INFO: task hung in pick_next_task

ID	Workflow	Result	Correct	Bug	Created	Started	Finished	Revision	Error
38ed327d-7bd9-4e67-8f19-d63ff5f65b3e	assessment-security	DenialOfService: ✅ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ✅ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ❌ VMGuestTrigger: ❌ VMHostTrigger: ❌	❓	INFO: task hung in pick_next_task_fair	2026/05/25 22:43	2026/05/25 22:43	2026/05/25 22:56	c69befb30ac10e158cc9d1557b508ee3f0eca1de

INFO: task kworker/0:5:5317 blocked for more than 143 seconds. Not tainted syzkaller #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:kworker/0:5 state:D running task stack:22696 pid:5317 tgid:5317 ppid:2 task_flags:0x4208060 flags:0x00080000 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> context_switch kernel/sched/core.c:5295 [inline] __schedule+0xeb1/0x41f0 kernel/sched/core.c:6907 pick_next_task_fair+0x12b0/0x1fe0 kernel/sched/fair.c:8959 </TASK> Showing all locks held in the system: 3 locks held by kworker/1:0/23: 4 locks held by kworker/1:1/28: 1 lock held by khungtaskd/30: #0: ffffffff896e05a0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline] (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline] (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x3d/0x184 kernel/locking/lockdep.c:6775 5 locks held by kworker/u8:7/336: #0: ffff888101299148 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x1287/0x1920 kernel/workqueue.c:3250 #1: ffffc90001c7fd18 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x93c/0x1920 kernel/workqueue.c:3251 #2: ffffffff8aae0830 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xb8/0x9e0 net/core/net_namespace.c:675 #3: ffffffff8aaf8e68 (rtnl_mutex){+.+.}-{4:4}, at: ops_exit_rtnl_list net/core/net_namespace.c:173 [inline] #3: ffffffff8aaf8e68 (rtnl_mutex){+.+.}-{4:4}, at: ops_undo_list+0x7ec/0xab0 net/core/net_namespace.c:248 #4: ffffffff896ec1b8 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x27f/0x3c0 kernel/rcu/tree_exp.h:311 4 locks held by kworker/1:2/923: 3 locks held by kworker/1:3/2813: #0: ffff88810006a148 ((wq_completion)events_power_efficient ){+.+.}-{0:0}, at: process_one_work+0x1287/0x1920 kernel/workqueue.c:3250 #1: ffffc9000555fd18 ((reg_check_chans).work){+.+.}-{0:0}, at: process_one_work+0x93c/0x1920 kernel/workqueue.c:3251 #2: ffffffff8aaf8e68 (rtnl_mutex){+.+.}-{4:4}, at: reg_check_chans_work+0x91/0x11d0 net/wireless/reg.c:2462 1 lock held by udevd/2853: #0: ffff888101298188 (&root->kernfs_rwsem){++++}-{4:4}, at: kernfs_dop_revalidate+0xa5/0x740 fs/kernfs/dir.c:1185 2 locks held by getty/2918: #0: ffff8881157a90a0 ( &tty->ldisc_sem ){++++}-{0:0} , at: tty_ldisc_ref_wait+0x24/0x80 drivers/tty/tty_ldisc.c:243 #1: ffffc900000432f0 ( &ldata->atomic_read_lock ){+.+.}-{4:4} , at: n_tty_read+0x419/0x1500 drivers/tty/n_tty.c:2211 1 lock held by udevd/5215: #0: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_dop_revalidate+0xa5/0x740 fs/kernfs/dir.c:1185 1 lock held by udevd/5226: #0: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_dop_revalidate+0xa5/0x740 fs/kernfs/dir.c:1185 2 locks held by kworker/1:5/5227: 4 locks held by kworker/0:5/5317: #0: ffff88810006b548 ( (wq_completion)events ){+.+.}-{0:0} , at: process_one_work+0x1287/0x1920 kernel/workqueue.c:3250 #1: ffffc9000302fd18 ( kernfs_notify_work ){+.+.}-{0:0} , at: process_one_work+0x93c/0x1920 kernel/workqueue.c:3251 #2: ffff8881012982b8 ( &root->kernfs_supers_rwsem ){++++}-{4:4} , at: kernfs_notify_workfn+0xf7/0x5f0 fs/kernfs/file.c:932 #3: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_notify_workfn+0xff/0x5f0 fs/kernfs/file.c:933 3 locks held by kworker/1:6/5507: 1 lock held by syz.0.274/6369: #0: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_remove_by_name_ns+0x3d/0xf0 fs/kernfs/dir.c:1717 1 lock held by syz.3.277/6389: #0: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_remove_by_name_ns+0x3d/0xf0 fs/kernfs/dir.c:1717 2 locks held by syz-executor/6395: #0: ffffffff8aae0830 ( pernet_ops_rwsem ){++++}-{4:4} , at: copy_net_ns+0x41e/0x780 net/core/net_namespace.c:577 #1: ffffffff8aaf8e68 ( rtnl_mutex ){+.+.}-{4:4} , at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline] , at: register_netdevice_notifier_net+0x23/0xb0 net/core/dev.c:2102 2 locks held by syz-executor/6402: #0: ffffffff8aae0830 ( pernet_ops_rwsem ){++++}-{4:4} , at: copy_net_ns+0x41e/0x780 net/core/net_namespace.c:577 #1: ffffffff8aaf8e68 ( rtnl_mutex ){+.+.}-{4:4} , at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline] , at: register_netdevice_notifier_net+0x23/0xb0 net/core/dev.c:2102 2 locks held by syz-executor/6404: #0: ffffffff8aae0830 ( pernet_ops_rwsem ){++++}-{4:4} , at: copy_net_ns+0x41e/0x780 net/core/net_namespace.c:577 #1: ffffffff8aaf8e68 ( rtnl_mutex ){+.+.}-{4:4} , at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline] , at: register_netdevice_notifier_net+0x23/0xb0 net/core/dev.c:2102 2 locks held by syz-executor/6426: #0: ffffffff8aae0830 ( pernet_ops_rwsem ){++++}-{4:4} , at: copy_net_ns+0x41e/0x780 net/core/net_namespace.c:577 #1: ffffffff8aaf8e68 ( rtnl_mutex ){+.+.}-{4:4} , at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline] , at: register_netdevice_notifier_net+0x23/0xb0 net/core/dev.c:2102 2 locks held by syz-executor/6428: #0: ffffffff8aae0830 (pernet_ops_rwsem ){++++}-{4:4} , at: copy_net_ns+0x41e/0x780 net/core/net_namespace.c:577 #1: ffffffff8aaf8e68 ( rtnl_mutex ){+.+.}-{4:4} , at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline] , at: register_netdevice_notifier_net+0x23/0xb0 net/core/dev.c:2102 1 lock held by syz-executor/6445: #0: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_dop_revalidate+0xa5/0x740 fs/kernfs/dir.c:1185 1 lock held by syz-executor/6446: #0: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_dop_revalidate+0xa5/0x740 fs/kernfs/dir.c:1185 1 lock held by syz-executor/6447: #0: ffff888101298188 ( &root->kernfs_rwsem ){++++}-{4:4} , at: kernfs_dop_revalidate+0xa5/0x740 fs/kernfs/dir.c:1185 ============================================= NMI backtrace for cpu 0 CPU: 0 UID: 0 PID: 30 Comm: khungtaskd Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 nmi_cpu_backtrace.cold+0x12d/0x151 lib/nmi_backtrace.c:113 nmi_trigger_cpumask_backtrace+0x1d7/0x230 lib/nmi_backtrace.c:62 trigger_all_cpu_backtrace include/linux/nmi.h:161 [inline] __sys_info lib/sys_info.c:157 [inline] sys_info+0x141/0x190 lib/sys_info.c:165 check_hung_uninterruptible_tasks kernel/hung_task.c:346 [inline] watchdog+0xd25/0x1050 kernel/hung_task.c:515 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Sending NMI from CPU 0 to CPUs 1: gspca_pac7302 1-1:1.0: URB error -71, resubmitting NMI backtrace for cpu 1 CPU: 1 UID: 0 PID: 28 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026 Workqueue: events free_obj_work RIP: 0010:its_return_thunk+0x0/0x10 arch/x86/lib/retpoline.S:417 Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc <c3> cc 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 e9 2b e0 ed f9 cc RSP: 0018:ffffc900001a8298 EFLAGS: 00000046 RAX: ffffc900001a8598 RBX: ffffffff878aa301 RCX: 000000000000005b RDX: 0000000000000000 RSI: ffffffff878aa300 RDI: ffffc900001a8598 RBP: ffffc900001a8390 R08: 0000000000000001 R09: fffff520000350b3 R10: ffffc900001a8598 R11: 00000000001abce8 R12: 0000000000000000 R13: 0000000000000001 R14: ffffffff878aa300 R15: 000000007fffffff FS: 0000000000000000(0000) GS:ffff8882687d3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 00000000094ae000 CR4: 00000000003506f0 Call Trace: <IRQ> vsnprintf+0x7e2/0x1240 lib/vsprintf.c:2899 sprintf+0xcc/0x100 lib/vsprintf.c:3111 print_time kernel/printk/printk.c:1359 [inline] info_print_prefix+0x25a/0x350 kernel/printk/printk.c:1385 record_print_text+0x143/0x3c0 kernel/printk/printk.c:1434 printk_get_next_message+0x2d1/0x6c0 kernel/printk/printk.c:3072 console_emit_next_record kernel/printk/printk.c:3137 [inline] console_flush_one_record+0x67c/0xe50 kernel/printk/printk.c:3269 console_flush_all kernel/printk/printk.c:3343 [inline] __console_flush_and_unlock kernel/printk/printk.c:3373 [inline] console_unlock+0x103/0x260 kernel/printk/printk.c:3413 vprintk_emit+0x407/0x6b0 kernel/printk/printk.c:2479 _printk+0xcf/0x110 kernel/printk/printk.c:2504 int_irq.cold+0x1a/0x7f drivers/media/usb/gspca/gspca.c:104 __usb_hcd_giveback_urb+0x38d/0x610 drivers/usb/core/hcd.c:1657 usb_hcd_giveback_urb+0x3ca/0x4a0 drivers/usb/core/hcd.c:1741 dummy_timer+0xd85/0x3670 drivers/usb/gadget/udc/dummy_hcd.c:1995 __run_hrtimer kernel/time/hrtimer.c:1785 [inline] __hrtimer_run_queues+0x50e/0xa70 kernel/time/hrtimer.c:1849 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1866 handle_softirqs+0x1de/0x9d0 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xed/0x150 kernel/softirq.c:723 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline] sysvec_apic_timer_interrupt+0x8f/0xb0 arch/x86/kernel/apic/apic.c:1056 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 RIP: 0010:lockdep_enabled kernel/locking/lockdep.c:118 [inline] RIP: 0010:lock_release+0x46/0x320 kernel/locking/lockdep.c:5881 Code: 89 6c 24 10 48 89 f5 0f 1f 44 00 00 65 8b 05 45 18 66 0b 83 f8 07 0f 87 1d 02 00 00 48 0f a3 05 d0 2a 61 09 0f 82 18 02 00 00 <44> 8b 05 77 3a 61 09 45 85 c0 0f 84 48 01 00 00 65 8b 05 0b 5c 66 RSP: 0018:ffffc900001e76c0 EFLAGS: 00000202 RAX: 0000000000000001 RBX: ffffffff896e05a0 RCX: ffffffff8b536201 RDX: 0000000000000000 RSI: ffffffff87afa3a0 RDI: ffffffff891a2be8 RBP: ffffffff816f75ce R08: 0000000000000001 R09: 0000000000000007 R10: 0000000000000200 R11: 0000000000007d46 R12: ffffc900001e77c8 R13: ffffc900001e7778 R14: ffffc900001e7dc0 R15: ffffc900001e77ac rcu_lock_release include/linux/rcupdate.h:322 [inline] rcu_read_unlock include/linux/rcupdate.h:881 [inline] class_rcu_destructor include/linux/rcupdate.h:1193 [inline] unwind_next_frame+0x3c3/0x1ea0 arch/x86/kernel/unwind_orc.c:495 arch_stack_walk+0x94/0xf0 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122 kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x43/0x70 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2687 [inline] slab_free mm/slub.c:6124 [inline] kmem_cache_free+0x105/0x640 mm/slub.c:6254 free_object_list.isra.0+0xf8/0x2a0 lib/debugobjects.c:326 free_obj_work+0x19d/0x3d0 lib/debugobjects.c:513 process_one_work+0x9d7/0x1920 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x6c3/0xcb0 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK>

Crashes (1):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2026/03/01 21:28	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	bb375c251ab4	43249bac	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-usb	INFO: task hung in pick_next_task_fair

Crashes (1):

Assets (help?)