================================
WARNING: inconsistent lock state
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz-executor.0/6368 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffff88802941d948 (&timer->lock){?.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88802941d948 (&timer->lock){?.+.}-{2:2}, at: class_spinlock_constructor include/linux/spinlock.h:561 [inline]
ffff88802941d948 (&timer->lock){?.+.}-{2:2}, at: snd_hrtimer_callback+0x4d/0x420 sound/core/hrtimer.c:38
{HARDIRQ-ON-W} state was registered at:
  lock_acquire kernel/locking/lockdep.c:5754 [inline]
  lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
  __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
  _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
  spin_lock include/linux/spinlock.h:351 [inline]
  class_spinlock_constructor include/linux/spinlock.h:561 [inline]
  snd_timer_close_locked+0x65/0xbd0 sound/core/timer.c:412
  snd_timer_close+0x8b/0xf0 sound/core/timer.c:464
  snd_seq_timer_close+0xa4/0x100 sound/core/seq/seq_timer.c:302
  queue_delete+0x49/0xa0 sound/core/seq/seq_queue.c:126
  snd_seq_queue_delete+0x45/0x60 sound/core/seq/seq_queue.c:188
  snd_seq_kernel_client_ctl+0x107/0x1c0 sound/core/seq/seq_clientmgr.c:2526
  delete_seq_queue.isra.0+0xc8/0x150 sound/core/seq/oss/seq_oss_init.c:371
  odev_release+0x52/0x80 sound/core/seq/oss/seq_oss.c:144
  __fput+0x270/0xb80 fs/file_table.c:422
  __fput_sync+0x47/0x50 fs/file_table.c:507
  __do_sys_close fs/open.c:1556 [inline]
  __se_sys_close fs/open.c:1541 [inline]
  __x64_sys_close+0x86/0x100 fs/open.c:1541
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
  entry_SYSCALL_64_after_hwframe+0x6d/0x75
irq event stamp: 372
hardirqs last enabled at (371): [] seqcount_lockdep_reader_access include/linux/seqlock.h:74 [inline]
hardirqs last enabled at (371): [] read_seqbegin include/linux/seqlock.h:772 [inline]
hardirqs last enabled at (371): [] zone_span_seqbegin include/linux/memory_hotplug.h:134 [inline]
hardirqs last enabled at (371): [] page_outside_zone_boundaries mm/page_alloc.c:450 [inline]
hardirqs last enabled at (371): [] bad_range+0x266/0x440 mm/page_alloc.c:469
hardirqs last disabled at (372): [] sysvec_apic_timer_interrupt+0xe/0xb0 arch/x86/kernel/apic/apic.c:1043
softirqs last enabled at (350): [] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (350): [] __do_softirq+0x596/0x8de kernel/softirq.c:583
softirqs last disabled at (341): [] invoke_softirq kernel/softirq.c:428 [inline]
softirqs last disabled at (341): [] __irq_exit_rcu kernel/softirq.c:633 [inline]
softirqs last disabled at (341): [] irq_exit_rcu+0xb9/0x120 kernel/softirq.c:645

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&timer->lock);
  <Interrupt>
    lock(&timer->lock);

 *** DEADLOCK ***

4 locks held by syz-executor.0/6368:
 #0: ffff88807f4f9e20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
 #0: ffff88807f4f9e20 (&mm->mmap_lock){++++}-{3:3}, at: exit_mmap+0x107/0xb60 mm/mmap.c:3271
 #1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #1: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: __pte_offset_map+0x42/0x540 mm/pgtable-generic.c:285
 #2: ffff88807adc57f8 (ptlock_ptr(ptdesc)#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
 #2: ffff88807adc57f8 (ptlock_ptr(ptdesc)#2){+.+.}-{2:2}, at: __pte_offset_map_lock+0xf1/0x300 mm/pgtable-generic.c:373
 #3: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #3: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #3: ffffffff8d7b08e0 (rcu_read_lock){....}-{1:2}, at: page_ext_get+0x34/0x310 mm/page_ext.c:508

stack backtrace:
CPU: 0 PID: 6368 Comm: syz-executor.0 Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 print_usage_bug kernel/locking/lockdep.c:3971 [inline]
 valid_state kernel/locking/lockdep.c:4013 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4216 [inline]
 mark_lock+0x923/0xc60 kernel/locking/lockdep.c:4678
 mark_usage kernel/locking/lockdep.c:4564 [inline]
 __lock_acquire+0x1359/0x3b30 kernel/locking/lockdep.c:5091
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 spin_lock include/linux/spinlock.h:351 [inline]
 class_spinlock_constructor include/linux/spinlock.h:561 [inline]
 snd_hrtimer_callback+0x4d/0x420 sound/core/hrtimer.c:38
 __run_hrtimer kernel/time/hrtimer.c:1692 [inline]
 __hrtimer_run_queues+0x20c/0xc20 kernel/time/hrtimer.c:1756
 hrtimer_interrupt+0x31b/0x800 kernel/time/hrtimer.c:1818
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1032 [inline]
 __sysvec_apic_timer_interrupt+0x10f/0x410 arch/x86/kernel/apic/apic.c:1049
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0x90/0xb0 arch/x86/kernel/apic/apic.c:1043
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lockdep_enabled kernel/locking/lockdep.c:122 [inline]
RIP: 0010:lock_is_held_type+0x45/0x150 kernel/locking/lockdep.c:5818
Code: 5b cc 04 85 c9 0f 84 dd 00 00 00 65 8b 05 eb 43 30 75 85 c0 0f 85 ce 00 00 00 65 4c 8b 25 53 8c 31 75 41 8b 94 24 d4 0a 00 00 <85> d2 0f 85 b6 00 00 00 48 89 fd 41 89 f6 9c 8f 04 24 fa 48 c7 c7
RSP: 0018:ffffc9000369f590 EFLAGS: 00000246
RAX: 0000000000000000 RBX: 000000000002abcb RCX: 0000000000000001
RDX: 0000000000000000 RSI: 00000000ffffffff RDI: ffffffff8d7b08e0
RBP: ffff88813fff90a0 R08: 0000000000000007 R09: 000000000007ffff
R10: 0000000000000005 R11: 0000000000000003 R12: ffff8880200b1e00
R13: 00000000ffffffff R14: 0000000000000001 R15: 800000002abcb007
 lookup_page_ext mm/page_ext.c:240 [inline]
 page_ext_get+0x132/0x310 mm/page_ext.c:509
 page_table_check_clear.part.0+0x36/0x7f0 mm/page_table_check.c:72
 page_table_check_clear mm/page_table_check.c:68 [inline]
 __page_table_check_pte_clear+0x31c/0x570 mm/page_table_check.c:158
 page_table_check_pte_clear include/linux/page_table_check.h:49 [inline]
 ptep_get_and_clear_full arch/x86/include/asm/pgtable.h:1302 [inline]
 zap_pte_range mm/memory.c:1452 [inline]
 zap_pmd_range mm/memory.c:1597 [inline]
 zap_pud_range mm/memory.c:1626 [inline]
 zap_p4d_range mm/memory.c:1647 [inline]
 unmap_page_range+0x17ff/0x2af0 mm/memory.c:1668
 unmap_single_vma+0x194/0x2b0 mm/memory.c:1714
 unmap_vmas+0x22f/0x490 mm/memory.c:1758
 exit_mmap+0x1c1/0xb60 mm/mmap.c:3287
 __mmput+0x12a/0x4d0 kernel/fork.c:1345
 mmput+0x62/0x70 kernel/fork.c:1367
 exit_mm kernel/exit.c:569 [inline]
 do_exit+0x999/0x2be0 kernel/exit.c:865
 do_group_exit+0xd3/0x2a0 kernel/exit.c:1027
 get_signal+0x2390/0x2760 kernel/signal.c:2907
 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:105 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:201 [inline]
 syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:212
 do_syscall_64+0xe2/0x260 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7faa85a7de69
Code: Unable to access opcode bytes at 0x7faa85a7de3f.
RSP: 002b:00007faa86854178 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007faa85babf88 RCX: 00007faa85a7de69
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007faa85babf88
RBP: 00007faa85babf80 R08: 00007faa868546c0 R09: 00007faa868546c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007faa85babf8c
R13: 000000000000000b R14: 00007fff964eb7a0 R15: 00007fff964eb888
----------------
Code disassembly (best guess):
   0:  5b                      pop    %rbx
   1:  cc                      int3
   2:  04 85                   add    $0x85,%al
   4:  c9                      leave
   5:  0f 84 dd 00 00 00       je     0xe8
   b:  65 8b 05 eb 43 30 75    mov    %gs:0x753043eb(%rip),%eax        # 0x753043fd
  12:  85 c0                   test   %eax,%eax
  14:  0f 85 ce 00 00 00       jne    0xe8
  1a:  65 4c 8b 25 53 8c 31    mov    %gs:0x75318c53(%rip),%r12        # 0x75318c75
  21:  75
  22:  41 8b 94 24 d4 0a 00    mov    0xad4(%r12),%edx
  29:  00
* 2a:  85 d2                   test   %edx,%edx <-- trapping instruction
  2c:  0f 85 b6 00 00 00       jne    0xe8
  32:  48 89 fd                mov    %rdi,%rbp
  35:  41 89 f6                mov    %esi,%r14d
  38:  9c                      pushf
  39:  8f 04 24                pop    (%rsp)
  3c:  fa                      cli
  3d:  48                      rex.W
  3e:  c7                      .byte 0xc7
  3f:  c7                      .byte 0xc7