================================ WARNING: inconsistent lock state syzkaller #0 Not tainted -------------------------------- inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. syz-executor/5862 [HC0[0]:SC1[1]:HE1:SE0] takes: ffff88802896b8a8 (&p->tcfa_lock){+.?.}-{3:3}, at: spin_lock include/linux/spinlock.h:351 [inline] ffff88802896b8a8 (&p->tcfa_lock){+.?.}-{3:3}, at: est_fetch_counters net/core/gen_estimator.c:67 [inline] ffff88802896b8a8 (&p->tcfa_lock){+.?.}-{3:3}, at: est_timer+0xd4/0x9f0 net/core/gen_estimator.c:83 {SOFTIRQ-ON-W} state was registered at: lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] tunnel_key_init+0xd10/0x14d0 net/sched/act_tunnel_key.c:534 tcf_action_init_1+0x460/0x6d0 net/sched/act_api.c:1431 tcf_action_init+0x2cf/0xab0 net/sched/act_api.c:1506 tcf_action_add net/sched/act_api.c:2100 [inline] tc_ctl_action+0x430/0xbd0 net/sched/act_api.c:2157 rtnetlink_rcv_msg+0x77c/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x205/0x470 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x82c/0x9e0 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:729 ____sys_sendmsg+0x505/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f irq event stamp: 366094 hardirqs last enabled at (366094): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline] hardirqs 
last enabled at (366094): [] _raw_spin_unlock_irq+0x23/0x50 kernel/locking/spinlock.c:202 hardirqs last disabled at (366093): [] __raw_spin_lock_irq include/linux/spinlock_api_smp.h:117 [inline] hardirqs last disabled at (366093): [] _raw_spin_lock_irq+0x7d/0xf0 kernel/locking/spinlock.c:170 softirqs last enabled at (365430): [] restore_fpregs_from_user arch/x86/kernel/fpu/signal.c:-1 [inline] softirqs last enabled at (365430): [] __fpu_restore_sig arch/x86/kernel/fpu/signal.c:346 [inline] softirqs last enabled at (365430): [] fpu__restore_sig+0x4ab/0x1100 arch/x86/kernel/fpu/signal.c:480 softirqs last disabled at (366091): [] __do_softirq kernel/softirq.c:613 [inline] softirqs last disabled at (366091): [] invoke_softirq kernel/softirq.c:453 [inline] softirqs last disabled at (366091): [] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&p->tcfa_lock); <Interrupt> lock(&p->tcfa_lock); *** DEADLOCK *** 3 locks held by syz-executor/5862: #0: ffff8880797d8428 (sb_writers#5){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:557 #1: ffff888024583708 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:914 [inline] #1: ffff888024583708 (&type->i_mutex_dir_key#5/1){+.+.}-{4:4}, at: filename_create+0x1f8/0x3c0 fs/namei.c:4139 #2: ffffc90000a08be0 ((&est->timer)){+.-.}-{0:0}, at: call_timer_fn+0xbe/0x5f0 kernel/time/timer.c:1744 stack backtrace: CPU: 1 UID: 0 PID: 5862 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_usage_bug+0x297/0x2e0 kernel/locking/lockdep.c:4042 valid_state+0xc3/0xf0 kernel/locking/lockdep.c:4056 mark_lock_irq+0x36/0x390 kernel/locking/lockdep.c:4267 mark_lock+0x11b/0x190 kernel/locking/lockdep.c:4753 mark_usage kernel/locking/lockdep.c:-1 [inline] __lock_acquire+0x680/0xd20 
kernel/locking/lockdep.c:5191 lock_acquire+0x120/0x360 kernel/locking/lockdep.c:5868 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:351 [inline] est_fetch_counters net/core/gen_estimator.c:67 [inline] est_timer+0xd4/0x9f0 net/core/gen_estimator.c:83 call_timer_fn+0x17e/0x5f0 kernel/time/timer.c:1747 expire_timers kernel/time/timer.c:1798 [inline] __run_timers kernel/time/timer.c:2372 [inline] __run_timer_base+0x61a/0x860 kernel/time/timer.c:2384 run_timer_base kernel/time/timer.c:2393 [inline] run_timer_softirq+0xb7/0x180 kernel/time/timer.c:2403 handle_softirqs+0x283/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:should_failslab+0x93/0x100 mm/failslab.c:46 Code: 48 c1 e9 03 42 0f b6 0c 21 84 c9 75 62 41 f6 47 01 40 74 37 c1 eb 0d 83 e3 01 49 83 c6 1c 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 <84> c0 75 2a 41 8b 36 48 c7 c7 a0 95 25 8e 89 da e8 c8 b3 d9 02 31 RSP: 0018:ffffc9000416fb10 EFLAGS: 00000a07 RAX: 0000000000000000 RBX: 0000000000000000 RCX: e15da19a60cdac00 RDX: ffff888024fc0000 RSI: 0000000000000d40 RDI: ffff88801bad6280 RBP: 0000000000000d40 R08: 0000000000000000 R09: ffffffff8215c7dd R10: ffff88807dfe0818 R11: ffffed100fbfc105 R12: dffffc0000000000 R13: 0000000000000004 R14: ffff88801bad629c R15: dffffc0000000000 slab_pre_alloc_hook mm/slub.c:4133 [inline] slab_alloc_node mm/slub.c:4209 [inline] kmem_cache_alloc_noprof+0x73/0x3c0 mm/slub.c:4236 lsm_inode_alloc security/security.c:755 [inline] security_inode_alloc+0x39/0x330 security/security.c:1697 
inode_init_always_gfp+0x9ed/0xdc0 fs/inode.c:306 inode_init_always include/linux/fs.h:3308 [inline] alloc_inode+0x82/0x1b0 fs/inode.c:353 new_inode+0x22/0x170 fs/inode.c:1145 __shmem_get_inode mm/shmem.c:3110 [inline] shmem_get_inode+0x346/0xe90 mm/shmem.c:3184 shmem_mknod+0x18c/0x3e0 mm/shmem.c:3905 shmem_mkdir+0x33/0x70 mm/shmem.c:3971 vfs_mkdir+0x306/0x510 fs/namei.c:4366 do_mkdirat+0x247/0x590 fs/namei.c:4399 __do_sys_mkdirat fs/namei.c:4416 [inline] __se_sys_mkdirat fs/namei.c:4414 [inline] __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4414 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f5c2258d457 Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffffccd61a8 EFLAGS: 00000202 ORIG_RAX: 0000000000000102 RAX: ffffffffffffffda RBX: 00007ffffccd6200 RCX: 00007f5c2258d457 RDX: 00000000000001ff RSI: 00007ffffccd6200 RDI: 00000000ffffff9c RBP: 00007ffffccd61ec R08: 0000000000000004 R09: 00007ffffccd5f46 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000047 R13: 00000000000927c0 R14: 0000000000020d0e R15: 00007ffffccd6240 ---------------- Code disassembly (best guess): 0: 48 c1 e9 03 shr $0x3,%rcx 4: 42 0f b6 0c 21 movzbl (%rcx,%r12,1),%ecx 9: 84 c9 test %cl,%cl b: 75 62 jne 0x6f d: 41 f6 47 01 40 testb $0x40,0x1(%r15) 12: 74 37 je 0x4b 14: c1 eb 0d shr $0xd,%ebx 17: 83 e3 01 and $0x1,%ebx 1a: 49 83 c6 1c add $0x1c,%r14 1e: 4c 89 f0 mov %r14,%rax 21: 48 c1 e8 03 shr $0x3,%rax 25: 42 0f b6 04 20 movzbl (%rax,%r12,1),%eax * 2a: 84 c0 test %al,%al <-- trapping instruction 2c: 75 2a jne 0x58 2e: 41 8b 36 mov (%r14),%esi 31: 48 c7 c7 a0 95 25 8e mov $0xffffffff8e2595a0,%rdi 38: 89 da mov %ebx,%edx 3a: e8 c8 b3 d9 02 call 0x2d9b407 3f: 31 .byte 0x31