================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {INITIAL USE} -> {IN-NMI} usage.
syz.3.9095/2900 [HC2[2]:SC0[0]:HE0:SE1] takes:
ffff888062429ca0 (&htab->lockdep_key){....}-{2:2}, at: htab_lock_bucket kernel/bpf/hashtab.c:183 [inline]
ffff888062429ca0 (&htab->lockdep_key){....}-{2:2}, at: htab_lru_map_delete_elem+0x1b1/0x640 kernel/bpf/hashtab.c:1397
{INITIAL USE} state was registered at:
  lock_acquire+0x19e/0x400 kernel/locking/lockdep.c:5623
  __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
  _raw_spin_lock_irqsave+0xb0/0x100 kernel/locking/spinlock.c:162
  htab_lock_bucket kernel/bpf/hashtab.c:183 [inline]
  htab_lru_map_delete_elem+0x1b1/0x640 kernel/bpf/hashtab.c:1397
  bpf_prog_2c29ac5cdc6b1842+0x3a/0x564
  bpf_dispatcher_nop_func include/linux/bpf.h:888 [inline]
  __bpf_prog_run include/linux/filter.h:628 [inline]
  bpf_prog_run include/linux/filter.h:635 [inline]
  bpf_overflow_handler+0x1c2/0x4a0 kernel/events/core.c:10297
  __perf_event_overflow+0x364/0x530 kernel/events/core.c:9515
  perf_bp_event+0x276/0x320 kernel/events/core.c:10484
  hw_breakpoint_handler arch/x86/kernel/hw_breakpoint.c:555 [inline]
  hw_breakpoint_exceptions_notify+0x152/0x470 arch/x86/kernel/hw_breakpoint.c:586
  notifier_call_chain kernel/notifier.c:83 [inline]
  atomic_notifier_call_chain+0x15d/0x280 kernel/notifier.c:198
  notify_die+0x141/0x1a0 kernel/notifier.c:529
  notify_debug+0x20/0x30 arch/x86/kernel/traps.c:872
  exc_debug_user arch/x86/kernel/traps.c:998 [inline]
  noist_exc_debug+0x73/0x120 arch/x86/kernel/traps.c:1035
  asm_exc_debug+0x2f/0x40 arch/x86/include/asm/idtentry.h:642
irq event stamp: 3204
hardirqs last enabled at (3203): [] exc_debug_user arch/x86/kernel/traps.c:1022 [inline]
hardirqs last enabled at (3203): [] noist_exc_debug+0xee/0x120 arch/x86/kernel/traps.c:1035
hardirqs last disabled at (3204): [] irqentry_enter+0xf/0x50 kernel/entry/common.c:332
softirqs last enabled at (2608): [] __do_softirq kernel/softirq.c:610 [inline]
softirqs last enabled at (2608): [] invoke_softirq kernel/softirq.c:450 [inline]
softirqs last enabled at (2608): [] __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659
softirqs last disabled at (2455): [] __do_softirq kernel/softirq.c:610 [inline]
softirqs last disabled at (2455): [] invoke_softirq kernel/softirq.c:450 [inline]
softirqs last disabled at (2455): [] __irq_exit_rcu+0x13b/0x230 kernel/softirq.c:659

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&htab->lockdep_key);
  <Interrupt>
    lock(&htab->lockdep_key);

 *** DEADLOCK ***

1 lock held by syz.3.9095/2900:
 #0: ffffffff8c31eaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x9/0x30 include/linux/rcupdate.h:313

stack backtrace:
CPU: 0 PID: 2900 Comm: syz.3.9095 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
 <#DB>
 dump_stack_lvl+0x188/0x250 lib/dump_stack.c:106
 lock_acquire+0x2c3/0x400 kernel/locking/lockdep.c:5614
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xb0/0x100 kernel/locking/spinlock.c:162
 htab_lock_bucket kernel/bpf/hashtab.c:183 [inline]
 htab_lru_map_delete_elem+0x1b1/0x640 kernel/bpf/hashtab.c:1397
 bpf_prog_2c29ac5cdc6b1842+0x3a/0x564
 bpf_dispatcher_nop_func include/linux/bpf.h:888 [inline]
 __bpf_prog_run include/linux/filter.h:628 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 bpf_overflow_handler+0x1c2/0x4a0 kernel/events/core.c:10297
 __perf_event_overflow+0x364/0x530 kernel/events/core.c:9515
 perf_bp_event+0x276/0x320 kernel/events/core.c:10484
 hw_breakpoint_handler arch/x86/kernel/hw_breakpoint.c:555 [inline]
 hw_breakpoint_exceptions_notify+0x152/0x470 arch/x86/kernel/hw_breakpoint.c:586
 notifier_call_chain kernel/notifier.c:83 [inline]
 atomic_notifier_call_chain+0x15d/0x280 kernel/notifier.c:198
 notify_die+0x141/0x1a0 kernel/notifier.c:529
 notify_debug+0x20/0x30 arch/x86/kernel/traps.c:872
 exc_debug_kernel arch/x86/kernel/traps.c:929 [inline]
 exc_debug+0xcf/0x130 arch/x86/kernel/traps.c:1029
 asm_exc_debug+0x1a/0x40 arch/x86/include/asm/idtentry.h:642
RIP: 0010:__get_user_nocheck_8+0x9/0x13 arch/x86/lib/getuser.S:160
Code: 90 0f 01 cb 0f ae e8 0f b7 10 31 c0 0f 01 ca c3 90 0f 01 cb 0f ae e8 8b 10 31 c0 0f 01 ca c3 90 90 0f 01 cb 0f ae e8 48 8b 10 <31> c0 0f 01 ca c3 90 0f 01 ca 31 d2 48 c7 c0 f2 ff ff ff c3 00 00
RSP: 0000:ffffc900036af640 EFLAGS: 00040806
RAX: 0000200000000300 RBX: 0000000000000000 RCX: ffff88802c940000
RDX: 00006370692f736e RSI: 0000200000000300 RDI: 00007fffffffeff0
RBP: 0000000000000001 R08: 0000000000000003 R09: 0000000000000000
R10: dffffc0000000000 R11: fffff520006d5f27 R12: 0000200000000300
R13: 00007fffffffeff0 R14: 00000000ffffffff R15: dffffc0000000000
 perf_callchain_user+0x40e/0xfd0 arch/x86/events/core.c:2900
 get_perf_callchain+0x33d/0x460 kernel/events/callchain.c:221
 perf_callchain kernel/events/core.c:7606 [inline]
 perf_prepare_sample+0x352/0x1cd0 kernel/events/core.c:7633
 __perf_event_output kernel/events/core.c:7802 [inline]
 perf_event_output_forward+0x185/0x2e0 kernel/events/core.c:7822
 __perf_event_overflow+0x364/0x530 kernel/events/core.c:9515
 perf_swevent_hrtimer+0x41b/0x5b0 kernel/events/core.c:10934
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x4ad/0xb70 kernel/time/hrtimer.c:1749
 hrtimer_interrupt+0x3bb/0x8d0 kernel/time/hrtimer.c:1811
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1097 [inline]
 __sysvec_apic_timer_interrupt+0x137/0x4a0 arch/x86/kernel/apic/apic.c:1114
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0x4d/0xc0 arch/x86/kernel/apic/apic.c:1108
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0033:0x7f0eb6a23dbd
Code: 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 f8 48 89 fa c5 f9 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 27 01 00 00 c5 fd 74 0f fd d7 c1 85 c0 74 5b f3 0f bc c0 e9 30 01 00 00 66 90 f3 0f bc
RSP: 002b:00007f0eb4c9e8a8 EFLAGS: 00000283
RAX: 0000000000000300 RBX: 00007f0eb4c9ede0 RCX: 2f666c65732f636f
RDX: 0000200000000300 RSI: 00007f0eb6b05660 RDI: 0000200000000300
RBP: 0000200000000300 R08: 00007f0eb4c9f010 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000073 R14: 00007f0eb6adab73 R15: 00007f0eb4c9eea0
----------------
Code disassembly (best guess):
   0: 90                    nop
   1: 0f 01 cb              stac
   4: 0f ae e8              lfence
   7: 0f b7 10              movzwl (%rax),%edx
   a: 31 c0                 xor %eax,%eax
   c: 0f 01 ca              clac
   f: c3                    ret
  10: 90                    nop
  11: 0f 01 cb              stac
  14: 0f ae e8              lfence
  17: 8b 10                 mov (%rax),%edx
  19: 31 c0                 xor %eax,%eax
  1b: 0f 01 ca              clac
  1e: c3                    ret
  1f: 90                    nop
  20: 90                    nop
  21: 0f 01 cb              stac
  24: 0f ae e8              lfence
  27: 48 8b 10              mov (%rax),%rdx
* 2a: 31 c0                 xor %eax,%eax <-- trapping instruction
  2c: 0f 01 ca              clac
  2f: c3                    ret
  30: 90                    nop
  31: 0f 01 ca              clac
  34: 31 d2                 xor %edx,%edx
  36: 48 c7 c0 f2 ff ff ff  mov $0xfffffffffffffff2,%rax
  3d: c3                    ret