Re: [syzbot] [kernel?] INFO: rcu detected stall in kill
From: syzbot
Date: Sun Apr 05 2026 - 01:36:15 EST
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: locking bug in ath9k_hif_usb_dealloc_urbs
ath9k_htc: Failed to initialize the device
------------[ cut here ]------------
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#1: kworker/1:4/5897
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#1: kworker/1:4/5897
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#1: kworker/1:4/5897
Modules linked in:
CPU: 1 UID: 0 PID: 5897 Comm: kworker/1:4 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: events request_firmware_work_func
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 c7 8a 0a 03 85 c0 74 1c 83 3d a0 76 70 0e 00 75 13 48 8d 3d a3 97 73 0e 48 c7 c6 0f 96 01 8e <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc90003c77588 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: ffff88807ca75b80
RDX: 0000000000000000 RSI: ffffffff8e01960f RDI: ffffffff90152ad0
RBP: 0000000000000002 R08: ffffffff901209c3 R09: 1ffffffff2024138
R10: dffffc0000000000 R11: fffffbfff2024139 R12: 0000000000000936
R13: ffff88807ca76728 R14: ffff88807ca75b80 R15: ffff88807ca766d8
FS: 0000000000000000(0000) GS:ffff888125554000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000559755574be0 CR3: 000000005396b000 CR4: 0000000000350ef0
Call Trace:
<TASK>
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3991
__flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:4033
drain_workqueue+0xd3/0x390 kernel/workqueue.c:4197
destroy_workqueue+0xbb/0xc60 kernel/workqueue.c:5967
ath9k_hif_usb_dealloc_reg_in_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:1000 [inline]
ath9k_hif_usb_dealloc_urbs+0x6a/0x1c0 drivers/net/wireless/ath/ath9k/hif_usb.c:1105
ath9k_hif_usb_dev_deinit drivers/net/wireless/ath/ath9k/hif_usb.c:1188 [inline]
ath9k_hif_usb_firmware_cb+0x260/0x4c0 drivers/net/wireless/ath/ath9k/hif_usb.c:1330
request_firmware_work_func+0x105/0x1c0 drivers/base/firmware_loader/main.c:1152
process_one_work kernel/workqueue.c:3276 [inline]
process_scheduled_works+0xb6e/0x18c0 kernel/workqueue.c:3359
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3440
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
----------------
Code disassembly (best guess):
0: 18 00 sbb %al,(%rax)
2: 4c 8b 74 24 08 mov 0x8(%rsp),%r14
7: 75 27 jne 0x30
9: 90 nop
a: e8 c7 8a 0a 03 call 0x30a8ad6
f: 85 c0 test %eax,%eax
11: 74 1c je 0x2f
13: 83 3d a0 76 70 0e 00 cmpl $0x0,0xe7076a0(%rip) # 0xe7076ba
1a: 75 13 jne 0x2f
1c: 48 8d 3d a3 97 73 0e lea 0xe7397a3(%rip),%rdi # 0xe7397c6
23: 48 c7 c6 0f 96 01 8e mov $0xffffffff8e01960f,%rsi
* 2a: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2f: 90 nop
30: 31 c0 xor %eax,%eax
32: 0f b6 98 c4 00 00 00 movzbl 0xc4(%rax),%ebx
39: 41 8b 45 20 mov 0x20(%r13),%eax
3d: 25 .byte 0x25
3e: ff 1f lcall *(%rdi)
Tested on:
commit: 3aae9383 Merge tag 'input-for-v7.0-rc6' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=114706ba580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6754c86e8d9e4c91
dashboard link: https://syzkaller.appspot.com/bug?extid=9b95da55ba5146a60734
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15e8cdda580000