================================
WARNING: inconsistent lock state
5.16.0-rc2-syzkaller #0 Not tainted
--------------------------------
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz-executor.3/24915 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffff888081b59418 (&ctx->timeout_lock){?.+.}-{2:2}, at: io_timeout_fn+0x6f/0x360 fs/io_uring.c:5943
{HARDIRQ-ON-W} state was registered at:
  __trace_hardirqs_on_caller kernel/locking/lockdep.c:4224 [inline]
  lockdep_hardirqs_on_prepare kernel/locking/lockdep.c:4292 [inline]
  lockdep_hardirqs_on_prepare+0x135/0x400 kernel/locking/lockdep.c:4244
  trace_hardirqs_on+0x5b/0x1c0 kernel/trace/trace_preemptirq.c:49
  __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:159 [inline]
  _raw_spin_unlock_irq+0x1f/0x40 kernel/locking/spinlock.c:202
  spin_unlock_irq include/linux/spinlock.h:399 [inline]
  __io_poll_remove_one fs/io_uring.c:5669 [inline]
  __io_poll_remove_one fs/io_uring.c:5654 [inline]
  io_poll_remove_one+0x236/0x870 fs/io_uring.c:5680
  io_poll_remove_all+0x1af/0x235 fs/io_uring.c:5709
  io_uring_try_cancel_requests+0x66d/0x717 fs/io_uring.c:9668
  io_uring_cancel_generic+0x3b8/0x690 fs/io_uring.c:9833
  io_uring_files_cancel include/linux/io_uring.h:16 [inline]
  do_exit+0x60c/0x2b40 kernel/exit.c:787
  do_group_exit+0x125/0x310 kernel/exit.c:929
  get_signal+0x47d/0x2220 kernel/signal.c:2852
  arch_do_signal_or_restart+0x2a9/0x1c40 arch/x86/kernel/signal.c:868
  handle_signal_work kernel/entry/common.c:148 [inline]
  exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
  exit_to_user_mode_prepare+0x17d/0x290 kernel/entry/common.c:207
  __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
  syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
  do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
  entry_SYSCALL_64_after_hwframe+0x44/0xae
irq event stamp: 5812852
hardirqs last  enabled at (5812851): [<ffffffff81bc9553>] kfree+0x1d3/0x2c0 mm/slab.c:3803
hardirqs last disabled at (5812852): [<ffffffff8944090b>] sysvec_apic_timer_interrupt+0xb/0xc0 arch/x86/kernel/apic/apic.c:1097
softirqs last  enabled at (5811878): [<ffffffff8145dea3>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last  enabled at (5811878): [<ffffffff8145dea3>] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636
softirqs last disabled at (5811855): [<ffffffff8145dea3>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (5811855): [<ffffffff8145dea3>] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:636

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&ctx->timeout_lock);
  <Interrupt>
    lock(&ctx->timeout_lock);

 *** DEADLOCK ***

1 lock held by syz-executor.3/24915:
 #0: ffffffff8c372a38 (tomoyo_ss){....}-{0:0}, at: tomoyo_path_perm+0x1c1/0x400 security/tomoyo/file.c:847

stack backtrace:
CPU: 0 PID: 24915 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_usage_bug kernel/locking/lockdep.c:203 [inline]
 valid_state kernel/locking/lockdep.c:3945 [inline]
 mark_lock_irq kernel/locking/lockdep.c:4148 [inline]
 mark_lock.cold+0x61/0x8e kernel/locking/lockdep.c:4605
 mark_usage kernel/locking/lockdep.c:4497 [inline]
 __lock_acquire+0x149d/0x54a0 kernel/locking/lockdep.c:4981
 lock_acquire kernel/locking/lockdep.c:5637 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 io_timeout_fn+0x6f/0x360 fs/io_uring.c:5943
 __run_hrtimer kernel/time/hrtimer.c:1685 [inline]
 __hrtimer_run_queues+0x609/0xe50 kernel/time/hrtimer.c:1749
 hrtimer_interrupt+0x31c/0x790 kernel/time/hrtimer.c:1811
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1086 [inline]
 __sysvec_apic_timer_interrupt+0x146/0x530 arch/x86/kernel/apic/apic.c:1103
 sysvec_apic_timer_interrupt+0x8e/0xc0 arch/x86/kernel/apic/apic.c:1097
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:check_kcov_mode+0xf/0x40 kernel/kcov.c:166
Code: 7c 24 08 e8 33 3b 46 00 e9 61 fd ff ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 65 8b 05 c9 a1 8b 7e 89 c2 81 e2 00 01 00 00 <a9> 00 01 ff 00 74 10 31 c0 85 d2 74 15 8b 96 a4 15 00 00 85 d2 74
RSP: 0018:ffffc90004547838 EFLAGS: 00000246
RAX: 0000000080000000 RBX: 0000000000000001 RCX: 0000000000000004
RDX: 0000000000000000 RSI: ffff888022596040 RDI: 0000000000000003
RBP: 0000000000000005 R08: ffffffff89fee220 R09: ffffffff83aa2be9
R10: 0000000000000007 R11: 0000000000000002 R12: ffff888022596040
R13: 00000000000000a3 R14: dffffc0000000000 R15: 0000000000000000
 write_comp_data kernel/kcov.c:221 [inline]
 __sanitizer_cov_trace_switch+0x63/0xf0 kernel/kcov.c:323
 tomoyo_domain_quota_is_ok+0x1c9/0x550 security/tomoyo/util.c:1066
 tomoyo_supervisor+0x2f2/0xf00 security/tomoyo/common.c:2089
 tomoyo_audit_path_log security/tomoyo/file.c:168 [inline]
 tomoyo_path_permission security/tomoyo/file.c:587 [inline]
 tomoyo_path_permission+0x270/0x3a0 security/tomoyo/file.c:573
 tomoyo_path_perm+0x2f0/0x400 security/tomoyo/file.c:838
 security_inode_getattr+0xcf/0x140 security/security.c:1334
 vfs_getattr fs/stat.c:157 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:225
 vfs_fstatat fs/stat.c:243 [inline]
 vfs_lstat include/linux/fs.h:3357 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:398
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f0692d02b86
Code: ff ff ff 64 c7 00 16 00 00 00 b8 ff ff ff ff c3 0f 1f 40 00 41 89 f8 48 89 f7 48 89 d6 41 83 f8 01 77 29 b8 06 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 02 c3 90 48 c7 c2 bc ff ff ff f7 d8 64 89 02
RSP: 002b:00007ffcfff682a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000006
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0692d02b86
RDX: 00007ffcfff682e0 RSI: 00007ffcfff682e0 RDI: 00007ffcfff68370
RBP: 00007ffcfff68370 R08: 0000000000000001 R09: 00007ffcfff68140
R10: 000055555744a8ab R11: 0000000000000246 R12: 00007f0692d5d105
R13: 00007ffcfff69430 R14: 000055555744a810 R15: 00007ffcfff69470
 </TASK>
----------------
Code disassembly (best guess), 1 bytes skipped:
   0:	24 08                	and    $0x8,%al
   2:	e8 33 3b 46 00       	callq  0x463b3a
   7:	e9 61 fd ff ff       	jmpq   0xfffffd6d
   c:	cc                   	int3
   d:	cc                   	int3
   e:	cc                   	int3
   f:	cc                   	int3
  10:	cc                   	int3
  11:	cc                   	int3
  12:	cc                   	int3
  13:	cc                   	int3
  14:	cc                   	int3
  15:	cc                   	int3
  16:	cc                   	int3
  17:	cc                   	int3
  18:	cc                   	int3
  19:	cc                   	int3
  1a:	65 8b 05 c9 a1 8b 7e 	mov    %gs:0x7e8ba1c9(%rip),%eax        # 0x7e8ba1ea
  21:	89 c2                	mov    %eax,%edx
  23:	81 e2 00 01 00 00    	and    $0x100,%edx
* 29:	a9 00 01 ff 00       	test   $0xff0100,%eax <-- trapping instruction
  2e:	74 10                	je     0x40
  30:	31 c0                	xor    %eax,%eax
  32:	85 d2                	test   %edx,%edx
  34:	74 15                	je     0x4b
  36:	8b 96 a4 15 00 00    	mov    0x15a4(%rsi),%edx
  3c:	85 d2                	test   %edx,%edx
  3e:	74                   	.byte 0x74