netdev.vger.kernel.org archive mirror
* [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3)
@ 2024-08-13  4:37 syzbot
  2024-08-13 10:56 ` Toke Høiland-Jørgensen
  2024-12-16 20:51 ` syzbot
  0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2024-08-13  4:37 UTC (permalink / raw)
  To: kvalo, linux-kernel, linux-wireless, netdev, syzkaller-bugs, toke

Hello,

syzbot found the following issue on:

HEAD commit:    eb5e56d14912 Merge tag 'platform-drivers-x86-v6.11-2' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=137edff9980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8a2eef9745ade09
dashboard link: https://syzkaller.appspot.com/bug?extid=e9b1ff41aa6a7ebf9640
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/a6552acb8476/disk-eb5e56d1.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5c0963cd33df/vmlinux-eb5e56d1.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7ba7283f6380/bzImage-eb5e56d1.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e9b1ff41aa6a7ebf9640@syzkaller.appspotmail.com

INFO: task kworker/0:7:5284 blocked for more than 143 seconds.
      Not tainted 6.11.0-rc2-syzkaller-00011-geb5e56d14912 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:7     state:D stack:13232 pid:5284  tgid:5284  ppid:2      flags:0x00004000
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5188 [inline]
 __schedule+0x1800/0x4a60 kernel/sched/core.c:6529
 __schedule_loop kernel/sched/core.c:6606 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6621
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6678
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1009 [inline]
 ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1163 [inline]
 ath9k_hif_usb_firmware_cb+0x34a/0x4b0 drivers/net/wireless/ath/ath9k/hif_usb.c:1296
 request_firmware_work_func+0x1a4/0x280 drivers/base/firmware_loader/main.c:1167
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task udevd:2711 blocked for more than 144 seconds.
      Not tainted 6.11.0-rc2-syzkaller-00011-geb5e56d14912 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:udevd           state:D stack:24864 pid:2711  tgid:2711  ppid:4679   flags:0x00000002
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5188 [inline]
 __schedule+0x1800/0x4a60 kernel/sched/core.c:6529
 __schedule_loop kernel/sched/core.c:6606 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6621
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6678
 __mutex_lock_common kernel/locking/mutex.c:684 [inline]
 __mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
 device_lock include/linux/device.h:1009 [inline]
 uevent_show+0x17d/0x340 drivers/base/core.c:2743
 dev_attr_show+0x55/0xc0 drivers/base/core.c:2437
 sysfs_kf_seq_show+0x331/0x4c0 fs/sysfs/file.c:59
 seq_read_iter+0x445/0xd60 fs/seq_file.c:230
 new_sync_read fs/read_write.c:395 [inline]
 vfs_read+0x9bd/0xbc0 fs/read_write.c:476
 ksys_read+0x1a0/0x2c0 fs/read_write.c:619
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa861574b6a
RSP: 002b:00007ffd4a139b78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00005608f0417730 RCX: 00007fa861574b6a
RDX: 0000000000001000 RSI: 00005608f0434930 RDI: 0000000000000008
RBP: 00005608f0417730 R08: 0000000000000008 R09: 0000000000000020
R10: 000000000000010f R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000003fff R14: 00007ffd4a13a058 R15: 000000000000000a
 </TASK>

Showing all locks held in the system:
1 lock held by khungtaskd/30:
 #0: ffffffff8e9382a0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:326 [inline]
 #0: ffffffff8e9382a0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:838 [inline]
 #0: ffffffff8e9382a0 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6620
2 locks held by getty/4986:
 #0: ffff88802b1460a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc900034b32f0 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6ac/0x1e00 drivers/tty/n_tty.c:2211
3 locks held by kworker/0:7/5284:
 #0: ffff888015880948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
 #0: ffff888015880948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
 #1: ffffc90004097d00 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
 #1: ffffc90004097d00 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
 #2: ffff888023f4b190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1009 [inline]
 #2: ffff888023f4b190 (&dev->mutex){....}-{3:3}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1163 [inline]
 #2: ffff888023f4b190 (&dev->mutex){....}-{3:3}, at: ath9k_hif_usb_firmware_cb+0x34a/0x4b0 drivers/net/wireless/ath/ath9k/hif_usb.c:1296
3 locks held by kworker/u8:12/7485:
 #0: ffff88802ad75948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
 #0: ffff88802ad75948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
 #1: ffffc900035a7d00 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
 #1: ffffc900035a7d00 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
 #2: ffffffff8fc81688 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xd0/0x16f0 net/ipv6/addrconf.c:4194
3 locks held by kworker/1:5/14520:
 #0: ffff888015880948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
 #0: ffff888015880948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
 #1: ffffc90003db7d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
 #1: ffffc90003db7d00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
 #2: ffffffff8fc81688 (rtnl_mutex){+.+.}-{3:3}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:276
3 locks held by kworker/0:0/22216:
 #0: ffff888015880948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3206 [inline]
 #0: ffff888015880948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x90a/0x1830 kernel/workqueue.c:3312
 #1: ffffc90003977d00 ((work_completion)(&(&devlink->rwork)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3207 [inline]
 #1: ffffc90003977d00 ((work_completion)(&(&devlink->rwork)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x945/0x1830 kernel/workqueue.c:3312
 #2: ffffffff8e93d678 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:328 [inline]
 #2: ffffffff8e93d678 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x451/0x830 kernel/rcu/tree_exp.h:958
5 locks held by kworker/1:4/1612:
1 lock held by syz.1.6316/1883:
4 locks held by udevd/2711:
 #0: ffff888074214e80 (&p->lock){+.+.}-{3:3}, at: seq_read_iter+0xb7/0xd60 fs/seq_file.c:182
 #1: ffff88802cf7a088 (&of->mutex#2){+.+.}-{3:3}, at: kernfs_seq_start+0x53/0x3b0 fs/kernfs/file.c:154
 #2: ffff88805dac6878 (kn->active#5){++++}-{0:0}, at: kernfs_seq_start+0x72/0x3b0 fs/kernfs/file.c:155
 #3: ffff888056d20190 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:1009 [inline]
 #3: ffff888056d20190 (&dev->mutex){....}-{3:3}, at: uevent_show+0x17d/0x340 drivers/base/core.c:2743
3 locks held by syz-executor/4016:
 #0: ffff88805bc68d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:481 [inline]
 #0: ffff88805bc68d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x203/0x510 net/bluetooth/hci_core.c:2692
 #1: ffff88805bc68078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x572/0x11a0 net/bluetooth/hci_sync.c:5131
 #2: ffffffff8fdecfa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1977 [inline]
 #2: ffffffff8fdecfa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xa6/0x240 net/bluetooth/hci_conn.c:2592
3 locks held by syz-executor/4137:
 #0: ffff88805b408d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:481 [inline]
 #0: ffff88805b408d80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x203/0x510 net/bluetooth/hci_core.c:2692
 #1: ffff88805b408078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x572/0x11a0 net/bluetooth/hci_sync.c:5131
 #2: ffffffff8fdecfa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1977 [inline]
 #2: ffffffff8fdecfa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xa6/0x240 net/bluetooth/hci_conn.c:2592
3 locks held by syz-executor/4253:
 #0: ffff88806a4bcd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_dev_do_close net/bluetooth/hci_core.c:481 [inline]
 #0: ffff88806a4bcd80 (&hdev->req_lock){+.+.}-{3:3}, at: hci_unregister_dev+0x203/0x510 net/bluetooth/hci_core.c:2692
 #1: ffff88806a4bc078 (&hdev->lock){+.+.}-{3:3}, at: hci_dev_close_sync+0x572/0x11a0 net/bluetooth/hci_sync.c:5131
 #2: ffffffff8fdecfa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_disconn_cfm include/net/bluetooth/hci_core.h:1977 [inline]
 #2: ffffffff8fdecfa8 (hci_cb_list_lock){+.+.}-{3:3}, at: hci_conn_hash_flush+0xa6/0x240 net/bluetooth/hci_conn.c:2592
1 lock held by syz.2.6861/4431:
 #0: ffffffff8fc81688 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline]
 #0: ffffffff8fc81688 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3e/0x1b0 drivers/net/tun.c:3510
1 lock held by syz.0.6862/4436:
 #0: ffffffff8fc81688 (rtnl_mutex){+.+.}-{3:3}, at: tun_detach drivers/net/tun.c:698 [inline]
 #0: ffffffff8fc81688 (rtnl_mutex){+.+.}-{3:3}, at: tun_chr_close+0x3e/0x1b0 drivers/net/tun.c:3510

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.11.0-rc2-syzkaller-00011-geb5e56d14912 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:93 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:223 [inline]
 watchdog+0xfee/0x1030 kernel/hung_task.c:379
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 7493 Comm: kworker/u8:17 Not tainted 6.11.0-rc2-syzkaller-00011-geb5e56d14912 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: events_unbound cfg80211_wiphy_work
RIP: 0010:unwind_next_frame+0x8ea/0x2a00 arch/x86/kernel/unwind_orc.c:517
Code: fd 04 0f 84 6c 01 00 00 83 fd 05 0f 85 ff 02 00 00 e8 ca 56 52 00 48 8b 44 24 58 42 80 3c 28 00 74 08 48 89 df e8 46 90 b9 00 <48> 8b 33 48 8b 54 24 18 48 8d 5a 01 48 89 d0 48 c1 e8 03 42 0f b6
RSP: 0018:ffffc90003ab7308 EFLAGS: 00000246
RAX: 1ffff92000756e83 RBX: ffffc90003ab7418 RCX: ffff88804523da00
RDX: 0000000000000000 RSI: ffffffff8e7a3d60 RDI: 0000000000000005
RBP: 0000000000000005 R08: 0000000000000005 R09: ffffffff81411f0e
R10: 0000000000000008 R11: ffff88804523da00 R12: ffffffff9030505c
R13: dffffc0000000000 R14: ffffc90003ab7430 R15: 1ffff92000756e7c
FS:  0000000000000000(0000) GS:ffff8880b9200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056487295a131 CR3: 000000000e734000 CR4: 00000000003506f0
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 arch_stack_walk+0x151/0x1b0 arch/x86/kernel/stacktrace.c:25
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2252 [inline]
 slab_free mm/slub.c:4473 [inline]
 kfree+0x149/0x360 mm/slub.c:4594
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1580 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x1b1e/0x2d70 net/mac80211/ibss.c:1606
 ieee80211_iface_process_skb net/mac80211/iface.c:1588 [inline]
 ieee80211_iface_work+0x8a5/0xf20 net/mac80211/iface.c:1642
 cfg80211_wiphy_work+0x2db/0x490 net/wireless/core.c:440
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup


* Re: [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3)
  2024-08-13  4:37 [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3) syzbot
@ 2024-08-13 10:56 ` Toke Høiland-Jørgensen
  2024-12-16 20:51 ` syzbot
  1 sibling, 0 replies; 7+ messages in thread
From: Toke Høiland-Jørgensen @ 2024-08-13 10:56 UTC (permalink / raw)
  To: syzbot, kvalo, linux-kernel, linux-wireless, netdev,
	syzkaller-bugs, Felix Fietkau

syzbot <syzbot+e9b1ff41aa6a7ebf9640@syzkaller.appspotmail.com> writes:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    eb5e56d14912 Merge tag 'platform-drivers-x86-v6.11-2' of g..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=137edff9980000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e8a2eef9745ade09
> dashboard link: https://syzkaller.appspot.com/bug?extid=e9b1ff41aa6a7ebf9640
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> Unfortunately, I don't have any reproducer for this issue yet.
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/a6552acb8476/disk-eb5e56d1.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/5c0963cd33df/vmlinux-eb5e56d1.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/7ba7283f6380/bzImage-eb5e56d1.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e9b1ff41aa6a7ebf9640@syzkaller.appspotmail.com
>
> INFO: task kworker/0:7:5284 blocked for more than 143 seconds.
>       Not tainted 6.11.0-rc2-syzkaller-00011-geb5e56d14912 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:7     state:D stack:13232 pid:5284  tgid:5284  ppid:2      flags:0x00004000
> Workqueue: events request_firmware_work_func
> Call Trace:
>  <TASK>
>  context_switch kernel/sched/core.c:5188 [inline]
>  __schedule+0x1800/0x4a60 kernel/sched/core.c:6529
>  __schedule_loop kernel/sched/core.c:6606 [inline]
>  schedule+0x14b/0x320 kernel/sched/core.c:6621
>  schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6678
>  __mutex_lock_common kernel/locking/mutex.c:684 [inline]
>  __mutex_lock+0x6a4/0xd70 kernel/locking/mutex.c:752
>  device_lock include/linux/device.h:1009 [inline]
>  ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1163 [inline]
>  ath9k_hif_usb_firmware_cb+0x34a/0x4b0 drivers/net/wireless/ath/ath9k/hif_usb.c:1296

Ugh. Okay, so ath9k_hif_usb_firmware_cb can recursively call another
firmware request, and if that fails (because it runs out of firmware
names to try), it will do a device_release_driver() from within the
firmware callback. Which takes a lock, and seems to deadlock.

It does seem odd to try to do an asynchronous driver release from within
a callback like this, so I'm not surprised that it deadlocks, really.
The question is whether this has ever worked - does anyone know?

Also, ath9k_htc_probe_device() has wait_for_target logic that depends on
speaking to the firmware; and it seems to tear everything down if that
fails. So my immediate thought is that we could just get rid of the
device_release_driver() from the firmware callback entirely, and just
rely on that timeout to tear things down. However, I am not well-versed
enough in the USB probe and device setup logic, so I am not sure if
there is any reason that wouldn't be enough. Anyone with a better grip
on these things care to chime in? :)

-Toke

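The pattern Toke describes above, as an added userspace model (this is not code from the thread or from the ath9k driver): a firmware-request callback that calls device_release_driver(), and so device_lock(), from inside the callback, next to the variant he suggests, where the callback only signals completion and leaves tear-down to the path that already owns the lock. The model assumes, and the report does not state this, that the disconnect path holds the device lock while it waits for the outstanding firmware request to finish; "device_lock", "fw_done", "release_from_callback" and "run_scenario" are names of the model, not kernel symbols. In the kernel the blocked device_lock() would hang forever (the hung task in the report); the model gives up after a short trylock budget so it can report EBUSY instead.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Model only: a pthread mutex stands in for dev->mutex, a flag for the
 * fw_done completion. ASSUMPTION: disconnect holds device_lock while it
 * waits for the firmware request to complete. */
#define TRYLOCK_BUDGET_MS 200   /* real device_lock() would block forever */
#define CB_NEVER_TRIED    (-1)  /* callback did not touch device_lock */

struct model_dev {
	pthread_mutex_t device_lock;      /* stands in for device_lock(dev) */
	pthread_mutex_t state_lock;       /* guards the flags below */
	pthread_cond_t  state_cv;
	bool teardown_has_lock;           /* disconnect owns device_lock */
	bool fw_done;                     /* stands in for complete_all(&fw_done) */
	bool release_from_callback;       /* true = buggy variant */
	int  callback_lock_err;           /* CB_NEVER_TRIED, 0 (got it) or EBUSY */
	bool driver_released;
};

static void sleep_ms(long ms)
{
	struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
	nanosleep(&ts, NULL);
}

/* Stands in for device_release_driver(): caller must hold device_lock. */
static void model_release_driver(struct model_dev *d) { d->driver_released = true; }

/* Firmware-request completion, as run from request_firmware_work_func. */
static void *fw_callback(void *arg)
{
	struct model_dev *d = arg;
	int err = CB_NEVER_TRIED;

	/* Line up the race: proceed only once disconnect owns device_lock. */
	pthread_mutex_lock(&d->state_lock);
	while (!d->teardown_has_lock)
		pthread_cond_wait(&d->state_cv, &d->state_lock);
	pthread_mutex_unlock(&d->state_lock);

	if (d->release_from_callback) {
		/* Buggy variant: last firmware name failed, release the driver from
		 * inside the callback. That needs device_lock, whose owner is
		 * waiting for this callback, so it can never succeed. */
		for (long waited = 0; waited < TRYLOCK_BUDGET_MS; waited += 10) {
			err = pthread_mutex_trylock(&d->device_lock);
			if (err == 0)
				break;
			sleep_ms(10);
		}
		if (err == 0) {
			model_release_driver(d);
			pthread_mutex_unlock(&d->device_lock);
		}
	}
	d->callback_lock_err = err;

	/* Fixed variant (and the buggy one once it gives up): only signal done. */
	pthread_mutex_lock(&d->state_lock);
	d->fw_done = true;
	pthread_cond_broadcast(&d->state_cv);
	pthread_mutex_unlock(&d->state_lock);
	return NULL;
}

/* Disconnect path: holds device_lock across the wait for the firmware request. */
static void *disconnect(void *arg)
{
	struct model_dev *d = arg;

	pthread_mutex_lock(&d->device_lock);
	pthread_mutex_lock(&d->state_lock);
	d->teardown_has_lock = true;
	pthread_cond_broadcast(&d->state_cv);
	while (!d->fw_done)                  /* wait_for_completion(&fw_done) */
		pthread_cond_wait(&d->state_cv, &d->state_lock);
	pthread_mutex_unlock(&d->state_lock);

	if (!d->driver_released)
		model_release_driver(d);         /* the lock owner tears down */
	pthread_mutex_unlock(&d->device_lock);
	return NULL;
}

/* Runs one variant; returns what the callback saw when it tried device_lock. */
int run_scenario(bool release_from_callback, bool *driver_released)
{
	struct model_dev d = { .release_from_callback = release_from_callback,
			       .callback_lock_err = CB_NEVER_TRIED };
	pthread_t t_disc, t_cb;

	pthread_mutex_init(&d.device_lock, NULL);
	pthread_mutex_init(&d.state_lock, NULL);
	pthread_cond_init(&d.state_cv, NULL);
	pthread_create(&t_disc, NULL, disconnect, &d);
	pthread_create(&t_cb, NULL, fw_callback, &d);
	pthread_join(t_cb, NULL);
	pthread_join(t_disc, NULL);
	pthread_cond_destroy(&d.state_cv);
	pthread_mutex_destroy(&d.state_lock);
	pthread_mutex_destroy(&d.device_lock);
	if (driver_released)
		*driver_released = d.driver_released;
	return d.callback_lock_err;
}

int main(void)
{
	bool released;
	int err = run_scenario(true, &released);
	printf("release from callback: device_lock %s; released by lock owner: %s\n",
	       err == EBUSY ? "stuck (EBUSY)" : "acquired", released ? "yes" : "no");
	err = run_scenario(false, &released);
	printf("signal only: callback result %d (never took device_lock); released: %s\n",
	       err, released ? "yes" : "no");
	return 0;
}
```

Build with the usual pthread flags (e.g. gcc -pthread). The first run shows the callback spinning on EBUSY until its budget runs out, which is the shape of the hung task in the report; the second shows that once the callback restricts itself to signalling completion, the path that holds device_lock finishes tear-down on its own, which is what relying on the probe timeout rather than device_release_driver() in the callback amounts to.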

* Re: [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3)
  2024-08-13  4:37 [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3) syzbot
  2024-08-13 10:56 ` Toke Høiland-Jørgensen
@ 2024-12-16 20:51 ` syzbot
  2025-01-03 17:38   ` Toke Høiland-Jørgensen
  2025-01-05 20:25   ` Toke Høiland-Jørgensen
  1 sibling, 2 replies; 7+ messages in thread
From: syzbot @ 2024-12-16 20:51 UTC (permalink / raw)
  To: kvalo, linux-kernel, linux-wireless, nbd, netdev, syzkaller-bugs,
	toke

syzbot has found a reproducer for the following issue on:

HEAD commit:    78d4f34e2115 Linux 6.13-rc3
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10d10b44580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=6c532525a32eb57d
dashboard link: https://syzkaller.appspot.com/bug?extid=e9b1ff41aa6a7ebf9640
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=166cb4f8580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/297b40bb0993/disk-78d4f34e.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/e3ec807b99e0/vmlinux-78d4f34e.xz
kernel image: https://storage.googleapis.com/syzbot-assets/226a54b87ab2/bzImage-78d4f34e.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+e9b1ff41aa6a7ebf9640@syzkaller.appspotmail.com

INFO: task kworker/0:0:8 blocked for more than 143 seconds.
      Not tainted 6.13.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:0     state:D stack:23832 pid:8     tgid:8     ppid:2      flags:0x00004000
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5369 [inline]
 __schedule+0x1850/0x4c30 kernel/sched/core.c:6756
 __schedule_loop kernel/sched/core.c:6833 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6848
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6905
 __mutex_lock_common kernel/locking/mutex.c:665 [inline]
 __mutex_lock+0x7e7/0xee0 kernel/locking/mutex.c:735
 device_lock include/linux/device.h:1014 [inline]
 ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
 ath9k_hif_usb_firmware_cb+0x34a/0x4b0 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
 request_firmware_work_func+0x1a6/0x280 drivers/base/firmware_loader/main.c:1196
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa68/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
INFO: task kworker/0:5:6041 blocked for more than 143 seconds.
      Not tainted 6.13.0-rc3-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:5     state:D stack:23856 pid:6041  tgid:6041  ppid:2      flags:0x00004000
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5369 [inline]
 __schedule+0x1850/0x4c30 kernel/sched/core.c:6756
 __schedule_loop kernel/sched/core.c:6833 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6848
 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6905
 __mutex_lock_common kernel/locking/mutex.c:665 [inline]
 __mutex_lock+0x7e7/0xee0 kernel/locking/mutex.c:735
 device_lock include/linux/device.h:1014 [inline]
 ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
 ath9k_hif_usb_firmware_cb+0x34a/0x4b0 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
 request_firmware_work_func+0x1a6/0x280 drivers/base/firmware_loader/main.c:1196
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa68/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Showing all locks held in the system:
3 locks held by kworker/0:0/8:
 #0: ffff88801ac78948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801ac78948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
 #1: ffffc900000d7d00 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc900000d7d00 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
 #2: ffff888144f05190 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff888144f05190 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
 #2: ffff888144f05190 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x34a/0x4b0 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
4 locks held by kworker/1:0/25:
1 lock held by khungtaskd/30:
 #0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
 #0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:849 [inline]
 #0: ffffffff8e937ae0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x55/0x2a0 kernel/locking/lockdep.c:6744
3 locks held by kworker/u8:2/35:
 #0: ffff88814d7b6948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88814d7b6948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
 #1: ffffc90000ab7d00 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc90000ab7d00 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
 #2: ffffffff8fcb2848 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_dad_work+0xd0/0x16f0 net/ipv6/addrconf.c:4215
3 locks held by kworker/1:1/46:
3 locks held by kworker/u8:3/47:
4 locks held by kworker/u8:7/3543:
 #0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801baed948 ((wq_completion)netns){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
 #1: ffffc9000d297d00 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc9000d297d00 (net_cleanup_work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
 #2: ffffffff8fca6390 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0x16a/0xd50 net/core/net_namespace.c:602
 #3: ffff8880304214e8 (&wg->device_update_lock){+.+.}-{4:4}, at: wg_destruct+0x110/0x2e0 drivers/net/wireguard/device.c:249
2 locks held by getty/5582:
 #0: ffff8880317de0a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x25/0x70 drivers/tty/tty_ldisc.c:243
 #1: ffffc90002fde2f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x6a6/0x1e00 drivers/tty/n_tty.c:2211
5 locks held by kworker/1:5/6014:
3 locks held by kworker/1:6/6029:
3 locks held by kworker/0:5/6041:
 #0: ffff88801ac78948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801ac78948 ((wq_completion)events){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
 #1: ffffc90003417d00 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc90003417d00 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
 #2: ffff88814532e190 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff88814532e190 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_fail drivers/net/wireless/ath/ath9k/hif_usb.c:1161 [inline]
 #2: ffff88814532e190 (&dev->mutex){....}-{4:4}, at: ath9k_hif_usb_firmware_cb+0x34a/0x4b0 drivers/net/wireless/ath/ath9k/hif_usb.c:1294
5 locks held by kworker/0:7/6074:
 #0: ffff88801e285148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801e285148 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
 #1: ffffc90003537d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc90003537d00 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
 #2: ffff888145346190 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:1014 [inline]
 #2: ffff888145346190 (&dev->mutex){....}-{4:4}, at: hub_event+0x1fe/0x5150 drivers/usb/core/hub.c:5849
 #3: ffff88805b53c190 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:1014 [inline]
 #3: ffff88805b53c190 (&dev->mutex){....}-{4:4}, at: usb_disconnect+0x103/0x950 drivers/usb/core/hub.c:2295
 #4: ffff8880606b3160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff8880606b3160 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
 #4: ffff8880606b3160 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
2 locks held by kworker/1:8/6083:
2 locks held by kworker/1:10/6095:
3 locks held by kworker/1:11/6098:
3 locks held by kworker/u8:12/6337:
 #0: ffff88801ac81148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3204 [inline]
 #0: ffff88801ac81148 ((wq_completion)events_unbound){+.+.}-{0:0}, at: process_scheduled_works+0x93b/0x1840 kernel/workqueue.c:3310
 #1: ffffc9000415fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work kernel/workqueue.c:3205 [inline]
 #1: ffffc9000415fd00 ((linkwatch_work).work){+.+.}-{0:0}, at: process_scheduled_works+0x976/0x1840 kernel/workqueue.c:3310
 #2: ffffffff8fcb2848 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0xe/0x60 net/core/link_watch.c:281
4 locks held by syz-executor/6344:
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2964 [inline]
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x225/0xd30 fs/read_write.c:675
 #1: ffff888027074c88 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
 #2: ffff8880275f2e18 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
 #3: ffffffff8f55e628 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
4 locks held by syz-executor/6350:
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2964 [inline]
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x225/0xd30 fs/read_write.c:675
 #1: ffff88809451fc88 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
 #2: ffff8880275f2d28 (kn->active#56){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
 #3: ffffffff8f55e628 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: new_device_store+0x1b4/0x890 drivers/net/netdevsim/bus.c:166
1 lock held by syz-executor/6351:
 #0: ffffffff8fcb2848 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:79 [inline]
 #0: ffffffff8fcb2848 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:326 [inline]
 #0: ffffffff8fcb2848 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0xbcb/0x2150 net/core/rtnetlink.c:4010
4 locks held by syz-executor/6355:
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2964 [inline]
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x225/0xd30 fs/read_write.c:675
 #1: ffff88807bd80088 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
 #2: ffff8880275f2e18 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
 #3: ffffffff8f55e628 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
4 locks held by syz-executor/6357:
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2964 [inline]
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x225/0xd30 fs/read_write.c:675
 #1: ffff8880a018b888 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
 #2: ffff8880275f2e18 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
 #3: ffffffff8f55e628 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
8 locks held by syz-executor/6371:
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2964 [inline]
 #0: ffff8880240f8420 (sb_writers#8){.+.+}-{0:0}, at: vfs_write+0x225/0xd30 fs/read_write.c:675
 #1: ffff8880926f3888 (&of->mutex){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x1ea/0x500 fs/kernfs/file.c:325
 #2: ffff8880275f2e18 (kn->active#55){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x20e/0x500 fs/kernfs/file.c:326
 #3: ffffffff8f55e628 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xfc/0x480 drivers/net/netdevsim/bus.c:216
 #4: ffff8880755860e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:1014 [inline]
 #4: ffff8880755860e8 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1095 [inline]
 #4: ffff8880755860e8 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xce/0x7c0 drivers/base/dd.c:1293
 #5: ffff888075587250 (&devlink->lock_key#2){+.+.}-{4:4}, at: nsim_drv_remove+0x50/0x160 drivers/net/netdevsim/dev.c:1675
 #6: ffffffff8fcb2848 (rtnl_mutex){+.+.}-{4:4}, at: nsim_destroy+0x71/0x5c0 drivers/net/netdevsim/netdev.c:816
 #7: ffffffff8e93cff8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock kernel/rcu/tree_exp.h:297 [inline]
 #7: ffffffff8e93cff8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: synchronize_rcu_expedited+0x381/0x830 kernel/rcu/tree_exp.h:976

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted 6.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 nmi_cpu_backtrace+0x49c/0x4d0 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x198/0x320 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:162 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:234 [inline]
 watchdog+0xff6/0x1040 kernel/hung_task.c:397
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 6029 Comm: kworker/1:6 Not tainted 6.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Workqueue: events_power_efficient neigh_periodic_work
RIP: 0010:unwind_next_frame+0x37/0x22d0 arch/x86/kernel/unwind_orc.c:470
Code: 53 48 81 ec 98 00 00 00 49 89 fd 49 bc 00 00 00 00 00 fc ff df 48 8d 5f 48 48 89 d8 48 c1 e8 03 48 89 44 24 30 42 80 3c 20 00 <74> 08 48 89 df e8 df 33 ba 00 48 89 5c 24 18 4d 8b 75 48 49 8d 6d
RSP: 0018:ffffc90000a183f0 EFLAGS: 00000046
RAX: 1ffff920001430ad RBX: ffffc90000a18568 RCX: 0000000000000002
RDX: dffffc0000000000 RSI: ffffffff8e19e0e4 RDI: ffffc90000a18520
RBP: 1ffff920001430a5 R08: ffffc90000a18500 R09: ffffc90000a18520
R10: dffffc0000000000 R11: fffff520001430b0 R12: dffffc0000000000
R13: ffffc90000a18520 R14: ffffc90000a18520 R15: ffffc90000a18528
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2f35ffff CR3: 000000000e736000 CR4: 0000000000350ef0
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 __unwind_start+0x59a/0x740 arch/x86/kernel/unwind_orc.c:760
 unwind_start arch/x86/include/asm/unwind.h:64 [inline]
 arch_stack_walk+0xe5/0x150 arch/x86/kernel/stacktrace.c:24
 stack_trace_save+0x118/0x1d0 kernel/stacktrace.c:122
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x196/0x430 mm/slub.c:4761
 dummy_timer+0x7f4/0x4620 drivers/usb/gadget/udc/dummy_hcd.c:1987
 __run_hrtimer kernel/time/hrtimer.c:1739 [inline]
 __hrtimer_run_queues+0x59d/0xd30 kernel/time/hrtimer.c:1803
 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1820
 handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:should_resched arch/x86/include/asm/preempt.h:103 [inline]
RIP: 0010:__local_bh_enable_ip+0x170/0x200 kernel/softirq.c:396
Code: 8c e8 94 c3 66 0a 65 66 8b 05 34 11 a2 7e 66 85 c0 75 5d bf 01 00 00 00 e8 5d bd 0b 00 e8 c8 78 45 00 fb 65 8b 05 f8 10 a2 7e <85> c0 75 05 e8 77 82 a8 ff 48 c7 44 24 20 0e 36 e0 45 49 c7 04 1c
RSP: 0018:ffffc90003437a80 EFLAGS: 00000282
RAX: 0000000080000000 RBX: 1ffff92000686f54 RCX: ffffffff817b275a
RDX: dffffc0000000000 RSI: ffffffff8c0a96c0 RDI: ffffffff8c5faaa0
RBP: ffffc90003437b28 R08: ffffffff942a1927 R09: 1ffffffff2854324
R10: dffffc0000000000 R11: fffffbfff2854325 R12: dffffc0000000000
R13: 1ffff92000686f58 R14: ffffc90003437ac0 R15: 0000000000000201
 neigh_periodic_work+0xbcb/0xde0 net/core/neighbour.c:968
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa68/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.


* Re: [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3)
  2024-12-16 20:51 ` syzbot
@ 2025-01-03 17:38   ` Toke Høiland-Jørgensen
  2025-01-03 18:12     ` syzbot
  2025-01-05 20:25   ` Toke Høiland-Jørgensen
  1 sibling, 1 reply; 7+ messages in thread
From: Toke Høiland-Jørgensen @ 2025-01-03 17:38 UTC (permalink / raw)
  To: syzbot, kvalo, linux-kernel, linux-wireless, nbd, netdev,
	syzkaller-bugs

#syz test

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index fe9abe8cd268..8d18043ebdbe 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1152,18 +1152,7 @@ static void ath9k_hif_usb_dev_deinit(struct hif_device_usb *hif_dev)
  */
 static void ath9k_hif_usb_firmware_fail(struct hif_device_usb *hif_dev)
 {
-	struct device *dev = &hif_dev->udev->dev;
-	struct device *parent = dev->parent;
-
 	complete_all(&hif_dev->fw_done);
-
-	if (parent)
-		device_lock(parent);
-
-	device_release_driver(dev);
-
-	if (parent)
-		device_unlock(parent);
 }
 
 static void ath9k_hif_usb_firmware_cb(const struct firmware *fw, void *context);
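Review bot: dropping device_release_driver(dev) together with the parent lock leaves the driver bound to a device whose firmware load failed, so after complete_all(&hif_dev->fw_done) nothing tears the device down or stops its URB traffic; the syzbot run on this patch shows exactly that, with ath9k_hif_usb_reg_in_cb resubmitting via usb_submit_urb from the dummy_hcd hrtimer softirq until RCU reports a stall in worker_thread. If the intent is only to avoid taking the parent device lock from the firmware callback (the request_firmware work context the original hung-task report was blocked in), keep the unbind and move it to a context that does not hold that lock chain rather than removing it. The comment block that closes with `*/` at the top of this hunk should also be updated, since it presumably documents the locking being removed here.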


* Re: [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3)
  2025-01-03 17:38   ` Toke Høiland-Jørgensen
@ 2025-01-03 18:12     ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2025-01-03 18:12 UTC (permalink / raw)
  To: kvalo, linux-kernel, linux-wireless, nbd, netdev, syzkaller-bugs,
	toke

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
INFO: rcu detected stall in worker_thread

rcu: INFO: rcu_preempt detected stalls on CPUs/tasks:
rcu: 	(detected by 0, t=10502 jiffies, g=17573, q=329 ncpus=2)
rcu: All QSes seen, last rcu_preempt kthread activity 10486 (4294966972-4294956486), jiffies_till_next_fqs=1, root ->qsmask 0x0
rcu: rcu_preempt kthread starved for 10486 jiffies! g17573 f0x2 RCU_GP_WAIT_FQS(5) ->state=0x0 ->cpu=1
rcu: 	Unless rcu_preempt kthread gets sufficient CPU time, OOM is now expected behavior.
rcu: RCU grace-period kthread stack dump:
task:rcu_preempt     state:R  running task     stack:26264 pid:17    tgid:17    ppid:2      flags:0x00004000
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5369 [inline]
 __schedule+0x1850/0x4c30 kernel/sched/core.c:6756
 __schedule_loop kernel/sched/core.c:6833 [inline]
 schedule+0x14b/0x320 kernel/sched/core.c:6848
 schedule_timeout+0x15a/0x290 kernel/time/sleep_timeout.c:99
 rcu_gp_fqs_loop+0x2df/0x1330 kernel/rcu/tree.c:2045
 rcu_gp_kthread+0xa7/0x3b0 kernel/rcu/tree.c:2247
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
rcu: Stack dump where RCU GP kthread last ran:
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 5932 Comm: kworker/1:5 Not tainted 6.13.0-rc5-syzkaller-g0bc21e701a6f-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events_power_efficient neigh_periodic_work
RIP: 0010:usb_pipe_endpoint include/linux/usb.h:2009 [inline]
RIP: 0010:usb_submit_urb+0x16c/0x1930 drivers/usb/core/urb.c:391
Code: f3 0f 85 d6 10 00 00 48 89 6c 24 38 44 8b 75 00 31 ed 44 89 f6 81 e6 80 00 00 00 40 0f 94 c5 31 ff e8 08 fc 5d fa 48 c1 e5 07 <48> 03 6c 24 20 4c 89 f0 48 c1 e8 0c 83 e0 78 48 8d ac 28 40 05 00
RSP: 0018:ffffc90000a18790 EFLAGS: 00000056
RAX: 0000000000000100 RBX: dffffc0000000000 RCX: ffff88807cb18000
RDX: ffff88807cb18000 RSI: 0000000000000080 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffff87417c18 R09: 1ffff1100660c25f
R10: dffffc0000000000 R11: ffffed100660c260 R12: 1ffff11029ad3803
R13: ffff88807436ae00 R14: 0000000040018280 R15: ffff88814d69c018
FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d05ffff CR3: 0000000074124000 CR4: 0000000000350ef0
Call Trace:
 <NMI>
 </NMI>
 <IRQ>
 ath9k_hif_usb_reg_in_cb+0x4ce/0x6e0 drivers/net/wireless/ath/ath9k/hif_usb.c:790
 __usb_hcd_giveback_urb+0x42e/0x6e0 drivers/usb/core/hcd.c:1650
 dummy_timer+0x856/0x4620 drivers/usb/gadget/udc/dummy_hcd.c:1993
 __run_hrtimer kernel/time/hrtimer.c:1739 [inline]
 __hrtimer_run_queues+0x59d/0xd30 kernel/time/hrtimer.c:1803
 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1820
 handle_softirqs+0x2d6/0x9b0 kernel/softirq.c:561
 __do_softirq kernel/softirq.c:595 [inline]
 invoke_softirq kernel/softirq.c:435 [inline]
 __irq_exit_rcu+0xf7/0x220 kernel/softirq.c:662
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:678
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1049
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:should_resched arch/x86/include/asm/preempt.h:103 [inline]
RIP: 0010:__local_bh_enable_ip+0x170/0x200 kernel/softirq.c:396
Code: 8c e8 e4 03 67 0a 65 66 8b 05 f4 10 a2 7e 66 85 c0 75 5d bf 01 00 00 00 e8 1d bd 0b 00 e8 c8 68 45 00 fb 65 8b 05 b8 10 a2 7e <85> c0 75 05 e8 37 82 a8 ff 48 c7 44 24 20 0e 36 e0 45 49 c7 04 1c
RSP: 0018:ffffc900041dfa80 EFLAGS: 00000282
RAX: 0000000080000000 RBX: 1ffff9200083bf54 RCX: ffffffff817b274a
RDX: dffffc0000000000 RSI: ffffffff8c0a98e0 RDI: ffffffff8c5fb0e0
RBP: ffffc900041dfb28 R08: ffffffff942a494f R09: 1ffffffff2854929
R10: dffffc0000000000 R11: fffffbfff285492a R12: dffffc0000000000
R13: 1ffff9200083bf58 R14: ffffc900041dfac0 R15: 0000000000000201
 neigh_periodic_work+0xbcb/0xde0 net/core/neighbour.c:968
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa68/0x1840 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f2/0x390 kernel/kthread.c:389
 ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


Tested on:

commit:         0bc21e70 MAINTAINERS: Remove Olof from SoC maintainers
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16c156c4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1c541fa8af5c9cc7
dashboard link: https://syzkaller.appspot.com/bug?extid=e9b1ff41aa6a7ebf9640
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=158b0edf980000



* Re: [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3)
  2024-12-16 20:51 ` syzbot
  2025-01-03 17:38   ` Toke Høiland-Jørgensen
@ 2025-01-05 20:25   ` Toke Høiland-Jørgensen
  2025-01-06  5:12     ` syzbot
  1 sibling, 1 reply; 7+ messages in thread
From: Toke Høiland-Jørgensen @ 2025-01-05 20:25 UTC (permalink / raw)
  To: syzbot, kvalo, linux-kernel, linux-wireless, nbd, netdev,
	syzkaller-bugs

syzbot <syzbot+e9b1ff41aa6a7ebf9640@syzkaller.appspotmail.com> writes:

> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    78d4f34e2115 Linux 6.13-rc3
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=10d10b44580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=6c532525a32eb57d
> dashboard link: https://syzkaller.appspot.com/bug?extid=e9b1ff41aa6a7ebf9640
> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=166cb4f8580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/297b40bb0993/disk-78d4f34e.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/e3ec807b99e0/vmlinux-78d4f34e.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/226a54b87ab2/bzImage-78d4f34e.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e9b1ff41aa6a7ebf9640@syzkaller.appspotmail.com

#syz test

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index fe9abe8cd268..1cdc723fe4f5 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1153,17 +1153,9 @@ static void ath9k_hif_usb_dev_deinit(struct hif_device_usb *hif_dev)
 static void ath9k_hif_usb_firmware_fail(struct hif_device_usb *hif_dev)
 {
 	struct device *dev = &hif_dev->udev->dev;
-	struct device *parent = dev->parent;
 
 	complete_all(&hif_dev->fw_done);
-
-	if (parent)
-		device_lock(parent);
-
 	device_release_driver(dev);
-
-	if (parent)
-		device_unlock(parent);
 }
 
 static void ath9k_hif_usb_firmware_cb(const struct firmware *fw, void *context);
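Review bot: device_release_driver(dev) is now called with no device_lock(parent) around it, and nothing in the hunk or in the (empty) commit message says why the parent lock the removed lines deliberately took is no longer needed; that justification belongs in the commit message, and the comment block closing at line 1152 just above this function (visible as context in the earlier patch) needs the same update. Note also that the syzbot result for this patch is a boot-time WARNING in enable_work() reached from vmstat_cpu_online during CPU bring-up (cpuhp/1) on the 6.13-rc6 -dirty tree, well before any USB device is probed, so it says nothing about this hunk either way; it needs a retest on a base where that warning is already fixed before the locking change can be judged.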


* Re: [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3)
  2025-01-05 20:25   ` Toke Høiland-Jørgensen
@ 2025-01-06  5:12     ` syzbot
  0 siblings, 0 replies; 7+ messages in thread
From: syzbot @ 2025-01-06  5:12 UTC (permalink / raw)
  To: kvalo, linux-kernel, linux-wireless, nbd, netdev, syzkaller-bugs,
	toke

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

s enabled.
[    1.190003][    T0] rcu: 	RCU debug extended QS entry/exit.
[    1.190988][    T0] 	All grace periods are expedited (rcu_expedited).
[    1.191939][    T0] 	Trampoline variant of Tasks RCU enabled.
[    1.192694][    T0] 	Tracing variant of Tasks RCU enabled.
[    1.193396][    T0] rcu: RCU calculated value of scheduler-enlistment delay is 10 jiffies.
[    1.194479][    T0] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=2
[    1.195538][    T0] Running RCU synchronous self tests
[    1.196263][    T0] RCU Tasks: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
[    1.197551][    T0] RCU Tasks Trace: Setting shift to 1 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=2.
[    1.275546][    T0] NR_IRQS: 4352, nr_irqs: 440, preallocated irqs: 16
[    1.277185][    T0] rcu: srcu_init: Setting srcu_struct sizes based on contention.
[    1.278480][    T0] kfence: initialized - using 2097152 bytes for 255 objects at 0xffff88823be00000-0xffff88823c000000
[    1.280693][    T0] Console: colour VGA+ 80x25
[    1.281394][    T0] printk: legacy console [ttyS0] enabled
[    1.281394][    T0] printk: legacy console [ttyS0] enabled
[    1.282994][    T0] printk: legacy bootconsole [earlyser0] disabled
[    1.282994][    T0] printk: legacy bootconsole [earlyser0] disabled
[    1.284703][    T0] Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar
[    1.285830][    T0] ... MAX_LOCKDEP_SUBCLASSES:  8
[    1.286485][    T0] ... MAX_LOCK_DEPTH:          48
[    1.287197][    T0] ... MAX_LOCKDEP_KEYS:        8192
[    1.287919][    T0] ... CLASSHASH_SIZE:          4096
[    1.288630][    T0] ... MAX_LOCKDEP_ENTRIES:     1048576
[    1.289352][    T0] ... MAX_LOCKDEP_CHAINS:      1048576
[    1.290119][    T0] ... CHAINHASH_SIZE:          524288
[    1.290963][    T0]  memory used by lock dependency info: 106625 kB
[    1.291807][    T0]  memory used for stack traces: 8320 kB
[    1.292562][    T0]  per task-struct memory footprint: 1920 bytes
[    1.293542][    T0] mempolicy: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl
[    1.295195][    T0] ACPI: Core revision 20240827
[    1.296401][    T0] APIC: Switch to symmetric I/O mode setup
[    1.297557][    T0] x2apic enabled
[    1.300642][    T0] APIC: Switched APIC routing to: physical x2apic
[    1.305247][    T0] ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1
[    1.306357][    T0] clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x2350b6af5f8, max_idle_ns: 440795252949 ns
[    1.308110][    T0] Calibrating delay loop (skipped) preset value.. 4899.99 BogoMIPS (lpj=24499980)
[    1.309487][    T0] x86/cpu: User Mode Instruction Prevention (UMIP) activated
[    1.310835][    T0] Last level iTLB entries: 4KB 512, 2MB 512, 4MB 256
[    1.311724][    T0] Last level dTLB entries: 4KB 2048, 2MB 2048, 4MB 1024, 1GB 0
[    1.312765][    T0] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[    1.314119][    T0] Spectre V2 : Mitigation: Retpolines
[    1.314831][    T0] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
[    1.316024][    T0] Spectre V2 : Spectre v2 / SpectreRSB : Filling RSB on VMEXIT
[    1.318151][    T0] Spectre V2 : Enabling Restricted Speculation for firmware calls
[    1.319414][    T0] Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
[    1.320674][    T0] Spectre V2 : User space: Mitigation: STIBP via prctl
[    1.321638][    T0] Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
[    1.323179][    T0] Speculative Return Stack Overflow: Mitigation: Safe RET
[    1.324189][    T0] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
[    1.325303][    T0] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[    1.326298][    T0] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[    1.327284][    T0] x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
[    1.328107][    T0] x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'compacted' format.
[    1.604248][    T0] Freeing SMP alternatives memory: 128K
[    1.605166][    T0] pid_max: default: 32768 minimum: 301
[    1.606440][    T0] LSM: initializing lsm=lockdown,capability,landlock,yama,safesetid,tomoyo,apparmor,bpf,ima,evm
[    1.608771][    T0] landlock: Up and running.
[    1.609554][    T0] Yama: becoming mindful.
[    1.610776][    T0] TOMOYO Linux initialized
[    1.612635][    T0] AppArmor: AppArmor initialized
[    1.616080][    T0] LSM support for eBPF active
[    1.621951][    T0] Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes, vmalloc hugepage)
[    1.625424][    T0] Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes, vmalloc hugepage)
[    1.627339][    T0] Mount-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[    1.628497][    T0] Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes, vmalloc)
[    1.634212][    T0] Running RCU synchronous self tests
[    1.635020][    T0] Running RCU synchronous self tests
[    1.757500][    T1] smpboot: CPU0: AMD EPYC 7B13 (family: 0x19, model: 0x1, stepping: 0x0)
[    1.758098][    T1] Running RCU Tasks wait API self tests
[    1.858617][    T1] Running RCU Tasks Trace wait API self tests
[    1.859754][    T1] Performance Events: PMU not available due to virtualization, using software events only.
[    1.869763][    T1] signal: max sigframe size: 1776
[    1.871320][    T1] rcu: Hierarchical SRCU implementation.
[    1.872132][    T1] rcu: 	Max phase no-delay instances is 1000.
[    1.874159][    T1] Timer migration: 1 hierarchy levels; 8 children per group; 0 crossnode level
[    1.878328][   T15] Callback from call_rcu_tasks_trace() invoked.
[    1.935530][    T1] NMI watchdog: Perf NMI watchdog permanently disabled
[    1.937523][    T1] smp: Bringing up secondary CPUs ...
[    1.950450][    T1] smpboot: x86: Booting SMP configuration:
[    1.951284][    T1] .... node  #0, CPUs:      #1
[    1.951629][   T22] ------------[ cut here ]------------
[    1.951629][   T22] workqueue: work disable count underflowed
[    1.951629][   T22] WARNING: CPU: 1 PID: 22 at kernel/workqueue.c:4317 enable_work+0x34d/0x360
[    1.951629][   T22] Modules linked in:
[    1.951832][   T22] CPU: 1 UID: 0 PID: 22 Comm: cpuhp/1 Not tainted 6.13.0-rc6-syzkaller-g9d89551994a4-dirty #0
[    1.953189][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[    1.954559][   T22] RIP: 0010:enable_work+0x34d/0x360
[    1.955294][   T22] Code: d8 5b 41 5c 41 5d 41 5e 41 5f 5d e9 08 3f 88 0a e8 18 82 37 00 c6 05 f9 ac 9b 0e 01 90 48 c7 c7 a0 d7 09 8c e8 d4 25 f8 ff 90 <0f> 0b 90 90 e9 56 ff ff ff e8 b5 c7 60 0a 0f 1f 44 00 00 90 90 90
[    1.957894][   T22] RSP: 0018:ffffc900001c7bc0 EFLAGS: 00010046
[    1.958098][   T22] RAX: caa1100063be3a00 RBX: 0000000000000000 RCX: ffff88801d2e3c00
[    1.958098][   T22] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[    1.958098][   T22] RBP: ffffc900001c7c88 R08: ffffffff81602a82 R09: 1ffffffff1cfa210
[    1.958098][   T22] R10: dffffc0000000000 R11: fffffbfff1cfa211 R12: 1ffff92000038f7c
[    1.958098][   T22] R13: 1ffff92000038f84 R14: 001fffffffc00001 R15: ffff8880b8738770
[    1.958098][   T22] FS:  0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
[    1.958098][   T22] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.958098][   T22] CR2: 0000000000000000 CR3: 000000000e736000 CR4: 0000000000350ef0
[    1.958098][   T22] Call Trace:
[    1.958098][   T22]  <TASK>
[    1.958098][   T22]  ? __warn+0x165/0x4d0
[    1.958098][   T22]  ? enable_work+0x34d/0x360
[    1.958098][   T22]  ? report_bug+0x2b3/0x500
[    1.958098][   T22]  ? enable_work+0x34d/0x360
[    1.958098][   T22]  ? handle_bug+0x60/0x90
[    1.958098][   T22]  ? exc_invalid_op+0x1a/0x50
[    1.958098][   T22]  ? asm_exc_invalid_op+0x1a/0x20
[    1.958098][   T22]  ? __warn_printk+0x292/0x360
[    1.958098][   T22]  ? enable_work+0x34d/0x360
[    1.958098][   T22]  ? __pfx_enable_work+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  ? __pfx_vmstat_cpu_online+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  ? rcu_is_watching+0x15/0xb0
[    1.958098][   T22]  vmstat_cpu_online+0xbb/0xe0
[    1.958098][   T22]  ? __pfx_vmstat_cpu_online+0x10/0x10
[    1.958098][   T22]  cpuhp_invoke_callback+0x48f/0x830
[    1.958098][   T22]  ? __pfx_vmstat_cpu_online+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  cpuhp_thread_fun+0x41c/0x810
[    1.958098][   T22]  ? cpuhp_thread_fun+0x130/0x810
[    1.958098][   T22]  ? __pfx_cpuhp_thread_fun+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[    1.958098][   T22]  ? __pfx_cpuhp_thread_fun+0x10/0x10
[    1.958098][   T22]  smpboot_thread_fn+0x546/0xa30
[    1.958098][   T22]  ? smpboot_thread_fn+0x4e/0xa30
[    1.958098][   T22]  ? __pfx_smpboot_thread_fn+0x10/0x10
[    1.958098][   T22]  kthread+0x2f2/0x390
[    1.958098][   T22]  ? __pfx_smpboot_thread_fn+0x10/0x10
[    1.958098][   T22]  ? __pfx_kthread+0x10/0x10
[    1.958098][   T22]  ret_from_fork+0x4d/0x80
[    1.958098][   T22]  ? __pfx_kthread+0x10/0x10
[    1.958098][   T22]  ret_from_fork_asm+0x1a/0x30
[    1.958098][   T22]  </TASK>
[    1.958098][   T22] Kernel panic - not syncing: kernel: panic_on_warn set ...
[    1.958098][   T22] CPU: 1 UID: 0 PID: 22 Comm: cpuhp/1 Not tainted 6.13.0-rc6-syzkaller-g9d89551994a4-dirty #0
[    1.958098][   T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
[    1.958098][   T22] Call Trace:
[    1.958098][   T22]  <TASK>
[    1.958098][   T22]  dump_stack_lvl+0x241/0x360
[    1.958098][   T22]  ? __pfx_dump_stack_lvl+0x10/0x10
[    1.958098][   T22]  ? __pfx__printk+0x10/0x10
[    1.958098][   T22]  ? _printk+0xd5/0x120
[    1.958098][   T22]  ? __init_begin+0x41000/0x41000
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  ? vscnprintf+0x5d/0x90
[    1.958098][   T22]  panic+0x349/0x880
[    1.958098][   T22]  ? __warn+0x174/0x4d0
[    1.958098][   T22]  ? __pfx_panic+0x10/0x10
[    1.958098][   T22]  ? ret_from_fork_asm+0x1a/0x30
[    1.958098][   T22]  __warn+0x344/0x4d0
[    1.958098][   T22]  ? enable_work+0x34d/0x360
[    1.958098][   T22]  report_bug+0x2b3/0x500
[    1.958098][   T22]  ? enable_work+0x34d/0x360
[    1.958098][   T22]  handle_bug+0x60/0x90
[    1.958098][   T22]  exc_invalid_op+0x1a/0x50
[    1.958098][   T22]  asm_exc_invalid_op+0x1a/0x20
[    1.958098][   T22] RIP: 0010:enable_work+0x34d/0x360
[    1.958098][   T22] Code: d8 5b 41 5c 41 5d 41 5e 41 5f 5d e9 08 3f 88 0a e8 18 82 37 00 c6 05 f9 ac 9b 0e 01 90 48 c7 c7 a0 d7 09 8c e8 d4 25 f8 ff 90 <0f> 0b 90 90 e9 56 ff ff ff e8 b5 c7 60 0a 0f 1f 44 00 00 90 90 90
[    1.958098][   T22] RSP: 0018:ffffc900001c7bc0 EFLAGS: 00010046
[    1.958098][   T22] RAX: caa1100063be3a00 RBX: 0000000000000000 RCX: ffff88801d2e3c00
[    1.958098][   T22] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[    1.958098][   T22] RBP: ffffc900001c7c88 R08: ffffffff81602a82 R09: 1ffffffff1cfa210
[    1.958098][   T22] R10: dffffc0000000000 R11: fffffbfff1cfa211 R12: 1ffff92000038f7c
[    1.958098][   T22] R13: 1ffff92000038f84 R14: 001fffffffc00001 R15: ffff8880b8738770
[    1.958098][   T22]  ? __warn_printk+0x292/0x360
[    1.958098][   T22]  ? __pfx_enable_work+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  ? __pfx_vmstat_cpu_online+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  ? rcu_is_watching+0x15/0xb0
[    1.958098][   T22]  vmstat_cpu_online+0xbb/0xe0
[    1.958098][   T22]  ? __pfx_vmstat_cpu_online+0x10/0x10
[    1.958098][   T22]  cpuhp_invoke_callback+0x48f/0x830
[    1.958098][   T22]  ? __pfx_vmstat_cpu_online+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  cpuhp_thread_fun+0x41c/0x810
[    1.958098][   T22]  ? cpuhp_thread_fun+0x130/0x810
[    1.958098][   T22]  ? __pfx_cpuhp_thread_fun+0x10/0x10
[    1.958098][   T22]  ? srso_alias_return_thunk+0x5/0xfbef5
[    1.958098][   T22]  ? _raw_spin_unlock_irqrestore+0xdd/0x140
[    1.958098][   T22]  ? __pfx_cpuhp_thread_fun+0x10/0x10
[    1.958098][   T22]  smpboot_thread_fn+0x546/0xa30
[    1.958098][   T22]  ? smpboot_thread_fn+0x4e/0xa30
[    1.958098][   T22]  ? __pfx_smpboot_thread_fn+0x10/0x10
[    1.958098][   T22]  kthread+0x2f2/0x390
[    1.958098][   T22]  ? __pfx_smpboot_thread_fn+0x10/0x10
[    1.958098][   T22]  ? __pfx_kthread+0x10/0x10
[    1.958098][   T22]  ret_from_fork+0x4d/0x80
[    1.958098][   T22]  ? __pfx_kthread+0x10/0x10
[    1.958098][   T22]  ret_from_fork_asm+0x1a/0x30
[    1.958098][   T22]  </TASK>
[    1.958098][   T22] Rebooting in 86400 seconds..


syzkaller build log:
go env (err=<nil>)
GO111MODULE='auto'
GOARCH='amd64'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.22.7'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build1119513314=/tmp/go-build -gno-record-gcc-switches'

git status (err=<nil>)
HEAD detached at 1432fc845
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
go fmt ./sys/... >/dev/null
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=1432fc84530255f6208c5719be796918244fa9d3 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20241218-130448'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"1432fc84530255f6208c5719be796918244fa9d3\"
/usr/bin/ld: /tmp/ccsfxsCp.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x104): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=139fd6f8580000


Tested on:

commit:         9d895519 Linux 6.13-rc6
git tree:       upstream
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ef22c4fce5135b4
dashboard link: https://syzkaller.appspot.com/bug?extid=e9b1ff41aa6a7ebf9640
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=12c039c4580000



end of thread, other threads:[~2025-01-06  5:12 UTC | newest]

Thread overview: 7+ messages
2024-08-13  4:37 [syzbot] [wireless?] INFO: task hung in ath9k_hif_usb_firmware_cb (3) syzbot
2024-08-13 10:56 ` Toke Høiland-Jørgensen
2024-12-16 20:51 ` syzbot
2025-01-03 17:38   ` Toke Høiland-Jørgensen
2025-01-03 18:12     ` syzbot
2025-01-05 20:25   ` Toke Høiland-Jørgensen
2025-01-06  5:12     ` syzbot
