================================ WARNING: inconsistent lock state syzkaller #0 Tainted: G L -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. kworker/u8:3/49 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff888031e91068 (&dev->spinlock){?...}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline] ffff888031e91068 (&dev->spinlock){?...}-{3:3}, at: das16m1_interrupt+0x5e/0x180 drivers/comedi/drivers/das16m1.c:460 {HARDIRQ-ON-W} state was registered at: lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline] _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:348 [inline] waveform_ao_cancel+0x8d/0x120 drivers/comedi/drivers/comedi_test.c:628 do_cancel drivers/comedi/comedi_fops.c:818 [inline] comedi_close+0x27e/0x5e0 drivers/comedi/comedi_fops.c:3036 __fput+0x44f/0xa70 fs/file_table.c:469 task_work_run+0x1d9/0x270 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:67 [inline] exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:269 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline] do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f irq event stamp: 8043512 hardirqs last enabled at (8043511): [] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:178 [inline] hardirqs last enabled at (8043511): [] _raw_spin_unlock_irqrestore+0x30/0x80 kernel/locking/spinlock.c:194 hardirqs last disabled at (8043512): [] common_interrupt+0x13/0xe0 arch/x86/kernel/irq.c:326 softirqs last enabled at (8042906): [] __do_softirq kernel/softirq.c:660 [inline] softirqs last enabled at (8042906): [] invoke_softirq kernel/softirq.c:496 [inline] softirqs last enabled at (8042906): [] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:739 softirqs last disabled at (8042893): [] __do_softirq kernel/softirq.c:660 [inline] softirqs last disabled at (8042893): [] invoke_softirq kernel/softirq.c:496 [inline] softirqs last disabled at (8042893): [] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:739 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&dev->spinlock); lock(&dev->spinlock); *** DEADLOCK *** 4 locks held by kworker/u8:3/49: #0: ffff88801dfeb948 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x894/0x1780 kernel/workqueue.c:3261 #1: ffffc90000b97c40 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x8bb/0x1780 kernel/workqueue.c:3262 #2: ffff888029bee0a8 (&ctx->uring_lock){+.+.}-{4:4}, at: class_mutex_constructor include/linux/mutex.h:253 [inline] #2: ffff888029bee0a8 (&ctx->uring_lock){+.+.}-{4:4}, at: io_req_caches_free+0x19/0x60 io_uring/io_uring.c:2145 #3: ffffffff8e75f420 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline] #3: ffffffff8e75f420 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline] #3: ffffffff8e75f420 (rcu_read_lock){....}-{1:3}, at: class_rcu_constructor include/linux/rcupdate.h:1193 [inline] #3: ffffffff8e75f420 (rcu_read_lock){....}-{1:3}, at: unwind_next_frame+0xa5/0x23c0 arch/x86/kernel/unwind_orc.c:495 stack backtrace: CPU: 0 UID: 0 PID: 49 Comm: kworker/u8:3 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026 Workqueue: iou_exit io_ring_exit_work Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_usage_bug+0x28b/0x2e0 kernel/locking/lockdep.c:4042 valid_state kernel/locking/lockdep.c:4056 [inline] mark_lock_irq+0x410/0x420 kernel/locking/lockdep.c:-1 mark_lock+0x115/0x190 kernel/locking/lockdep.c:4753 mark_usage kernel/locking/lockdep.c:4639 [inline] __lock_acquire+0x661/0x2cf0 kernel/locking/lockdep.c:5191 lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:342 [inline] das16m1_interrupt+0x5e/0x180 drivers/comedi/drivers/das16m1.c:460 __handle_irq_event_percpu+0x227/0x9e0 kernel/irq/handle.c:209 handle_irq_event_percpu kernel/irq/handle.c:246 [inline] handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:263 handle_edge_irq+0x23b/0xa10 kernel/irq/chip.c:855 generic_handle_irq_desc include/linux/irqdesc.h:186 [inline] handle_irq arch/x86/kernel/irq.c:262 [inline] call_irq_handler arch/x86/kernel/irq.c:-1 [inline] __common_interrupt+0x141/0x1f0 arch/x86/kernel/irq.c:333 common_interrupt+0xb6/0xe0 arch/x86/kernel/irq.c:326 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688 RIP: 0010:lock_acquire+0x20b/0x2e0 kernel/locking/lockdep.c:5872 Code: e9 30 ff ff ff e8 b5 ee 10 0a f7 c3 00 02 00 00 0f 84 38 ff ff ff 65 48 8b 05 61 9b 7b 11 48 3b 44 24 30 75 33 fb 48 83 c4 38 <5b> 41 5c 41 5d 41 5e 41 5f 5d e9 06 d7 13 0a cc 48 8d 3d de 12 73 RSP: 0018:ffffc90000b97438 EFLAGS: 00000282 RAX: 88583ee97c3cc100 RBX: 0000000000000246 RCX: 0000000000000046 RDX: 000000000fee5d82 RSI: ffffffff8e1877bd RDI: ffffffff8c285fe0 RBP: 0000000000000000 R08: ffffffff81773bb5 R09: ffffffff8e75f420 R10: ffffc90000b97598 R11: ffffffff81b1cb20 R12: 0000000000000002 R13: ffffffff8e75f420 R14: 0000000000000000 R15: 0000000000000000 rcu_lock_acquire include/linux/rcupdate.h:312 [inline] rcu_read_lock include/linux/rcupdate.h:850 [inline] class_rcu_constructor include/linux/rcupdate.h:1193 [inline] unwind_next_frame+0xc2/0x23c0 arch/x86/kernel/unwind_orc.c:495 arch_stack_walk+0x11b/0x150 arch/x86/kernel/stacktrace.c:25 stack_trace_save+0xa9/0x100 kernel/stacktrace.c:122 kasan_save_stack+0x3e/0x60 mm/kasan/common.c:57 kasan_record_aux_stack+0xbd/0xd0 mm/kasan/generic.c:556 slab_free_hook mm/slub.c:2646 [inline] slab_free mm/slub.c:6165 [inline] kmem_cache_free+0x428/0x630 mm/slub.c:6295 __io_req_caches_free+0x1c1/0x270 io_uring/io_uring.c:2134 io_req_caches_free+0x21/0x60 io_uring/io_uring.c:2146 io_ring_exit_work+0x41b/0x960 io_uring/io_uring.c:2340 process_one_work+0x9ab/0x1780 kernel/workqueue.c:3289 process_scheduled_works kernel/workqueue.c:3380 [inline] worker_thread+0xb49/0x1140 kernel/workqueue.c:3461 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 comedi comedi3: fifo overflow ---------------- Code disassembly (best guess): 0: e9 30 ff ff ff jmp 0xffffff35 5: e8 b5 ee 10 0a call 0xa10eebf a: f7 c3 00 02 00 00 test $0x200,%ebx 10: 0f 84 38 ff ff ff je 0xffffff4e 16: 65 48 8b 05 61 9b 7b mov %gs:0x117b9b61(%rip),%rax # 0x117b9b7f 1d: 11 1e: 48 3b 44 24 30 cmp 0x30(%rsp),%rax 23: 75 33 jne 0x58 25: fb sti 26: 48 83 c4 38 add $0x38,%rsp * 2a: 5b pop %rbx <-- trapping instruction 2b: 41 5c pop %r12 2d: 41 5d pop %r13 2f: 41 5e pop %r14 31: 41 5f pop %r15 33: 5d pop %rbp 34: e9 06 d7 13 0a jmp 0xa13d73f 39: cc int3 3a: 48 rex.W 3b: 8d .byte 0x8d 3c: 3d .byte 0x3d 3d: de 12 ficoms (%rdx) 3f: 73 .byte 0x73