bisecting fixing commit since d635a69dd4981cc51f90293f5f64268620ed1565 building syzkaller on f213e07ead587b07a84e60c356520bce7277166c testing commit d635a69dd4981cc51f90293f5f64268620ed1565 with gcc (GCC) 10.2.1 20210217 kernel signature: df4e209f660f8729d997698cc0ea7550877bea1c0e6bee49f9e3a81483166703 run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #7: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #8: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #9: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #10: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #11: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #12: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #13: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #14: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #15: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #16: crashed: INFO: task hung in usb_get_descriptor run #17: crashed: INFO: task hung in usb_get_descriptor run #18: crashed: INFO: task hung in usb_get_descriptor run #19: crashed: INFO: task hung in usb_get_descriptor testing current HEAD fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8 testing commit fe07bfda2fb9cdef8a4d4008a409bb02f35f1bd8 with gcc (GCC) 10.2.1 20210217 kernel signature: 7223de54153a406d64430953d9c30c7b90cebdeba042e93198dbb09b6e0aca3f run #0: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #1: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #2: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #3: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #4: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #5: crashed: KASAN: null-ptr-deref Write in vhci_shutdown_connection run #6: crashed: INFO: task hung in usb_get_descriptor run #7: crashed: INFO: task hung in usb_get_descriptor run #8: crashed: INFO: task hung in usb_get_descriptor run #9: crashed: INFO: task hung in usb_get_descriptor revisions tested: 2, total time: 25m22.253895358s (build: 12m7.745222483s, test: 12m35.251712428s) the crash still happens on HEAD commit msg: Linux 5.12-rc1 crash: INFO: task hung in usb_get_descriptor INFO: task kworker/0:0:5 blocked for more than 143 seconds. Not tainted 5.12.0-rc1-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:0 state:D stack:27504 pid: 5 ppid: 2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: context_switch kernel/sched/core.c:4324 [inline] __schedule+0x8b8/0x2180 kernel/sched/core.c:5075 schedule+0xcf/0x270 kernel/sched/core.c:5154 usb_kill_urb.part.0+0x176/0x1e0 drivers/usb/core/urb.c:711 usb_start_wait_urb+0x1f7/0x460 drivers/usb/core/message.c:64 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x306/0x460 drivers/usb/core/message.c:153 usb_get_descriptor+0xb5/0x140 drivers/usb/core/message.c:790 usb_get_device_descriptor+0x5e/0xb0 drivers/usb/core/message.c:1065 hub_port_init+0x86a/0x27a0 drivers/usb/core/hub.c:4799 hub_port_connect drivers/usb/core/hub.c:5155 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xf44/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task kworker/0:2:2965 blocked for more than 143 seconds. Not tainted 5.12.0-rc1-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:2 state:D stack:26256 pid: 2965 ppid: 2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: context_switch kernel/sched/core.c:4324 [inline] __schedule+0x8b8/0x2180 kernel/sched/core.c:5075 schedule+0xcf/0x270 kernel/sched/core.c:5154 usb_kill_urb.part.0+0x176/0x1e0 drivers/usb/core/urb.c:711 usb_start_wait_urb+0x1f7/0x460 drivers/usb/core/message.c:64 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x306/0x460 drivers/usb/core/message.c:153 usb_get_descriptor+0xb5/0x140 drivers/usb/core/message.c:790 usb_get_device_descriptor+0x5e/0xb0 drivers/usb/core/message.c:1065 hub_port_init+0x86a/0x27a0 drivers/usb/core/hub.c:4799 hub_port_connect drivers/usb/core/hub.c:5155 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xf44/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task kworker/0:4:8633 blocked for more than 144 seconds. Not tainted 5.12.0-rc1-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:4 state:D stack:26344 pid: 8633 ppid: 2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: context_switch kernel/sched/core.c:4324 [inline] __schedule+0x8b8/0x2180 kernel/sched/core.c:5075 schedule+0xcf/0x270 kernel/sched/core.c:5154 usb_kill_urb.part.0+0x176/0x1e0 drivers/usb/core/urb.c:711 usb_start_wait_urb+0x1f7/0x460 drivers/usb/core/message.c:64 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x306/0x460 drivers/usb/core/message.c:153 usb_get_descriptor+0xb5/0x140 drivers/usb/core/message.c:790 usb_get_device_descriptor+0x5e/0xb0 drivers/usb/core/message.c:1065 hub_port_init+0x86a/0x27a0 drivers/usb/core/hub.c:4799 hub_port_connect drivers/usb/core/hub.c:5155 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xf44/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task kworker/1:6:10062 blocked for more than 144 seconds. Not tainted 5.12.0-rc1-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/1:6 state:D stack:27800 pid:10062 ppid: 2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: context_switch kernel/sched/core.c:4324 [inline] __schedule+0x8b8/0x2180 kernel/sched/core.c:5075 schedule+0xcf/0x270 kernel/sched/core.c:5154 usb_kill_urb.part.0+0x176/0x1e0 drivers/usb/core/urb.c:711 usb_start_wait_urb+0x1f7/0x460 drivers/usb/core/message.c:64 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x306/0x460 drivers/usb/core/message.c:153 usb_get_descriptor+0xb5/0x140 drivers/usb/core/message.c:790 usb_get_device_descriptor+0x5e/0xb0 drivers/usb/core/message.c:1065 hub_port_init+0x86a/0x27a0 drivers/usb/core/hub.c:4799 hub_port_connect drivers/usb/core/hub.c:5155 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xf44/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task kworker/0:7:10184 blocked for more than 144 seconds. Not tainted 5.12.0-rc1-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:7 state:D stack:25800 pid:10184 ppid: 2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: context_switch kernel/sched/core.c:4324 [inline] __schedule+0x8b8/0x2180 kernel/sched/core.c:5075 schedule+0xcf/0x270 kernel/sched/core.c:5154 usb_kill_urb.part.0+0x176/0x1e0 drivers/usb/core/urb.c:711 usb_start_wait_urb+0x1f7/0x460 drivers/usb/core/message.c:64 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x306/0x460 drivers/usb/core/message.c:153 usb_get_descriptor+0xb5/0x140 drivers/usb/core/message.c:790 usb_get_device_descriptor+0x5e/0xb0 drivers/usb/core/message.c:1065 hub_port_init+0x86a/0x27a0 drivers/usb/core/hub.c:4799 hub_port_connect drivers/usb/core/hub.c:5155 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xf44/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 INFO: task kworker/0:8:10189 blocked for more than 145 seconds. Not tainted 5.12.0-rc1-syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:8 state:D stack:27496 pid:10189 ppid: 2 flags:0x00004000 Workqueue: usb_hub_wq hub_event Call Trace: context_switch kernel/sched/core.c:4324 [inline] __schedule+0x8b8/0x2180 kernel/sched/core.c:5075 schedule+0xcf/0x270 kernel/sched/core.c:5154 usb_kill_urb.part.0+0x176/0x1e0 drivers/usb/core/urb.c:711 usb_start_wait_urb+0x1f7/0x460 drivers/usb/core/message.c:64 usb_internal_control_msg drivers/usb/core/message.c:102 [inline] usb_control_msg+0x306/0x460 drivers/usb/core/message.c:153 usb_get_descriptor+0xb5/0x140 drivers/usb/core/message.c:790 usb_get_device_descriptor+0x5e/0xb0 drivers/usb/core/message.c:1065 hub_port_init+0x86a/0x27a0 drivers/usb/core/hub.c:4799 hub_port_connect drivers/usb/core/hub.c:5155 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xf44/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13d0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Showing all locks held in the system: 5 locks held by kworker/0:0/5: #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x771/0x13d0 kernel/workqueue.c:2246 #1: ffffc90000ca7db0 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x79e/0x13d0 kernel/workqueue.c:2250 #2: ffff88801b7c7218 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:740 [inline] #2: ffff88801b7c7218 (&dev->mutex){....}-{3:3}, at: hub_event+0x127/0x36b0 drivers/usb/core/hub.c:5537 #3: ffff88801b7fc578 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3030 [inline] #3: ffff88801b7fc578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5154 [inline] #3: ffff88801b7fc578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] #3: ffff88801b7fc578 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5509 [inline] #3: ffff88801b7fc578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0xf2f/0x36b0 drivers/usb/core/hub.c:5591 #4: ffff88801b4e7068 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_init+0x191/0x27a0 drivers/usb/core/hub.c:4582 2 locks held by kworker/u4:3/162: 2 locks held by kworker/u4:6/881: 1 lock held by khungtaskd/1641: #0: ffffffff8a98b440 (rcu_read_lock){....}-{1:2}, at: debug_show_all_locks+0x53/0x28c kernel/locking/lockdep.c:6327 5 locks held by kworker/0:2/2965: #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x771/0x13d0 kernel/workqueue.c:2246 #1: ffffc9000225fdb0 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x79e/0x13d0 kernel/workqueue.c:2250 #2: ffff88801b683218 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:740 [inline] #2: ffff88801b683218 (&dev->mutex){....}-{3:3}, at: hub_event+0x127/0x36b0 drivers/usb/core/hub.c:5537 #3: ffff88801b6b8578 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3030 [inline] #3: ffff88801b6b8578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5154 [inline] #3: ffff88801b6b8578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] #3: ffff88801b6b8578 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5509 [inline] #3: ffff88801b6b8578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0xf2f/0x36b0 drivers/usb/core/hub.c:5591 #4: ffff88801b52d768 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_init+0x191/0x27a0 drivers/usb/core/hub.c:4582 2 locks held by kworker/0:3/3156: #0: ffff88800f466538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff88800f466538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: ffff88800f466538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: ffff88800f466538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: ffff88800f466538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff88800f466538 ((wq_completion)rcu_gp){+.+.}-{0:0}, at: process_one_work+0x771/0x13d0 kernel/workqueue.c:2246 #1: ffffc90002d17db0 ((work_completion)(&rew.rew_work)){+.+.}-{0:0}, at: process_one_work+0x79e/0x13d0 kernel/workqueue.c:2250 1 lock held by in:imklog/8125: #0: ffff88801d016ff0 ( &f->f_pos_lock ){+.+.}-{3:3}, at: __fdget_pos+0x9c/0xb0 fs/file.c:961 5 locks held by kworker/0:4/8633: #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x771/0x13d0 kernel/workqueue.c:2246 #1: ffffc9000242fdb0 ((work_completion)(&hub->events)){+.+.}-{0:0} , at: process_one_work+0x79e/0x13d0 kernel/workqueue.c:2250 #2: ffff888144615218 ( &dev->mutex ){....}-{3:3} , at: device_lock include/linux/device.h:740 [inline] , at: hub_event+0x127/0x36b0 drivers/usb/core/hub.c:5537 #3: ffff888144660578 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3030 [inline] ffff888144660578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5154 [inline] ffff888144660578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] ffff888144660578 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5509 [inline] ffff888144660578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0xf2f/0x36b0 drivers/usb/core/hub.c:5591 #4: ffff888016d2cc68 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_init+0x191/0x27a0 drivers/usb/core/hub.c:4582 1 lock held by syz-executor.0/8784: #0: ffff8881470e0308 (&xt[i].mutex){+.+.}-{3:3}, at: xt_find_table_lock+0x3a/0x480 net/netfilter/x_tables.c:1206 2 locks held by syz-executor.3/8791: #0: ffff8881470e0308 (&xt[i].mutex){+.+.}-{3:3}, at: xt_find_table_lock+0x3a/0x480 net/netfilter/x_tables.c:1206 #1: ffffffff8a995c68 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:290 [inline] #1: ffffffff8a995c68 (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x507/0x630 kernel/rcu/tree_exp.h:836 1 lock held by syz-executor.5/8792: #0: ffff8881470e0308 (&xt[i].mutex){+.+.}-{3:3}, at: xt_find_table_lock+0x3a/0x480 net/netfilter/x_tables.c:1206 5 locks held by kworker/1:6/10062: #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x771/0x13d0 kernel/workqueue.c:2246 #1: ffffc9000a897db0 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x79e/0x13d0 kernel/workqueue.c:2250 #2: ffff8881445f1218 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:740 [inline] #2: ffff8881445f1218 (&dev->mutex){....}-{3:3}, at: hub_event+0x127/0x36b0 drivers/usb/core/hub.c:5537 #3: ffff8881445f6578 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3030 [inline] #3: ffff8881445f6578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5154 [inline] #3: ffff8881445f6578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] #3: ffff8881445f6578 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5509 [inline] #3: ffff8881445f6578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0xf2f/0x36b0 drivers/usb/core/hub.c:5591 #4: ffff88801accda68 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_init+0x191/0x27a0 drivers/usb/core/hub.c:4582 5 locks held by kworker/0:7/10184: #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x771/0x13d0 kernel/workqueue.c:2246 #1: ffffc9000af87db0 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x79e/0x13d0 kernel/workqueue.c:2250 #2: ffff8881445a3218 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:740 [inline] #2: ffff8881445a3218 (&dev->mutex){....}-{3:3}, at: hub_event+0x127/0x36b0 drivers/usb/core/hub.c:5537 #3: ffff8881445c0578 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3030 [inline] #3: ffff8881445c0578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5154 [inline] #3: ffff8881445c0578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] #3: ffff8881445c0578 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5509 [inline] #3: ffff8881445c0578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0xf2f/0x36b0 drivers/usb/core/hub.c:5591 #4: ffff88801b509e68 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_init+0x191/0x27a0 drivers/usb/core/hub.c:4582 5 locks held by kworker/0:8/10189: #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:616 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:643 [inline] #0: ffff8881417af938 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x771/0x13d0 kernel/workqueue.c:2246 #1: ffffc9000ad17db0 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x79e/0x13d0 kernel/workqueue.c:2250 #2: ffff888144517218 (&dev->mutex){....}-{3:3}, at: device_lock include/linux/device.h:740 [inline] #2: ffff888144517218 (&dev->mutex){....}-{3:3}, at: hub_event+0x127/0x36b0 drivers/usb/core/hub.c:5537 #3: ffff88801b724578 (&port_dev->status_lock){+.+.}-{3:3}, at: usb_lock_port drivers/usb/core/hub.c:3030 [inline] #3: ffff88801b724578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect drivers/usb/core/hub.c:5154 [inline] #3: ffff88801b724578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] #3: ffff88801b724578 (&port_dev->status_lock){+.+.}-{3:3}, at: port_event drivers/usb/core/hub.c:5509 [inline] #3: ffff88801b724578 (&port_dev->status_lock){+.+.}-{3:3}, at: hub_event+0xf2f/0x36b0 drivers/usb/core/hub.c:5591 #4: ffff88801b5c9468 (hcd->address0_mutex){+.+.}-{3:3}, at: hub_port_init+0x191/0x27a0 drivers/usb/core/hub.c:4582 ============================================= NMI backtrace for cpu 1 CPU: 1 PID: 1641 Comm: khungtaskd Not tainted 5.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x93/0xc2 lib/dump_stack.c:120 nmi_cpu_backtrace.cold+0x2d/0xac lib/nmi_backtrace.c:105 nmi_trigger_cpumask_backtrace+0x11f/0x170 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:209 [inline] watchdog+0x9cf/0xc00 kernel/hung_task.c:294 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Sending NMI from CPU 1 to CPUs 0: NMI backtrace for cpu 0 skipped: idling at native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] NMI backtrace for cpu 0 skipped: idling at arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] NMI backtrace for cpu 0 skipped: idling at acpi_safe_halt drivers/acpi/processor_idle.c:110 [inline] NMI backtrace for cpu 0 skipped: idling at acpi_idle_do_entry+0x161/0x1c0 drivers/acpi/processor_idle.c:516