bisecting cause commit starting from bec4c2968fce2f44ce62d05288a633cd99a722eb building syzkaller on 6593fd32d71a33f76462f347ef263e26600d998e testing commit bec4c2968fce2f44ce62d05288a633cd99a722eb with gcc (GCC) 10.2.1 20210217 kernel signature: 6cd810bc04c2bdc115f6fef6749b3bf5ecf976ab53e81584f9a3f3418d6ba393 run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #7: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #8: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #9: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #10: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #11: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #12: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #13: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #14: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #15: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #16: crashed: INFO: task hung in usb_get_descriptor run #17: crashed: INFO: task hung in usb_get_descriptor run #18: crashed: INFO: task hung in usb_get_descriptor run #19: crashed: INFO: task hung in usb_get_descriptor testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: d531cd6bda67628eae047f8a2539c16881b20cd55994a63448311accf7ea4fe3 run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #7: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #8: crashed: INFO: task hung in usb_get_descriptor run #9: crashed: INFO: task hung in usb_get_descriptor testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217 kernel signature: 1d2e226668b90b5f8546fbec28d6ef957c34c5c2e50e22e5c76e27b6144127e8 run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #7: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #8: crashed: INFO: task hung in usb_get_descriptor run #9: crashed: INFO: task hung in usb_get_descriptor testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.4.1 20210217 kernel signature: 62745f1980c1b1b6d1b99806a6b51f11fb8d05ecb195b0f97e8e7776ee555ad6 all runs: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.4.1 20210217 kernel signature: ff4409cbc2ec7e03ed9e88c2b4d48c9d75d02da3aa459fcc4bbf749a30220f15 run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #7: crashed: INFO: task hung in usb_get_descriptor run #8: crashed: INFO: task hung in usb_get_descriptor run #9: crashed: INFO: task hung in usb_get_descriptor testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.4.1 20210217 kernel signature: 7c8ce05dce5b3bbc88e48fa52fbc658ed4fa01f78fb6425cb9c02f140ac55e85 run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #7: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #8: crashed: INFO: task hung in usb_get_descriptor run #9: crashed: INFO: task hung in usb_get_descriptor testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.4.1 20210217 kernel signature: d898606e32a926de005768c146b8f87268f3c2fd3077c09711786554fc6131b4 run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: INFO: task hung in usb_get_descriptor run #7: crashed: INFO: task hung in usb_get_descriptor run #8: crashed: INFO: task hung in usb_get_descriptor run #9: crashed: INFO: task hung in usb_get_descriptor testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.4.1 20210217 kernel signature: ec7a4219700ca4dbf6ac1d76d4271f1529d79e464a0553d2ba331d04e11423be run #0: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #1: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #2: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #3: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #4: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #5: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #6: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #7: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #8: crashed: BUG: unable to handle kernel NULL pointer dereference in vhci_shutdown_connection run #9: crashed: INFO: task hung in usb_get_descriptor testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.4.1 20210217 kernel signature: f7de3bbc6da40a4ebdfcac9a0be29b9e1ff9a6d452aaaf8607d88f971a55efc1 all runs: boot failed: BUG: spinlock bad magic in nf_connlabels_get testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.4.1 20210217 kernel signature: f875c5159cb28ceb0484c71a8389e55bf7f9370b932a1ba36a2015064a5405ee all runs: boot failed: can't ssh into the instance testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.4.1 20210217 kernel signature: 79fc2c063842a3a3a6f0c07deb953b2744cd5a7275277ac9b185f9166111c167 all runs: boot failed: can't ssh into the instance testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.4.1 20210217 kernel signature: cc1bbaffc36c438462f5d5f0701e87151f2175d292507d7e59472a96cdb4ec01 all runs: boot failed: can't ssh into the instance testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.4.1 20210217 kernel signature: 42704c45429d77e415deb257d804ed09623d711030d8df442e066719106c93ef all runs: boot failed: can't ssh into the instance testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.4.1 20210217 kernel signature: 740a2f3dbf73634136863844a5e19d1c9097a28f4ce76031074aaaf8d36c3ce7 all runs: boot failed: can't ssh into the instance testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.4.1 20210217 kernel signature: c438d8be16470a0324f449db5a6b83c0ba4c7f3ad326b091daf5804fde572351 all runs: boot failed: can't ssh into the instance testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.4.1 20210217 failed to run ["make" "-j" "64" "ARCH=x86_64" "CC=/syzkaller/shared/bisect_bin/gcc-8.1.0/bin/gcc" "bzImage"]: exit status 2 testing release v4.16 testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.4.1 20210217 orc_dump.c:106:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] orc_dump.c:111:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] elf.c:135:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:140:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] testing release v4.15 testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.4.1 20210217 orc_dump.c:106:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] orc_dump.c:111:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] pager.c:36:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] elf.c:135:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:140:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] testing release v4.14 testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.4.1 20210217 orc_dump.c:105:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] orc_dump.c:110:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] elf.c:134:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:139:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] pager.c:36:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] testing release v4.13 testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.4.1 20210217 pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] elf.c:144:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:149:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] testing release v4.12 testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.4.1 20210217 pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] elf.c:141:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:146:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] testing release v4.11 testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.5.0 elf.c:141:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:146:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] testing release v4.10 testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0 tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes] elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] testing release v4.9 testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0 tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes] pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] testing release v4.8 testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0 tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes] elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] testing release v4.7 testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0 tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes] elf.c:122:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations] elf.c:127:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations] pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] testing release v4.6 testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a with gcc (GCC) 5.5.0 tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes] pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict] revisions tested: 15, total time: 3h23m32.503109907s (build: 1h24m10.822327561s, test: 1h55m37.616891322s) the crash already happened on the oldest tested release commit msg: Linux 5.4 crash: INFO: task hung in usb_get_descriptor INFO: task kworker/0:2:4947 blocked for more than 143 seconds. Not tainted 5.4.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/0:2 D25992 4947 2 0x80004000 Workqueue: usb_hub_wq hub_event Call Trace: schedule+0xc1/0x260 kernel/sched/core.c:4145 usb_kill_urb drivers/usb/core/urb.c:695 [inline] usb_kill_urb+0x1d4/0x250 drivers/usb/core/urb.c:687 usb_start_wait_urb+0x202/0x490 drivers/usb/core/message.c:63 usb_internal_control_msg drivers/usb/core/message.c:101 [inline] usb_control_msg+0x305/0x4d0 drivers/usb/core/message.c:152 usb_get_descriptor+0xb6/0x140 drivers/usb/core/message.c:647 usb_get_device_descriptor+0x66/0xb0 drivers/usb/core/message.c:919 hub_port_init+0x897/0x2820 drivers/usb/core/hub.c:4759 hub_port_connect drivers/usb/core/hub.c:5030 [inline] hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] port_event drivers/usb/core/hub.c:5359 [inline] hub_event+0xf11/0x3020 drivers/usb/core/hub.c:5439 process_one_work+0x8ca/0x16c0 kernel/workqueue.c:2269 worker_thread+0x82/0xb50 kernel/workqueue.c:2415 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 INFO: task kworker/0:4:9073 blocked for more than 143 seconds. Not tainted 5.4.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/0:4 D26512 9073 2 0x80004000 Workqueue: usb_hub_wq hub_event Call Trace: schedule+0xc1/0x260 kernel/sched/core.c:4145 usb_kill_urb drivers/usb/core/urb.c:695 [inline] usb_kill_urb+0x1d4/0x250 drivers/usb/core/urb.c:687 usb_start_wait_urb+0x202/0x490 drivers/usb/core/message.c:63 usb_internal_control_msg drivers/usb/core/message.c:101 [inline] usb_control_msg+0x305/0x4d0 drivers/usb/core/message.c:152 usb_get_descriptor+0xb6/0x140 drivers/usb/core/message.c:647 usb_get_device_descriptor+0x66/0xb0 drivers/usb/core/message.c:919 hub_port_init+0x897/0x2820 drivers/usb/core/hub.c:4759 hub_port_connect drivers/usb/core/hub.c:5030 [inline] hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] port_event drivers/usb/core/hub.c:5359 [inline] hub_event+0xf11/0x3020 drivers/usb/core/hub.c:5439 process_one_work+0x8ca/0x16c0 kernel/workqueue.c:2269 worker_thread+0x82/0xb50 kernel/workqueue.c:2415 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 INFO: task kworker/0:5:10507 blocked for more than 144 seconds. Not tainted 5.4.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/0:5 D26512 10507 2 0x80004000 Workqueue: usb_hub_wq hub_event Call Trace: schedule+0xc1/0x260 kernel/sched/core.c:4145 usb_kill_urb drivers/usb/core/urb.c:695 [inline] usb_kill_urb+0x1d4/0x250 drivers/usb/core/urb.c:687 usb_start_wait_urb+0x202/0x490 drivers/usb/core/message.c:63 usb_internal_control_msg drivers/usb/core/message.c:101 [inline] usb_control_msg+0x305/0x4d0 drivers/usb/core/message.c:152 usb_get_descriptor+0xb6/0x140 drivers/usb/core/message.c:647 usb_get_device_descriptor+0x66/0xb0 drivers/usb/core/message.c:919 hub_port_init+0x897/0x2820 drivers/usb/core/hub.c:4759 hub_port_connect drivers/usb/core/hub.c:5030 [inline] hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] port_event drivers/usb/core/hub.c:5359 [inline] hub_event+0xf11/0x3020 drivers/usb/core/hub.c:5439 process_one_work+0x8ca/0x16c0 kernel/workqueue.c:2269 worker_thread+0x82/0xb50 kernel/workqueue.c:2415 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 INFO: task kworker/0:7:10870 blocked for more than 144 seconds. Not tainted 5.4.0-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. kworker/0:7 D26528 10870 2 0x80004000 Workqueue: usb_hub_wq hub_event Call Trace: schedule+0xc1/0x260 kernel/sched/core.c:4145 usb_kill_urb drivers/usb/core/urb.c:695 [inline] usb_kill_urb+0x1d4/0x250 drivers/usb/core/urb.c:687 usb_start_wait_urb+0x202/0x490 drivers/usb/core/message.c:63 usb_internal_control_msg drivers/usb/core/message.c:101 [inline] usb_control_msg+0x305/0x4d0 drivers/usb/core/message.c:152 usb_get_descriptor+0xb6/0x140 drivers/usb/core/message.c:647 usb_get_device_descriptor+0x66/0xb0 drivers/usb/core/message.c:919 hub_port_init+0x897/0x2820 drivers/usb/core/hub.c:4759 hub_port_connect drivers/usb/core/hub.c:5030 [inline] hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] port_event drivers/usb/core/hub.c:5359 [inline] hub_event+0xf11/0x3020 drivers/usb/core/hub.c:5439 process_one_work+0x8ca/0x16c0 kernel/workqueue.c:2269 worker_thread+0x82/0xb50 kernel/workqueue.c:2415 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Showing all locks held in the system: 5 locks held by kworker/0:1/7: #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline] ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline] ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline] ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline] ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline] ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x7dd/0x16c0 kernel/workqueue.c:2240 #1: ffff8880b53e7e00 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x811/0x16c0 kernel/workqueue.c:2244 #2: ffff888238198200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline] #2: ffff888238198200 (&dev->mutex){....}, at: hub_event+0x135/0x3020 drivers/usb/core/hub.c:5385 #3: ffff88823819b528 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2996 [inline] #3: ffff88823819b528 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5029 [inline] #3: ffff88823819b528 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] #3: ffff88823819b528 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5359 [inline] #3: ffff88823819b528 (&port_dev->status_lock){+.+.}, at: hub_event+0xefa/0x3020 drivers/usb/core/hub.c:5439 #4: ffff888238958760 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a9/0x2820 drivers/usb/core/hub.c:4538 1 lock held by khungtaskd/1583: #0: ffffffff8a0cb540 (rcu_read_lock){....}, at: debug_show_all_locks+0x52/0x2be kernel/locking/lockdep.c:5335 5 locks held by kworker/0:2/4947: #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x7dd/0x16c0 kernel/workqueue.c:2240 #1: ffff8880a7327e00 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x811/0x16c0 kernel/workqueue.c:2244 #2: ffff8880aaf0a200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline] #2: ffff8880aaf0a200 (&dev->mutex){....}, at: hub_event+0x135/0x3020 drivers/usb/core/hub.c:5385 #3: ffff8880aaf0d528 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2996 [inline] #3: ffff8880aaf0d528 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5029 [inline] #3: ffff8880aaf0d528 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] #3: ffff8880aaf0d528 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5359 [inline] #3: ffff8880aaf0d528 (&port_dev->status_lock){+.+.}, at: hub_event+0xefa/0x3020 drivers/usb/core/hub.c:5439 #4: ffff8880abfc7160 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a9/0x2820 drivers/usb/core/hub.c:4538 1 lock held by in:imklog/8425: #0: ffff8880ae8e0ae0 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0x96/0xb0 fs/file.c:801 5 locks held by kworker/0:4/9073: #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x7dd/0x16c0 kernel/workqueue.c:2240 #1: ffff88809b94fe00 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x811/0x16c0 kernel/workqueue.c:2244 #2: ffff8880aa9b4200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline] #2: ffff8880aa9b4200 (&dev->mutex){....}, at: hub_event+0x135/0x3020 drivers/usb/core/hub.c:5385 #3: ffff8880aa9b7528 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2996 [inline] #3: ffff8880aa9b7528 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5029 [inline] #3: ffff8880aa9b7528 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] #3: ffff8880aa9b7528 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5359 [inline] #3: ffff8880aa9b7528 (&port_dev->status_lock){+.+.}, at: hub_event+0xefa/0x3020 drivers/usb/core/hub.c:5439 #4: ffff888238165b60 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a9/0x2820 drivers/usb/core/hub.c:4538 5 locks held by kworker/0:5/10507: #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x7dd/0x16c0 kernel/workqueue.c:2240 #1: ffff88809ac37e00 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x811/0x16c0 kernel/workqueue.c:2244 #2: ffff8880aa83e200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline] #2: ffff8880aa83e200 (&dev->mutex){....}, at: hub_event+0x135/0x3020 drivers/usb/core/hub.c:5385 #3: ffff888238139528 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2996 [inline] #3: ffff888238139528 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5029 [inline] #3: ffff888238139528 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] #3: ffff888238139528 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5359 [inline] #3: ffff888238139528 (&port_dev->status_lock){+.+.}, at: hub_event+0xefa/0x3020 drivers/usb/core/hub.c:5439 #4: ffff8880aaf75560 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a9/0x2820 drivers/usb/core/hub.c:4538 5 locks held by kworker/0:6/10821: #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x7dd/0x16c0 kernel/workqueue.c:2240 #1: ffff888088a0fe00 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x811/0x16c0 kernel/workqueue.c:2244 #2: ffff8882381da200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline] #2: ffff8882381da200 (&dev->mutex){....}, at: hub_event+0x135/0x3020 drivers/usb/core/hub.c:5385 #3: ffff8882381dd528 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2996 [inline] #3: ffff8882381dd528 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5029 [inline] #3: ffff8882381dd528 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] #3: ffff8882381dd528 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5359 [inline] #3: ffff8882381dd528 (&port_dev->status_lock){+.+.}, at: hub_event+0xefa/0x3020 drivers/usb/core/hub.c:5439 #4: ffff888238145960 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a9/0x2820 drivers/usb/core/hub.c:4538 5 locks held by kworker/0:7/10870: #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: __write_once_size include/linux/compiler.h:226 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic64_set include/asm-generic/atomic-instrumented.h:855 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: atomic_long_set include/asm-generic/atomic-long.h:40 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_data kernel/workqueue.c:620 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: set_work_pool_and_clear_pending kernel/workqueue.c:647 [inline] #0: ffff88823a922128 ((wq_completion)usb_hub_wq){+.+.}, at: process_one_work+0x7dd/0x16c0 kernel/workqueue.c:2240 #1: ffff8880a379fe00 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x811/0x16c0 kernel/workqueue.c:2244 #2: ffff8880aafa4200 (&dev->mutex){....}, at: device_lock include/linux/device.h:1462 [inline] #2: ffff8880aafa4200 (&dev->mutex){....}, at: hub_event+0x135/0x3020 drivers/usb/core/hub.c:5385 #3: ffff8880aafa7528 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2996 [inline] ffff8880aafa7528 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5029 [inline] ffff8880aafa7528 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5213 [inline] ffff8880aafa7528 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5359 [inline] ffff8880aafa7528 (&port_dev->status_lock){+.+.}, at: hub_event+0xefa/0x3020 drivers/usb/core/hub.c:5439 #4: ffff8880ab211360 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a9/0x2820 drivers/usb/core/hub.c:4538 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 1583 Comm: khungtaskd Not tainted 5.4.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x96/0xe0 lib/dump_stack.c:118 nmi_cpu_backtrace.cold.6+0x2e/0x33 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x183/0x1ac lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] watchdog+0x6e7/0xce0 kernel/hung_task.c:289 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 CPU: 0 PID: 10697 Comm: kworker/u4:8 Not tainted 5.4.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usbip_event event_handler RIP: 0010:__lock_acquire+0xac5/0x4550 kernel/locking/lockdep.c:3828 Code: f8 48 8b 9c 24 e8 00 00 00 65 48 33 1c 25 28 00 00 00 0f 85 c9 29 00 00 48 81 c4 f0 00 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 <48> b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 80 3c 02 00 0f RSP: 0018:ffff8880b9e09d70 EFLAGS: 00000002 RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 1ffff110173c13c0 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000001 R11: ffff88808b28b180 R12: 0000000000000000 R13: 0000000000000001 R14: ffff8880b9e25ed8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8880b9e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f83418b1000 CR3: 00000000a43c4000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: lock_acquire+0x12e/0x360 kernel/locking/lockdep.c:4487 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x33/0x50 kernel/locking/spinlock.c:159 hrtimer_interrupt+0x117/0x800 kernel/time/hrtimer.c:1619 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1110 [inline] smp_apic_timer_interrupt+0x18d/0x690 arch/x86/kernel/apic/apic.c:1135 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830 RIP: 0010:console_trylock_spinning kernel/printk/printk.c:1758 [inline] RIP: 0010:vprintk_emit+0x206/0x2b0 kernel/printk/printk.c:1995 Code: 01 00 00 00 48 c7 c7 e0 97 0b 8a e8 44 37 fd ff e8 6f 1d 00 00 41 f7 c4 00 02 00 00 0f 84 84 00 00 00 e8 5d 8e 19 00 41 54 9d <68> c6 d0 51 81 45 31 c9 41 b8 01 00 00 00 31 c9 ba 01 00 00 00 31 RSP: 0018:ffff88808ad67ba0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: 0000000000000007 RBX: 0000000000000000 RCX: 0000000000000006 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88808b28ba14 RBP: ffff88808ad67be8 R08: fffffbfff1bd5560 R09: fffffbfff1bd5560 R10: fffffbfff1bd555f R11: ffffffff8deaaaff R12: 0000000000000246 R13: ffffffff8a0b92a0 R14: 0000000000000018 R15: ffff8880b2ac8000 printk+0x9a/0xc0 kernel/printk/printk.c:2056 vhci_shutdown_connection.cold.14+0xb5/0x809 drivers/usb/usbip/vhci_hcd.c:1027 event_handler+0x18b/0x3e0 drivers/usb/usbip/usbip_event.c:78 process_one_work+0x8ca/0x16c0 kernel/workqueue.c:2269 worker_thread+0x82/0xb50 kernel/workqueue.c:2415 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352