========================================================
WARNING: possible irq lock inversion dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
--------------------------------------------------------
syz-executor.5/8357 just changed the state of lock:
ffff888029d6a910 (&group->lock#2){..-.}-{2:2}, at: class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
ffff888029d6a910 (&group->lock#2){..-.}-{2:2}, at: snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
but this lock took another, SOFTIRQ-unsafe lock in the past:
 (&timer->lock){+.+.}-{2:2}


and interrupts could create inverse lock ordering between them.


other info that might help us debug this:
 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&timer->lock);
                               local_irq_disable();
                               lock(&group->lock#2);
                               lock(&timer->lock);
  <Interrupt>
    lock(&group->lock#2);

 *** DEADLOCK ***

4 locks held by syz-executor.5/8357:
 #0: ffff88802ecf4420 (sb_writers#4){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 fs/namespace.c:409
 #1: ffff88805f3d4a00 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: inode_lock_nested include/linux/fs.h:828 [inline]
 #1: ffff88805f3d4a00 (&type->i_mutex_dir_key#3/1){+.+.}-{3:3}, at: filename_create+0x260/0x540 fs/namei.c:3892
 #2: ffff88802f000950 (jbd2_handle){++++}-{0:0}, at: start_this_handle+0x1faa/0x2200 fs/jbd2/transaction.c:463
 #3: ffffffff8de14718 (inode_hash_lock){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #3: ffffffff8de14718 (inode_hash_lock){+.+.}-{2:2}, at: insert_inode_locked+0xd0/0x410 fs/inode.c:1629

the shortest dependencies between 2nd lock and 1st lock:
 -> (&timer->lock){+.+.}-{2:2} {
    HARDIRQ-ON-W at:
                      lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
                      __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
                      _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
                      spin_lock include/linux/spinlock.h:351 [inline]
                      class_spinlock_constructor include/linux/spinlock.h:561 [inline]
                      snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412
                      snd_timer_close+0xae/0x130 sound/core/timer.c:464
                      snd_seq_timer_close+0xa9/0xe0 sound/core/seq/seq_timer.c:302
                      queue_delete sound/core/seq/seq_queue.c:126 [inline]
                      snd_seq_queue_client_leave+0x7f/0x2b0 sound/core/seq/seq_queue.c:543
                      seq_free_client1+0xfe/0x2b0 sound/core/seq/seq_clientmgr.c:285
                      seq_free_client+0x6c/0x180 sound/core/seq/seq_clientmgr.c:306
                      snd_seq_release+0x48/0xc0 sound/core/seq/seq_clientmgr.c:387
                      __fput+0x42b/0x8a0 fs/file_table.c:422
                      __do_sys_close fs/open.c:1556 [inline]
                      __se_sys_close fs/open.c:1541 [inline]
                      __x64_sys_close+0x7f/0x110 fs/open.c:1541
                      do_syscall_64+0xfd/0x240
                      entry_SYSCALL_64_after_hwframe+0x6d/0x75
    SOFTIRQ-ON-W at:
                      lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
                      __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
                      _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
                      spin_lock include/linux/spinlock.h:351 [inline]
                      class_spinlock_constructor include/linux/spinlock.h:561 [inline]
                      snd_timer_close_locked+0x53/0x8d0 sound/core/timer.c:412
                      snd_timer_close+0xae/0x130 sound/core/timer.c:464
                      snd_seq_timer_close+0xa9/0xe0 sound/core/seq/seq_timer.c:302
                      queue_delete sound/core/seq/seq_queue.c:126 [inline]
                      snd_seq_queue_client_leave+0x7f/0x2b0 sound/core/seq/seq_queue.c:543
                      seq_free_client1+0xfe/0x2b0 sound/core/seq/seq_clientmgr.c:285
                      seq_free_client+0x6c/0x180 sound/core/seq/seq_clientmgr.c:306
                      snd_seq_release+0x48/0xc0 sound/core/seq/seq_clientmgr.c:387
                      __fput+0x42b/0x8a0 fs/file_table.c:422
                      __do_sys_close fs/open.c:1556 [inline]
                      __se_sys_close fs/open.c:1541 [inline]
                      __x64_sys_close+0x7f/0x110 fs/open.c:1541
                      do_syscall_64+0xfd/0x240
                      entry_SYSCALL_64_after_hwframe+0x6d/0x75
    INITIAL USE at:
                     lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
                     __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
                     _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
                     class_spinlock_irqsave_constructor include/linux/spinlock.h:574 [inline]
                     snd_timer_notify+0x103/0x3d0 sound/core/timer.c:1040
                     snd_pcm_timer_notify sound/core/pcm_native.c:622 [inline]
                     snd_pcm_post_stop sound/core/pcm_native.c:1520 [inline]
                     snd_pcm_action sound/core/pcm_native.c:1370 [inline]
                     snd_pcm_stop+0x358/0x490 sound/core/pcm_native.c:1543
                     snd_pcm_drop+0x158/0x250 sound/core/pcm_native.c:2208
                     snd_pcm_oss_sync+0x202/0xc30 sound/core/oss/pcm_oss.c:1734
                     snd_pcm_oss_release+0x11e/0x280 sound/core/oss/pcm_oss.c:2575
                     __fput+0x42b/0x8a0 fs/file_table.c:422
                     task_work_run+0x251/0x310 kernel/task_work.c:180
                     exit_task_work include/linux/task_work.h:38 [inline]
                     do_exit+0xa1b/0x27e0 kernel/exit.c:878
                     do_group_exit+0x207/0x2c0 kernel/exit.c:1027
                     get_signal+0x176e/0x1850 kernel/signal.c:2907
                     arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
                     exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
                     exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
                     __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
                     syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212
                     do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89
                     entry_SYSCALL_64_after_hwframe+0x6d/0x75
  }
  ... key      at: [<ffffffff94896220>] snd_timer_new.__key+0x0/0x20
  ... acquired at:
   lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
   class_spinlock_irqsave_constructor include/linux/spinlock.h:574 [inline]
   snd_timer_notify+0x103/0x3d0 sound/core/timer.c:1040
   snd_pcm_timer_notify sound/core/pcm_native.c:622 [inline]
   snd_pcm_post_stop sound/core/pcm_native.c:1520 [inline]
   snd_pcm_action sound/core/pcm_native.c:1370 [inline]
   snd_pcm_stop+0x358/0x490 sound/core/pcm_native.c:1543
   snd_pcm_drop+0x158/0x250 sound/core/pcm_native.c:2208
   snd_pcm_oss_sync+0x202/0xc30 sound/core/oss/pcm_oss.c:1734
   snd_pcm_oss_release+0x11e/0x280 sound/core/oss/pcm_oss.c:2575
   __fput+0x42b/0x8a0 fs/file_table.c:422
   task_work_run+0x251/0x310 kernel/task_work.c:180
   exit_task_work include/linux/task_work.h:38 [inline]
   do_exit+0xa1b/0x27e0 kernel/exit.c:878
   do_group_exit+0x207/0x2c0 kernel/exit.c:1027
   get_signal+0x176e/0x1850 kernel/signal.c:2907
   arch_do_signal_or_restart+0x96/0x860 arch/x86/kernel/signal.c:310
   exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
   exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
   __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
   syscall_exit_to_user_mode+0xc9/0x360 kernel/entry/common.c:212
   do_syscall_64+0x10a/0x240 arch/x86/entry/common.c:89
   entry_SYSCALL_64_after_hwframe+0x6d/0x75

-> (&group->lock#2){..-.}-{2:2} {
   IN-SOFTIRQ-W at:
                    lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
                    __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
                    _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
                    class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
                    snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
                    dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385
                    __run_hrtimer kernel/time/hrtimer.c:1692 [inline]
                    __hrtimer_run_queues+0x597/0xd00 kernel/time/hrtimer.c:1756
                    hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773
                    __do_softirq+0x2be/0x943 kernel/softirq.c:554
                    invoke_softirq kernel/softirq.c:428 [inline]
                    __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
                    irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
                    instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
                    sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
                    asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
                    insert_inode_locked+0xe0/0x410 fs/inode.c:1630
                    __ext4_new_inode+0x2f0f/0x4360 fs/ext4/ialloc.c:1272
                    ext4_symlink+0x38d/0xb50 fs/ext4/namei.c:3395
                    vfs_symlink+0x139/0x2a0 fs/namei.c:4484
                    do_symlinkat+0x222/0x3a0 fs/namei.c:4510
                    __do_sys_symlinkat fs/namei.c:4526 [inline]
                    __se_sys_symlinkat fs/namei.c:4523 [inline]
                    __x64_sys_symlinkat+0x99/0xb0 fs/namei.c:4523
                    do_syscall_64+0xfd/0x240
                    entry_SYSCALL_64_after_hwframe+0x6d/0x75
   INITIAL USE at:
                   lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
                   __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
                   _raw_spin_lock_irq+0xd3/0x120 kernel/locking/spinlock.c:170
                   spin_lock_irq include/linux/spinlock.h:376 [inline]
                   snd_pcm_group_lock_irq sound/core/pcm_native.c:97 [inline]
                   snd_pcm_stream_lock_irq sound/core/pcm_native.c:136 [inline]
                   class_pcm_stream_lock_irq_constructor include/sound/pcm.h:666 [inline]
                   snd_pcm_hw_params+0x201/0x1ea0 sound/core/pcm_native.c:740
                   snd_pcm_oss_change_params_locked+0x20d5/0x3e00 sound/core/oss/pcm_oss.c:965
                   snd_pcm_oss_change_params sound/core/oss/pcm_oss.c:1105 [inline]
                   snd_pcm_oss_make_ready+0x11d/0x350 sound/core/oss/pcm_oss.c:1164
                   snd_pcm_oss_get_odelay+0xbd/0x340 sound/core/oss/pcm_oss.c:2166
                   snd_pcm_oss_ioctl+0x87f/0xff0 sound/core/oss/pcm_oss.c:2732
                   vfs_ioctl fs/ioctl.c:51 [inline]
                   __do_sys_ioctl fs/ioctl.c:904 [inline]
                   __se_sys_ioctl+0xfe/0x170 fs/ioctl.c:890
                   do_syscall_64+0xfd/0x240
                   entry_SYSCALL_64_after_hwframe+0x6d/0x75
 }
 ... key      at: [<ffffffff94896440>] snd_pcm_group_init.__key+0x0/0x20
 ... acquired at:
   mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678
   __lock_acquire+0xbcd/0x1fd0 kernel/locking/lockdep.c:5091
   lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
   _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
   class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
   snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
   dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385
   __run_hrtimer kernel/time/hrtimer.c:1692 [inline]
   __hrtimer_run_queues+0x597/0xd00 kernel/time/hrtimer.c:1756
   hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773
   __do_softirq+0x2be/0x943 kernel/softirq.c:554
   invoke_softirq kernel/softirq.c:428 [inline]
   __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
   irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
   instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
   sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
   asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
   insert_inode_locked+0xe0/0x410 fs/inode.c:1630
   __ext4_new_inode+0x2f0f/0x4360 fs/ext4/ialloc.c:1272
   ext4_symlink+0x38d/0xb50 fs/ext4/namei.c:3395
   vfs_symlink+0x139/0x2a0 fs/namei.c:4484
   do_symlinkat+0x222/0x3a0 fs/namei.c:4510
   __do_sys_symlinkat fs/namei.c:4526 [inline]
   __se_sys_symlinkat fs/namei.c:4523 [inline]
   __x64_sys_symlinkat+0x99/0xb0 fs/namei.c:4523
   do_syscall_64+0xfd/0x240
   entry_SYSCALL_64_after_hwframe+0x6d/0x75


stack backtrace:
CPU: 1 PID: 8357 Comm: syz-executor.5 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 mark_lock_irq+0x80c/0xc20 kernel/locking/lockdep.c:4243
 mark_lock+0x223/0x350 kernel/locking/lockdep.c:4678
 __lock_acquire+0xbcd/0x1fd0 kernel/locking/lockdep.c:5091
 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 class_pcm_stream_lock_irqsave_constructor include/sound/pcm.h:669 [inline]
 snd_pcm_period_elapsed+0x21/0x50 sound/core/pcm_lib.c:1904
 dummy_hrtimer_callback+0x7f/0x180 sound/drivers/dummy.c:385
 __run_hrtimer kernel/time/hrtimer.c:1692 [inline]
 __hrtimer_run_queues+0x597/0xd00 kernel/time/hrtimer.c:1756
 hrtimer_run_softirq+0x19a/0x2c0 kernel/time/hrtimer.c:1773
 __do_softirq+0x2be/0x943 kernel/softirq.c:554
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:insert_inode_locked+0xe0/0x410 fs/inode.c:1630
Code: eb 31 dd 23 2d e5 f7 9f 0b 4d 8d 74 ed 00 48 c7 c7 00 47 e1 8d e8 60 e9 6d 09 4c 89 f0 48 c1 e8 03 48 89 04 24 42 80 3c 38 00 <74> 08 4c 89 f7 e8 c6 26 e7 ff 49 8b 2e 48 85 ed 0f 84 c9 01 00 00
RSP: 0018:ffffc90014e0f9f0 EFLAGS: 00000246
RAX: 1ffff920001c7d11 RBX: 0000138514f6eb3f RCX: 0000000000000001
RDX: dffffc0000000000 RSI: 0000000000000004 RDI: ffffc90014e0f960
RBP: 0000000000047d11 R08: 0000000000000003 R09: fffff520029c1f2c
R10: dffffc0000000000 R11: fffff520029c1f2c R12: 00000000000007b5
R13: ffffc90000c00000 R14: ffffc90000e3e888 R15: dffffc0000000000
 __ext4_new_inode+0x2f0f/0x4360 fs/ext4/ialloc.c:1272
 ext4_symlink+0x38d/0xb50 fs/ext4/namei.c:3395
 vfs_symlink+0x139/0x2a0 fs/namei.c:4484
 do_symlinkat+0x222/0x3a0 fs/namei.c:4510
 __do_sys_symlinkat fs/namei.c:4526 [inline]
 __se_sys_symlinkat fs/namei.c:4523 [inline]
 __x64_sys_symlinkat+0x99/0xb0 fs/namei.c:4523
 do_syscall_64+0xfd/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7f7b4a47d5e7
Code: 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 0a 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe540d67c8 EFLAGS: 00000202 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 00007ffe540d6890 RCX: 00007f7b4a47d5e7
RDX: 00007f7b4a4ca53c RSI: 00000000ffffff9c RDI: 00007ffe540d6890
RBP: 0000000000000001 R08: 0000000000000013 R09: 00007ffe540d6517
R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
vkms_vblank_simulate: vblank timer overrun
----------------
Code disassembly (best guess):
   # Decode (AT&T syntax) of the "Code:" bytes dumped for the interrupted
   # kernel RIP, insert_inode_locked+0xe0. The byte shown in <> in that dump
   # is offset 0x2a here, so offset 0 of this listing is insert_inode_locked+0xb6.
   # Branch/call targets are relative to this listing, not kernel addresses.
   #
   # NOTE(review): this report is a lockdep warning emitted from the timer
   # interrupt (the <IRQ> part of the backtrace), not a CPU fault. The line the
   # tool marks as "trapping" is only where the APIC timer interrupt landed in
   # task context. Triage the &group->lock / &timer->lock chain, not this code.
   #
   # The first three decodes are probably artifacts of starting mid-instruction
   # ("best guess"); do not read meaning into them.
   0:	eb 31                	jmp    0x33
   2:	dd 23                	frstor (%rbx)
   4:	2d e5 f7 9f 0b       	sub    $0xb9ff7e5,%eax
   # r14 = r13 + rbp*8. With the dumped R13=ffffc90000c00000 and RBP=0x47d11
   # this gives the dumped R14=ffffc90000e3e888.
   # Presumably a hash-bucket slot; confirm against fs/inode.c.
   9:	4d 8d 74 ed 00       	lea    0x0(%r13,%rbp,8),%r14
   # rdi is 0x18 below the inode_hash_lock lockdep address (ffffffff8de14718)
   # in "locks held", and the call returns to offset 0x1a = insert_inode_locked+0xd0,
   # where lock #3 is reported as taken. So this is, presumably, the
   # spin_lock(&inode_hash_lock) call.
   e:	48 c7 c7 00 47 e1 8d 	mov    $0xffffffff8de14700,%rdi
  15:	e8 60 e9 6d 09       	call   0x96de97a
   # rax = r14 >> 3 (matches the dumped RAX=1ffff920001c7d11), spilled to the
   # stack, then a byte at rax + r15 is compared with 0. R15 is dffffc0000000000
   # in the register dump. This looks like a KASAN shadow-byte check guarding
   # the 8-byte load at 0x34; confirm that the build has KASAN enabled.
  1a:	4c 89 f0             	mov    %r14,%rax
  1d:	48 c1 e8 03          	shr    $0x3,%rax
  21:	48 89 04 24          	mov    %rax,(%rsp)
  25:	42 80 3c 38 00       	cmpb   $0x0,(%rax,%r15,1)
   # Interrupted RIP: byte at rax + r15 == 0 skips the call below and goes to the load.
* 2a:	74 08                	je     0x34 <-- trapping instruction
   # Reached only when that byte is non-zero; called with rdi = r14.
   # Presumably a sanitizer report helper. The target cannot be resolved from this dump.
  2c:	4c 89 f7             	mov    %r14,%rdi
  2f:	e8 c6 26 e7 ff       	call   0xffe726fa
   # The guarded access: rbp = *(u64 *)r14, then branch away if it is NULL.
  34:	49 8b 2e             	mov    (%r14),%rbp
  37:	48 85 ed             	test   %rbp,%rbp
  3a:	0f 84 c9 01 00 00    	je     0x209