Hello,

When fuzzing the Linux kernel driver v6.0-rc4, the following crash was triggered.

HEAD commit: 7e18e42e4b280c85b76967a9106a13ca61c16179
git tree: upstream
kernel config: https://pastebin.com/raw/xtrgsXP3
C reproducer: https://pastebin.com/raw/C1xYEf7Q
console output: https://pastebin.com/raw/3RLhvQHE

Basically, in the C reproducer, we use the gadget module to emulate attaching a USB device (vendor id: 0x403, product id: 0xff3d, with the midi function) and executing a simple sequence of system calls. To reproduce this crash, we utilize a third-party library to emulate the attaching process: https://github.com/linux-usb-gadgets/libusbgx. Just clone this repository, install it, and compile the C reproducer with

```
gcc crash.c -lusbgx -lconfig -o crash
```

and that will do the trick.

I would appreciate it if you have any idea how to solve this bug. The crash report is as follows:

============================================
WARNING: possible recursive locking detected
6.0.0-rc4+ #20 Not tainted
--------------------------------------------
kworker/0:1H/9 is trying to acquire lock:
ffff888057ed9228 (&midi->transmit_lock){....}-{2:2}, at: f_midi_transmit+0x18c/0x1460 drivers/usb/gadget/function/f_midi.c:683

but task is already holding lock:
ffff888057ed9228 (&midi->transmit_lock){....}-{2:2}, at: f_midi_transmit+0x18c/0x1460 drivers/usb/gadget/function/f_midi.c:683

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&midi->transmit_lock);
  lock(&midi->transmit_lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

3 locks held by kworker/0:1H/9:
 #0: ffff888011c65138 ((wq_completion)events_highpri){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff888011c65138 ((wq_completion)events_highpri){+.+.}-{0:0}, at: arch_atomic_long_set include/linux/atomic/atomic-long.h:41 [inline]
 #0: ffff888011c65138 ((wq_completion)events_highpri){+.+.}-{0:0}, at: atomic_long_set include/linux/atomic/atomic-instrumented.h:1280 [inline]
 #0: ffff888011c65138 ((wq_completion)events_highpri){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:636 [inline]
 #0: ffff888011c65138 ((wq_completion)events_highpri){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:663 [inline]
 #0: ffff888011c65138 ((wq_completion)events_highpri){+.+.}-{0:0}, at: process_one_work+0x8b0/0x1650 kernel/workqueue.c:2260
 #1: ffffc900003afdb0 ((work_completion)(&midi->work)){+.+.}-{0:0}, at: process_one_work+0x8e4/0x1650 kernel/workqueue.c:2264
 #2: ffff888057ed9228 (&midi->transmit_lock){....}-{2:2}, at: f_midi_transmit+0x18c/0x1460 drivers/usb/gadget/function/f_midi.c:683

stack backtrace:
CPU: 0 PID: 9 Comm: kworker/0:1H Not tainted 6.0.0-rc4+ #20
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: events_highpri f_midi_in_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_deadlock_bug kernel/locking/lockdep.c:2988 [inline]
 check_deadlock kernel/locking/lockdep.c:3031 [inline]
 validate_chain kernel/locking/lockdep.c:3816 [inline]
 __lock_acquire.cold+0x152/0x3c3 kernel/locking/lockdep.c:5053
 lock_acquire kernel/locking/lockdep.c:5666 [inline]
 lock_acquire+0x1ab/0x580 kernel/locking/lockdep.c:5631
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 f_midi_transmit+0x18c/0x1460 drivers/usb/gadget/function/f_midi.c:683
 f_midi_complete+0x1bb/0x480 drivers/usb/gadget/function/f_midi.c:285
 dummy_queue+0x84a/0xb20 drivers/usb/gadget/udc/dummy_hcd.c:736
 usb_ep_queue+0xe8/0x3b0 drivers/usb/gadget/udc/core.c:288
 f_midi_do_transmit drivers/usb/gadget/function/f_midi.c:658 [inline]
 f_midi_transmit+0x7e4/0x1460 drivers/usb/gadget/function/f_midi.c:686
 process_one_work+0x9c7/0x1650 kernel/workqueue.c:2289
 worker_thread+0x623/0x1070 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>
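The nesting lockdep complains about in the trace above is f_midi_transmit() holding transmit_lock across usb_ep_queue(), the dummy UDC (dummy_queue) completing the request synchronously from inside that call, and f_midi_complete() re-entering f_midi_transmit(), which tries to take the same spinlock again. The following is an added, constructed userspace model of that ordering; it is not the report's reproducer and not the kernel's code. The names transmit(), ep_queue(), complete() and run_model() are hypothetical stand-ins, and the one-bit lock tracker plays the role lockdep plays in the kernel: it reports the recursive acquisition instead of spinning forever. The model also shows the deferred ordering a real controller gives you, where the completion runs after the lock has been dropped.

```c
#include <errno.h>
#include <stdio.h>

/* Single-threaded, constructed model of the lock nesting in the lockdep
 * report: transmit() stands in for f_midi_transmit(), ep_queue() for
 * usb_ep_queue() and complete() for f_midi_complete(). Hypothetical names;
 * this is an illustration, not the driver's code. */

/* One-bit "lockdep": acquiring a lock this task already holds is an error. */
struct model_lock {
    int held;
};

static int lock_acquire(struct model_lock *l)
{
    if (l->held)
        return -EDEADLK;    /* recursive acquisition by the same task */
    l->held = 1;
    return 0;
}

static void lock_release(struct model_lock *l)
{
    l->held = 0;
}

struct midi_model {
    struct model_lock transmit_lock;
    int inline_completion;  /* 1: ep_queue() runs complete() before returning */
    int pending;            /* completions deferred until the lock is dropped */
    int transmits;          /* how many transmit() calls got past the lock */
};

static int transmit(struct midi_model *m);

/* Completion handler: re-enters transmit() to push the next request, which
 * is the f_midi_complete() -> f_midi_transmit() edge in the call trace. */
static int complete(struct midi_model *m)
{
    return transmit(m);
}

/* Request queueing. The dummy UDC in the report completed the request
 * synchronously from inside the queue call; the deferred branch models a
 * controller that completes it later, from interrupt context. */
static int ep_queue(struct midi_model *m)
{
    if (m->inline_completion)
        return complete(m);
    m->pending++;
    return 0;
}

/* Holds transmit_lock across ep_queue(), as the trace shows. Returns 0, or
 * -EDEADLK if the lock was taken again while this task already held it. */
static int transmit(struct midi_model *m)
{
    int rc = lock_acquire(&m->transmit_lock);
    if (rc)
        return rc;
    m->transmits++;
    rc = ep_queue(m);
    lock_release(&m->transmit_lock);
    return rc;
}

/* Drive the model once and return what the first transmit() observed.
 * Deferred completions run only after the lock has been released; the loop
 * is bounded by max_completions so the model always terminates. */
int run_model(int inline_completion, int max_completions)
{
    struct midi_model m = { .inline_completion = inline_completion };
    int rc = transmit(&m);
    while (m.pending && max_completions-- > 0) {
        m.pending--;
        complete(&m);       /* transmit_lock is not held here */
    }
    return rc;
}

int main(void)
{
    printf("deferred completion: rc=%d\n", run_model(0, 3));
    printf("inline completion:   rc=%d (-EDEADLK is %d)\n",
           run_model(1, 3), -EDEADLK);
    return 0;
}
```

With inline completion the model returns -EDEADLK on the nested transmit(), which is exactly the "lock(&midi->transmit_lock); lock(&midi->transmit_lock);" scenario lockdep prints; with deferred completion every transmit() acquires a free lock and the chain runs cleanly. The model only reproduces the ordering; it says nothing about how the driver should be changed.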