================================
WARNING: inconsistent lock state
syzkaller #0 Tainted: G L
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz.2.4422/17894 [HC1[1]:SC1[1]:HE0:SE0] takes:
ffff8880313e6868 (&dev->spinlock){?...}-{3:3}, at: spin_lock include/linux/spinlock.h:342 [inline]
ffff8880313e6868 (&dev->spinlock){?...}-{3:3}, at: das16m1_interrupt+0x5e/0x180 drivers/comedi/drivers/das16m1.c:460
{HARDIRQ-ON-W} state was registered at:
  lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5868
  __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline]
  _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:182
  spin_lock_bh include/linux/spinlock.h:348 [inline]
  waveform_ao_cancel+0x8d/0x120 drivers/comedi/drivers/comedi_test.c:628
  do_cancel drivers/comedi/comedi_fops.c:818 [inline]
  comedi_close+0x27e/0x5e0 drivers/comedi/comedi_fops.c:3036
  __fput+0x451/0x8c0 fs/file_table.c:500
  task_work_run+0x1d9/0x270 kernel/task_work.c:233
  resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
  __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
  exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
  __exit_to_user_mode_prepare include/linux/irq-entry-common.h:238 [inline]
  syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:269 [inline]
  syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
  do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
  entry_SYSCALL_64_after_hwframe+0x77/0x7f
irq event stamp: 51845
hardirqs last enabled at (51844): [] handle_softirqs+0x158/0x840 kernel/softirq.c:610
hardirqs last disabled at (51845): [] common_interrupt+0x13/0xe0 arch/x86/kernel/irq.c:326
softirqs last enabled at (51794): [] __do_softirq kernel/softirq.c:660 [inline]
softirqs last enabled at (51794): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last enabled at (51794): [] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:739
softirqs last disabled at (51843): [] __do_softirq
kernel/softirq.c:660 [inline]
softirqs last disabled at (51843): [] invoke_softirq kernel/softirq.c:496 [inline]
softirqs last disabled at (51843): [] __irq_exit_rcu+0xca/0x220 kernel/softirq.c:739

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&dev->spinlock);
  <Interrupt>
    lock(&dev->spinlock);

 *** DEADLOCK ***

10 locks held by syz.2.4422/17894:
 #0: ffff88802bb16410 (sb_writers#15){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 fs/namespace.c:493
 #1: ffff8880461c25a0 (&type->i_mutex_dir_key#20){++++}-{4:4}, at: inode_lock include/linux/fs.h:1028 [inline]
 #1: ffff8880461c25a0 (&type->i_mutex_dir_key#20){++++}-{4:4}, at: open_last_lookups fs/namei.c:4602 [inline]
 #1: ffff8880461c25a0 (&type->i_mutex_dir_key#20){++++}-{4:4}, at: path_openat+0xb4c/0x3860 fs/namei.c:4849
 #2: ffff8880461c2258 (&ocfs2_file_ip_alloc_sem_key){++++}-{4:4}, at: ocfs2_expand_inline_dir fs/ocfs2/dir.c:2846 [inline]
 #2: ffff8880461c2258 (&ocfs2_file_ip_alloc_sem_key){++++}-{4:4}, at: ocfs2_extend_dir+0x69a/0x4a30 fs/ocfs2/dir.c:3227
 #3: ffff8880461c33a0 (&ocfs2_sysfile_lock_key[LOCAL_ALLOC_SYSTEM_INODE]){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1028 [inline]
 #3: ffff8880461c33a0 (&ocfs2_sysfile_lock_key[LOCAL_ALLOC_SYSTEM_INODE]){+.+.}-{4:4}, at: ocfs2_reserve_local_alloc_bits+0x11f/0x2660 fs/ocfs2/localalloc.c:636
 #4: ffff88804619c1a0 (&ocfs2_sysfile_lock_key[GLOBAL_BITMAP_SYSTEM_INODE]){+.+.}-{4:4}, at: inode_lock include/linux/fs.h:1028 [inline]
 #4: ffff88804619c1a0 (&ocfs2_sysfile_lock_key[GLOBAL_BITMAP_SYSTEM_INODE]){+.+.}-{4:4}, at: ocfs2_reserve_suballoc_bits+0x16d/0x4840 fs/ocfs2/suballoc.c:857
 #5: ffff88802bb16600 (sb_internal#3){.+.+}-{0:0}, at: ocfs2_local_alloc_slide_window fs/ocfs2/localalloc.c:1252 [inline]
 #5: ffff88802bb16600 (sb_internal#3){.+.+}-{0:0}, at: ocfs2_reserve_local_alloc_bits+0xb43/0x2660 fs/ocfs2/localalloc.c:669
 #6: ffff88805a247ce0 (&journal->j_trans_barrier){.+.+}-{4:4}, at: ocfs2_start_trans+0x3ab/0x700 fs/ocfs2/journal.c:369
 #7:
ffff888079cb6938 (jbd2_handle#2){.+.+}-{0:0}, at: start_this_handle+0x2054/0x2290 fs/jbd2/transaction.c:444
 #8: ffff88804619bfd0 (&oi->ip_io_mutex){+.+.}-{4:4}, at: ocfs2_read_blocks+0x1ed/0x1530 fs/ocfs2/buffer_head_io.c:233
 #9: ffffffff8e75d7e0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline]
 #9: ffffffff8e75d7e0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline]
 #9: ffffffff8e75d7e0 (rcu_read_lock){....}-{1:3}, at: blk_mq_dispatch_queue_requests+0x552/0x800 block/blk-mq.c:2908

stack backtrace:
CPU: 0 UID: 0 PID: 17894 Comm: syz.2.4422 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_usage_bug+0x28b/0x2e0 kernel/locking/lockdep.c:4042
 valid_state kernel/locking/lockdep.c:4056 [inline]
 mark_lock_irq+0x410/0x420 kernel/locking/lockdep.c:-1
 mark_lock+0x115/0x190 kernel/locking/lockdep.c:4753
 mark_usage kernel/locking/lockdep.c:4639 [inline]
 __lock_acquire+0x661/0x2cf0 kernel/locking/lockdep.c:5191
 lock_acquire+0x106/0x350 kernel/locking/lockdep.c:5868
 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:158
 spin_lock include/linux/spinlock.h:342 [inline]
 das16m1_interrupt+0x5e/0x180 drivers/comedi/drivers/das16m1.c:460
 __handle_irq_event_percpu+0x216/0x9a0 kernel/irq/handle.c:209
 handle_irq_event_percpu kernel/irq/handle.c:246 [inline]
 handle_irq_event+0x8b/0x1e0 kernel/irq/handle.c:263
 handle_edge_irq+0x23b/0x9f0 kernel/irq/chip.c:855
 generic_handle_irq_desc include/linux/irqdesc.h:186 [inline]
 handle_irq arch/x86/kernel/irq.c:262 [inline]
 call_irq_handler arch/x86/kernel/irq.c:-1 [inline]
 __common_interrupt+0x141/0x1f0 arch/x86/kernel/irq.c:333
 common_interrupt+0x5e/0xe0 arch/x86/kernel/irq.c:326
 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688
RIP:
0010:variable_ffs arch/x86/include/asm/bitops.h:312 [inline]
RIP: 0010:handle_softirqs+0x160/0x840 kernel/softirq.c:614
Code: 89 6c 24 20 0f b7 db 48 c7 c7 e0 2e cb 8b e8 17 29 28 0a 65 66 c7 05 d5 c9 94 11 00 00 e8 68 a9 45 00 fb 48 c7 c5 c0 a0 40 8e <b8> ff ff ff ff 0f bc c3 41 89 c6 41 ff c6 0f 84 09 04 00 00 89 5c
RSP: 0018:ffffc90000007f28 EFLAGS: 00000206
RAX: 000000000000ca84 RBX: 0000000000000002 RCX: 0000000000000101
RDX: 0000000000000002 RSI: ffffffff8df3ffaf RDI: ffffffff8c287c00
RBP: ffffffff8e40a0c0 R08: ffffffff90123cf7 R09: 1ffffffff202479e
R10: dffffc0000000000 R11: fffffbfff202479f R12: 0000000000000000
R13: 0000000000000000 R14: ffff88805a363d00 R15: dffffc0000000000
 __do_softirq kernel/softirq.c:660 [inline]
 invoke_softirq kernel/softirq.c:496 [inline]
 __irq_exit_rcu+0xca/0x220 kernel/softirq.c:739
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:756
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1061 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1061
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697
RIP: 0010:finish_task_switch+0x427/0xbe0 kernel/sched/core.c:5209
Code: 41 c7 84 24 e0 0d 00 00 00 00 00 00 0f 1f 44 00 00 49 83 c4 48 4c 89 e7 e8 d6 a8 1d 0a e8 c1 a1 38 00 fb 49 8d bd 68 16 00 00 <48> 89 f8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 7b 03 00 00 41 80
RSP: 0018:ffffc900038c4f30 EFLAGS: 00000206
RAX: 000000000000ca81 RBX: 1ffff110170c777c RCX: 0000000080000001
RDX: 0000000000000006 RSI: ffffffff8df3ffaf RDI: ffff88805a365368
RBP: ffffc900038c4f90 R08: ffffffff90123cf7 R09: 1ffffffff202479e
R10: dffffc0000000000 R11: fffffbfff202479f R12: ffff8880b863ae48
R13: ffff88805a363d00 R14: ffff888048b73d00 R15: dffffc0000000000
 context_switch kernel/sched/core.c:5355 [inline]
 __schedule+0x1664/0x5560 kernel/sched/core.c:6964
 preempt_schedule_common+0x82/0xd0 kernel/sched/core.c:7149
 preempt_schedule_thunk+0x16/0x30 arch/x86/entry/thunk.S:12
 __raw_spin_unlock_irq
include/linux/spinlock_api_smp.h:188 [inline]
 _raw_spin_unlock_irq+0x45/0x50 kernel/locking/spinlock.c:206
 spin_unlock_irq include/linux/spinlock.h:402 [inline]
 loop_queue_work drivers/block/loop.c:863 [inline]
 loop_queue_rq+0x9f8/0xb00 drivers/block/loop.c:1889
 __blk_mq_issue_directly block/blk-mq.c:2725 [inline]
 blk_mq_request_issue_directly+0x3bb/0x6d0 block/blk-mq.c:2812
 blk_mq_issue_direct+0x2a0/0x660 block/blk-mq.c:2833
 blk_mq_dispatch_queue_requests+0x6fe/0x800 block/blk-mq.c:2908
 blk_mq_flush_plug_list+0x456/0x570 block/blk-mq.c:2991
 __blk_flush_plug+0x3ed/0x4d0 block/blk-core.c:1230
 blk_finish_plug block/blk-core.c:1257 [inline]
 __submit_bio+0x28d/0x580 block/blk-core.c:649
 __submit_bio_noacct_mq block/blk-core.c:722 [inline]
 submit_bio_noacct_nocheck+0x2f4/0xa40 block/blk-core.c:753
 ocfs2_read_blocks+0x887/0x1530 fs/ocfs2/buffer_head_io.c:330
 ocfs2_read_block fs/ocfs2/buffer_head_io.h:52 [inline]
 ocfs2_read_group_descriptor fs/ocfs2/suballoc.c:372 [inline]
 ocfs2_search_chain+0x2b2/0x1e10 fs/ocfs2/suballoc.c:1884
 ocfs2_claim_suballoc_bits+0x901/0x1f40 fs/ocfs2/suballoc.c:2088
 __ocfs2_claim_clusters+0x31d/0x970 fs/ocfs2/suballoc.c:2515
 ocfs2_local_alloc_new_window fs/ocfs2/localalloc.c:1164 [inline]
 ocfs2_local_alloc_slide_window fs/ocfs2/localalloc.c:1293 [inline]
 ocfs2_reserve_local_alloc_bits+0x12df/0x2660 fs/ocfs2/localalloc.c:669
 ocfs2_reserve_clusters_with_limit+0x1b9/0xc20 fs/ocfs2/suballoc.c:1237
 ocfs2_expand_inline_dir fs/ocfs2/dir.c:2882 [inline]
 ocfs2_extend_dir+0x754/0x4a30 fs/ocfs2/dir.c:3227
 ocfs2_prepare_dir_for_insert+0x347a/0x52f0 fs/ocfs2/dir.c:4345
 ocfs2_mknod+0xa1b/0x2260 fs/ocfs2/namei.c:298
 ocfs2_create+0x195/0x460 fs/ocfs2/namei.c:677
 lookup_open fs/namei.c:4505 [inline]
 open_last_lookups fs/namei.c:4605 [inline]
 path_openat+0x1395/0x3860 fs/namei.c:4849
 do_file_open+0x23e/0x4a0 fs/namei.c:4881
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_creat fs/open.c:1450 [inline]
 __se_sys_creat
fs/open.c:1444 [inline]
 __x64_sys_creat+0x8f/0xc0 fs/open.c:1444
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fd895d9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd896cf5028 EFLAGS: 00000246 ORIG_RAX: 0000000000000055
RAX: ffffffffffffffda RBX: 00007fd896015fa0 RCX: 00007fd895d9c799
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000e00
RBP: 00007fd895e32c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fd896016038 R14: 00007fd896015fa0 R15: 00007ffe1c9e6e68
comedi comedi3: fifo overflow
----------------
Code disassembly (best guess):
   0: 89 6c 24 20             mov %ebp,0x20(%rsp)
   4: 0f b7 db                movzwl %bx,%ebx
   7: 48 c7 c7 e0 2e cb 8b    mov $0xffffffff8bcb2ee0,%rdi
   e: e8 17 29 28 0a          call 0xa28292a
  13: 65 66 c7 05 d5 c9 94    movw $0x0,%gs:0x1194c9d5(%rip) # 0x1194c9f2
  1a: 11 00 00
  1d: e8 68 a9 45 00          call 0x45a98a
  22: fb                      sti
  23: 48 c7 c5 c0 a0 40 8e    mov $0xffffffff8e40a0c0,%rbp
* 2a: b8 ff ff ff ff          mov $0xffffffff,%eax <-- trapping instruction
  2f: 0f bc c3                bsf %ebx,%eax
  32: 41 89 c6                mov %eax,%r14d
  35: 41 ff c6                inc %r14d
  38: 0f 84 09 04 00 00       je 0x447
  3e: 89                      .byte 0x89
  3f: 5c                      pop %rsp