) + return 0; + ctl = file->private_data; file->private_data = NULL; card = ctl->card; @@ -133,6 +138,7 @@ static int snd_ctl_release(struct inode *inode, struct file *file) kfree(ctl); module_put(card->module); snd_card_file_remove(card, file); + printk("card: %p, %s\n", card, __func__); return 0; } @@ -2316,6 +2322,7 @@ static int snd_ctl_dev_disconnect(struct snd_device *device) } } + printk("card: %p, %s\n", card, __func__); call_snd_ctl_lops(card, ldisconnect); return snd_unregister_device(card->ctl_dev); } 
@@ -2339,6 +2346,7 @@ static int snd_ctl_dev_free(struct snd_device *device) xa_destroy(&card->ctl_hash); #endif } + printk("card: %p, %s\n", card, __func__); put_device(card->ctl_dev); return 0; } diff --git a/sound/core/init.c b/sound/core/init.c index 114fb87de990..70145add5ace 100644 --- a/sound/core/init.c +++ b/sound/core/init.c @@ -544,6 +544,8 @@ void snd_card_disconnect(struct snd_card *card) if (card->registered) { device_del(&card->card_dev); + printk("card: %p, dev: %p, kref: %d, %s\n", card, &card->card_dev, + kref_read(&card->card_dev.kobj.kref), __func__); card->registered = false; } @@ -580,6 +582,7 @@ EXPORT_SYMBOL_GPL(snd_card_disconnect_sync); static int snd_card_do_free(struct snd_card *card) { card->releasing = true; + printk("card: %p, %s\n", card, __func__); #if IS_ENABLED(CONFIG_SND_MIXER_OSS) if (snd_mixer_oss_notify_callback) snd_mixer_oss_notify_callback(card, SND_MIXER_OSS_NOTIFY_FREE); @@ -615,6 +618,7 @@ void snd_card_free_when_closed(struct snd_card *card) return; snd_card_disconnect(card); + printk("card: %p, kref: %d, %s\n", card, kref_read(&card->card_dev.kobj.kref), __func__); put_device(&card->card_dev); return; } @@ -643,6 +647,7 @@ void snd_card_free(struct snd_card *card) * may call snd_card_free() twice due to its nature, we need to have * the check here at the beginning. */ + printk("card: %p, rl: %d, %s\n", card, card->releasing, __func__); if (card->releasing) return; @@ -1074,6 +1079,7 @@ int snd_card_file_add(struct snd_card *card, struct file *file) return -ENODEV; } list_add(&mfile->list, &card->files_list); + printk("card: %p, dev: %p, %s\n", card, &card->card_dev, __func__); get_device(&card->card_dev); return 0; } diff --git a/sound/usb/usx2y/usbusx2y.c b/sound/usb/usx2y/usbusx2y.c index 2f9cede242b3..129210a81545 100644 --- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c 
@@ -150,6 +150,7 @@ static int snd_usx2y_card_used[SNDRV_CARDS]; static void snd_usx2y_card_private_free(struct snd_card *card); static void usx2y_unlinkseq(struct snd_usx2y_async_seq *s); +static DEFINE_MUTEX(devices_mutex); /* * pipe 4 is used for switching the lamps, setting samplerate, volumes .... @@ -392,6 +393,7 @@ static void snd_usx2y_card_private_free(struct snd_card *card) { struct usx2ydev *usx2y = usx2y(card); + printk("card: %p, %s\n", card, __func__); kfree(usx2y->in04_buf); usb_free_urb(usx2y->in04_urb); if (usx2y->us428ctls_sharedmem) @@ -407,9 +409,12 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) struct usx2ydev *usx2y; struct list_head *p; + mutex_lock(&devices_mutex); card = usb_get_intfdata(intf); - if (!card) + if (!card) { + mutex_unlock(&devices_mutex); return; + } usx2y = usx2y(card); usx2y->chip_status = USX2Y_STAT_CHIP_HUP; usx2y_unlinkseq(&usx2y->as04); @@ -423,6 +428,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) if (usx2y->us428ctls_sharedmem) wake_up(&usx2y->us428ctls_wait_queue_head); snd_card_free(card); + mutex_unlock(&devices_mutex); } static int snd_usx2y_probe(struct usb_interface *intf, @@ -432,15 +438,18 @@ static int snd_usx2y_probe(struct usb_interface *intf, struct snd_card *card; int err; + mutex_lock(&devices_mutex); if (le16_to_cpu(device->descriptor.idVendor) != 0x1604 || (le16_to_cpu(device->descriptor.idProduct) != USB_ID_US122 && le16_to_cpu(device->descriptor.idProduct) != USB_ID_US224 && - le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) - return -EINVAL; + le16_to_cpu(device->descriptor.idProduct) != USB_ID_US428)) { + err = -EINVAL; + goto out; + } err = usx2y_create_card(device, intf, &card); if (err < 0) - return err; + goto out; err = usx2y_hwdep_new(card, device); if (err < 0) goto error; 
@@ -449,10 +458,13 @@ static int snd_usx2y_probe(struct usb_interface *intf, goto error; dev_set_drvdata(&intf->dev, card); + mutex_unlock(&devices_mutex); return 0; - error: +error: snd_card_free(card); +out: + mutex_unlock(&devices_mutex); return err; } diff --git a/net/batman-adv/hard-interface.c b/net/batman-adv/hard-interface.c index 96a412beab2d..efd775aaa684 100644 --- a/net/batman-adv/hard-interface.c +++ b/net/batman-adv/hard-interface.c @@ -509,6 +509,7 @@ batadv_hardif_is_iface_up(const struct batadv_hard_iface *hard_iface) static void batadv_check_known_mac_addr(const struct net_device *net_dev) { const struct batadv_hard_iface *hard_iface; + static DEFINE_RATELIMIT_STATE(rs, DEFAULT_RATELIMIT_INTERVAL * 5, 1); rcu_read_lock(); list_for_each_entry_rcu(hard_iface, &batadv_hardif_list, list) { @@ -523,9 +524,11 @@ static void batadv_check_known_mac_addr(const struct net_device *net_dev) net_dev->dev_addr)) continue; + if (__ratelimit(&rs)) { pr_warn("The newly added mac address (%pM) already exists on: %s\n", net_dev->dev_addr, hard_iface->net_dev->name); pr_warn("It is strongly recommended to keep mac addresses unique to avoid problems!\n"); + } } rcu_read_unlock(); } ^ permalink raw reply related [flat|nested] 21+ messages in thread
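Review bot: The printk() calls added throughout sound/core/control.c and sound/core/init.c (snd_ctl_open, snd_ctl_release, snd_ctl_dev_disconnect, snd_ctl_dev_free, snd_card_disconnect, snd_card_do_free, snd_card_free_when_closed, snd_card_free, snd_card_file_add) have no KERN_ log level and are tracing for the #syz test run only. They make up most of the diff and bury the functional change; drop them from anything posted for merging, or convert the few worth keeping to dev_dbg()/pr_debug().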
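Review bot: The new early return at the top of snd_ctl_release() ("if (!file->private_data) return 0;") is not explained in the commit message, which only talks about probe and disconnect locking. The function itself sets file->private_data = NULL a few lines further down, so the check only matters if release can run twice on the same file; please state which path does that, or drop the check, because as written it would silently mask a double release instead of fixing its cause.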
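Review bot: In snd_usx2y_disconnect(), devices_mutex is still held across snd_card_free(card); the mutex_unlock() is added only after that call returns. The original report in this thread is a task sleeping inside snd_card_free() waiting for a completion, so this places a potentially unbounded wait inside the new critical section, and every other probe or disconnect of this driver will queue behind it on the mutex. Release the mutex before calling snd_card_free(), or document which shared state the lock protects and why the wait has to happen under it.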
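Review bot: In snd_usx2y_probe(), mutex_lock(&devices_mutex) is taken before the idVendor/idProduct comparison, which only reads the device descriptor. Taking the lock after that check would let the -EINVAL case keep its plain return and confine the new "out:" label to the paths that actually hold the lock. The error path also calls snd_card_free(card) with the mutex held, which has the same blocking concern as the disconnect path. The change from " error:" to "error:" is an unrelated whitespace edit and should be left out of this patch.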
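Review bot: The net/batman-adv/hard-interface.c hunk is unrelated to the usx2y probe/disconnect locking described in the commit message and should not be part of this patch; if the rate limit is wanted upstream it needs its own patch and rationale. Within the hunk, the two pr_warn() calls placed inside the new "if (__ratelimit(&rs)) {" block were not re-indented, so the block structure is hard to read.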
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-05 11:22 ` Edward Adam Davis
@ 2024-11-05 21:06 ` syzbot
0 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2024-11-05 21:06 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: task hung in snd_usx2y_probe
INFO: task kworker/0:0:8 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0 state:D stack:25104 pid:8 tgid:8 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/0:3:5904 blocked for more than 143 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:3 state:D stack:26080 pid:5904 tgid:5904 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3861
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/0:4:5912 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:4 state:D stack:25984 pid:5912 tgid:5912 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task kworker/0:5:5913 blocked for more than 144 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:5 state:D stack:26368 pid:5913 tgid:5913 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
call_driver_probe drivers/base/dd.c:579 [inline]
really_probe+0x23e/0xa90 drivers/base/dd.c:658
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:958
bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:459
__device_attach+0x1e8/0x4b0 drivers/base/dd.c:1030
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:534
device_add+0x114b/0x1a70 drivers/base/core.c:3672
usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
hub_port_connect drivers/usb/core/hub.c:5521 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x2d9a/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task udevd:6245 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27232 pid:6245 tgid:6245 ppid:5201 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a5ff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 0000556737713800 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffe9a6a64d8 R15: 000000000000000a
</TASK>
INFO: task udevd:6273 blocked for more than 145 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27152 pid:6273 tgid:6273 ppid:5201 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a4e28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 000055673771cde0 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000040000
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffe9a6a5308 R15: 000000000000000a
</TASK>
INFO: task udevd:6279 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27136 pid:6279 tgid:6279 ppid:5201 flags:0x00000002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a5ff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 000055673771d530 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffe9a6a64d8 R15: 000000000000000a
</TASK>
INFO: task udevd:6385 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd state:D stack:27280 pid:6385 tgid:6385 ppid:5201 flags:0x00004002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
uevent_show+0x188/0x3b0 drivers/base/core.c:2736
dev_attr_show+0x53/0xe0 drivers/base/core.c:2430
sysfs_kf_seq_show+0x23e/0x410 fs/sysfs/file.c:59
seq_read_iter+0x4f4/0x12b0 fs/seq_file.c:230
kernfs_fop_read_iter+0x414/0x580 fs/kernfs/file.c:279
new_sync_read fs/read_write.c:488 [inline]
vfs_read+0x87f/0xbe0 fs/read_write.c:569
ksys_read+0x12f/0x260 fs/read_write.c:712
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb774516b6a
RSP: 002b:00007ffe9a6a5ff8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 000055673771abd0 RCX: 00007fb774516b6a
RDX: 0000000000001000 RSI: 000055673771dd90 RDI: 0000000000000008
RBP: 000055673771abd0 R08: 0000000000000008 R09: 0000000000000008
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffe9a6a64d8 R15: 000000000000000a
</TASK>
INFO: task kworker/0:6:6485 blocked for more than 146 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:6 state:D stack:24560 pid:6485 tgid:6485 ppid:2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_timeout+0x258/0x2a0 kernel/time/timer.c:2591
do_wait_for_common kernel/sched/completion.c:95 [inline]
__wait_for_common+0x3e1/0x600 kernel/sched/completion.c:116
snd_card_free+0x1cc/0x250 sound/core/init.c:658
snd_usx2y_disconnect+0x1aa/0x230 sound/usb/usx2y/usbusx2y.c:430
usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
device_remove drivers/base/dd.c:569 [inline]
device_remove+0x122/0x170 drivers/base/dd.c:561
__device_release_driver drivers/base/dd.c:1273 [inline]
device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1296
bus_remove_device+0x22f/0x420 drivers/base/bus.c:576
device_del+0x396/0x9f0 drivers/base/core.c:3861
usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
hub_port_connect drivers/usb/core/hub.c:5361 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
port_event drivers/usb/core/hub.c:5821 [inline]
hub_event+0x1da5/0x4e10 drivers/usb/core/hub.c:5903
process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
INFO: task syz.1.16:6491 blocked for more than 147 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.1.16 state:D stack:26096 pid:6491 tgid:6490 ppid:6337 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa9e657e719
RSP: 002b:00007fa9e57fe038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fa9e6735f80 RCX: 00007fa9e657e719
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00007fa9e65f132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa9e6735f80 R15: 00007ffc228d1e28
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.4.19:6495 blocked for more than 147 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.4.19 state:D stack:27680 pid:6495 tgid:6494 ppid:6349 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f7c92d7e719
RSP: 002b:00007f7c93bd0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f7c92f35f80 RCX: 00007f7c92d7e719
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00007f7c92df132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f7c92f35f80 R15: 00007ffef375c0d8
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.3.18:6507 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.3.18 state:D stack:27632 pid:6507 tgid:6505 ppid:6339 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl fs/ioctl.c:893 [inline]
__x64_sys_ioctl+0x18f/0x220 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe68a37e719
RSP: 002b:00007fe68b094038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fe68a535f80 RCX: 00007fe68a37e719
RDX: 0000000000000000 RSI: 00000000c0105512 RDI: 0000000000000003
RBP: 00007fe68a3f132e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fe68a535f80 R15: 00007ffc418b42b8
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.0.15:6517 blocked for more than 148 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.15 state:D stack:28384 pid:6517 tgid:6516 ppid:6332 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe1beb7d0b0
RSP: 002b:00007fe1bfa37b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fe1beb7d0b0
RDX: 0000000000000d81 RSI: 00007fe1bfa37c10 RDI: 00000000ffffff9c
RBP: 00007fe1bfa37c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fe1bed35f80 R15: 00007ffdbac6c328
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
INFO: task syz.2.17:6538 blocked for more than 149 seconds.
Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.17 state:D stack:27216 pid:6538 tgid:6537 ppid:6338 flags:0x00000004
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5328 [inline]
__schedule+0xe55/0x5740 kernel/sched/core.c:6690
__schedule_loop kernel/sched/core.c:6767 [inline]
schedule+0xe7/0x350 kernel/sched/core.c:6782
schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6839
__mutex_lock_common kernel/locking/mutex.c:684 [inline]
__mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
device_lock include/linux/device.h:1014 [inline]
usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
chrdev_open+0x237/0x6a0 fs/char_dev.c:414
do_dentry_open+0x6ca/0x1530 fs/open.c:958
vfs_open+0x82/0x3f0 fs/open.c:1088
do_open fs/namei.c:3774 [inline]
path_openat+0x1e6a/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x175/0x210 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fb4f517d0b0
RSP: 002b:00007fb4f5f78b70 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000d81 RCX: 00007fb4f517d0b0
RDX: 0000000000000d81 RSI: 00007fb4f5f78c10 RDI: 00000000ffffff9c
RBP: 00007fb4f5f78c10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 0000000000000001 R14: 00007fb4f5335f80 R15: 00007fff57a0f898
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings
Showing all locks held in the system:
6 locks held by kworker/0:0/8:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900000d7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88802957c190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff88802957c190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88802569a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802569a160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/u8:1/12:
1 lock held by khungtaskd/30:
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
#0: ffffffff8e1b8340 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x7f/0x390 kernel/locking/lockdep.c:6720
6 locks held by kworker/1:1/51:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000bc7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880296a6190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8880296a6190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888021757160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888021757160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
4 locks held by kworker/u9:0/54:
#0: ffff888049a9d948 ((wq_completion)hci42#2){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90000bf7d80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888040814078 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x99/0x980 net/bluetooth/hci_event.c:3687
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x486/0x980 net/bluetooth/hci_event.c:3721
2 locks held by kworker/u8:5/742:
6 locks held by kworker/1:2/968:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003927d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880296a4190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8880296a4190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888024128160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888024128160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
3 locks held by kworker/u8:7/3645:
#0: ffff888031af1948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000be0fd80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x14d0 net/ipv6/addrconf.c:4196
5 locks held by kworker/u9:1/5139:
#0: ffff888035753148 ((wq_completion)hci14){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900100e7d80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888020b6cd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888020b6c078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
2 locks held by getty/5578:
#0: ffff88814dff20a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
#1: ffffc90002f062f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0xfba/0x1480 drivers/tty/n_tty.c:2211
6 locks held by kworker/0:3/5904:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90005f2fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029684190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029684190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88803268b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88803268b190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88807c450160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807c450160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88807c450160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
6 locks held by kworker/0:4/5912:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000433fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029604190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029604190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88807c74a160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88807c74a160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:5/5913:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90004ab7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881447c9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881447c9190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff88806670d160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88806670d160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
4 locks held by udevd/6245:
#0: ffff8880524a5790 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880565a3888 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880349a6d28 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88801c77b190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6273:
#0: ffff88802b07ce80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88801c7d6088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88802035bf08 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6279:
#0: ffff888069665b08 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880347dd088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880656a9968 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888012973190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
5 locks held by kworker/u9:4/6345:
#0: ffff8880532e2948 ((wq_completion)hci11){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000485fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888028adcd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888028adc078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
5 locks held by kworker/u9:5/6347:
#0: ffff888028dbf148 ((wq_completion)hci13){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900047efd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888074b58d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888074b58078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
4 locks held by kworker/u9:6/6348:
#0: ffff8880451d2148 ((wq_completion)hci44#2){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc900042cfd80 ((work_completion)(&hdev->rx_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8880427e8078 (&hdev->lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x99/0x980 net/bluetooth/hci_event.c:3687
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#3: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_remote_features_evt+0x486/0x980 net/bluetooth/hci_event.c:3721
4 locks held by kworker/u9:8/6352:
#0: ffff888028db8948 ((wq_completion)hci12){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000468fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff88802a500d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff88802a500078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
4 locks held by udevd/6385:
#0: ffff88803051f9e0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888021b0c488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88805552e698 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880794ef190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
6 locks held by kworker/1:6/6422:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000432fd80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881447fc190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881447fc190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888067045160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888067045160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
6 locks held by kworker/0:6/6485:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003cc7d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880776a9190 (&dev->mutex){....}-{3:3}, at: usb_disconnect+0x10a/0x920 drivers/usb/core/hub.c:2295
#4: ffff88802acbd160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff88802acbd160 (&dev->mutex){....}-{3:3}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
#4: ffff88802acbd160 (&dev->mutex){....}-{3:3}, at: device_release_driver_internal+0xa4/0x610 drivers/base/dd.c:1293
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_disconnect+0x22/0x230 sound/usb/usx2y/usbusx2y.c:412
1 lock held by syz.1.16/6491:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.4.19/6495:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
6 locks held by kworker/1:7/6501:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003917d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888144b16190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888144b16190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff888066754160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff888066754160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.3.18/6507:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_do_ioctl drivers/usb/core/devio.c:2608 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_ioctl+0x1a9/0x4010 drivers/usb/core/devio.c:2824
1 lock held by syz.0.15/6517:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
6 locks held by kworker/0:8/6526:
#0: ffff888144eed148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc90003e67d80 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888029786190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#2: ffff888029786190 (&dev->mutex){....}-{3:3}, at: hub_event+0x1c1/0x4e10 drivers/usb/core/hub.c:5849
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#4: ffff8880795de160 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#4: ffff8880795de160 (&dev->mutex){....}-{3:3}, at: __device_attach+0x7f/0x4b0 drivers/base/dd.c:1005
#5: ffffffff8fe67f48 (devices_mutex){+.+.}-{3:3}, at: snd_usx2y_probe+0xaf/0x9c0 sound/usb/usx2y/usbusx2y.c:441
1 lock held by syz.2.17/6538:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6578:
#0: ffff88802849c1c8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807a6bfc88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880773011e8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880650e3190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6579:
#0: ffff888027cb90a0 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880517df488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff888067b923c8 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888053150190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.6.21/6927:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.20/6929:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.22/6934:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.23/6937:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6939:
#0: ffff8880294e78b8 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff888031869088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff8880785faa58 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff888065ef7190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
4 locks held by udevd/6940:
#0: ffff8880294e7668 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff88807d1b7488 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88802afad878 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff8880510eb190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.9.24/6942:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
4 locks held by udevd/6945:
#0: ffff88807d179790 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xd8/0x12b0 fs/seq_file.c:182
#1: ffff8880346d6c88 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x4d/0x240 fs/kernfs/file.c:154
#2: ffff88801c3c9e18 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x71/0x240 fs/kernfs/file.c:155
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#3: ffff88805516e190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x188/0x3b0 drivers/base/core.c:2736
1 lock held by syz.1.25/6999:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.26/7020:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.27/7027:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.28/7030:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.29/7033:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.30/7091:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.31/7104:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.33/7137:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.32/7141:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.34/7142:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.35/7159:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.36/7212:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.37/7219:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.38/7227:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.39/7230:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.40/7252:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.41/7301:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.9.42/7328:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.8.43/7337:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.6.44/7340:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.1.45/7356:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.4.46/7385:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.0.47/7423:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.2.48/7430:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.3.49/7433:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.7.50/7455:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
1 lock held by syz.5.51/7477:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline]
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051
5 locks held by kworker/u9:9/7479:
#0: ffff888052482148 ((wq_completion)hci10){+.+.}-{0:0}, at: process_one_work+0x129b/0x1ba0 kernel/workqueue.c:3204
#1: ffffc9000bd3fd80 ((work_completion)(&hdev->cmd_sync_work)){+.+.}-{0:0}, at: process_one_work+0x921/0x1ba0 kernel/workqueue.c:3205
#2: ffff888061fd8d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_cmd_sync_work+0x170/0x410 net/bluetooth/hci_sync.c:331
#3: ffff888061fd8078 (&hdev->lock){+.+.}-{3:3}, at: hci_abort_conn_sync+0x150/0xb50 net/bluetooth/hci_sync.c:5577
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_connect_cfm include/net/bluetooth/hci_core.h:1957 [inline]
#4: ffffffff9014c2a8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_failed+0x158/0x340 net/bluetooth/hci_conn.c:1265
1 lock held by syz.9.52/7523:
#0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock
include/linux/device.h:1014 [inline] #0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.6.54/7544: #0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.8.53/7548: #0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 1 lock held by syz.1.55/7560: #0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1014 [inline] #0: ffff8881447b9190 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x1b8/0x8c0 drivers/usb/core/devio.c:1051 6 locks held by syz-executor/7563: #0: ffff88807ad2c420 (sb_writers#11){.+.+}-{0:0}, at: ksys_write+0x12f/0x260 fs/read_write.c:736 #1: ffff8880461aa088 (&of->mutex){+.+.}-{3:3}, at: kernfs_fop_write_iter+0x27b/0x500 fs/kernfs/file.c:325 #2: ffffffff8e20f448 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_lock include/linux/cgroup.h:368 [inline] #2: ffffffff8e20f448 (cgroup_mutex){+.+.}-{3:3}, at: cgroup_kn_lock_live+0x139/0x570 kernel/cgroup/cgroup.c:1662 #3: ffffffff8e05b950 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2435 [inline] #3: ffffffff8e05b950 (cpu_hotplug_lock){++++}-{0:0}, at: cgroup_procs_write_start+0x18f/0x660 kernel/cgroup/cgroup.c:2939 #4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2437 [inline] #4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_attach_lock kernel/cgroup/cgroup.c:2433 [inline] #4: ffffffff8e20f210 (cgroup_threadgroup_rwsem){++++}-{0:0}, at: cgroup_procs_write_start+0x19b/0x660 kernel/cgroup/cgroup.c:2939 #5: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: 
exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329 2 locks held by syz-executor/7582: #0: ffffffff8fee3ae8 ( rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672 #1: ffffffff8e1c3c38 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock+0x1a4/0x3b0 kernel/rcu/tree_exp.h:329 1 lock held by syz-executor/7590: #0: ffffffff8fee3ae8 (rtnl_mutex ){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] ){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672 1 lock held by syz-executor/7592: #0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672 1 lock held by syz-executor/7595: #0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:79 [inline] #0: ffffffff8fee3ae8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x372/0xea0 net/core/rtnetlink.c:6672 ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 nmi_cpu_backtrace+0x27b/0x390 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline] watchdog+0xf0c/0x1240 kernel/hung_task.c:379 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 11 Comm: kworker/u8:0 Not tainted 
6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Workqueue: events_unbound cfg80211_wiphy_work RIP: 0010:unwind_next_frame+0x4d0/0x20c0 arch/x86/kernel/unwind_orc.c:505 Code: e8 55 f1 ff ff 48 85 c0 48 89 c1 0f 84 13 fe ff ff 4c 8d 79 05 48 b8 00 00 00 00 00 fc ff df 4c 89 fa 48 c1 ea 03 0f b6 04 02 <4c> 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 d8 13 00 00 0f b6 41 05 RSP: 0018:ffffc90000106dc0 EFLAGS: 00000a06 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffffffff91996f1c RDX: 1ffffffff2332de4 RSI: 0000000000000000 RDI: ffffffff90dfb898 RBP: ffffc90000106e78 R08: ffffffff91996f52 R09: ffffffff9197603a R10: ffffc90000106e30 R11: 0000000000098df2 R12: ffffc90000106e80 R13: ffffc90000106e30 R14: ffffc90000106e65 R15: ffffffff91996f21 FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f272f508000 CR3: 000000000df7c000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <NMI> </NMI> <TASK> arch_stack_walk+0x95/0x100 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 __kasan_record_aux_stack+0xba/0xd0 mm/kasan/generic.c:541 kvfree_call_rcu+0x74/0xbe0 kernel/rcu/tree.c:3810 cfg80211_update_known_bss+0x3c0/0x11e0 net/wireless/scan.c:1891 __cfg80211_bss_update+0x1aa/0x2440 net/wireless/scan.c:1938 cfg80211_inform_single_bss_data+0x7af/0x1de0 net/wireless/scan.c:2329 cfg80211_inform_bss_data+0x205/0x3ba0 net/wireless/scan.c:3188 cfg80211_inform_bss_frame_data+0x271/0x7a0 net/wireless/scan.c:3283 ieee80211_bss_info_update+0x311/0xab0 net/mac80211/scan.c:226 ieee80211_rx_bss_info net/mac80211/ibss.c:1100 [inline] ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1579 [inline] 
ieee80211_ibss_rx_queued_mgmt+0x1898/0x2f40 net/mac80211/ibss.c:1606 ieee80211_iface_process_skb net/mac80211/iface.c:1603 [inline] ieee80211_iface_work+0xc0b/0xf00 net/mac80211/iface.c:1657 cfg80211_wiphy_work+0x3d9/0x550 net/wireless/core.c:440 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Tested on: commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=17d58f40580000 kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821 dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=149a0f40580000 ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot
` (6 preceding siblings ...)
2024-11-05 11:22 ` Edward Adam Davis
@ 2024-11-06 1:37 ` Edward Adam Davis
2024-11-06 2:02 ` syzbot
2024-11-06 2:15 ` [PATCH] usb: fix a " Edward Adam Davis
8 siblings, 1 reply; 21+ messages in thread
From: Edward Adam Davis @ 2024-11-06 1:37 UTC (permalink / raw)
To: syzbot+73582d08864d8268b6fd; +Cc: linux-kernel, syzkaller-bugs
1. snd ctrl will add card_dev ref count and can't call close to dec it, it is
waiting for 2 to release usb dev lock.
2. usb dev lock has been locked by hung task (here is usb_disconnect), it is
waiting for 1 to exit and release card_dev.
#syz test
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 3beb6a862e80..dd037dc4cb37 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -2605,7 +2605,8 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd, if (!(file->f_mode & FMODE_WRITE)) return -EPERM; - usb_lock_device(dev); + if (!usb_trylock_device(dev)) + return -EBUSY; /* Reap operations are allowed even after disconnection */ switch (cmd) {
^ permalink raw reply related [flat|nested] 21+ messages in thread
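Review bot: the new early return -EBUSY in usbdev_do_ioctl() sits directly above the switch whose comment says reap operations are allowed even after disconnection, so a reap ioctl issued while another task holds the device lock now fails instead of waiting for its turn. If the trylock is kept, the reap commands should stay on the blocking usb_lock_device() path; otherwise the wait should be resolved on the disconnect side rather than in the ioctl entry.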
* Re: [syzbot] [sound?] INFO: task hung in snd_card_free
2024-11-06 1:37 ` Edward Adam Davis
@ 2024-11-06 2:02 ` syzbot
0 siblings, 0 replies; 21+ messages in thread
From: syzbot @ 2024-11-06 2:02 UTC (permalink / raw)
To: eadavis, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
Tested-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
Tested on:
commit: 2e1b3cc9 Merge tag 'arm-fixes-6.12-2' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=11519d5f980000
kernel config: https://syzkaller.appspot.com/x/.config?x=2effb62852f5a821
dashboard link: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=10d24f40580000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 21+ messages in thread
* [PATCH] usb: fix a task hung in snd_card_free
2024-11-03 0:09 [syzbot] [sound?] INFO: task hung in snd_card_free syzbot
` (7 preceding siblings ...)
2024-11-06 1:37 ` Edward Adam Davis
@ 2024-11-06 2:15 ` Edward Adam Davis
2024-11-12 16:04 ` Takashi Iwai
8 siblings, 1 reply; 21+ messages in thread
From: Edward Adam Davis @ 2024-11-06 2:15 UTC (permalink / raw)
To: syzbot+73582d08864d8268b6fd
Cc: linux-kernel, linux-sound, perex, syzkaller-bugs, tiwai
task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
it is blocked waiting for task 2 to release the USB dev lock.

task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
it is hung waiting for task 1 to exit and release card_dev.

Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
hang when the USB connection is closed.

Reported-and-tested-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
drivers/usb/core/devio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 3beb6a862e80..dd037dc4cb37 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -2605,7 +2605,8 @@ static long usbdev_do_ioctl(struct file *file, unsigned int cmd, if (!(file->f_mode & FMODE_WRITE)) return -EPERM; - usb_lock_device(dev); + if (!usb_trylock_device(dev)) + return -EBUSY; /* Reap operations are allowed even after disconnection */ switch (cmd) {
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
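Review bot: the changelog scopes the non-blocking lock to the case where the USB connection is closed, but the if (!usb_trylock_device(dev)) return -EBUSY; added in usbdev_do_ioctl() triggers on any contention for the device lock, not only during disconnect. Every usbfs ioctl caller that used to sleep would now see -EBUSY, and the commit message does not mention that userspace-visible change. Either restrict the early return to the disconnect case or document the new error and why existing callers can cope with it.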
* Re: [PATCH] usb: fix a task hung in snd_card_free
2024-11-06 2:15 ` [PATCH] usb: fix a " Edward Adam Davis
@ 2024-11-12 16:04 ` Takashi Iwai
2024-11-13 1:48 ` Edward Adam Davis
0 siblings, 1 reply; 21+ messages in thread
From: Takashi Iwai @ 2024-11-12 16:04 UTC (permalink / raw)
To: Edward Adam Davis
Cc: syzbot+73582d08864d8268b6fd, linux-kernel, linux-sound, perex, syzkaller-bugs, tiwai
On Wed, 06 Nov 2024 03:15:49 +0100,
Edward Adam Davis wrote:
>
> task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
> it is blocked waiting for task 2 to release the USB dev lock.
>
> task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
> it is hung waiting for task 1 to exit and release card_dev.
>
> Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
> hang when the USB connection is closed.

I'm afraid that this change would break things too badly.
i.e. changing the blocking behavior to non-blocking is no-go.

> Reported-and-tested-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd

This particular syzkaller entry can be fixed rather by replacing
snd_card_free() in snd_usx2y_disconnect() with
snd_card_free_when_closed() like other USB audio drivers, something
like below.

Judging from the git log, it had been with snd_card_free_in_thread(),
but was switched to snd_card_free() around year 2005. Meanwhile the
handling of async card release got improved, and it's very likely OK
to use snd_card_free_when_closed() there with the recent kernel.

thanks,

Takashi

-- 8< --
--- a/sound/usb/usx2y/usbusx2y.c +++ b/sound/usb/usx2y/usbusx2y.c
@@ -422,7 +422,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) } if (usx2y->us428ctls_sharedmem) wake_up(&usx2y->us428ctls_wait_queue_head); - snd_card_free(card); + snd_card_free_when_closed(card); } static int snd_usx2y_probe(struct usb_interface *intf, ^ permalink raw reply [flat|nested] 21+ messages in thread
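Review bot: with snd_card_free_when_closed(card) in snd_usx2y_disconnect(), the handler returns while control or PCM handles may still be open, so everything reachable from those handles has to tolerate a disconnected USB device until the last close; the only preparation visible in this hunk is the wake_up() on us428ctls_wait_queue_head. The changelog should state which disconnected-state check the remaining file operations rely on, and since the change is posted inline it still needs a description and a Signed-off-by before it can be applied.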
* Re: [PATCH] usb: fix a task hung in snd_card_free
2024-11-12 16:04 ` Takashi Iwai
@ 2024-11-13 1:48 ` Edward Adam Davis
2024-11-13 6:48 ` Takashi Iwai
0 siblings, 1 reply; 21+ messages in thread
From: Edward Adam Davis @ 2024-11-13 1:48 UTC (permalink / raw)
To: tiwai
Cc: eadavis, linux-kernel, linux-sound, perex, syzbot+73582d08864d8268b6fd, syzkaller-bugs, tiwai
On Tue, 12 Nov 2024 17:04:04 +0100, Takashi Iwai wrote:
> On Wed, 06 Nov 2024 03:15:49 +0100,
> Edward Adam Davis wrote:
> >
> > task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
> > it is blocked waiting for task 2 to release the USB dev lock.
> >
> > task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
> > it is hung waiting for task 1 to exit and release card_dev.
> >
> > Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
> > hang when the USB connection is closed.
>
> I'm afraid that this change would break things too badly.
> i.e. changing the blocking behavior to non-blocking is no-go.
>
> > Reported-and-tested-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
>
> This particular syzkaller entry can be fixed rather by replacing
> snd_card_free() in snd_usx2y_disconnect() with
> snd_card_free_when_closed() like other USB audio drivers, something
> like below.
>
> Judging from the git log, it had been with snd_card_free_in_thread(),
> but was switched to snd_card_free() around year 2005. Meanwhile the
> handling of async card release got improved, and it's very likely OK
> to use snd_card_free_when_closed() there with the recent kernel.
The snd_card instance will be released in snd_card_do_free().
So, if snd_card_free_when_closed() is used to replace snd_card_free(), who will release the snd_card instance?

BR,
Edward
>
>
> thanks,
>
> Takashi
>
> -- 8< --
> --- a/sound/usb/usx2y/usbusx2y.c > +++ b/sound/usb/usx2y/usbusx2y.c
> @@ -422,7 +422,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) > } > if (usx2y->us428ctls_sharedmem) > wake_up(&usx2y->us428ctls_wait_queue_head); > - snd_card_free(card); > + snd_card_free_when_closed(card); > } > > static int snd_usx2y_probe(struct usb_interface *intf, ^ permalink raw reply [flat|nested] 21+ messages in thread
* Re: [PATCH] usb: fix a task hung in snd_card_free
2024-11-13 1:48 ` Edward Adam Davis
@ 2024-11-13 6:48 ` Takashi Iwai
0 siblings, 0 replies; 21+ messages in thread
From: Takashi Iwai @ 2024-11-13 6:48 UTC (permalink / raw)
To: Edward Adam Davis
Cc: tiwai, linux-kernel, linux-sound, perex, syzbot+73582d08864d8268b6fd, syzkaller-bugs, tiwai
On Wed, 13 Nov 2024 02:48:49 +0100,
Edward Adam Davis wrote:
>
> On Tue, 12 Nov 2024 17:04:04 +0100, Takashi Iwai wrote:
> > On Wed, 06 Nov 2024 03:15:49 +0100,
> > Edward Adam Davis wrote:
> > >
> > > task 1: snd ctrl will add card_dev ref count and can't call close to dec it,
> > > it is blocked waiting for task 2 to release the USB dev lock.
> > >
> > > task 2: usb dev lock has been locked by hung task (here is usb_disconnect),
> > > it is hung waiting for task 1 to exit and release card_dev.
> > >
> > > Adjust the USB lock acquisition method to non-blocking in ioctl to avoid
> > > hang when the USB connection is closed.
> >
> > I'm afraid that this change would break things too badly.
> > i.e. changing the blocking behavior to non-blocking is no-go.
> >
> > > Reported-and-tested-by: syzbot+73582d08864d8268b6fd@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=73582d08864d8268b6fd
> >
> > This particular syzkaller entry can be fixed rather by replacing
> > snd_card_free() in snd_usx2y_disconnect() with
> > snd_card_free_when_closed() like other USB audio drivers, something
> > like below.
> >
> > Judging from the git log, it had been with snd_card_free_in_thread(),
> > but was switched to snd_card_free() around year 2005. Meanwhile the
> > handling of async card release got improved, and it's very likely OK
> > to use snd_card_free_when_closed() there with the recent kernel.
> The snd_card instance will be released in snd_card_do_free().
> So, if snd_card_free_when_closed() is used to replace snd_card_free(), who will release the snd_card instance?

Via the release callback of the card device object, which is triggered
at the last close by refcounting.

Takashi

>
> BR,
> Edward
> >
> >
> > thanks,
> >
> > Takashi
> >
> > -- 8< --
> > --- a/sound/usb/usx2y/usbusx2y.c > > +++ b/sound/usb/usx2y/usbusx2y.c > > @@ -422,7 +422,7 @@ static void snd_usx2y_disconnect(struct usb_interface *intf) > > } > > if (usx2y->us428ctls_sharedmem) > > wake_up(&usx2y->us428ctls_wait_queue_head); > > - snd_card_free(card); > > + snd_card_free_when_closed(card); > > } > > > > static int snd_usx2y_probe(struct usb_interface *intf, > > ^ permalink raw reply [flat|nested] 21+ messages in thread
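The wait-for cycle described in this thread, and the effect of leaving the release to the last close, as an added userspace model in C. It is not kernel code and not from any poster; the state machine, the two task step functions and all names in it are assumptions made for illustration.

```c
/* Userspace model of the hang discussed in this thread; constructed for
 * illustration, not kernel code. All names below are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

struct model {
    int  card_refs;      /* card_dev refcount: driver ref + one open ctl fd */
    bool card_released;  /* the card device's release callback has run */
    bool dev_locked;     /* USB device lock held by the disconnect task */
    bool sync_free;      /* true: snd_card_free() style, false: ..._when_closed() */
    int  disc_pc;        /* program counter of the disconnect task */
    int  ctl_pc;         /* program counter of the task holding the ctl fd */
};

/* Dropping the last reference runs the release callback. */
static void card_put(struct model *m)
{
    if (--m->card_refs == 0)
        m->card_released = true;
}

/* Disconnect path: take the device lock, drop the driver's reference,
 * optionally wait for the release, then unlock. Returns true on progress. */
static bool step_disconnect(struct model *m)
{
    switch (m->disc_pc) {
    case 0: m->dev_locked = true; m->disc_pc = 1; return true;
    case 1: card_put(m); m->disc_pc = m->sync_free ? 2 : 3; return true;
    case 2: /* synchronous free: sleep until the card is released */
        if (!m->card_released)
            return false;
        m->disc_pc = 3;
        return true;
    case 3: m->dev_locked = false; m->disc_pc = 4; return true;
    default: return false;
    }
}

/* Task with the control fd open: it must get the device lock once before
 * it can reach close(), which drops its card reference. */
static bool step_ctl(struct model *m)
{
    switch (m->ctl_pc) {
    case 0: /* blocking lock attempt */
        if (m->dev_locked)
            return false;
        m->ctl_pc = 1;
        return true;
    case 1: card_put(m); m->ctl_pc = 2; return true;
    default: return false;
    }
}

/* Runs both tasks until neither can move. Returns true when both finished
 * and the card was released, false when they are stuck on each other. */
static bool run_scenario(bool sync_free)
{
    struct model m = { .card_refs = 2, .sync_free = sync_free };
    bool progress;

    step_disconnect(&m);            /* disconnect wins the race for the lock */
    do {
        progress = step_disconnect(&m);
        if (step_ctl(&m))
            progress = true;
    } while (progress);
    return m.disc_pc == 4 && m.ctl_pc == 2 && m.card_released;
}

int main(void)
{
    printf("synchronous free completes: %d\n", run_scenario(true));
    printf("free when closed completes: %d\n", run_scenario(false));
    return 0;
}
```

In the synchronous case the disconnect task sleeps at step 2 with the lock held, so neither task can move; in the deferred case the release happens in the control task's final card_put(), after disconnect has already unlocked.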