bisecting fixing commit since 4abf26854aade9732a215a168205fa9fecd6149a
building syzkaller on 9af51e31617374d564a98084b3848045bc026a0f
testing commit 4abf26854aade9732a215a168205fa9fecd6149a
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 7c3248c9fff16896e86c6b2219edb343d6de2778bf21918f718f26c1bd4a2880
all runs: crashed: possible deadlock in __sock_release
testing current HEAD b172b44fcb1771e083aad806fa96f3f60e2ddfac
testing commit b172b44fcb1771e083aad806fa96f3f60e2ddfac
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a42a09bed27916e4d2937cdc78ad47a06c33bfa7f1826b73ea37e3c030d0fe83
run #0: crashed: INFO: task hung in hub_port_init
run #1: crashed: INFO: task hung in hub_port_init
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
reproducer seems to be flaky
Reproducer flagged being flaky
revisions tested: 2, total time: 35m11.452698222s (build: 19m36.497809532s, test: 15m4.425433887s)
the crash still happens on HEAD
commit msg: Linux 4.19.206
crash: INFO: task hung in hub_port_init
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(11)
INFO: task kworker/0:1:14 blocked for more than 140 seconds.
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
      Not tainted 4.19.206-syzkaller #0
vhci_hcd vhci_hcd.0: pdev(5) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/0:1 D25064 14 2 0x80000000
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 usb_kill_urb drivers/usb/core/urb.c:697 [inline]
 usb_kill_urb+0x1e8/0x270 drivers/usb/core/urb.c:689
 usb_start_wait_urb+0x210/0x500 drivers/usb/core/message.c:63
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x331/0x570 drivers/usb/core/message.c:152
 hub_port_init+0x74f/0x2ac0 drivers/usb/core/hub.c:4704
 hub_port_connect drivers/usb/core/hub.c:5070 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 port_event drivers/usb/core/hub.c:5361 [inline]
 hub_event+0xf8c/0x37e0 drivers/usb/core/hub.c:5441
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 process_scheduled_works kernel/workqueue.c:2212 [inline]
 worker_thread+0x5b0/0xb60 kernel/workqueue.c:2298
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
INFO: task kworker/1:0:19 blocked for more than 140 seconds.
vhci_hcd: connection closed
vhci_hcd: stop threads
      Not tainted 4.19.206-syzkaller #0
vhci_hcd: release socket
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
vhci_hcd: disconnect device
kworker/1:0 D25400 19 2 0x80000000
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 usb_kill_urb drivers/usb/core/urb.c:697 [inline]
 usb_kill_urb+0x1e8/0x270 drivers/usb/core/urb.c:689
 usb_start_wait_urb+0x210/0x500 drivers/usb/core/message.c:63
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x331/0x570 drivers/usb/core/message.c:152
 hub_port_init+0x74f/0x2ac0 drivers/usb/core/hub.c:4704
 hub_port_connect drivers/usb/core/hub.c:5070 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 port_event drivers/usb/core/hub.c:5361 [inline]
 hub_event+0xf8c/0x37e0 drivers/usb/core/hub.c:5441
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
INFO: task kworker/0:2:4386 blocked for more than 140 seconds.
vhci_hcd: connection closed
vhci_hcd: connection closed
      Not tainted 4.19.206-syzkaller #0
vhci_hcd: connection closed
vhci_hcd: connection closed
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
vhci_hcd: stop threads
vhci_hcd vhci_hcd.0: pdev(1) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
kworker/0:2 D26312 4386 2 0x80000000
vhci_hcd: release socket
vhci_hcd vhci_hcd.0: Device attached
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
vhci_hcd: disconnect device
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
vhci_hcd: stop threads
 usb_kill_urb drivers/usb/core/urb.c:697 [inline]
 usb_kill_urb+0x1e8/0x270 drivers/usb/core/urb.c:689
vhci_hcd vhci_hcd.0: pdev(3) rhport(0) sockfd(11)
vhci_hcd: release socket
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd vhci_hcd.0: port 0 already used
vhci_hcd vhci_hcd.0: port 0 already used
vhci_hcd: disconnect device
 usb_start_wait_urb+0x210/0x500 drivers/usb/core/message.c:63
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x331/0x570 drivers/usb/core/message.c:152
vhci_hcd: stop threads
vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(11)
vhci_hcd: release socket
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
 hub_port_init+0x74f/0x2ac0 drivers/usb/core/hub.c:4704
vhci_hcd: disconnect device
vhci_hcd vhci_hcd.0: Device attached
 hub_port_connect drivers/usb/core/hub.c:5070 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 port_event drivers/usb/core/hub.c:5361 [inline]
 hub_event+0xf8c/0x37e0 drivers/usb/core/hub.c:5441
vhci_hcd: stop threads
vhci_hcd: release socket
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
vhci_hcd: disconnect device
 process_scheduled_works kernel/workqueue.c:2212 [inline]
 worker_thread+0x5b0/0xb60 kernel/workqueue.c:2298
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
vhci_hcd: connection closed
vhci_hcd: connection closed
vhci_hcd: stop threads
vhci_hcd: release socket
INFO: task kworker/0:4:8319 blocked for more than 140 seconds.
vhci_hcd: disconnect device
vhci_hcd: stop threads
      Not tainted 4.19.206-syzkaller #0
vhci_hcd: release socket
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
vhci_hcd: disconnect device
kworker/0:4 D26072 8319 2 0x80000000
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 usb_kill_urb drivers/usb/core/urb.c:697 [inline]
 usb_kill_urb+0x1e8/0x270 drivers/usb/core/urb.c:689
vhci_hcd vhci_hcd.0: pdev(5) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
 usb_start_wait_urb+0x210/0x500 drivers/usb/core/message.c:63
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x331/0x570 drivers/usb/core/message.c:152
 hub_port_init+0x74f/0x2ac0 drivers/usb/core/hub.c:4704
 hub_port_connect drivers/usb/core/hub.c:5070 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 port_event drivers/usb/core/hub.c:5361 [inline]
 hub_event+0xf8c/0x37e0 drivers/usb/core/hub.c:5441
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
vhci_hcd: connection closed
vhci_hcd: stop threads
INFO: task kworker/0:5:8490 blocked for more than 140 seconds.
vhci_hcd: release socket
vhci_hcd: connection closed
      Not tainted 4.19.206-syzkaller #0
vhci_hcd: disconnect device
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
vhci_hcd: stop threads
vhci_hcd: release socket
kworker/0:5 D24696 8490 2 0x80000000
vhci_hcd: disconnect device
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 usb_kill_urb drivers/usb/core/urb.c:697 [inline]
 usb_kill_urb+0x1e8/0x270 drivers/usb/core/urb.c:689
 usb_start_wait_urb+0x210/0x500 drivers/usb/core/message.c:63
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x331/0x570 drivers/usb/core/message.c:152
 hub_port_init+0x74f/0x2ac0 drivers/usb/core/hub.c:4704
 hub_port_connect drivers/usb/core/hub.c:5070 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 port_event drivers/usb/core/hub.c:5361 [inline]
 hub_event+0xf8c/0x37e0 drivers/usb/core/hub.c:5441
vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: pdev(1) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: pdev(2) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd vhci_hcd.0: pdev(3) rhport(0) sockfd(11)
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd vhci_hcd.0: Device attached
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
vhci_hcd vhci_hcd.0: Device attached
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
INFO: task kworker/1:4:9697 blocked for more than 140 seconds.
      Not tainted 4.19.206-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/1:4 D25160 9697 2 0x80000000
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:2828 [inline]
 __schedule+0x80c/0x1f70 kernel/sched/core.c:3517
 schedule+0x7f/0x1b0 kernel/sched/core.c:3561
 usb_kill_urb drivers/usb/core/urb.c:697 [inline]
 usb_kill_urb+0x1e8/0x270 drivers/usb/core/urb.c:689
 usb_start_wait_urb+0x210/0x500 drivers/usb/core/message.c:63
vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
 usb_internal_control_msg drivers/usb/core/message.c:101 [inline]
 usb_control_msg+0x331/0x570 drivers/usb/core/message.c:152
vhci_hcd vhci_hcd.0: Device attached
 hub_port_init+0x74f/0x2ac0 drivers/usb/core/hub.c:4704
 hub_port_connect drivers/usb/core/hub.c:5070 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 port_event drivers/usb/core/hub.c:5361 [inline]
 hub_event+0xf8c/0x37e0 drivers/usb/core/hub.c:5441
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 process_scheduled_works kernel/workqueue.c:2212 [inline]
 worker_thread+0x5b0/0xb60 kernel/workqueue.c:2298
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

Showing all locks held in the system:
vhci_hcd: connection closed
vhci_hcd: connection closed
vhci_hcd: connection closed
5 locks held by kworker/0:1/14:
vhci_hcd: connection closed
vhci_hcd: stop threads
vhci_hcd: connection closed
vhci_hcd: connection closed
vhci_hcd: release socket
 #0: 000000004a65ba37 ((wq_completion)"usb_hub_wq"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
vhci_hcd: disconnect device
vhci_hcd: stop threads
vhci_hcd: release socket
vhci_hcd: disconnect device
 #1: 00000000f1aea059 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
vhci_hcd: stop threads
vhci_hcd vhci_hcd.0: port 0 already used
 #2: 0000000031fdba57 (&dev->mutex){....}, at: device_lock include/linux/device.h:1174 [inline]
 #2: 0000000031fdba57 (&dev->mutex){....}, at: hub_event+0x12d/0x37e0 drivers/usb/core/hub.c:5387
vhci_hcd vhci_hcd.0: pdev(3) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd vhci_hcd.0: pdev(4) rhport(0) sockfd(11)
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd: release socket
vhci_hcd vhci_hcd.0: port 0 already used
vhci_hcd vhci_hcd.0: port 0 already used
 #3: 000000000f7be9d7 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2983 [inline]
 #3: 000000000f7be9d7 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5069 [inline]
 #3: 000000000f7be9d7 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 #3: 000000000f7be9d7 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5361 [inline]
 #3: 000000000f7be9d7 (&port_dev->status_lock){+.+.}, at: hub_event+0xf71/0x37e0 drivers/usb/core/hub.c:5441
vhci_hcd: disconnect device
vhci_hcd: stop threads
vhci_hcd: release socket
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd: disconnect device
 #4: 00000000cec85cf6 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a5/0x2ac0 drivers/usb/core/hub.c:4578
vhci_hcd: stop threads
vhci_hcd: release socket
vhci_hcd: disconnect device
vhci_hcd vhci_hcd.0: pdev(0) rhport(0) sockfd(11)
5 locks held by kworker/1:0/19:
vhci_hcd vhci_hcd.0: devid(0) speed(2) speed_str(full-speed)
vhci_hcd vhci_hcd.0: Device attached
vhci_hcd: stop threads
vhci_hcd: release socket
vhci_hcd: disconnect device
 #0: 000000004a65ba37 ((wq_completion)"usb_hub_wq"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
 #1: 00000000e40115b6 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
 #2: 00000000bfb04881 (&dev->mutex){....}, at: device_lock include/linux/device.h:1174 [inline]
 #2: 00000000bfb04881 (&dev->mutex){....}, at: hub_event+0x12d/0x37e0 drivers/usb/core/hub.c:5387
 #3: 00000000e9c60aa3 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2983 [inline]
 #3: 00000000e9c60aa3 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5069 [inline]
 #3: 00000000e9c60aa3 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 #3: 00000000e9c60aa3 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5361 [inline]
 #3: 00000000e9c60aa3 (&port_dev->status_lock){+.+.}, at: hub_event+0xf71/0x37e0 drivers/usb/core/hub.c:5441
 #4: 000000000818237d (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a5/0x2ac0 drivers/usb/core/hub.c:4578
1 lock held by khungtaskd/1569:
 #0: 0000000021204555 (rcu_read_lock){....}, at: debug_show_all_locks+0x5b/0x27a kernel/locking/lockdep.c:4443
5 locks held by kworker/0:2/4386:
 #0: 000000004a65ba37 ((wq_completion)"usb_hub_wq"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
 #1: 00000000a0bdacf3 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
 #2: 00000000b8f41773 (&dev->mutex){....}, at: device_lock include/linux/device.h:1174 [inline]
 #2: 00000000b8f41773 (&dev->mutex){....}, at: hub_event+0x12d/0x37e0 drivers/usb/core/hub.c:5387
 #3: 0000000037dd4c43 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2983 [inline]
 #3: 0000000037dd4c43 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5069 [inline]
 #3: 0000000037dd4c43 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 #3: 0000000037dd4c43 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5361 [inline]
 #3: 0000000037dd4c43 (&port_dev->status_lock){+.+.}, at: hub_event+0xf71/0x37e0 drivers/usb/core/hub.c:5441
 #4: 0000000074322c7f (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a5/0x2ac0 drivers/usb/core/hub.c:4578
1 lock held by in:imklog/7787:
 #0: 00000000e807c470 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xa7/0xd0 fs/file.c:767
5 locks held by kworker/0:4/8319:
 #0: 000000004a65ba37 ((wq_completion)"usb_hub_wq"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
 #1: 0000000034e4ec8e ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
 #2: 00000000ee96015d (&dev->mutex){....}, at: device_lock include/linux/device.h:1174 [inline]
 #2: 00000000ee96015d (&dev->mutex){....}, at: hub_event+0x12d/0x37e0 drivers/usb/core/hub.c:5387
 #3: 00000000cd48a836 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2983 [inline]
 #3: 00000000cd48a836 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5069 [inline]
 #3: 00000000cd48a836 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 #3: 00000000cd48a836 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5361 [inline]
 #3: 00000000cd48a836 (&port_dev->status_lock){+.+.}, at: hub_event+0xf71/0x37e0 drivers/usb/core/hub.c:5441
 #4: 00000000bace0888 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a5/0x2ac0 drivers/usb/core/hub.c:4578
5 locks held by kworker/0:5/8490:
 #0: 000000004a65ba37 ((wq_completion)"usb_hub_wq"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
 #1: 000000008e620cd7 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
 #2: 00000000a09ecd4f (&dev->mutex){....}, at: device_lock include/linux/device.h:1174 [inline]
 #2: 00000000a09ecd4f (&dev->mutex){....}, at: hub_event+0x12d/0x37e0 drivers/usb/core/hub.c:5387
 #3: 0000000006081bfc (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2983 [inline]
 #3: 0000000006081bfc (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5069 [inline]
 #3: 0000000006081bfc (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 #3: 0000000006081bfc (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5361 [inline]
 #3: 0000000006081bfc (&port_dev->status_lock){+.+.}, at: hub_event+0xf71/0x37e0 drivers/usb/core/hub.c:5441
 #4: 0000000047d35f28 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a5/0x2ac0 drivers/usb/core/hub.c:4578
5 locks held by kworker/1:4/9697:
 #0: 000000004a65ba37 ((wq_completion)"usb_hub_wq"){+.+.}, at: process_one_work+0x6e8/0x15a0 kernel/workqueue.c:2124
 #1: 00000000a8a48711 ((work_completion)(&hub->events)){+.+.}, at: process_one_work+0x71b/0x15a0 kernel/workqueue.c:2128
 #2: 00000000eba72499 (&dev->mutex){....}, at: device_lock include/linux/device.h:1174 [inline]
 #2: 00000000eba72499 (&dev->mutex){....}, at: hub_event+0x12d/0x37e0 drivers/usb/core/hub.c:5387
 #3: 00000000f07aada0 (&port_dev->status_lock){+.+.}, at: usb_lock_port drivers/usb/core/hub.c:2983 [inline]
 #3: 00000000f07aada0 (&port_dev->status_lock){+.+.}, at: hub_port_connect drivers/usb/core/hub.c:5069 [inline]
 #3: 00000000f07aada0 (&port_dev->status_lock){+.+.}, at: hub_port_connect_change drivers/usb/core/hub.c:5253 [inline]
 #3: 00000000f07aada0 (&port_dev->status_lock){+.+.}, at: port_event drivers/usb/core/hub.c:5361 [inline]
 #3: 00000000f07aada0 (&port_dev->status_lock){+.+.}, at: hub_event+0xf71/0x37e0 drivers/usb/core/hub.c:5441
 #4: 0000000000ca4153 (hcd->address0_mutex){+.+.}, at: hub_port_init+0x1a5/0x2ac0 drivers/usb/core/hub.c:4578
2 locks held by syz-executor715/1705:
 #0: 00000000c2434609 (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #0: 00000000c2434609 (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x7d/0x290 net/socket.c:598
 #1: 00000000e6c41420 (sk_lock-AF_CAN){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
 #1: 00000000e6c41420 (sk_lock-AF_CAN){+.+.}, at: bcm_release+0x1d2/0x750 net/can/bcm.c:1558
3 locks held by syz-executor715/1713:
 #0: 0000000078bfa083 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xa7/0xd0 fs/file.c:767
 #1: 00000000dd0ba88a (sb_writers#3){.+.+}, at: file_start_write include/linux/fs.h:2779 [inline]
 #1: 00000000dd0ba88a (sb_writers#3){.+.+}, at: vfs_write+0x378/0x4d0 fs/read_write.c:548
 #2: 0000000098b1478f (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #2: 0000000098b1478f (&sb->s_type->i_mutex_key#10){+.+.}, at: ext4_file_write_iter+0x222/0xe50 fs/ext4/file.c:241
2 locks held by syz-executor715/1706:
 #0: 0000000060b36220 (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #0: 0000000060b36220 (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x7d/0x290 net/socket.c:598
 #1: 00000000e1a30777 (sk_lock-AF_CAN){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
 #1: 00000000e1a30777 (sk_lock-AF_CAN){+.+.}, at: bcm_release+0x1d2/0x750 net/can/bcm.c:1558
3 locks held by syz-executor715/1708:
 #0: 000000007b2a20f2 (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #0: 000000007b2a20f2 (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x7d/0x290 net/socket.c:598
 #1: 0000000041d4e9cb (sk_lock-AF_CAN){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
 #1: 0000000041d4e9cb (sk_lock-AF_CAN){+.+.}, at: bcm_release+0x1d2/0x750 net/can/bcm.c:1558
 #2: 0000000050dee554 (rcu_preempt_state.exp_mutex){+.+.}, at: exp_funnel_lock kernel/rcu/tree_exp.h:329 [inline]
 #2: 0000000050dee554 (rcu_preempt_state.exp_mutex){+.+.}, at: _synchronize_rcu_expedited+0x616/0x8a0 kernel/rcu/tree_exp.h:667
2 locks held by syz-executor715/1717:
 #0: 00000000dd0ba88a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
 #0: 00000000dd0ba88a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360
 #1: 0000000098b1478f (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #1: 0000000098b1478f (&sb->s_type->i_mutex_key#10){+.+.}, at: process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205
3 locks held by syz-executor715/1709:
 #0: 000000007c89067b (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #0: 000000007c89067b (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x7d/0x290 net/socket.c:598
 #1: 000000004746c632 (sk_lock-AF_CAN){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
 #1: 000000004746c632 (sk_lock-AF_CAN){+.+.}, at: bcm_release+0x1d2/0x750 net/can/bcm.c:1558
 #2: 0000000050dee554 (rcu_preempt_state.exp_mutex){+.+.}, at: exp_funnel_lock kernel/rcu/tree_exp.h:297 [inline]
 #2: 0000000050dee554 (rcu_preempt_state.exp_mutex){+.+.}, at: _synchronize_rcu_expedited+0x3a0/0x8a0 kernel/rcu/tree_exp.h:667
2 locks held by syz-executor715/1712:
 #0: 0000000024b1bf9a (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #0: 0000000024b1bf9a (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x7d/0x290 net/socket.c:598
 #1: 000000009166737d (sk_lock-AF_CAN){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
 #1: 000000009166737d (sk_lock-AF_CAN){+.+.}, at: bcm_release+0x1d2/0x750 net/can/bcm.c:1558
2 locks held by syz-executor715/1720:
 #0: 00000000dd0ba88a (sb_writers#3){.+.+}, at: sb_start_write include/linux/fs.h:1579 [inline]
 #0: 00000000dd0ba88a (sb_writers#3){.+.+}, at: mnt_want_write+0x3c/0xa0 fs/namespace.c:360
 #1: 0000000098b1478f (&sb->s_type->i_mutex_key#10){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #1: 0000000098b1478f (&sb->s_type->i_mutex_key#10){+.+.}, at: process_measurement+0x324/0x14a0 security/integrity/ima/ima_main.c:205
2 locks held by syz-executor715/1716:
 #0: 0000000011d685a9 (&sb->s_type->i_mutex_key#13){+.+.}, at: inode_lock include/linux/fs.h:748 [inline]
 #0: 0000000011d685a9 (&sb->s_type->i_mutex_key#13){+.+.}, at: __sock_release+0x7d/0x290 net/socket.c:598
 #1: 0000000059568dfa (sk_lock-AF_CAN){+.+.}, at: lock_sock include/net/sock.h:1510 [inline]
 #1: 0000000059568dfa (sk_lock-AF_CAN){+.+.}, at: bcm_release+0x1d2/0x750 net/can/bcm.c:1558
4 locks held by syz-executor715/1719:
vhci_hcd: connection closed

=============================================

vhci_hcd: connection closed
vhci_hcd: connection closed
NMI backtrace for cpu 0
CPU: 0 PID: 1569 Comm: khungtaskd Not tainted 4.19.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 nmi_cpu_backtrace.cold.0+0x3c/0x78 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0xf6/0x120 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
 check_hung_uninterruptible_tasks kernel/hung_task.c:203 [inline]
 watchdog+0x5c3/0xb40 kernel/hung_task.c:287
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 1747 Comm: syz-executor715 Not tainted 4.19.206-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_release kernel/locking/lockdep.c:3665 [inline]
RIP: 0010:lock_release+0x1f1/0x840 kernel/locking/lockdep.c:3927
Code: b2 9c 08 85 ff 0f 84 f9 01 00 00 49 8d 87 80 08 00 00 48 89 c2 49 89 c6 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 04 02 <84> c0 74 08 3c 03 0f 8e 3e 05 00 00 48 c7 c2 20 97 ad 8b 45 8b af
RSP: 0018:ffff88808db3f5e8 EFLAGS: 00000802
RAX: 0000000000000000 RBX: 1ffff11011b67ec0 RCX: 1ffffd40003ea3ad
RDX: 1ffff11014205d10 RSI: 0000000000000000 RDI: 0000000000000001
RBP: ffff88808db3f688 R08: 0000000000000000 R09: fffff940003ea3ae
R10: fffff940003ea3ae R11: ffffea0001f51d77 R12: ffff888080f32be0
R13: ffff8880a102e000 R14: ffff8880a102e880 R15: ffff8880a102e000
FS:  00007fb323641700(0000) GS:ffff8880ba300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000009d5ad000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __raw_spin_unlock include/linux/spinlock_api_smp.h:150 [inline]
 _raw_spin_unlock+0x1a/0x50 kernel/locking/spinlock.c:176
 spin_unlock include/linux/spinlock.h:369 [inline]
 create_empty_buffers+0x405/0x720 fs/buffer.c:1549
 create_page_buffers+0x199/0x310 fs/buffer.c:1645
 __block_write_begin_int+0x1c7/0x1aa0 fs/buffer.c:1957
 __block_write_begin+0xc/0x10 fs/buffer.c:2028
 ext4_da_write_begin+0x2dc/0xd70 fs/ext4/inode.c:3109
 generic_perform_write+0x22f/0x480 mm/filemap.c:3170
 __generic_file_write_iter+0x205/0x590 mm/filemap.c:3295
 ext4_file_write_iter+0x281/0xe50 fs/ext4/file.c:272
 call_write_iter include/linux/fs.h:1821 [inline]
 new_sync_write fs/read_write.c:474 [inline]
 __vfs_write+0x443/0x890 fs/read_write.c:487
 vfs_write+0x150/0x4d0 fs/read_write.c:549
 ksys_write+0x103/0x260 fs/read_write.c:599
 __do_sys_write fs/read_write.c:611 [inline]
 __se_sys_write fs/read_write.c:608 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:608
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fb323e97919
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 d1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fb323641188 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fb323f214e8 RCX: 00007fb323e97919
RDX: 000000000208e24b RSI: 00000000200000c0 RDI: 0000000000000005
RBP: 00007fb323f214e0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb323f214ec
R13: 00007ffe34a873df R14: 00007fb323641300 R15: 0000000000022000
----------------
Code disassembly (best guess):
   0:	b2 9c                	mov    $0x9c,%dl
   2:	08 85 ff 0f 84 f9    	or     %al,-0x67bf001(%rbp)
   8:	01 00                	add    %eax,(%rax)
   a:	00 49 8d             	add    %cl,-0x73(%rcx)
   d:	87 80 08 00 00 48    	xchg   %eax,0x48000008(%rax)
  13:	89 c2                	mov    %eax,%edx
  15:	49 89 c6             	mov    %rax,%r14
  18:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  1f:	fc ff df
  22:	48 c1 ea 03          	shr    $0x3,%rdx
  26:	0f b6 04 02          	movzbl (%rdx,%rax,1),%eax
* 2a:	84 c0                	test   %al,%al <-- trapping instruction
  2c:	74 08                	je     0x36
  2e:	3c 03                	cmp    $0x3,%al
  30:	0f 8e 3e 05 00 00    	jle    0x574
  36:	48 c7 c2 20 97 ad 8b 	mov    $0xffffffff8bad9720,%rdx
  3d:	45                   	rex.RB
  3e:	8b                   	.byte 0x8b
  3f:	af                   	scas   %es:(%rdi),%eax