======================================================== WARNING: possible irq lock inversion dependency detected 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted -------------------------------------------------------- syz-executor.5/8357 just changed the state of lock: ffff888029d6a910 (&group->lock#2){..-.}-{2:2}, at: class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline] ffff888029d6a910 (&group->lock#2){..-.}-{2:2}, at: snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904 but this lock took another, SOFTIRQ-unsafe lock in the past: (&timer->lock){+.+.}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&timer->lock); local_irq_disable(); lock(&group->lock#2); lock(&timer->lock); lock(&group->lock#2); *** DEADLOCK *** 4 locks held by syz-executor.5/8357: #0: ffff88802ecf4420 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:409 #1: ffff88805f3d4a00 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:828 [inline] #1: ffff88805f3d4a00 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:3892 #2: ffff88802f000950 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x1faa/0x2200 fs/jbd2/transaction.c:463 #3: ffffffff8de14718 (inode_hash_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline] #3: ffffffff8de14718 (inode_hash_lock){+.+.}-{2:2}, at: insert_inode_locked+0xd0/0x410 fs/inode.c:1629 the shortest dependencies between 2nd lock and 1st lock: -> (&timer->lock){+.+.}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] class_spinlock_constructor include/linux/spinlock.h:561 [inline] snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412 snd_timer_close+0xae/0x130 sound/core/timer.c:464 snd_seq_timer_close+0xa9/0xe0 sound/core/seq/seq_timer.c:302 queue_delete sound/core/seq/seq_queue.c:126 [inline] snd_seq_queue_client_leave+0x7f/0x2b0 sound/core/seq/seq_queue.c:543 seq_free_client1+0xfe/0x2b0 sound/core/seq/seq_clientmgr.c:285 seq_free_client+0x6c/0x180 sound/core/seq/seq_clientmgr.c:306 snd_seq_release+0x48/0xc0 sound/core/seq/seq_clientmgr.c:387 __fput+0x42b/0x8a0 fs/file_table.c:422 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1541 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 SOFTIRQ-ON-W at: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] class_spinlock_constructor include/linux/spinlock.h:561 [inline] snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412 snd_timer_close+0xae/0x130 sound/core/timer.c:464 snd_seq_timer_close+0xa9/0xe0 sound/core/seq/seq_timer.c:302 queue_delete sound/core/seq/seq_queue.c:126 [inline] snd_seq_queue_client_leave+0x7f/0x2b0 sound/core/seq/seq_queue.c:543 seq_free_client1+0xfe/0x2b0 sound/core/seq/seq_clientmgr.c:285 seq_free_client+0x6c/0x180 sound/core/seq/seq_clientmgr.c:306 snd_seq_release+0x48/0xc0 sound/core/seq/seq_clientmgr.c:387 __fput+0x42b/0x8a0 fs/file_table.c:422 __do_sys_close fs/open.c:1556 [inline] __se_sys_close fs/open.c:1541 [inline] __x64_sys_close+0x7f/0x110 fs/open.c:1541 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 INITIAL USE at: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_spinlock_irqsave_constructor include/linux/spinlock.h:574 [inline] snd_timer_notify+0x103/0x3d0 sound/core/timer.c:1040 snd_pcm_timer_notify sound/core/pcm_native.c:622 [inline] snd_pcm_post_stop sound/core/pcm_native.c:1520 [inline] snd_pcm_action sound/core/pcm_native.c:1370 [inline] snd_pcm_stop+0x358/0x490 sound/core/pcm_native.c:1543 snd_pcm_drop+0x158/0x250 sound/core/pcm_native.c:2208 snd_pcm_oss_sync+0x202/0xc30 sound/core/oss/pcm_oss.c:1734 snd_pcm_oss_release+0x11e/0x280 sound/core/oss/pcm_oss.c:2575 __fput+0x42b/0x8a0 fs/file_table.c:422 task_work_run+0x251/0x310 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xa1b/0x27e0 kernel/exit.c:878 do_group_exit+0x207/0x2c0 kernel/exit.c:1027 get_signal+0x176e/0x1850 kernel/signal.c:2907 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:105 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline] syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212 do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x6d/0x75 } ... key at: [] snd_timer_new.__key+0x0/0x20 ... acquired at: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_spinlock_irqsave_constructor include/linux/spinlock.h:574 [inline] snd_timer_notify+0x103/0x3d0 sound/core/timer.c:1040 snd_pcm_timer_notify sound/core/pcm_native.c:622 [inline] snd_pcm_post_stop sound/core/pcm_native.c:1520 [inline] snd_pcm_action sound/core/pcm_native.c:1370 [inline] snd_pcm_stop+0x358/0x490 sound/core/pcm_native.c:1543 snd_pcm_drop+0x158/0x250 sound/core/pcm_native.c:2208 snd_pcm_oss_sync+0x202/0xc30 sound/core/oss/pcm_oss.c:1734 snd_pcm_oss_release+0x11e/0x280 sound/core/oss/pcm_oss.c:2575 __fput+0x42b/0x8a0 fs/file_table.c:422 task_work_run+0x251/0x310 kernel/task_work.c:180 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0xa1b/0x27e0 kernel/exit.c:878 do_group_exit+0x207/0x2c0 kernel/exit.c:1027 get_signal+0x176e/0x1850 kernel/signal.c:2907 arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:105 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline] syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212 do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x6d/0x75 -> (&group->lock#2){..-.}-{2:2} { IN-SOFTIRQ-W at: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline] snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904 dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385 __run_hrtimer kernel/time/hrtimer.c:1692 [inline] __hrtimer_run_queues+0x597/0xd00 kernel/time/hrtimer.c:1756 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773 __do_softirq+0x2be/0x943 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 insert_inode_locked+0xe0/0x410 fs/inode.c:1630 __ext4_new_inode+0x2f0f/0x4360 fs/ext4/ialloc.c:1272 ext4_symlink+0x38d/0xb50 fs/ext4/namei.c:3395 vfs_symlink+0x139/0x2a0 fs/namei.c:4484 do_symlinkat+0x222/0x3a0 fs/namei.c:4510 __do_sys_symlinkat fs/namei.c:4526 [inline] __se_sys_symlinkat fs/namei.c:4523 [inline] __x64_sys_symlinkat+0x99/0xb0 fs/namei.c:4523 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 INITIAL USE at: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline] _raw_spin_lock_irq+0xd3/0x120 kernel/locking/spinlock.c:170 spin_lock_irq include/linux/spinlock.h:376 [inline] snd_pcm_group_lock_irq sound/core/pcm_native.c:97 [inline] snd_pcm_stream_lock_irq sound/core/pcm_native.c:136 [inline] class_pcm_stream_lock_irq_constructor include/sound/pcm.h:666 [inline] snd_pcm_hw_params+0x201/0x1ea0 sound/core/pcm_native.c:740 snd_pcm_oss_change_params_locked+0x20d5/0x3e00 sound/core/oss/pcm_oss.c:965 snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1105 [inline] snd_pcm_oss_make_ready+0x11d/0x350 sound/core/oss/pcm_oss.c:1164 snd_pcm_oss_get_odelay+0xbd/0x340 sound/core/oss/pcm_oss.c:2166 snd_pcm_oss_ioctl+0x87f/0xff0 sound/core/oss/pcm_oss.c:2732 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:890 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 } ... key at: [] snd_pcm_group_init.__key+0x0/0x20 ... acquired at: mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678 __lock_acquire+0xbcd/0x1fd0 kernel/locking/lockdep.c:5091 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline] snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904 dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385 __run_hrtimer kernel/time/hrtimer.c:1692 [inline] __hrtimer_run_queues+0x597/0xd00 kernel/time/hrtimer.c:1756 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773 __do_softirq+0x2be/0x943 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 insert_inode_locked+0xe0/0x410 fs/inode.c:1630 __ext4_new_inode+0x2f0f/0x4360 fs/ext4/ialloc.c:1272 ext4_symlink+0x38d/0xb50 fs/ext4/namei.c:3395 vfs_symlink+0x139/0x2a0 fs/namei.c:4484 do_symlinkat+0x222/0x3a0 fs/namei.c:4510 __do_sys_symlinkat fs/namei.c:4526 [inline] __se_sys_symlinkat fs/namei.c:4523 [inline] __x64_sys_symlinkat+0x99/0xb0 fs/namei.c:4523 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 stack backtrace: CPU: 1 PID: 8357 Comm: syz-executor.5 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114 mark_lock_irq+0x80c/0xc20 kernel/locking/lockdep.c:4243 mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678 __lock_acquire+0xbcd/0x1fd0 kernel/locking/lockdep.c:5091 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline] snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904 dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385 __run_hrtimer kernel/time/hrtimer.c:1692 [inline] __hrtimer_run_queues+0x597/0xd00 kernel/time/hrtimer.c:1756 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773 __do_softirq+0x2be/0x943 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:insert_inode_locked+0xe0/0x410 fs/inode.c:1630 Code: eb 31 dd 23 2d e5 f7 9f 0b 4d 8d 74 ed 00 48 c7 c7 00 47 e1 8d e8 60 e9 6d 09 4c 89 f0 48 c1 e8 03 48 89 04 24 42 80 3c 38 00 <74> 08 4c 89 f7 e8 c6 26 e7 ff 49 8b 2e 48 85 ed 0f 84 c9 01 00 00 RSP: 0018:ffffc90014e0f9f0 EFLAGS: 00000246 RAX: 1ffff920001c7d11 RBX: 0000138514f6eb3f RCX: 0000000000000001 RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90014e0f960 RBP: 0000000000047d11 R08: 0000000000000003 R09: fffff520029c1f2c R10: dffffc0000000000 R11: fffff520029c1f2c R12: 00000000000007b5 R13: ffffc90000c00000 R14: ffffc90000e3e888 R15: dffffc0000000000 __ext4_new_inode+0x2f0f/0x4360 fs/ext4/ialloc.c:1272 ext4_symlink+0x38d/0xb50 fs/ext4/namei.c:3395 vfs_symlink+0x139/0x2a0 fs/namei.c:4484 do_symlinkat+0x222/0x3a0 fs/namei.c:4510 __do_sys_symlinkat fs/namei.c:4526 [inline] __se_sys_symlinkat fs/namei.c:4523 [inline] __x64_sys_symlinkat+0x99/0xb0 fs/namei.c:4523 do_syscall_64+0xfd/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f7b4a47d5e7 Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0a 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe540d67c8 EFLAGS: 00000202 ORIG_RAX: 000000000000010a RAX: ffffffffffffffda RBX: 00007ffe540d6890 RCX: 00007f7b4a47d5e7 RDX: 00007f7b4a4ca53c RSI: 00000000ffffff9c RDI: 00007ffe540d6890 RBP: 0000000000000001 R08: 0000000000000013 R09: 00007ffe540d6517 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001 vkms_vblank_simulate: vblank timer overrun ---------------- Code disassembly (best guess): 0: eb 31 jmp 0x33 2: dd 23 frstor (%rbx) 4: 2d e5 f7 9f 0b sub $0xb9ff7e5,%eax 9: 4d 8d 74 ed 00 lea 0x0(%r13,%rbp,8),%r14 e: 48 c7 c7 00 47 e1 8d mov $0xffffffff8de14700,%rdi 15: e8 60 e9 6d 09 call 0x96de97a 1a: 4c 89 f0 mov %r14,%rax 1d: 48 c1 e8 03 shr $0x3,%rax 21: 48 89 04 24 mov %rax,(%rsp) 25: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) * 2a: 74 08 je 0x34 <-- trapping instruction 2c: 4c 89 f7 mov %r14,%rdi 2f: e8 c6 26 e7 ff call 0xffe726fa 34: 49 8b 2e mov (%r14),%rbp 37: 48 85 ed test %rbp,%rbp 3a: 0f 84 c9 01 00 00 je 0x209