================================ WARNING: inconsistent lock state syzkaller #0 Tainted: G L -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. syz.2.1847/12914 [HC1[1]:SC0[0]:HE0:SE1] takes: ffff888032c07068 (&dev->spinlock){?...}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline] ffff888032c07068 (&dev->spinlock){?...}-{3:3}, at: das16m1_interrupt+0x68/0x120 drivers/comedi/drivers/das16m1.c:460 {HARDIRQ-ON-W} state was registered at: lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:150 [inline] _raw_spin_lock_bh+0x33/0x40 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:347 [inline] waveform_ao_cancel+0x96/0x150 drivers/comedi/drivers/comedi_test.c:628 do_cancel+0xf4/0x180 drivers/comedi/comedi_fops.c:818 comedi_close+0x2f6/0x470 drivers/comedi/comedi_fops.c:3036 __fput+0x3ff/0xb40 fs/file_table.c:469 task_work_run+0x150/0x240 kernel/task_work.c:233 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] __exit_to_user_mode_loop kernel/entry/common.c:67 [inline] exit_to_user_mode_loop+0x100/0x4a0 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline] do_syscall_64+0x67c/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f irq event stamp: 2574 hardirqs last enabled at (2573): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:187 [inline] hardirqs last enabled at (2573): [] _raw_spin_unlock_irq+0x23/0x50 kernel/locking/spinlock.c:202 hardirqs last disabled at (2574): [] common_interrupt+0x19/0xe0 arch/x86/kernel/irq.c:326 softirqs last enabled at (2566): [] __do_softirq kernel/softirq.c:656 [inline] softirqs last enabled at (2566): [] invoke_softirq kernel/softirq.c:496 [inline] softirqs last enabled at (2566): [] __irq_exit_rcu+0xef/0x150 kernel/softirq.c:723 softirqs last disabled at (2557): [] __do_softirq kernel/softirq.c:656 [inline] softirqs last disabled at (2557): [] invoke_softirq kernel/softirq.c:496 [inline] softirqs last disabled at (2557): [] __irq_exit_rcu+0xef/0x150 kernel/softirq.c:723 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&dev->spinlock); lock(&dev->spinlock); *** DEADLOCK *** 3 locks held by syz.2.1847/12914: #0: ffff888037695900 (&mm->mmap_lock){++++}-{4:4}, at: mmap_read_lock include/linux/mmap_lock.h:592 [inline] #0: ffff888037695900 (&mm->mmap_lock){++++}-{4:4}, at: __mm_populate+0x229/0x3a0 mm/gup.c:1942 #1: ffffffff8e7e7920 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:312 [inline] #1: ffffffff8e7e7920 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:850 [inline] #1: ffffffff8e7e7920 (rcu_read_lock){....}-{1:3}, at: __pte_offset_map+0x2f/0x310 mm/pgtable-generic.c:288 #2: ffff888078312138 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: spin_lock include/linux/spinlock.h:341 [inline] #2: ffff888078312138 (ptlock_ptr(ptdesc)#2){+.+.}-{3:3}, at: pte_offset_map_lock+0x10f/0x320 mm/pgtable-generic.c:402 stack backtrace: CPU: 1 UID: 0 PID: 12914 Comm: syz.2.1847 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_usage_bug.part.0+0x257/0x340 kernel/locking/lockdep.c:4042 print_usage_bug kernel/locking/lockdep.c:4010 [inline] valid_state kernel/locking/lockdep.c:4056 [inline] mark_lock_irq kernel/locking/lockdep.c:4267 [inline] mark_lock+0x74a/0xa20 kernel/locking/lockdep.c:4753 mark_usage kernel/locking/lockdep.c:4639 [inline] __lock_acquire+0x10ff/0x2630 kernel/locking/lockdep.c:5191 lock_acquire kernel/locking/lockdep.c:5868 [inline] lock_acquire+0x1cf/0x380 kernel/locking/lockdep.c:5825 __raw_spin_lock include/linux/spinlock_api_smp.h:158 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:341 [inline] das16m1_interrupt+0x68/0x120 drivers/comedi/drivers/das16m1.c:460 __handle_irq_event_percpu+0x232/0x8e0 kernel/irq/handle.c:209 handle_irq_event_percpu kernel/irq/handle.c:246 [inline] handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:263 handle_edge_irq+0x375/0x970 kernel/irq/chip.c:855 generic_handle_irq_desc include/linux/irqdesc.h:186 [inline] handle_irq arch/x86/kernel/irq.c:262 [inline] call_irq_handler arch/x86/kernel/irq.c:318 [inline] __common_interrupt+0xd8/0x2f0 arch/x86/kernel/irq.c:333 common_interrupt+0xb9/0xe0 arch/x86/kernel/irq.c:326 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:688 RIP: 0010:native_irq_disable arch/x86/include/asm/irqflags.h:37 [inline] RIP: 0010:arch_local_irq_disable arch/x86/include/asm/irqflags.h:114 [inline] RIP: 0010:arch_local_irq_save arch/x86/include/asm/irqflags.h:128 [inline] RIP: 0010:lock_release kernel/locking/lockdep.c:5885 [inline] RIP: 0010:lock_release+0x8d/0x320 kernel/locking/lockdep.c:5875 Code: 00 00 65 4c 8b 25 2b 40 29 12 41 8b bc 24 54 0b 00 00 85 ff 0f 85 21 01 00 00 48 81 3b 40 27 15 94 0f 84 14 01 00 00 9c 41 5e 48 c7 c7 07 bc f6 8d e8 f6 04 ac 09 65 ff 05 67 87 29 12 8b 35 RSP: 0018:ffffc9000da0f958 EFLAGS: 00000287 RAX: 0000000000000000 RBX: ffff888078312138 RCX: ffffc9000ea11000 RDX: 0000000000000000 RSI: ffffffff8c1b19a0 RDI: 0000000000000000 RBP: ffffffff825695e5 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000000 R12: ffff88804655c980 R13: 0000000000000000 R14: 0000000000000287 R15: 1ffff92001b41f3d __raw_spin_unlock include/linux/spinlock_api_smp.h:167 [inline] _raw_spin_unlock+0x16/0x50 kernel/locking/spinlock.c:186 spin_unlock include/linux/spinlock.h:389 [inline] follow_page_pte+0x8b5/0x1400 mm/gup.c:889 follow_pmd_mask mm/gup.c:928 [inline] follow_pud_mask mm/gup.c:967 [inline] follow_p4d_mask mm/gup.c:984 [inline] follow_page_mask mm/gup.c:1023 [inline] __get_user_pages+0x745/0x34d0 mm/gup.c:1426 populate_vma_page_range+0x267/0x3f0 mm/gup.c:1860 __mm_populate+0x107/0x3a0 mm/gup.c:1963 mm_populate include/linux/mm.h:3894 [inline] vm_mmap_pgoff+0x37f/0x470 mm/util.c:586 ksys_mmap_pgoff+0xe1/0x650 mm/mmap.c:605 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline] __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0x106/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe1d3f9c819 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fe1d4e7b028 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 RAX: ffffffffffffffda RBX: 00007fe1d4215fa0 RCX: 00007fe1d3f9c819 RDX: 0000000002000001 RSI: 0000000000600000 RDI: 00002000009fd000 RBP: 00007fe1d4032c91 R08: ffffffffffffffff R09: 0000000000002000 R10: 0000000000006031 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fe1d4216038 R14: 00007fe1d4215fa0 R15: 00007fff06dc2158 comedi comedi2: fifo overflow ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 65 4c 8b 25 2b 40 29 mov %gs:0x1229402b(%rip),%r12 # 0x12294035 9: 12 a: 41 8b bc 24 54 0b 00 mov 0xb54(%r12),%edi 11: 00 12: 85 ff test %edi,%edi 14: 0f 85 21 01 00 00 jne 0x13b 1a: 48 81 3b 40 27 15 94 cmpq $0xffffffff94152740,(%rbx) 21: 0f 84 14 01 00 00 je 0x13b 27: 9c pushf 28: 41 5e pop %r14 * 2a: fa cli <-- trapping instruction 2b: 48 c7 c7 07 bc f6 8d mov $0xffffffff8df6bc07,%rdi 32: e8 f6 04 ac 09 call 0x9ac052d 37: 65 ff 05 67 87 29 12 incl %gs:0x12298767(%rip) # 0x122987a5 3e: 8b .byte 0x8b 3f: 35 .byte 0x35