syzbot

INFO: task kworker/1:4:3549 blocked for more than 143 seconds.
      Not tainted 5.15.163-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/1:4     state:D stack:22872 pid: 3549 ppid:     2 flags:0x00004000
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 context_switch kernel/sched/core.c:5030 [inline]
 __schedule+0x12c4/0x45b0 kernel/sched/core.c:6376
 schedule+0x11b/0x1f0 kernel/sched/core.c:6459
 schedule_preempt_disabled+0xf/0x20 kernel/sched/core.c:6518
 __mutex_lock_common+0xe34/0x25a0 kernel/locking/mutex.c:669
 __mutex_lock kernel/locking/mutex.c:729 [inline]
 mutex_lock_nested+0x17/0x20 kernel/locking/mutex.c:743
 hub_port_connect drivers/usb/core/hub.c:5352 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 port_event drivers/usb/core/hub.c:5741 [inline]
 hub_event+0x2fec/0x54c0 drivers/usb/core/hub.c:5823
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>

Showing all locks held in the system:
2 locks held by kworker/1:1/23:
1 lock held by khungtaskd/27:
 #0: ffffffff8c91fb20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x0/0x30
3 locks held by kworker/1:3/2925:
 #0: ffff88802378a938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc9000ab57d20 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
 #2: ffffffff8d9e8348 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcc/0x1720 net/ipv6/addrconf.c:4112
1 lock held by dhcpcd/3175:
 #0: ffffffff8d9e8348 (rtnl_mutex){+.+.}-{3:3}, at: __netlink_dump_start+0x12e/0x6f0 net/netlink/af_netlink.c:2347
2 locks held by kworker/0:3/3249:
 #0: ffff888011c70938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc90002f97d20 ((work_completion)(&pwq->unbound_release_work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
2 locks held by getty/3266:
 #0: ffff88807e461098 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x21/0x70 drivers/tty/tty_ldisc.c:252
 #1: ffffc9000209b2e8 (&ldata->atomic_read_lock){+.+.}-{3:3}, at: n_tty_read+0x6af/0x1db0 drivers/tty/n_tty.c:2158
5 locks held by kworker/1:4/3549:
 #0: ffff8881429e4938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc90003097d20 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
 #2: ffff88801ecd5220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:760 [inline]
 #2: ffff88801ecd5220 (&dev->mutex){....}-{3:3}, at: hub_event+0x208/0x54c0 drivers/usb/core/hub.c:5769
 #3: ffff88801f0485c0 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3125 [inline]
 #3: ffff88801f0485c0 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5351 [inline]
 #3: ffff88801f0485c0 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 #3: ffff88801f0485c0 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5741 [inline]
 #3: ffff88801f0485c0 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0x2fc1/0x54c0 drivers/usb/core/hub.c:5823
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5352 [inline]
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5741 [inline]
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_event+0x2fec/0x54c0 drivers/usb/core/hub.c:5823
3 locks held by kworker/0:8/3590:
 #0: ffff888011c70938 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc90003147d20 ((work_completion)(&data->fib_event_work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
 #2: ffff88805c354240 (&data->fib_lock){+.+.}-{3:3}, at: nsim_fib_event_work+0x2cd/0x4120 drivers/net/netdevsim/fib.c:1478
5 locks held by kworker/1:9/4723:
 #0: ffff8881429e4938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc90003047d20 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
 #2: ffff888147b24220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:760 [inline]
 #2: ffff888147b24220 (&dev->mutex){....}-{3:3}, at: hub_event+0x208/0x54c0 drivers/usb/core/hub.c:5769
 #3: ffff888066c475c0 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3125 [inline]
 #3: ffff888066c475c0 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5351 [inline]
 #3: ffff888066c475c0 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 #3: ffff888066c475c0 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5741 [inline]
 #3: ffff888066c475c0 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0x2238/0x54c0 drivers/usb/core/hub.c:5823
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5352 [inline]
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5595 [inline]
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5741 [inline]
 #4: ffff888147a8f068 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_event+0x2260/0x54c0 drivers/usb/core/hub.c:5823
3 locks held by kworker/0:16/5067:
 #0: ffff88802378a938 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc90002f27d20 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
 #2: ffffffff8d9e8348 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcc/0x1720 net/ipv6/addrconf.c:4112
2 locks held by kworker/0:22/7156:
 #0: ffff888011c72138 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc90003007d20 ((work_completion)(&rew.rew_work)){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
1 lock held by syz.0.1356/11348:
 #0: ffff888147b24220 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:760 [inline]
 #0: ffff888147b24220 (&dev->mutex){....}-{3:3}, at: usbdev_open+0x152/0x7a0 drivers/usb/core/devio.c:1040
4 locks held by kworker/u4:16/12115:
 #0: ffff888011dcd138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x78a/0x10c0 kernel/workqueue.c:2283
 #1: ffffc90002527d20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x7d0/0x10c0 kernel/workqueue.c:2285
 #2: ffffffff8d9dc790 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf1/0xb60 net/core/net_namespace.c:561
 #3: ffffffff8d9e8348 (rtnl_mutex){+.+.}-{3:3}, at: ip_fib_net_exit+0x25/0x370 net/ipv4/fib_frontend.c:1559
3 locks held by syz-executor/12279:
 #0: ffffffff8d9e8348 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:72 [inline]
 #0: ffffffff8d9e8348 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x94c/0xee0 net/core/rtnetlink.c:5626
 #1: ffff8880792513e8 (&wg->device_update_lock){+.+.}-{3:3}, at: wg_open+0x224/0x410 drivers/net/wireguard/device.c:49
 #2: ffffffff8c9240e8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:322 [inline]
 #2: ffffffff8c9240e8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x350/0x740 kernel/rcu/tree_exp.h:845
1 lock held by syz.0.1518/12511:
 #0: ffffffff8c7df6a8 (sched_core_mutex){+.+.}-{3:3}, at: sched_core_get+0x47/0x1d0 kernel/sched/core.c:329
2 locks held by syz.0.1518/12515:
 #0: ffffffff8da45b50 (cb_lock){++++}-{3:3}, at: genl_rcv+0x15/0x40 net/netlink/genetlink.c:802
 #1: ffffffff8d9e8348 (rtnl_mutex){+.+.}-{3:3}, at: nl80211_pre_doit+0x28/0x540 net/wireless/nl80211.c:14965

=============================================

NMI backtrace for cpu 0
CPU: 0 PID: 27 Comm: khungtaskd Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 nmi_cpu_backtrace+0x46a/0x4a0 lib/nmi_backtrace.c:111
 nmi_trigger_cpumask_backtrace+0x181/0x2a0 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:148 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:210 [inline]
 watchdog+0xe72/0xeb0 kernel/hung_task.c:295
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 12115 Comm: kworker/u4:16 Not tainted 5.15.163-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Workqueue: phy43 ieee80211_iface_work
RIP: 0010:validate_chain+0x583/0x5930 kernel/locking/lockdep.c:3795
Code: 28 8b 8a 48 c7 c6 40 2b 8b 8a e8 28 9a e8 ff 0f 0b e9 d2 fb ff ff e8 bc 5d a2 02 89 c3 e8 45 fd fe ff 85 db 0f 85 2a 04 00 00 <48> c7 c0 84 aa e4 8d 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 0b 42
RSP: 0000:ffffc90002526e40 EFLAGS: 00000046
RAX: 52ca194ed006dc6a RBX: ffffffff8fe32880 RCX: ffffffff81636572
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff8fbfa0e0
RBP: ffffc900025270f0 R08: dffffc0000000000 R09: fffffbfff1f7f41d
R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000
R13: ffff8880220c64f0 R14: 52ca194ed006dc6a R15: ffffffff8fe32898
FS:  0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1be9b813f1 CR3: 0000000078497000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <NMI>
 </NMI>
 <TASK>
 __lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012
 lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
 krc_this_cpu_lock kernel/rcu/tree.c:3199 [inline]
 add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3506 [inline]
 kvfree_call_rcu+0x1b5/0x8a0 kernel/rcu/tree.c:3597
 cfg80211_update_known_bss+0x16b/0x9e0
 cfg80211_bss_update+0x187/0x21e0 net/wireless/scan.c:1771
 cfg80211_inform_single_bss_frame_data net/wireless/scan.c:2492 [inline]
 cfg80211_inform_bss_frame_data+0xa13/0x20f0 net/wireless/scan.c:2525
 ieee80211_bss_info_update+0x7a6/0xc80 net/mac80211/scan.c:190
 ieee80211_rx_bss_info net/mac80211/ibss.c:1123 [inline]
 ieee80211_rx_mgmt_probe_beacon net/mac80211/ibss.c:1614 [inline]
 ieee80211_ibss_rx_queued_mgmt+0x175e/0x2af0 net/mac80211/ibss.c:1643
 ieee80211_iface_process_skb net/mac80211/iface.c:1441 [inline]
 ieee80211_iface_work+0x78f/0xcc0 net/mac80211/iface.c:1495
 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310
 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457
 kthread+0x3f6/0x4f0 kernel/kthread.c:334
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287
 </TASK>