vcan0: j1939_xtp_rx_abort_one: 0xffff88805ed71c00: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
udevd/5198 [HC1[1]:SC1[1]:HE0:SE0] takes:
ffff88814c56d068 (&dev->spinlock){?.-.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88814c56d068 (&dev->spinlock){?.-.}-{3:3}, at: das16m1_interrupt+0x5e/0x180 drivers/comedi/drivers/das16m1.c:460
{HARDIRQ-ON-W} state was registered at:
  lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline]
  _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178
  spin_lock_bh include/linux/spinlock.h:356 [inline]
  waveform_ai_cmd+0x2fc/0x5c0 drivers/comedi/drivers/comedi_test.c:403
  do_cmd_ioctl+0x435/0x7c0 drivers/comedi/comedi_fops.c:1871
  comedi_unlocked_ioctl+0x997/0x1020 drivers/comedi/comedi_fops.c:2257
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:597 [inline]
  __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
  do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 6938277
hardirqs last  enabled at (6938276): [<ffffffff8b4977a5>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last  enabled at (6938276): [<ffffffff8b4977a5>] _raw_spin_unlock_irqrestore+0x85/0x110 kernel/locking/spinlock.c:194
hardirqs last disabled at (6938277): [<ffffffff8b46ac73>] common_interrupt+0x13/0xe0 arch/x86/kernel/irq.c:318
softirqs last  enabled at (6937806): [<ffffffff8185245a>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last  enabled at (6937806): [<ffffffff8185245a>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last  enabled at (6937806): [<ffffffff8185245a>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
softirqs last disabled at (6938241): [<ffffffff8185245a>] __do_softirq kernel/softirq.c:656 [inline]
softirqs last disabled at (6938241): [<ffffffff8185245a>] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (6938241): [<ffffffff8185245a>] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&dev->spinlock);
  <Interrupt>
    lock(&dev->spinlock);

 *** DEADLOCK ***

1 lock held by udevd/5198:
 #0: ffffffff8e7e51f0 (tomoyo_ss){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
 #0: ffffffff8e7e51f0 (tomoyo_ss){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
 #0: ffffffff8e7e51f0 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_read_lock security/tomoyo/common.h:1108 [inline]
 #0: ffffffff8e7e51f0 (tomoyo_ss){.+.+}-{0:0}, at: tomoyo_check_open_permission+0x16a/0x3b0 security/tomoyo/file.c:767

stack backtrace:
CPU: 0 UID: 0 PID: 5198 Comm: udevd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <IRQ>
 dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
 print_usage_bug+0x297/0x2e0 kernel/locking/lockdep.c:4042
 valid_state+0xc3/0xf0 kernel/locking/lockdep.c:4056
 mark_lock_irq+0x36/0x390 kernel/locking/lockdep.c:4267
 mark_lock+0x11b/0x190 kernel/locking/lockdep.c:4753
 mark_usage kernel/locking/lockdep.c:4639 [inline]
 __lock_acquire+0x65a/0xd20 kernel/locking/lockdep.c:5191
 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 das16m1_interrupt+0x5e/0x180 drivers/comedi/drivers/das16m1.c:460
 __handle_irq_event_percpu+0x295/0xab0 kernel/irq/handle.c:203
 handle_irq_event_percpu kernel/irq/handle.c:240 [inline]
 handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:257
 handle_edge_irq+0x23b/0xa10 kernel/irq/chip.c:855
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:-1 [inline]
 __common_interrupt+0x141/0x1f0 arch/x86/kernel/irq.c:325
 common_interrupt+0x5e/0xe0 arch/x86/kernel/irq.c:318
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
RIP: 0010:trace_lock_acquire include/trace/events/lock.h:24 [inline]
RIP: 0010:lock_acquire+0x58/0x360 kernel/locking/lockdep.c:5831
Code: 8b 05 7c 36 f2 10 48 89 44 24 58 0f 1f 44 00 00 65 8b 05 7f 36 f2 10 83 f8 08 0f 83 b8 01 00 00 89 c0 48 0f a3 05 a8 2b 00 0e <73> 16 e8 a1 fc 08 00 84 c0 75 0d f6 05 14 39 ea 0d 01 0f 84 d7 01
RSP: 0018:ffffc90000007b40 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8e13d400
RBP: ffffffff81a84117 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f3baaf R12: 0000000000000002
R13: ffffffff8e13d400 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_do_batch kernel/rcu/tree.c:2599 [inline]
 rcu_core+0xc54/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x286/0x870 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 2b a3 7e f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> b3 d1 46 f6 65 8b 05 5c 68 46 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc900030f72e0 EFLAGS: 00000206
RAX: 1ddb45c6372f1900 RBX: 0000000000000a06 RCX: 1ddb45c6372f1900
RDX: 0000000000000007 RSI: ffffffff8d7f7db3 RDI: 0000000000000001
RBP: ffffc900030f7378 R08: ffffffff8f9dd577 R09: 1ffffffff1f3baae
R10: dffffc0000000000 R11: fffffbfff1f3baaf R12: dffffc0000000000
R13: 0000000000000002 R14: ffff88813fe259c0 R15: 1ffff9200061ee5c
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 get_partial_node+0x41f/0x4a0 mm/slub.c:3515
 get_partial mm/slub.c:3595 [inline]
 ___slab_alloc+0xdea/0x18a0 mm/slub.c:4611
 __slab_alloc+0x65/0x100 mm/slub.c:4755
 __slab_alloc_node mm/slub.c:4831 [inline]
 slab_alloc_node mm/slub.c:5253 [inline]
 __do_kmalloc_node mm/slub.c:5626 [inline]
 __kmalloc_noprof+0x47d/0x800 mm/slub.c:5639
 kmalloc_noprof include/linux/slab.h:961 [inline]
 tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x1c1/0x3b0 security/tomoyo/file.c:771
 security_file_open+0xb1/0x270 security/security.c:3183
 do_dentry_open+0x384/0x13f0 fs/open.c:942
 vfs_open+0x3b/0x340 fs/open.c:1097
 do_open fs/namei.c:3975 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4134
 do_filp_open+0x1fa/0x410 fs/namei.c:4161
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f68eb3c8407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc74d44ce0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f68ead9b880 RCX: 00007f68eb3c8407
RDX: 0000000000080141 RSI: 000055df5798302e RDI: ffffffffffffff9c
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000001a4 R11: 0000000000000202 R12: 00000000ffffffff
R13: 00000000ffffffff R14: ffffffffffffffff R15: 0000000000000000
 </TASK>
Oops: divide error: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 5198 Comm: udevd Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
RIP: 0010:comedi_buf_munge drivers/comedi/comedi_buf.c:347 [inline]
RIP: 0010:comedi_buf_write_free+0x3c8/0x7e0 drivers/comedi/comedi_buf.c:391
Code: 41 03 45 00 48 8b 4c 24 78 42 0f b6 0c 21 84 c9 4c 8b bc 24 90 00 00 00 44 8b 74 24 54 0f 85 02 01 00 00 31 d2 48 8b 4c 24 30 <f7> 31 41 89 55 00 48 8b 44 24 70 42 0f b6 04 20 84 c0 0f 85 09 01
RSP: 0018:ffffc90000007658 EFLAGS: 00010046
RAX: 0000000000000001 RBX: dffffc0000000000 RCX: ffff8880336f0080
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888064504000
RBP: 0000000000000002 R08: 0000000000000000 R09: 00000000000000ff
R10: dffffc0000000000 R11: ffffffff88bee380 R12: dffffc0000000000
R13: ffff8880336f0038 R14: 0000000000000000 R15: ffff8880336f0000
FS:  00007f68ead9b880(0000) GS:ffff888125d22000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c462e7f CR3: 000000007d28a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000006c42 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 comedi_buf_write_samples+0x369/0x5a0 drivers/comedi/comedi_buf.c:602
 das16m1_handler+0x213/0x4b0 drivers/comedi/drivers/das16m1.c:413
 das16m1_interrupt+0xaf/0x180 drivers/comedi/drivers/das16m1.c:470
 __handle_irq_event_percpu+0x295/0xab0 kernel/irq/handle.c:203
 handle_irq_event_percpu kernel/irq/handle.c:240 [inline]
 handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:257
 handle_edge_irq+0x23b/0xa10 kernel/irq/chip.c:855
 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline]
 handle_irq arch/x86/kernel/irq.c:254 [inline]
 call_irq_handler arch/x86/kernel/irq.c:-1 [inline]
 __common_interrupt+0x141/0x1f0 arch/x86/kernel/irq.c:325
 common_interrupt+0x5e/0xe0 arch/x86/kernel/irq.c:318
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
RIP: 0010:trace_lock_acquire include/trace/events/lock.h:24 [inline]
RIP: 0010:lock_acquire+0x58/0x360 kernel/locking/lockdep.c:5831
Code: 8b 05 7c 36 f2 10 48 89 44 24 58 0f 1f 44 00 00 65 8b 05 7f 36 f2 10 83 f8 08 0f 83 b8 01 00 00 89 c0 48 0f a3 05 a8 2b 00 0e <73> 16 e8 a1 fc 08 00 84 c0 75 0d f6 05 14 39 ea 0d 01 0f 84 d7 01
RSP: 0018:ffffc90000007b40 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000002
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8e13d400
RBP: ffffffff81a84117 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1f3baaf R12: 0000000000000002
R13: ffffffff8e13d400 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_do_batch kernel/rcu/tree.c:2599 [inline]
 rcu_core+0xc54/0x1770 kernel/rcu/tree.c:2861
 handle_softirqs+0x286/0x870 kernel/softirq.c:622
 __do_softirq kernel/softirq.c:656 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:723
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1052 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1052
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0xa8/0x110 kernel/locking/spinlock.c:194
Code: 74 05 e8 2b a3 7e f6 48 c7 44 24 20 00 00 00 00 9c 8f 44 24 20 f6 44 24 21 02 75 4f f7 c3 00 02 00 00 74 01 fb bf 01 00 00 00 <e8> b3 d1 46 f6 65 8b 05 5c 68 46 07 85 c0 74 40 48 c7 04 24 0e 36
RSP: 0018:ffffc900030f72e0 EFLAGS: 00000206
RAX: 1ddb45c6372f1900 RBX: 0000000000000a06 RCX: 1ddb45c6372f1900
RDX: 0000000000000007 RSI: ffffffff8d7f7db3 RDI: 0000000000000001
RBP: ffffc900030f7378 R08: ffffffff8f9dd577 R09: 1ffffffff1f3baae
R10: dffffc0000000000 R11: fffffbfff1f3baaf R12: dffffc0000000000
R13: 0000000000000002 R14: ffff88813fe259c0 R15: 1ffff9200061ee5c
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 get_partial_node+0x41f/0x4a0 mm/slub.c:3515
 get_partial mm/slub.c:3595 [inline]
 ___slab_alloc+0xdea/0x18a0 mm/slub.c:4611
 __slab_alloc+0x65/0x100 mm/slub.c:4755
 __slab_alloc_node mm/slub.c:4831 [inline]
 slab_alloc_node mm/slub.c:5253 [inline]
 __do_kmalloc_node mm/slub.c:5626 [inline]
 __kmalloc_noprof+0x47d/0x800 mm/slub.c:5639
 kmalloc_noprof include/linux/slab.h:961 [inline]
 tomoyo_realpath_from_path+0xe3/0x5d0 security/tomoyo/realpath.c:251
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_check_open_permission+0x1c1/0x3b0 security/tomoyo/file.c:771
 security_file_open+0xb1/0x270 security/security.c:3183
 do_dentry_open+0x384/0x13f0 fs/open.c:942
 vfs_open+0x3b/0x340 fs/open.c:1097
 do_open fs/namei.c:3975 [inline]
 path_openat+0x2ee5/0x3830 fs/namei.c:4134
 do_filp_open+0x1fa/0x410 fs/namei.c:4161
 do_sys_openat2+0x121/0x1c0 fs/open.c:1437
 do_sys_open fs/open.c:1452 [inline]
 __do_sys_openat fs/open.c:1468 [inline]
 __se_sys_openat fs/open.c:1463 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1463
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xfa/0xfa0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f68eb3c8407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc74d44ce0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f68ead9b880 RCX: 00007f68eb3c8407
RDX: 0000000000080141 RSI: 000055df5798302e RDI: ffffffffffffff9c
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000001a4 R11: 0000000000000202 R12: 00000000ffffffff
R13: 00000000ffffffff R14: ffffffffffffffff R15: 0000000000000000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:comedi_buf_munge drivers/comedi/comedi_buf.c:347 [inline]
RIP: 0010:comedi_buf_write_free+0x3c8/0x7e0 drivers/comedi/comedi_buf.c:391
Code: 41 03 45 00 48 8b 4c 24 78 42 0f b6 0c 21 84 c9 4c 8b bc 24 90 00 00 00 44 8b 74 24 54 0f 85 02 01 00 00 31 d2 48 8b 4c 24 30 <f7> 31 41 89 55 00 48 8b 44 24 70 42 0f b6 04 20 84 c0 0f 85 09 01
RSP: 0018:ffffc90000007658 EFLAGS: 00010046
RAX: 0000000000000001 RBX: dffffc0000000000 RCX: ffff8880336f0080
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888064504000
RBP: 0000000000000002 R08: 0000000000000000 R09: 00000000000000ff
R10: dffffc0000000000 R11: ffffffff88bee380 R12: dffffc0000000000
R13: ffff8880336f0038 R14: 0000000000000000 R15: ffff8880336f0000
FS:  00007f68ead9b880(0000) GS:ffff888125d22000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000110c462e7f CR3: 000000007d28a000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000006c42 DR6: 00000000ffff0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0:	8b 05 7c 36 f2 10    	mov    0x10f2367c(%rip),%eax        # 0x10f23682
   6:	48 89 44 24 58       	mov    %rax,0x58(%rsp)
   b:	0f 1f 44 00 00       	nopl   0x0(%rax,%rax,1)
  10:	65 8b 05 7f 36 f2 10 	mov    %gs:0x10f2367f(%rip),%eax        # 0x10f23696
  17:	83 f8 08             	cmp    $0x8,%eax
  1a:	0f 83 b8 01 00 00    	jae    0x1d8
  20:	89 c0                	mov    %eax,%eax
  22:	48 0f a3 05 a8 2b 00 	bt     %rax,0xe002ba8(%rip)        # 0xe002bd2
  29:	0e
* 2a:	73 16                	jae    0x42 <-- trapping instruction
  2c:	e8 a1 fc 08 00       	call   0x8fcd2
  31:	84 c0                	test   %al,%al
  33:	75 0d                	jne    0x42
  35:	f6 05 14 39 ea 0d 01 	testb  $0x1,0xdea3914(%rip)        # 0xdea3950
  3c:	0f                   	.byte 0xf
  3d:	84 d7                	test   %dl,%bh
  3f:	01                   	.byte 0x1