Forwarded: [PATCH] ath9k: defer reg_in URB resubmission to workqueue

From: syzbot

Date: Sat Apr 04 2026 - 21:21:06 EST


For archival purposes, forwarding an incoming command email to
linux-kernel@xxxxxxxxxxxxxxx, syzkaller-bugs@xxxxxxxxxxxxxxxx.

***

Subject: [PATCH] ath9k: defer reg_in URB resubmission to workqueue
Author: kartikey406@xxxxxxxxx

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

ath9k_hif_usb_reg_in_cb() is a URB completion callback that
runs in softirq context via dummy_hcd's hrtimer which is
registered with HRTIMER_MODE_REL_SOFT.

Calling usb_submit_urb() directly from this softirq context
re-enters the same path synchronously, forming a loop:

dummy_urb_enqueue()
hrtimer_start(HRTIMER_MODE_REL_SOFT)
dummy_timer()
__usb_hcd_giveback_urb()
ath9k_hif_usb_reg_in_cb()
usb_submit_urb() <- back to start

This keeps CPU busy in softirq context indefinitely, starving
the rcu_preempt kthread and causing an RCU stall:

rcu: rcu_preempt kthread starved for 3053 jiffies!
rcu: Unless rcu_preempt kthread gets sufficient CPU time,
OOM is now expected behavior.

Fix this by deferring URB resubmission to a workqueue via
schedule_work(), allowing the softirq to exit quickly and
giving rcu_preempt kthread sufficient CPU time to process
the grace period.

Reported-by: syzbot+9b95da55ba5146a60734@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 38 +++++++++++++++++++-----
drivers/net/wireless/ath/ath9k/hif_usb.h | 2 ++
2 files changed, 32 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 8533b88974b2..38c0cabe52bf 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -731,12 +731,38 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
kfree(rx_buf);
}

+static void ath9k_hif_usb_reg_in_resubmit(struct work_struct *work)
+{
+ struct rx_buf *rx_buf = container_of(work,
+ struct rx_buf,
+ work);
+ struct hif_device_usb *hif_dev = rx_buf->hif_dev;
+ struct urb *urb = rx_buf->urb;
+ int ret;
+
+ if (!hif_dev || !urb)
+ goto free_rx_buf;
+
+ usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
+ ret = usb_submit_urb(urb, GFP_KERNEL);
+ if (ret) {
+ usb_unanchor_urb(urb);
+ goto free_skb;
+ }
+ return;
+
+free_skb:
+ kfree_skb(rx_buf->skb);
+free_rx_buf:
+ kfree(rx_buf);
+ urb->context = NULL;
+}
+
static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
{
struct rx_buf *rx_buf = urb->context;
struct hif_device_usb *hif_dev = rx_buf->hif_dev;
struct sk_buff *skb = rx_buf->skb;
- int ret;

if (!skb)
return;
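Review bot: The `!hif_dev || !urb` guard in ath9k_hif_usb_reg_in_resubmit() jumps to free_rx_buf, whose last statement is `urb->context = NULL;`, so the `!urb` case it claims to handle is a NULL dereference rather than a clean exit; that same path also skips kfree_skb(), leaking rx_buf->skb when hif_dev is NULL. Since kfree_skb(NULL) is a no-op, the simplest fix is `if (!hif_dev || !urb) goto free_skb;` together with `if (urb) urb->context = NULL;` after the kfree. Note also that nothing in this patch ever clears rx_buf->hif_dev or rx_buf->urb, so as written the guard never fires; if it is meant to catch teardown it needs a real stop signal (a flag under a lock, or cancelling the work) rather than a pointer check, since the worker still dereferences hif_dev->reg_in_submitted unconditionally. ath9k_hif_usb_reg_in_cb() continues past the end of this hunk.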
@@ -786,13 +812,9 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
}

resubmit:
- usb_anchor_urb(urb, &hif_dev->reg_in_submitted);
- ret = usb_submit_urb(urb, GFP_ATOMIC);
- if (ret) {
- usb_unanchor_urb(urb);
- goto free_skb;
- }
-
+ rx_buf->urb = urb;
+ INIT_WORK(&rx_buf->work, ath9k_hif_usb_reg_in_resubmit);
+ schedule_work(&rx_buf->work);
return;
free_skb:
kfree_skb(skb);
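Review bot: Deferring the resubmit opens a window in which the URB belongs to neither the anchor nor the workqueue's running item: by the time the completion callback runs the core has already unanchored it, so a teardown that relies on usb_kill_anchored_urbs(&hif_dev->reg_in_submitted) (presumably what the existing dealloc path does; it is outside this hunk) will not see a pending rx_buf->work, and that work can run after the device structures are freed and call usb_submit_urb() on a dead interface. The patch adds no cancel_work_sync()/flush for rx_buf->work on the stop path and no stopped check in the worker, and at least one of those is needed before this is safe against disconnect. Separately, `INIT_WORK(&rx_buf->work, ...)` on every completion re-initialises a work_struct whose previous invocation may still be on a worker thread when the freshly submitted URB completes on another CPU; initialise it once where rx_buf is allocated and keep only `schedule_work(&rx_buf->work);` here. This hunk starts and ends inside ath9k_hif_usb_reg_in_cb().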
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
index b3e66b0485a5..7c2a8d2c1cca 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -89,6 +89,8 @@ struct tx_buf {
struct rx_buf {
struct sk_buff *skb;
struct hif_device_usb *hif_dev;
+ struct urb *urb;
+ struct work_struct work;
};
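Review bot: The two new struct rx_buf members are undocumented, and their ownership is the whole point of the change, so a reader should not have to find it in hif_usb.c. Suggested comments: `struct urb *urb; /* reg_in URB whose ->context is this rx_buf; resubmitted from work */` and `struct work_struct work; /* deferred usb_submit_urb() of ->urb from process context */`.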

#define HIF_USB_TX_STOP BIT(0)
--
2.43.0