| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <6988edcb.050a0220.3b3015.005e.GAE@google.com>
Date: Sun, 08 Feb 2026 12:10:51 -0800
From: syzbot <syzbot+25ba18e2c5040447585d@...kaller.appspotmail.com>
To: stern@...land.harvard.edu
Cc: greearb@...delatech.com, hdanton@...a.com, linux-kernel@...r.kernel.org,
linux-usb@...r.kernel.org, michal.pecio@...il.com, oneukum@...e.com,
stern@...land.harvard.edu, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [usb?] INFO: task hung in usb_bulk_msg (2)
> On Sun, Feb 08, 2026 at 07:50:03AM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> INFO: task hung in usb_bulk_msg
>>
>> INFO: task syz.3.17:4981 blocked for more than 143 seconds.
>> Not tainted syzkaller #0
>> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
>> task:syz.3.17 state:D stack:26904 pid:4981 tgid:4980 ppid:4531 task_flags:0x400040 flags:0x00080002
>> Call Trace:
>> <TASK>
>> context_switch kernel/sched/core.c:5260 [inline]
>> __schedule+0xeb0/0x3e50 kernel/sched/core.c:6867
>> __schedule_loop kernel/sched/core.c:6949 [inline]
>> schedule+0xdd/0x390 kernel/sched/core.c:6964
>> schedule_timeout+0x127/0x280 kernel/time/sleep_timeout.c:99
>> do_wait_for_common kernel/sched/completion.c:100 [inline]
>> __wait_for_common+0x2e7/0x4c0 kernel/sched/completion.c:121
>> usb_start_wait_urb+0x147/0x4c0 drivers/usb/core/message.c:64
>> usb_bulk_msg+0x22b/0x580 drivers/usb/core/message.c:388
>> send_request_dev_dep_msg_in drivers/usb/class/usbtmc.c:1350 [inline]
>> usbtmc_read.cold+0x48d/0xfe7 drivers/usb/class/usbtmc.c:1408
>
> Unfortunately the log didn't contain any new useful information. Let's
> try looking farther back.
>
> Alan Stern
>
> #syz test: #https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git da87d45b1951
"#https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git" does not look like a valid git repo address.
>
> Index: usb-devel/drivers/usb/class/usbtmc.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/class/usbtmc.c
> +++ usb-devel/drivers/usb/class/usbtmc.c
> @@ -1362,7 +1362,6 @@ static int send_request_dev_dep_msg_in(s
> data->bTag++;
>
> kfree(buffer);
> - if (retval < 0)
> dev_err(&data->intf->dev, "%s returned %d\n",
> __func__, retval);
>
> @@ -1404,7 +1403,7 @@ static ssize_t usbtmc_read(struct file *
> if (count > INT_MAX)
> count = INT_MAX;
>
> - dev_dbg(dev, "%s(count:%zu)\n", __func__, count);
> + dev_info(dev, "%s(count:%zu)\n", __func__, count);
>
> retval = send_request_dev_dep_msg_in(file_data, count);
>
> @@ -1425,7 +1424,7 @@ static ssize_t usbtmc_read(struct file *
> buffer, bufsize, &actual,
> file_data->timeout);
>
> - dev_dbg(dev, "%s: bulk_msg retval(%u), actual(%d)\n",
> + dev_info(dev, "%s: bulk_msg retval(%u), actual(%d)\n",
> __func__, retval, actual);
>
> /* Store bTag (in case we need to abort) */
> @@ -1470,7 +1469,7 @@ static ssize_t usbtmc_read(struct file *
>
> file_data->bmTransferAttributes = buffer[8];
>
> - dev_dbg(dev, "Bulk-IN header: N_characters(%u), bTransAttr(%u)\n",
> + dev_info(dev, "Bulk-IN header: N_characters(%u), bTransAttr(%u)\n",
> n_characters, buffer[8]);
>
> if (n_characters > remaining) {
> Index: usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/gadget/udc/dummy_hcd.c
> +++ usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
> @@ -762,8 +762,13 @@ static int dummy_dequeue(struct usb_ep *
> ep = usb_ep_to_dummy_ep(_ep);
> dum = ep_to_dummy(ep);
>
> - if (!dum->driver)
> + if (!dum->driver) {
> + dev_info(udc_dev(dum), "Got dequeue, no driver\n");
> return -ESHUTDOWN;
> + }
> + dev_info(udc_dev(dum),
> + "dequeuing req %p from %s, len %d buf %p\n",
> + req, _ep->name, _req->length, _req->buf);
>
> spin_lock_irqsave(&dum->lock, flags);
> list_for_each_entry(iter, &ep->queue, queue) {
> @@ -777,12 +782,14 @@ static int dummy_dequeue(struct usb_ep *
> }
>
> if (retval == 0) {
> - dev_dbg(udc_dev(dum),
> + dev_info(udc_dev(dum),
> "dequeued req %p from %s, len %d buf %p\n",
> req, _ep->name, _req->length, _req->buf);
> spin_unlock(&dum->lock);
> usb_gadget_giveback_request(_ep, _req);
> spin_lock(&dum->lock);
> + } else {
> + dev_info(udc_dev(dum), "request not found\n");
> }
> spin_unlock_irqrestore(&dum->lock, flags);
> return retval;
> Index: usb-devel/drivers/usb/core/message.c
> ===================================================================
> --- usb-devel.orig/drivers/usb/core/message.c
> +++ usb-devel/drivers/usb/core/message.c
> @@ -57,15 +57,21 @@ static int usb_start_wait_urb(struct urb
> urb->context = &ctx;
> urb->actual_length = 0;
> retval = usb_submit_urb(urb, GFP_NOIO);
> - if (unlikely(retval))
> + if (unlikely(retval)) {
> + dev_info(&urb->dev->dev, "Submission failed on ep%d\n",
> + usb_endpoint_num(&urb->ep->desc));
> goto out;
> + }
>
> expire = timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT;
> if (!wait_for_completion_timeout(&ctx.done, expire)) {
> + dev_info(&urb->dev->dev, "Killing URB on ep%d\n",
> + usb_endpoint_num(&urb->ep->desc));
> +
> usb_kill_urb(urb);
> retval = (ctx.status == -ENOENT ? -ETIMEDOUT : ctx.status);
>
> - dev_dbg(&urb->dev->dev,
> + dev_info(&urb->dev->dev,
> "%s timed out on ep%d%s len=%u/%u\n",
> current->comm,
> usb_endpoint_num(&urb->ep->desc),
>
>
Powered by blists - more mailing lists