========================================================
WARNING: possible irq lock inversion dependency detected
6.18.0-next-20251210 #1 Tainted: G W
--------------------------------------------------------
syz-executor.7/85267 just changed the state of lock:
ffff888009ff2230 (&dev->event_lock){..-.}-{3:3}, at: input_inject_event+0x9f/0x3b0
but this lock took another, SOFTIRQ-READ-unsafe lock in the past:
 (tasklist_lock){.+.+}-{3:3}

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
Chain exists of:
  &dev->event_lock --> &client->buffer_lock --> tasklist_lock

 Possible interrupt unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(tasklist_lock);
                               local_irq_disable();
                               lock(&dev->event_lock);
                               lock(&client->buffer_lock);
  <Interrupt>
    lock(&dev->event_lock);

 *** DEADLOCK ***

3 locks held by syz-executor.7/85267:
 #0: ffff888015c63e00 (&mm->mmap_lock){++++}-{4:4}, at: exit_mmap+0x1bc/0xa70
 #1: ffffffff85e21ae0 (rcu_read_lock){....}-{1:3}, at: is_module_text_address+0x1e/0x100
 #2: ffffffff85e21ae0 (rcu_read_lock){....}-{1:3}, at: led_trigger_event+0x61/0x270

the shortest dependencies between 2nd lock and 1st lock:
-> (tasklist_lock){.+.+}-{3:3} {
    HARDIRQ-ON-R at:
        lock_acquire+0x15e/0x2d0
        _raw_read_lock+0x5c/0x70
        __do_wait+0x13e/0x8f0
        do_wait+0x19f/0x530
        kernel_wait+0x9f/0x160
        call_usermodehelper_exec_work+0xf9/0x180
        process_one_work+0x8e1/0x1960
        worker_thread+0x67e/0xe90
        kthread+0x3c8/0x740
        ret_from_fork+0x67a/0x7a0
        ret_from_fork_asm+0x1a/0x30
    SOFTIRQ-ON-R at:
        lock_acquire+0x15e/0x2d0
        _raw_read_lock+0x5c/0x70
        __do_wait+0x13e/0x8f0
        do_wait+0x19f/0x530
        kernel_wait+0x9f/0x160
        call_usermodehelper_exec_work+0xf9/0x180
        process_one_work+0x8e1/0x1960
        worker_thread+0x67e/0xe90
        kthread+0x3c8/0x740
        ret_from_fork+0x67a/0x7a0
        ret_from_fork_asm+0x1a/0x30
    INITIAL USE at:
        lock_acquire+0x15e/0x2d0
        _raw_write_lock_irq+0x33/0x50
        copy_process+0x4e71/0x7230
        kernel_clone+0xea/0x7c0
        user_mode_thread+0xc8/0x110
        rest_init+0x24/0x290
        start_kernel+0x3fa/0x510
x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x109/0x120 common_startup_64+0x13e/0x148 INITIAL READ USE at: lock_acquire+0x15e/0x2d0 _raw_read_lock+0x5c/0x70 __do_wait+0x13e/0x8f0 do_wait+0x19f/0x530 kernel_wait+0x9f/0x160 call_usermodehelper_exec_work+0xf9/0x180 process_one_work+0x8e1/0x1960 worker_thread+0x67e/0xe90 kthread+0x3c8/0x740 ret_from_fork+0x67a/0x7a0 ret_from_fork_asm+0x1a/0x30 } ... key at: [] tasklist_lock+0x18/0x40 ... acquired at: _raw_read_lock+0x5c/0x70 send_sigio+0xbb/0x370 kill_fasync+0x218/0x520 lease_break_callback+0x23/0x30 __break_lease+0x6c4/0x1760 do_dentry_open+0x701/0x1460 vfs_open+0x82/0x3f0 path_openat+0x1f9c/0x2d30 do_filp_open+0x1e8/0x450 do_sys_openat2+0x107/0x240 __x64_sys_creat+0xcc/0x120 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> (&f_owner->lock){....}-{3:3} { INITIAL USE at: lock_acquire+0x15e/0x2d0 _raw_write_lock_irq+0x33/0x50 __f_setown+0x60/0x3c0 generic_setlease+0xfb4/0x16e0 kernel_setlease+0x10c/0x130 vfs_setlease+0x1f1/0x290 do_fcntl_add_lease+0x3b0/0x540 fcntl_setlease+0xfa/0x180 do_fcntl+0x4e3/0x1500 __x64_sys_fcntl+0x155/0x1f0 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL READ USE at: lock_acquire+0x15e/0x2d0 _raw_read_lock_irqsave+0x75/0x90 send_sigio+0x31/0x370 kill_fasync+0x218/0x520 lease_break_callback+0x23/0x30 __break_lease+0x6c4/0x1760 do_dentry_open+0x701/0x1460 vfs_open+0x82/0x3f0 path_openat+0x1f9c/0x2d30 do_filp_open+0x1e8/0x450 do_sys_openat2+0x107/0x240 __x64_sys_creat+0xcc/0x120 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] __key.1+0x0/0x40 ... 
acquired at: _raw_read_lock_irqsave+0x75/0x90 send_sigio+0x31/0x370 kill_fasync+0x218/0x520 lease_break_callback+0x23/0x30 __break_lease+0x6c4/0x1760 do_dentry_open+0x701/0x1460 vfs_open+0x82/0x3f0 path_openat+0x1f9c/0x2d30 do_filp_open+0x1e8/0x450 do_sys_openat2+0x107/0x240 __x64_sys_creat+0xcc/0x120 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> (&new->fa_lock){...-}-{3:3} { IN-SOFTIRQ-R at: lock_acquire+0x15e/0x2d0 _raw_read_lock_irqsave+0x46/0x90 kill_fasync+0x137/0x520 sock_wake_async+0xd6/0x160 sock_def_error_report+0x352/0x400 sk_error_report+0x3f/0x200 __udp6_lib_err+0x904/0x13f0 udplitev6_err+0x40/0x50 icmpv6_notify+0x33d/0x7e0 icmpv6_rcv+0xce1/0x1a50 ip6_protocol_deliver_rcu+0xaf8/0x1150 ip6_input_finish+0x1e1/0x4a0 ip6_input+0x10b/0x300 ipv6_rcv+0x161/0x500 __netif_receive_skb_one_core+0x12d/0x1e0 __netif_receive_skb+0x1d/0x160 process_backlog+0x329/0x12b0 __napi_poll+0xb7/0x6c0 net_rx_action+0x9cf/0xdb0 handle_softirqs+0x1b1/0x7d0 do_softirq+0x48/0x80 __local_bh_enable_ip+0xf1/0x110 __dev_queue_xmit+0xca9/0x3d50 ip6_finish_output2+0xf61/0x1780 __ip6_finish_output+0x5d5/0xd10 ip6_output+0x24d/0x700 ip6_local_out+0xd5/0x4d0 ip6_send_skb+0x117/0x460 udp_v6_send_skb+0x7d9/0x1620 udpv6_sendmsg+0x1fa7/0x2ad0 inet6_sendmsg+0x109/0x150 sock_write_iter+0x44b/0x610 do_iter_readv_writev+0x5b3/0x910 vfs_writev+0x2d4/0xcd0 do_writev+0x283/0x330 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL USE at: lock_acquire+0x15e/0x2d0 _raw_write_lock_irq+0x33/0x50 fasync_remove_entry+0xb2/0x1e0 fasync_helper+0xa6/0xc0 lease_modify+0x2ab/0x620 locks_remove_file+0x294/0x5a0 __fput+0x351/0xb50 fput_close_sync+0x10f/0x230 __x64_sys_close+0x8f/0x120 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL READ USE at: lock_acquire+0x15e/0x2d0 _raw_read_lock_irqsave+0x75/0x90 kill_fasync+0x137/0x520 fsnotify_insert_event+0x356/0x460 inotify_handle_inode_event+0x396/0x5c0 inotify_ignored_and_remove_idr+0x28/0x70 
fsnotify_free_mark+0xec/0x140 fsnotify_destroy_marks+0x27b/0x3d0 dentry_unlink_inode+0x3e5/0x4a0 d_delete+0x210/0x280 vfs_unlink+0x688/0xb50 do_unlinkat+0x361/0x620 __x64_sys_unlink+0xc7/0x110 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] __key.0+0x0/0x40 ... acquired at: _raw_read_lock_irqsave+0x75/0x90 kill_fasync+0x137/0x520 evdev_pass_values.part.0+0x665/0x940 evdev_events+0x3b5/0x430 input_pass_values+0x708/0x860 input_handle_event+0xdcf/0x13d0 input_inject_event+0x1e5/0x3b0 evdev_write+0x2e1/0x420 vfs_write+0x2b7/0x1150 ksys_write+0x1ef/0x240 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> (&client->buffer_lock){....}-{3:3} { INITIAL USE at: lock_acquire+0x15e/0x2d0 _raw_spin_lock+0x2b/0x40 evdev_handle_get_val+0x70/0x5c0 evdev_do_ioctl+0xf6d/0x1990 evdev_ioctl+0x14a/0x1b0 __x64_sys_ioctl+0x18f/0x210 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f } ... key at: [] __key.93+0x0/0x40 ... acquired at: _raw_spin_lock+0x2b/0x40 evdev_handle_get_val+0x70/0x5c0 evdev_do_ioctl+0xf6d/0x1990 evdev_ioctl+0x14a/0x1b0 __x64_sys_ioctl+0x18f/0x210 do_syscall_64+0xbf/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> (&dev->event_lock){..-.}-{3:3} { IN-SOFTIRQ-W at: lock_acquire+0x15e/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 input_inject_event+0x9f/0x3b0 led_set_brightness+0x215/0x290 led_trigger_event+0xda/0x270 kbd_bh+0x23a/0x310 tasklet_action_common+0x270/0x730 handle_softirqs+0x1b1/0x7d0 __irq_exit_rcu+0xc4/0x100 irq_exit_rcu+0x9/0x20 sysvec_call_function_single+0xa6/0xc0 asm_sysvec_call_function_single+0x1a/0x20 rcu_is_watching+0x30/0x70 is_module_text_address+0xb8/0x100 kernel_text_address+0x35/0xc0 __kernel_text_address+0xd/0x40 unwind_get_return_address+0x59/0xa0 arch_stack_walk+0x9c/0xf0 stack_trace_save+0x8e/0xc0 set_track_prepare+0x35/0x70 __alloc_object+0xf0/0x2c0 __create_object+0x1d/0x80 __kmalloc_cache_noprof+0x4a4/0x780 kmem_cache_free+0x13a/0x660 __put_anon_vma+0x114/0x390 
unlink_anon_vmas+0x4ae/0x740 free_pgtables+0x1c8/0xbf0 exit_mmap+0x392/0xa70 mmput+0xd5/0x390 do_exit+0x7ad/0x2950 do_group_exit+0xd3/0x2a0 get_signal+0x24aa/0x25d0 arch_do_signal_or_restart+0x80/0x7a0 exit_to_user_mode_loop+0x92/0x4d0 do_syscall_64+0x3c3/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f INITIAL USE at: lock_acquire+0x15e/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 input_inject_event+0x9f/0x3b0 led_set_brightness+0x215/0x290 kbd_led_trigger_activate+0xcd/0x110 led_trigger_set+0x4cc/0xaa0 led_trigger_set_default+0x1e7/0x2e0 led_classdev_register_ext+0x615/0x950 input_leds_connect+0x49b/0x870 input_attach_handler+0x17a/0x260 input_register_device+0x9ff/0x1050 atkbd_connect+0x5e6/0xa10 serio_driver_probe+0x84/0xe0 really_probe+0x240/0x820 __driver_probe_device+0x2c4/0x380 driver_probe_device+0x4e/0x2a0 __driver_attach+0x1b0/0x590 bus_for_each_dev+0x12b/0x1c0 serio_handle_event+0x23b/0xaa0 process_one_work+0x8e1/0x1960 worker_thread+0x67e/0xe90 kthread+0x3c8/0x740 ret_from_fork+0x67a/0x7a0 ret_from_fork_asm+0x1a/0x30 } ... key at: [] __key.4+0x0/0x40 ... 
acquired at: __lock_acquire+0x975/0x2250 lock_acquire+0x15e/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 input_inject_event+0x9f/0x3b0 led_set_brightness+0x215/0x290 led_trigger_event+0xda/0x270 kbd_bh+0x23a/0x310 tasklet_action_common+0x270/0x730 handle_softirqs+0x1b1/0x7d0 __irq_exit_rcu+0xc4/0x100 irq_exit_rcu+0x9/0x20 sysvec_call_function_single+0xa6/0xc0 asm_sysvec_call_function_single+0x1a/0x20 rcu_is_watching+0x30/0x70 is_module_text_address+0xb8/0x100 kernel_text_address+0x35/0xc0 __kernel_text_address+0xd/0x40 unwind_get_return_address+0x59/0xa0 arch_stack_walk+0x9c/0xf0 stack_trace_save+0x8e/0xc0 set_track_prepare+0x35/0x70 __alloc_object+0xf0/0x2c0 __create_object+0x1d/0x80 __kmalloc_cache_noprof+0x4a4/0x780 kmem_cache_free+0x13a/0x660 __put_anon_vma+0x114/0x390 unlink_anon_vmas+0x4ae/0x740 free_pgtables+0x1c8/0xbf0 exit_mmap+0x392/0xa70 mmput+0xd5/0x390 do_exit+0x7ad/0x2950 do_group_exit+0xd3/0x2a0 get_signal+0x24aa/0x25d0 arch_do_signal_or_restart+0x80/0x7a0 exit_to_user_mode_loop+0x92/0x4d0 do_syscall_64+0x3c3/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f stack backtrace: CPU: 1 UID: 0 PID: 85267 Comm: syz-executor.7 Tainted: G W 6.18.0-next-20251210 #1 PREEMPT(voluntary) Tainted: [W]=WARN Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Call Trace: dump_stack_lvl+0xca/0x120 print_irq_inversion_bug.part.0+0x20a/0x260 mark_lock+0x850/0xf70 __lock_acquire+0x975/0x2250 lock_acquire+0x15e/0x2d0 _raw_spin_lock_irqsave+0x3a/0x60 input_inject_event+0x9f/0x3b0 led_set_brightness+0x215/0x290 led_trigger_event+0xda/0x270 kbd_bh+0x23a/0x310 tasklet_action_common+0x270/0x730 handle_softirqs+0x1b1/0x7d0 __irq_exit_rcu+0xc4/0x100 irq_exit_rcu+0x9/0x20 sysvec_call_function_single+0xa6/0xc0 asm_sysvec_call_function_single+0x1a/0x20 RIP: 0010:rcu_is_watching+0x30/0x70 Code: ff 05 f4 1d 50 06 65 48 8b 1d e4 1d 50 06 48 8d bb d0 5e ad 87 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 <48> 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 
d2 75 26 8b 83 d0 5e ad RSP: 0018:ffff8880526ef488 EFLAGS: 00000212 RAX: dffffc0000000000 RBX: ffff8880e545c000 RCX: 00000000ccefea11 RDX: 0000000000000000 RSI: ffff88804e9cddc0 RDI: ffff88806cf31ed0 RBP: 00007f0eb3d33b19 R08: 0000000000000001 R09: 0000000000000001 R10: 0000000000000005 R11: 0000000000000001 R12: ffff8880526ef500 R13: 0000000000000000 R14: ffff88804e9cd340 R15: 0000000000002800 is_module_text_address+0xb8/0x100 kernel_text_address+0x35/0xc0 __kernel_text_address+0xd/0x40 unwind_get_return_address+0x59/0xa0 arch_stack_walk+0x9c/0xf0 stack_trace_save+0x8e/0xc0 set_track_prepare+0x35/0x70 __alloc_object+0xf0/0x2c0 __create_object+0x1d/0x80 __kmalloc_cache_noprof+0x4a4/0x780 kmem_cache_free+0x13a/0x660 __put_anon_vma+0x114/0x390 unlink_anon_vmas+0x4ae/0x740 free_pgtables+0x1c8/0xbf0 exit_mmap+0x392/0xa70 mmput+0xd5/0x390 do_exit+0x7ad/0x2950 do_group_exit+0xd3/0x2a0 get_signal+0x24aa/0x25d0 arch_do_signal_or_restart+0x80/0x7a0 exit_to_user_mode_loop+0x92/0x4d0 do_syscall_64+0x3c3/0x420 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0eb3d33b19 Code: Unable to access opcode bytes at 0x7f0eb3d33aef. 
RSP: 002b:00007f0eb12a9218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca RAX: 0000000000000001 RBX: 00007f0eb3e46f68 RCX: 00007f0eb3d33b19 RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007f0eb3e46f6c RBP: 00007f0eb3e46f60 R08: 000000000000000e R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 00007f0eb3e46f6c R13: 00007ffc60304c4f R14: 00007f0eb12a9300 R15: 0000000000022000 9pnet_fd: p9_fd_create_tcp (85411): problem connecting socket to 127.0.0.1 cgroup: Bad value for 'name' cgroup: Bad value for 'name' cgroup: Bad value for 'name' cgroup: Bad value for 'name' cgroup: Bad value for 'name' cgroup: Bad value for 'name' cgroup: Bad value for 'name' tmpfs: Bad value for 'nr_inodes' tmpfs: Bad value for 'nr_inodes' tmpfs: Bad value for 'nr_inodes' tmpfs: Bad value for 'nr_inodes' tmpfs: Bad value for 'nr_inodes' nfs4: Bad value for 'port' nfs4: Bad value for 'port' nfs4: Bad value for 'port' nfs4: Bad value for 'port' nfs4: Bad value for 'port' netlink: 'syz-executor.4': attribute type 30 has an invalid length. netlink: 'syz-executor.4': attribute type 30 has an invalid length. netlink: 'syz-executor.4': attribute type 30 has an invalid length. netlink: 'syz-executor.4': attribute type 30 has an invalid length. netlink: 'syz-executor.4': attribute type 30 has an invalid length. 
loop0: detected capacity change from 0 to 64
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
loop0: detected capacity change from 0 to 64
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
loop0: detected capacity change from 0 to 64
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
loop0: detected capacity change from 0 to 64
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
FAT-fs (loop0): Invalid FSINFO signature: 0x00000000, 0x00000000 (sector = 1)
----------------
Code disassembly (best guess):
   0:   ff 05 f4 1d 50 06       incl   0x6501df4(%rip)        # 0x6501dfa
   6:   65 48 8b 1d e4 1d 50    mov    %gs:0x6501de4(%rip),%rbx        # 0x6501df2
   d:   06
   e:   48 8d bb d0 5e ad 87    lea    -0x7852a130(%rbx),%rdi
  15:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  1c:   fc ff df
  1f:   48 89 fa                mov    %rdi,%rdx
  22:   48 c1 ea 03             shr    $0x3,%rdx
  26:   0f b6 14 02             movzbl (%rdx,%rax,1),%edx
* 2a:   48 89 f8                mov    %rdi,%rax <-- trapping instruction
  2d:   83 e0 07                and    $0x7,%eax
  30:   83 c0 03                add    $0x3,%eax
  33:   38 d0                   cmp    %dl,%al
  35:   7c 04                   jl     0x3b
  37:   84 d2                   test   %dl,%dl
  39:   75 26                   jne    0x61
  3b:   8b                      .byte 0x8b
  3c:   83 d0 5e                adc    $0x5e,%eax
  3f:   ad                      lods   %ds:(%rsi),%eax