From git at danielhodges.dev Fri Feb 6 11:53:56 2026
From: git at danielhodges.dev (Daniel Hodges)
Date: Fri, 6 Feb 2026 14:53:56 -0500
Subject: [PATCH] wifi: libertas: fix use-after-free in lbs_free_adapter()
Message-ID: <20260206195356.15647-1-git@danielhodges.dev>

The lbs_free_adapter() function uses timer_delete() (non-synchronous) for
both command_timer and tx_lockup_timer before the structure is freed. This
is incorrect because timer_delete() does not wait for any running timer
callback to complete. If a timer callback is executing when
lbs_free_adapter() is called, the callback will access freed memory since
lbs_cfg_free() frees the containing structure immediately after
lbs_free_adapter() returns.

Both timer callbacks (lbs_cmd_timeout_handler and lbs_tx_lockup_handler)
access priv->driver_lock, priv->cur_cmd, priv->dev, and other fields, which
would all be use-after-free violations.

Use timer_delete_sync() instead to ensure any running timer callback has
completed before returning.

This bug was introduced in commit 8f641d93c38a ("libertas: detect TX
lockups and reset hardware") where del_timer() was used instead of
del_timer_sync() in the cleanup path. The command_timer has had the same
issue since the driver was first written.

Fixes: 8f641d93c38a ("libertas: detect TX lockups and reset hardware")
Fixes: 954ee164f4f4 ("[PATCH] libertas: reorganize and simplify init sequence")
Cc: stable at vger.kernel.org
Signed-off-by: Daniel Hodges
---
 drivers/net/wireless/marvell/libertas/main.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c
index d44e02c6fe38..dd97f1b61f4d 100644
--- a/drivers/net/wireless/marvell/libertas/main.c
+++ b/drivers/net/wireless/marvell/libertas/main.c
@@ -799,8 +799,8 @@ static void lbs_free_adapter(struct lbs_private *priv) { lbs_free_cmd_buffer(priv); kfifo_free(&priv->event_fifo); - timer_delete(&priv->command_timer); - timer_delete(&priv->tx_lockup_timer); + timer_delete_sync(&priv->command_timer); + timer_delete_sync(&priv->tx_lockup_timer); } static const struct net_device_ops lbs_netdev_ops = { -- 2.52.0 From sashal at kernel.org Sat Feb 14 13:23:39 2026 From: sashal at kernel.org (Sasha Levin) Date: Sat, 14 Feb 2026 16:23:39 -0500 Subject: [PATCH AUTOSEL 6.19-5.10] wifi: libertas: fix WARNING in usb_tx_block In-Reply-To: <20260214212452.782265-1-sashal@kernel.org> References: <20260214212452.782265-1-sashal@kernel.org> Message-ID: <20260214212452.782265-74-sashal@kernel.org> From: Szymon Wilczek [ Upstream commit d66676e6ca96bf8680f869a9bd6573b26c634622 ] The function usb_tx_block() submits cardp->tx_urb without ensuring that any previous transmission on this URB has completed. If a second call occurs while the URB is still active (e.g. during rapid firmware loading), usb_submit_urb() detects the active state and triggers a warning: 'URB submitted while active'. Fix this by enforcing serialization: call usb_kill_urb() before submitting the new request. This ensures the URB is idle and safe to reuse. Reported-by: syzbot+67969ab6a2551c27f71b at syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=67969ab6a2551c27f71b Signed-off-by: Szymon Wilczek Link: https://patch.msgid.link/20251221155806.23925-1-swilczek.lx at gmail.com Signed-off-by: Johannes Berg 
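Review bot: in the lbs_free_adapter() hunk, switching to timer_delete_sync() is only safe if every caller reaches this function in process context without holding priv->driver_lock, because the commit message says both timer handlers take that lock and timer_delete_sync() waits for a running handler; with the lock held, the use-after-free would become a deadlock. The hunk shows neither caller, so the commit message should state that lbs_cfg_free() calls lbs_free_adapter() from process context with driver_lock released. Two smaller points: timer_delete_sync() does not stop a handler that re-arms its own timer from doing so after it returns, and on a free path timer_shutdown_sync() is the variant that both waits and blocks re-arming, if either handler can re-arm; and since the patch is Cc'd to stable, trees that predate timer_delete_sync() need del_timer_sync() in the backport, as the message's own reference to del_timer_sync() suggests.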
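The timer_delete() versus timer_delete_sync() distinction that the lbs_free_adapter() patch above relies on, modelled in user space as an added example (this is not libertas or kernel code): a "timer" is a thread whose callback dereferences the structure that owns it, the non-waiting delete only clears the pending flag, and the synchronous delete also waits for a running callback. The names model_timer, model_timer_delete, model_timer_delete_sync and callback_outlives_delete are this example's own, and the gate flag is a test hook to hold the callback mid-flight deterministically, not something kernel timers have.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of a kernel timer (not libertas or kernel code). */
struct model_timer {
    pthread_mutex_t lock;
    pthread_cond_t cond;
    pthread_t thread;
    bool armed;    /* pending, like a queued timer_list */
    bool running;  /* the callback is executing right now */
    bool gate;     /* test hook: the callback waits here until released */
};
/* The structure that owns the timer and that the cleanup path frees. */
struct owner {
    struct model_timer timer;
    int touched;   /* accesses the callback made to its owner */
};

/* Timer callback: enter, pause at the gate, then touch the owner the way
 * lbs_cmd_timeout_handler() touches priv fields. */
static void *model_callback(void *arg)
{
    struct owner *o = arg;
    struct model_timer *t = &o->timer;
    pthread_mutex_lock(&t->lock);
    t->armed = false;   /* a timer that has fired is no longer pending */
    t->running = true;
    pthread_cond_broadcast(&t->cond);
    while (!t->gate)
        pthread_cond_wait(&t->cond, &t->lock);
    o->touched++;       /* becomes a use-after-free once o has been freed */
    t->running = false;
    pthread_cond_broadcast(&t->cond);
    pthread_mutex_unlock(&t->lock);
    return NULL;
}

/* Arm the timer, let it fire at once, and return only when the callback
 * is inside, so each scenario starts with a callback mid-flight. */
static int model_timer_start(struct owner *o)
{
    struct model_timer *t = &o->timer;
    pthread_mutex_init(&t->lock, NULL);
    pthread_cond_init(&t->cond, NULL);
    t->armed = true;
    if (pthread_create(&t->thread, NULL, model_callback, o) != 0)
        return -1;
    pthread_mutex_lock(&t->lock);
    while (!t->running)
        pthread_cond_wait(&t->cond, &t->lock);
    pthread_mutex_unlock(&t->lock);
    return 0;
}
/* timer_delete() analogue: dequeue and return immediately. */
static void model_timer_delete(struct model_timer *t)
{
    pthread_mutex_lock(&t->lock);
    t->armed = false;
    pthread_mutex_unlock(&t->lock);
}
/* timer_delete_sync() analogue: dequeue, then wait until no callback runs.
 * Like the real one, never call it holding a lock the callback needs. */
static void model_timer_delete_sync(struct model_timer *t)
{
    pthread_mutex_lock(&t->lock);
    t->armed = false;
    while (t->running)
        pthread_cond_wait(&t->cond, &t->lock);
    pthread_mutex_unlock(&t->lock);
}

/* Run the cleanup path with one delete variant; true means the callback was
 * still executing when delete returned, so free(o) right there would have
 * been the use-after-free the commit message describes. */
bool callback_outlives_delete(bool use_sync)
{
    struct owner *o = calloc(1, sizeof(*o));
    if (!o || model_timer_start(o) != 0)
        abort();
    struct model_timer *t = &o->timer;
    if (use_sync) {
        /* Release the gate first, or the sync variant waits forever for
         * the callback this test is deliberately holding. */
        pthread_mutex_lock(&t->lock);
        t->gate = true;
        pthread_cond_broadcast(&t->cond);
        pthread_mutex_unlock(&t->lock);
        model_timer_delete_sync(t);
    } else {
        model_timer_delete(t);
    }
    pthread_mutex_lock(&t->lock);
    bool still_running = t->running;
    t->gate = true;     /* let a held callback finish before freeing */
    pthread_cond_broadcast(&t->cond);
    pthread_mutex_unlock(&t->lock);
    pthread_join(t->thread, NULL);
    free(o);            /* safe only now, in both variants */
    return still_running;
}
```

callback_outlives_delete(false) returns true: the non-waiting delete has returned while the callback is still inside, which is the window in which lbs_cfg_free() frees priv. callback_outlives_delete(true) returns false: the synchronous variant only returns once the callback has finished, so the free that follows cannot race it. The example never frees while the callback runs; the hazard is reported as a value rather than triggered.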
Signed-off-by: Sasha Levin
---

LLM Generated explanations, may be completely bogus:

## Analysis of commit: wifi: libertas: fix WARNING in usb_tx_block

### 1. COMMIT MESSAGE ANALYSIS

The commit message is clear and well-structured:
- **Subject**: Explicitly says "fix WARNING" - this is a bug fix
- **Problem**: `usb_tx_block()` submits `cardp->tx_urb` without ensuring the previous transmission completed. If called rapidly (e.g., during firmware loading), the URB is still active and `usb_submit_urb()` triggers a WARNING: "URB submitted while active"
- **Solution**: Add `usb_kill_urb()` before submitting to ensure the URB is idle
- **Reported-by syzbot**: This is a fuzzer-found, reproducible bug with a concrete trigger

### 2. CODE CHANGE ANALYSIS

The change is minimal - a single line addition:

```c
+ usb_kill_urb(cardp->tx_urb);
```

Added right before `usb_fill_bulk_urb()` and `usb_submit_urb()`. This ensures the URB is in an idle state before being reused.

- `usb_kill_urb()` is the standard kernel API for cancelling a pending URB and waiting for its completion. It is safe to call on an already-idle URB (it's a no-op in that case).
- The fix is placed after the `surprise_removed` check but before the URB fill/submit, which is the correct location.

### 3. BUG CLASSIFICATION

This is a **race condition / incorrect URB lifecycle management** bug. The URB can be submitted while still active from a previous call, which:
- Triggers a kernel WARNING (stack trace in dmesg)
- Could potentially lead to undefined behavior in the USB subsystem if the URB state is corrupted
- Is a real correctness issue, not just a cosmetic warning

### 4. SYZBOT INDICATOR

The bug was found by syzbot, which means:
- It is **reproducible** with a concrete trigger
- It is **reachable from userspace** (syzbot exercises syscall paths)
- The syzkaller link confirms this is a documented, verified bug

### 5. SCOPE AND RISK ASSESSMENT

- **Lines changed**: 2 (one blank line + one `usb_kill_urb()` call)
- **Files changed**: 1 (`drivers/net/wireless/marvell/libertas/if_usb.c`)
- **Risk**: Very low. `usb_kill_urb()` is a well-understood, safe API. Calling it on an idle URB is a no-op. The only effect is ensuring serialization of URB submissions.
- **Regression potential**: Minimal. The worst case is a slight performance overhead from the synchronous kill call, but this is in a firmware loading path, not a hot data path.

### 6. STABLE CRITERIA CHECK

| Criterion | Met? |
|-----------|------|
| Obviously correct and tested | Yes - standard pattern, syzbot-verified |
| Fixes a real bug | Yes - WARNING + potential URB corruption |
| Fixes an important issue | Yes - kernel WARNING, USB subsystem correctness |
| Small and contained | Yes - 1 line in 1 file |
| No new features | Correct - pure bug fix |
| Applies cleanly | Very likely - minimal context dependencies |

### 7. USER IMPACT

The libertas driver is used with Marvell wireless USB adapters. While not the most commonly used driver, users with this hardware would experience:
- Kernel WARNING messages in dmesg during firmware loading
- Potential instability in the USB subsystem
- The bug is triggered during rapid firmware loading, which is a normal operation

### 8. DEPENDENCY CHECK

This is a standalone fix with no dependencies on other commits. The `usb_kill_urb()` API has been available for many kernel versions. The function `usb_tx_block()` and the `if_usb_card` structure with `tx_urb` have been stable for a long time.

### CONCLUSION

This is a textbook stable backport candidate:
- Syzbot-reported, reproducible bug
- Tiny, surgical fix (1 line)
- Uses well-established kernel API (`usb_kill_urb`)
- Fixes a real correctness issue (URB submitted while active)
- Zero risk of regression
- No dependencies on other commits

**YES**

 drivers/net/wireless/marvell/libertas/if_usb.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c index b3c4040257a67..924ab93b7b671 100644 --- a/drivers/net/wireless/marvell/libertas/if_usb.c +++ b/drivers/net/wireless/marvell/libertas/if_usb.c @@ -426,6 +426,8 @@ static int usb_tx_block(struct if_usb_card *cardp, uint8_t *payload, uint16_t nb goto tx_ret; } + usb_kill_urb(cardp->tx_urb); + usb_fill_bulk_urb(cardp->tx_urb, cardp->udev, usb_sndbulkpipe(cardp->udev, cardp->ep_out), -- 2.51.0 From syzbot+74afbb6355826ffc2239 at syzkaller.appspotmail.com Tue Feb 24 10:56:23 2026 
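Review bot: in the usb_tx_block() hunk, usb_kill_urb() blocks until the URB's completion handler has run, so it may only be called from a context that can sleep, and the hunk does not show that every caller of usb_tx_block() qualifies. The firmware-download path does not: if_usb_receive_fwload() is itself a completion handler, and it calls if_usb_send_fw_pkt(), which calls usb_tx_block(), so the new usb_kill_urb() runs in softirq context with interrupts disabled. That is exactly the failure in the syzbot report further down this page ("BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:706", with usb_kill_urb() under usb_tx_block() at if_usb.c:429 under if_usb_receive_fwload() under __usb_hcd_giveback_urb()), so the fix replaces a WARNING on rapid resubmission with a BUG on every firmware load. The AUTOSEL analysis above rates the regression risk as zero because it checks the API's idempotence but not the caller's context. A safer shape is to cancel asynchronously with usb_unlink_urb() and resubmit from the completion path, or to track the tx_urb state so a busy URB is never resubmitted, rather than sleeping inline.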
From: syzbot+74afbb6355826ffc2239 at syzkaller.appspotmail.com (syzbot)
Date: Tue, 24 Feb 2026 10:56:23 -0800
Subject: [syzbot] [usb?] BUG: sleeping function called from invalid context in usb_tx_block
Message-ID: <699df457.050a0220.131eeb.0009.GAE@google.com>

Hello,

syzbot found the following issue on:

HEAD commit:    8bf22c33e7a1 Merge tag 'net-7.0-rc1' of git://git.kernel.o..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=127b9722580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=1ff39736314a9939
dashboard link: https://syzkaller.appspot.com/bug?extid=74afbb6355826ffc2239
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1561fffa580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1031795a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/0e19c10e1a0e/disk-8bf22c33.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/8f3209ea7fd5/vmlinux-8bf22c33.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9be7f93d0a22/bzImage-8bf22c33.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+74afbb6355826ffc2239 at syzkaller.appspotmail.com

usb8xxx: URB in failure status: -2
BUG: sleeping function called from invalid context at drivers/usb/core/urb.c:706
in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1
preempt_count: 101, expected: 0
RCU nest depth: 0, expected: 0
no locks held by swapper/1/0.
irq event stamp: 328389
hardirqs last enabled at (328388): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (328388): [] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (328389): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (328389): [] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (328372): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (328372): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (328372): [] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (328385): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (328385): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (328385): [] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 __might_resched.cold+0x1ec/0x232 kernel/sched/core.c:8884
 usb_kill_urb+0x8e/0x320 drivers/usb/core/urb.c:706
 usb_tx_block+0x91/0x320 drivers/net/wireless/marvell/libertas/if_usb.c:429
 if_usb_send_fw_pkt.isra.0+0x2e4/0x550 drivers/net/wireless/marvell/libertas/if_usb.c:366
 if_usb_receive_fwload+0x5d3/0x780 drivers/net/wireless/marvell/libertas/if_usb.c:592
 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657
 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741
 dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1785 [inline]
 __hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866
 handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline]
 sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: be b1 01 e9 13 e8 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 f1 1d 00 fb f4 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffc9000013fe00 EFLAGS: 00000242
RAX: 00000000000502bf RBX: ffff8881022a1d00 RCX: ffffffff876888d5
RDX: 0000000000000000 RSI: ffffffff8901d71b RDI: ffffffff87afa420
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed103eae6725
R10: ffff8881f573392b R11: 0000000000000000 R12: ffffed10204543a0
R13: 0000000000000001 R14: ffffffff8aefe2d0 R15: 0000000000000000
 arch_safe_halt arch/x86/include/asm/paravirt.h:73 [inline]
 default_idle+0x9/0x10 arch/x86/kernel/process.c:767
 default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x35b/0x4b0 kernel/sched/idle.c:332
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
 start_secondary+0x21d/0x2d0 arch/x86/kernel/smpboot.c:312
 common_startup_64+0x13e/0x148
BUG: scheduling while atomic: swapper/1/0/0x00000102
no locks held by swapper/1/0.
Modules linked in:
irq event stamp: 328389
hardirqs last enabled at (328388): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline]
hardirqs last enabled at (328388): [] _raw_spin_unlock_irqrestore+0x52/0x80 kernel/locking/spinlock.c:194
hardirqs last disabled at (328389): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:130 [inline]
hardirqs last disabled at (328389): [] _raw_spin_lock_irqsave+0x52/0x60 kernel/locking/spinlock.c:162
softirqs last enabled at (328372): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last enabled at (328372): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (328372): [] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
softirqs last disabled at (328385): [] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (328385): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (328385): [] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723
Preemption disabled at:
[<0000000000000000>] 0x0
----------------
Code disassembly (best guess):
   0:   be b1 01 e9 13          mov    $0x13e901b1,%esi
   5:   e8 02 00 0f 1f          call   0x1f0f000c
   a:   00 90 90 90 90 90       add    %dl,-0x6f6f6f70(%rax)
  10:   90                      nop
  11:   90                      nop
  12:   90                      nop
  13:   90                      nop
  14:   90                      nop
  15:   90                      nop
  16:   90                      nop
  17:   90                      nop
  18:   90                      nop
  19:   90                      nop
  1a:   90                      nop
  1b:   f3 0f 1e fa             endbr64
  1f:   66 90                   xchg   %ax,%ax
  21:   0f 00 2d d3 f1 1d 00    verw   0x1df1d3(%rip)        # 0x1df1fb
  28:   fb                      sti
  29:   f4                      hlt
* 2a:   c3                      ret             <-- trapping instruction
  2b:   cc                      int3
  2c:   cc                      int3
  2d:   cc                      int3
  2e:   cc                      int3
  2f:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  36:   00 00 00
  39:   66 90                   xchg   %ax,%ax
  3b:   90                      nop
  3c:   90                      nop
  3d:   90                      nop
  3e:   90                      nop
  3f:   90                      nop

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller at googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

From syzbot+c99d17aa44dbdba16ad2 at syzkaller.appspotmail.com Fri Feb 27 03:22:26 2026
From: syzbot+c99d17aa44dbdba16ad2 at syzkaller.appspotmail.com (syzbot)
Date: Fri, 27 Feb 2026 03:22:26 -0800
Subject: [syzbot] [libertas?] INFO: task hung in lbs_remove_card
In-Reply-To: <689daf88.050a0220.2d37a5.0001.GAE@google.com>
Message-ID: <69a17e72.050a0220.305b49.00de.GAE@google.com>

syzbot has found a reproducer for the following issue on:

HEAD commit:    bb375c251ab4 dt-bindings: usb: st,st-ohci-300x: convert to..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing
console output: https://syzkaller.appspot.com/x/log.txt?x=1141755a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f1500201919951cc
dashboard link: https://syzkaller.appspot.com/bug?extid=c99d17aa44dbdba16ad2
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1191555a580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=114a15c6580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/2475c3172471/disk-bb375c25.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/30449aa672dd/vmlinux-bb375c25.xz
kernel image: https://storage.googleapis.com/syzbot-assets/46d3937d1c16/bzImage-bb375c25.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c99d17aa44dbdba16ad2 at syzkaller.appspotmail.com

INFO: task kworker/0:1:10 blocked for more than 143 seconds.
      Not tainted syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/0:1     state:D stack:26840 pid:10    tgid:10    ppid:2      task_flags:0x4288060 flags:0x00080000
Workqueue: usb_hub_wq hub_event
Call Trace:
 context_switch kernel/sched/core.c:5295 [inline]
 __schedule+0xeb1/0x41f0 kernel/sched/core.c:6907
 __schedule_loop kernel/sched/core.c:6989 [inline]
 schedule+0xdd/0x390 kernel/sched/core.c:7004
 lbs_wait_for_firmware_load+0x11e/0x1e0 drivers/net/wireless/marvell/libertas/firmware.c:116
 lbs_remove_card+0x84/0x390 drivers/net/wireless/marvell/libertas/main.c:913
 if_usb_disconnect+0xaf/0x2e0 drivers/net/wireless/marvell/libertas/if_usb.c:316
 usb_unbind_interface+0x1dd/0x9e0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:573 [inline]
 device_remove+0x12a/0x180 drivers/base/dd.c:565
 __device_release_driver drivers/base/dd.c:1284 [inline]
 device_release_driver_internal+0x42e/0x600 drivers/base/dd.c:1307
 bus_remove_device+0x22f/0x440 drivers/base/bus.c:616
 device_del+0x376/0x9b0 drivers/base/core.c:3878
 usb_disable_device+0x367/0x810 drivers/usb/core/message.c:1418
 usb_disconnect+0x2e2/0x9a0 drivers/usb/core/hub.c:2345
 hub_port_connect drivers/usb/core/hub.c:5407 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x1d0c/0x4af0 drivers/usb/core/hub.c:5953
 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275
 process_scheduled_works kernel/workqueue.c:3358 [inline]
 worker_thread+0x5da/0xe40 kernel/workqueue.c:3439
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Showing all locks held in the system:
5 locks held by kworker/0:1/10:
 #0: ffff8881056afd48 ((wq_completion)usb_hub_wq){+.+.}-{0:0}, at: process_one_work+0x1287/0x1920 kernel/workqueue.c:3250
 #1: ffffc900000afd18 ((work_completion)(&hub->events)){+.+.}-{0:0}, at: process_one_work+0x93c/0x1920 kernel/workqueue.c:3251
 #2: ffff88810b795198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
 #2: ffff88810b795198 (&dev->mutex){....}-{4:4}, at: hub_event+0x1bd/0x4af0 drivers/usb/core/hub.c:5899
 #3: ffff88811c2c3198 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
 #3: ffff88811c2c3198 (&dev->mutex){....}-{4:4}, at: usb_disconnect+0x10a/0x9a0 drivers/usb/core/hub.c:2336
 #4: ffff88811bcbf160 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:895 [inline]
 #4: ffff88811bcbf160 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1106 [inline]
 #4: ffff88811bcbf160 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xaa/0x600 drivers/base/dd.c:1304
2 locks held by kworker/1:0/23:
 #0: ffff88810006b548 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1287/0x1920 kernel/workqueue.c:3250
 #1: ffffc9000018fd18 ((work_completion)(&fw_work->work)){+.+.}-{0:0}, at: process_one_work+0x93c/0x1920 kernel/workqueue.c:3251
1 lock held by khungtaskd/30:
 #0: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #0: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #0: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775
2 locks held by getty/2917:
 #0: ffff888115dd90a0 (&tty->ldisc_sem){++++}-{0:0}, at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243
 #1: ffffc900000432f0 (&ldata->atomic_read_lock){+.+.}-{4:4}, at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211

=============================================

NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120
 nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113
 nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62
 trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline]
 __sys_info lib/sys_info.c:157 [inline]
 sys_info+0x141/0x190 lib/sys_info.c:165
 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline]
 watchdog+0xd25/0x1050 kernel/hung_task.c:515
 kthread+0x370/0x450 kernel/kthread.c:467
 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:63
Code: ae b1 01 e9 13 e8 02 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 e1 1d 00 fb f4 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffc9000013fe00 EFLAGS: 00000242
RAX: 000000000007f00b RBX: ffff8881022a1d00 RCX: ffffffff876898d5
RDX: 0000000000000000 RSI: ffffffff8901db96 RDI: ffffffff87afa420
RBP: 0000000000000001 R08: 0000000000000001 R09: ffffed103eae6725
R10: ffff8881f573392b R11: 0000000000000000 R12: ffffed10204543a0
R13: 0000000000000001 R14: ffffffff8aefe2d0 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8882687d3000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f983bef5900 CR3: 0000000116d22000 CR4: 00000000003506f0
Call Trace:
 arch_safe_halt arch/x86/include/asm/paravirt.h:73 [inline]
 default_idle+0x9/0x10 arch/x86/kernel/process.c:767
 default_idle_call+0x6c/0xb0 kernel/sched/idle.c:122
 cpuidle_idle_call kernel/sched/idle.c:191 [inline]
 do_idle+0x35b/0x4b0 kernel/sched/idle.c:332
 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:430
 start_secondary+0x21d/0x2d0 arch/x86/kernel/smpboot.c:312
 common_startup_64+0x13e/0x148

---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.