syzbot


INFO: task hung in usb_remote_wakeup

Status: auto-closed as invalid on 2020/01/24 14:16
Subsystems: usb
First crash: 1802d, last: 1615d
Similar bugs (6)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | INFO: task hung in usb_remote_wakeup | | | | 1 | 1206d | 1206d | 0/1 | auto-closed as invalid on 2021/04/07 18:31 |
| upstream | INFO: task hung in usb_remote_wakeup (2) usb | syz | inconclusive | done | 9 | 951d | 1150d | 20/26 | fixed on 2021/11/10 00:50 |
| upstream | INFO: task hung in usb_remote_wakeup (3) usb | | | | 1 | 764d | 764d | 0/26 | auto-closed as invalid on 2022/05/24 13:32 |
| upstream | INFO: task hung in usb_remote_wakeup (5) usb | | | | 1 | 324d | 324d | 0/26 | auto-obsoleted due to no activity on 2023/08/08 04:40 |
| upstream | INFO: task hung in usb_remote_wakeup (4) usb | | | | 2 | 505d | 555d | 0/26 | auto-obsoleted due to no activity on 2023/02/10 23:06 |
| linux-4.14 | INFO: task hung in usb_remote_wakeup | | | | 1 | 1266d | 1266d | 0/1 | auto-closed as invalid on 2021/02/06 13:01 |

Sample crash report:
INFO: task kworker/1:3:2740 blocked for more than 143 seconds.
      Not tainted 5.4.0-rc3+ #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/1:3     D23696  2740      2 0x80004000
Workqueue: pm hcd_resume_work
Call Trace:
 schedule+0xca/0x250 kernel/sched/core.c:4136
 schedule_preempt_disabled+0xc/0x20 kernel/sched/core.c:4195
 __mutex_lock_common kernel/locking/mutex.c:1033 [inline]
 __mutex_lock+0x881/0x1360 kernel/locking/mutex.c:1103
 device_lock include/linux/device.h:1462 [inline]
 usb_remote_wakeup+0x1f/0xb0 drivers/usb/core/hub.c:3600
 process_one_work+0x92b/0x1530 kernel/workqueue.c:2269
 worker_thread+0x96/0xe20 kernel/workqueue.c:2415
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Showing all locks held in the system:
5 locks held by kworker/0:1/12:
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x827/0x1530 kernel/workqueue.c:2240
 #1: ffff8881da227dd0 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x85b/0x1530 kernel/workqueue.c:2244
 #2: ffff8881d5104200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #2: ffff8881d5104200 (&dev->mutex){....}, at: hub_event+0x18a/0x37e0 drivers/usb/core/hub.c:5497
 #3: ffff8881d9b15200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #3: ffff8881d9b15200 (&dev->mutex){....}, at: __device_attach+0x7b/0x360 drivers/base/dd.c:871
 #4: ffff8881d9b14190 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #4: ffff8881d9b14190 (&dev->mutex){....}, at: __device_attach+0x7b/0x360 drivers/base/dd.c:871
1 lock held by khungtaskd/23:
 #0: ffffffff86cfe4a0 (rcu_read_lock){....}, at: debug_show_all_locks+0x53/0x269 kernel/locking/lockdep.c:5335
1 lock held by rsyslogd/1607:
 #0: ffff8881d3178d60 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xe3/0x100 fs/file.c:801
2 locks held by login/1697:
 #0: ffff8881d14c4090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: ffffc900004792e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x223/0x1ae0 drivers/tty/n_tty.c:2156
2 locks held by getty/1698:
 #0: ffff8881d1df2090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: ffffc900004692e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x223/0x1ae0 drivers/tty/n_tty.c:2156
2 locks held by getty/1699:
 #0: ffff8881d2340090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: ffffc900004812e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x223/0x1ae0 drivers/tty/n_tty.c:2156
2 locks held by getty/1700:
 #0: ffff8881d3ba5090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: ffffc900004612e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x223/0x1ae0 drivers/tty/n_tty.c:2156
2 locks held by getty/1701:
 #0: ffff8881d1412090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: ffffc900004852e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x223/0x1ae0 drivers/tty/n_tty.c:2156
2 locks held by getty/1702:
 #0: ffff8881d14c3090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: ffffc900004752e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x223/0x1ae0 drivers/tty/n_tty.c:2156
2 locks held by getty/1703:
 #0: ffff8881d2061090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref_wait+0x22/0x80 drivers/tty/tty_ldisc.c:272
 #1: ffffc9000044d2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x223/0x1ae0 drivers/tty/n_tty.c:2156
3 locks held by kworker/1:3/2740:
 #0: ffff8881da270d28 ((wq_completion)pm){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline]
 #0: ffff8881da270d28 ((wq_completion)pm){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8881da270d28 ((wq_completion)pm){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
 #0: ffff8881da270d28 ((wq_completion)pm){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
 #0: ffff8881da270d28 ((wq_completion)pm){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline]
 #0: ffff8881da270d28 ((wq_completion)pm){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline]
 #0: ffff8881da270d28 ((wq_completion)pm){+.+.}, at: process_one_work+0x827/0x1530 kernel/workqueue.c:2240
 #1: ffff8881aefdfdd0 ((work_completion)(&hcd->wakeup_work)){+.+.}, at: process_one_work+0x85b/0x1530 kernel/workqueue.c:2244
 #2: ffff8881d5104200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #2: ffff8881d5104200 (&dev->mutex){....}, at: usb_remote_wakeup+0x1f/0xb0 drivers/usb/core/hub.c:3600
5 locks held by kworker/0:3/2750:
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x827/0x1530 kernel/workqueue.c:2240
 #1: ffff8881d0d57dd0 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x85b/0x1530 kernel/workqueue.c:2244
 #2: ffff8881d50d5200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #2: ffff8881d50d5200 (&dev->mutex){....}, at: hub_event+0x18a/0x37e0 drivers/usb/core/hub.c:5497
 #3: ffff8881d2123200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #3: ffff8881d2123200 (&dev->mutex){....}, at: __device_attach+0x7b/0x360 drivers/base/dd.c:871
 #4: ffff8881d8fdc248 (&(&priv->bus_notifier)->rwsem){++++}, at: __blocking_notifier_call_chain kernel/notifier.c:318 [inline]
 #4: ffff8881d8fdc248 (&(&priv->bus_notifier)->rwsem){++++}, at: __blocking_notifier_call_chain kernel/notifier.c:306 [inline]
 #4: ffff8881d8fdc248 (&(&priv->bus_notifier)->rwsem){++++}, at: blocking_notifier_call_chain kernel/notifier.c:330 [inline]
 #4: ffff8881d8fdc248 (&(&priv->bus_notifier)->rwsem){++++}, at: blocking_notifier_call_chain+0x6f/0xa0 kernel/notifier.c:327
3 locks held by kworker/0:5/2858:
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x827/0x1530 kernel/workqueue.c:2240
 #1: ffff8881c1947dd0 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x85b/0x1530 kernel/workqueue.c:2244
 #2: ffff8881d508e200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #2: ffff8881d508e200 (&dev->mutex){....}, at: hub_event+0x18a/0x37e0 drivers/usb/core/hub.c:5497
5 locks held by kworker/0:6/2863:
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline]
 #0: ffff8881d8facd28 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x827/0x1530 kernel/workqueue.c:2240
 #1: ffff8881c6fdfdd0 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x85b/0x1530 kernel/workqueue.c:2244
 #2: ffff8881d51a9200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #2: ffff8881d51a9200 (&dev->mutex){....}, at: hub_event+0x18a/0x37e0 drivers/usb/core/hub.c:5497
 #3: ffff8881aee4c200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #3: ffff8881aee4c200 (&dev->mutex){....}, at: __device_attach+0x7b/0x360 drivers/base/dd.c:871
 #4: ffff8881cd620190 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline]
 #4: ffff8881cd620190 (&dev->mutex){....}, at: __device_attach+0x7b/0x360 drivers/base/dd.c:871
5 locks held by kworker/1:7/4564:
4 locks held by udevd/10597:
 #0: ffff8881d1ff41c0 (&p->lock){+.+.}, at: seq_read+0x6b/0x10f0 fs/seq_file.c:161
 #1: ffff8881c81a8880 (&of->mutex){+.+.}, at: kernfs_seq_start+0x49/0x180 fs/kernfs/file.c:111
 #2: ffff8881d9093c48 (kn->count#71){++++}, at: kernfs_seq_start+0x73/0x180 fs/kernfs/file.c:112
 #3: ffff8881d2123200 (&dev->mutex){....}, at: device_lock_interruptible include/linux/device.h:1467 [inline]
 #3: ffff8881d2123200 (&dev->mutex){....}, at: product_show+0x22/0xa0 drivers/usb/core/sysfs.c:140
3 locks held by syz-executor.3/10867:
 #0: ffff8881ce79bc60 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xe3/0x100 fs/file.c:801
 #1: ffff8881d4b2e410 (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2882 [inline]
 #1: ffff8881d4b2e410 (sb_writers#3){.+.+}, at: vfs_write+0x474/0x5c0 fs/read_write.c:557
 #2: ffff8881d2836e20 (&sb->s_type->i_mutex_key#10){++++}, at: inode_trylock include/linux/fs.h:811 [inline]
 #2: ffff8881d2836e20 (&sb->s_type->i_mutex_key#10){++++}, at: ext4_file_write_iter+0x1ab/0x1210 fs/ext4/file.c:234
1 lock held by syz-executor.3/10876:

=============================================

NMI backtrace for cpu 1
CPU: 1 PID: 23 Comm: khungtaskd Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xca/0x13e lib/dump_stack.c:113
 nmi_cpu_backtrace.cold+0x55/0x96 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x1b0/0x1c7 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
 watchdog+0x9a4/0xe50 kernel/hung_task.c:289
 kthread+0x318/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 PID: 10848 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:compound_head include/linux/page-flags.h:174 [inline]
RIP: 0010:PageLRU include/linux/page-flags.h:320 [inline]
RIP: 0010:mark_page_accessed+0x202/0x6f0 mm/swap.c:385
Code: 01 89 de e8 c0 96 ec ff 84 db 0f 84 80 01 00 00 e8 83 95 ec ff 4c 89 e2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 <0f> 85 99 04 00 00 4c 8b 75 08 31 ff 48 89 eb 4d 89 f5 41 83 e5 01
RSP: 0018:ffff8881af52f728 EFLAGS: 00000246
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffffff81518320
RDX: 1ffffd4000db5fa9 RSI: ffffffff8151832d RDI: 0000000000000001
RBP: ffffea0006dafd40 R08: ffff8881d1789800 R09: fffff94000db5fa9
R10: fffff94000db5fa8 R11: ffffea0006dafd47 R12: ffffea0006dafd48
R13: 0000000000000000 R14: dead000000000100 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020ec3000 CR3: 0000000006c21000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 zap_pte_range mm/memory.c:1059 [inline]
 zap_pmd_range mm/memory.c:1166 [inline]
 zap_pud_range mm/memory.c:1195 [inline]
 zap_p4d_range mm/memory.c:1216 [inline]
 unmap_page_range+0xa52/0x1a00 mm/memory.c:1237
 unmap_single_vma+0x196/0x300 mm/memory.c:1282
 unmap_vmas+0x179/0x300 mm/memory.c:1314
 exit_mmap+0x278/0x4d0 mm/mmap.c:3161
 __mmput kernel/fork.c:1079 [inline]
 mmput+0xce/0x3d0 kernel/fork.c:1100
 exit_mm kernel/exit.c:485 [inline]
 do_exit+0x7f8/0x2c00 kernel/exit.c:804
 do_group_exit+0x125/0x340 kernel/exit.c:921
 get_signal+0x466/0x23d0 kernel/signal.c:2734
 do_signal+0x88/0x14e0 arch/x86/kernel/signal.c:815
 exit_to_usermode_loop+0x1a2/0x200 arch/x86/entry/common.c:159
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:274 [inline]
 do_syscall_64+0x45f/0x580 arch/x86/entry/common.c:300
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x459f39
Code: Bad RIP value.
RSP: 002b:00007fff98158628 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffdfc RBX: 00000000000003e8 RCX: 0000000000459f39
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 000000000075bfd4
RBP: 00000000000007fd R08: ffffffffffffffff R09: ffffffffffffffff
R10: 00007fff98158700 R11: 0000000000000246 R12: 000000000075bfc8
R13: 000000000008c8a6 R14: 000000000008d0a3 R15: 000000000075bfd4

Crashes (7):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/10/26 14:06 | https://github.com/google/kasan.git usb-fuzzer | 22be26f76193 | 25bb509e | .config | console log | report | | | | | ci2-upstream-usb | |
| 2019/09/29 21:02 | https://github.com/google/kasan.git usb-fuzzer | 2994c07743fe | c1ad5441 | .config | console log | report | | | | | ci2-upstream-usb | |
| 2019/08/18 13:09 | https://github.com/google/kasan.git usb-fuzzer | d0847550e22d | 55bf8926 | .config | console log | report | | | | | ci2-upstream-usb | |
| 2019/06/17 01:35 | https://github.com/google/kasan.git usb-fuzzer | 69bbe8c72e6f | 442206d7 | .config | console log | report | | | | | ci2-upstream-usb | |
| 2019/06/16 03:08 | https://github.com/google/kasan.git usb-fuzzer | 69bbe8c72e6f | 442206d7 | .config | console log | report | | | | | ci2-upstream-usb | |
| 2019/05/10 09:21 | https://github.com/google/kasan.git usb-fuzzer | 43151d6c3fce | 018207ef | .config | console log | report | | | | | ci2-upstream-usb | |
| 2019/04/23 07:49 | https://github.com/google/kasan.git usb-fuzzer | d34f9519daaa | 53199d6e | .config | console log | report | | | | | ci2-upstream-usb | |
* Struck through repros no longer work on HEAD.