syzbot


inconsistent lock state in kernfs_path_from_node

Status: upstream: reported C repro on 2026/05/30 05:20
Reported-by: syzbot+99b9352b47a657a7cfcf@syzkaller.appspotmail.com
First crash: 18d, last: 9d20h
Similar bugs (2)
| Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| linux-5.15 | inconsistent lock state in kernfs_path_from_node (origin:lts-only) | 4 | C | error | | 35 | 1d02h | 27d | 0/3 | upstream: reported C repro on 2026/05/20 14:09 |
| linux-6.6 | inconsistent lock state in kernfs_path_from_node | 4 | C | | | 4 | 2d02h | 9d07h | 0/2 | upstream: reported C repro on 2026/06/08 05:10 |

Sample crash report:
================================
WARNING: inconsistent lock state
syzkaller #0 Not tainted
--------------------------------
inconsistent {INITIAL USE} -> {IN-NMI} usage.
syz.0.30/4443 [HC2[2]:SC0[0]:HE0:SE1] takes:
ffffffff8cc845f8 (kernfs_rename_lock){....}-{2:2}, at: kernfs_path_from_node+0x85/0xd30 fs/kernfs/dir.c:232
{INITIAL USE} state was registered at:
  lock_acquire+0x1bb/0x4a0 kernel/locking/lockdep.c:5662
  __raw_spin_lock_irq include/linux/spinlock_api_smp.h:119 [inline]
  _raw_spin_lock_irq+0xab/0xf0 kernel/locking/spinlock.c:170
  spin_lock_irq include/linux/spinlock.h:376 [inline]
  kernfs_rename_ns+0x550/0x990 fs/kernfs/dir.c:1734
  sysfs_rename_link_ns+0x171/0x1b0 fs/sysfs/symlink.c:192
  device_rename+0x11c/0x1a0 drivers/base/core.c:4577
  dev_change_name+0x376/0x900 net/core/dev.c:1273
  do_setlink+0x93d/0x3e60 net/core/rtnetlink.c:2817
  __rtnl_newlink net/core/rtnetlink.c:3614 [inline]
  rtnl_newlink+0x17d9/0x20a0 net/core/rtnetlink.c:3661
  rtnetlink_rcv_msg+0x87c/0xfc0 net/core/rtnetlink.c:6158
  netlink_rcv_skb+0x1fb/0x450 net/netlink/af_netlink.c:2511
  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
  netlink_unicast+0x74d/0x8d0 net/netlink/af_netlink.c:1344
  netlink_sendmsg+0x8ad/0xbd0 net/netlink/af_netlink.c:1872
  sock_sendmsg_nosec net/socket.c:718 [inline]
  __sock_sendmsg net/socket.c:730 [inline]
  __sys_sendto+0x497/0x650 net/socket.c:2152
  __do_sys_sendto net/socket.c:2164 [inline]
  __se_sys_sendto net/socket.c:2160 [inline]
  __x64_sys_sendto+0xda/0xf0 net/socket.c:2160
  do_syscall_x64 arch/x86/entry/common.c:46 [inline]
  do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:76
  entry_SYSCALL_64_after_hwframe+0x68/0xd2
irq event stamp: 3556
hardirqs last  enabled at (3555): [<ffffffff8a2f15d8>] do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:82
hardirqs last disabled at (3556): [<ffffffff8a2f5e8f>] irqentry_enter+0xf/0x50 kernel/entry/common.c:328
softirqs last  enabled at (3394): [<ffffffff81a9903c>] rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
softirqs last  enabled at (3394): [<ffffffff81a9903c>] rcu_read_lock include/linux/rcupdate.h:791 [inline]
softirqs last  enabled at (3394): [<ffffffff81a9903c>] __rhashtable_insert_fast include/linux/rhashtable.h:713 [inline]
softirqs last  enabled at (3394): [<ffffffff81a9903c>] rhltable_insert_key include/linux/rhashtable.h:852 [inline]
softirqs last  enabled at (3394): [<ffffffff81a9903c>] rhltable_insert include/linux/rhashtable.h:879 [inline]
softirqs last  enabled at (3394): [<ffffffff81a9903c>] toggle_bp_slot+0x199c/0x2bc0 kernel/events/hw_breakpoint.c:521
softirqs last disabled at (3392): [<ffffffff81a9ab5c>] local_bh_disable include/linux/bottom_half.h:20 [inline]
softirqs last disabled at (3392): [<ffffffff81a9ab5c>] rht_lock+0x1c/0x150 include/linux/rhashtable.h:329

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(kernfs_rename_lock);
  <Interrupt>
    lock(kernfs_rename_lock);

 *** DEADLOCK ***

1 lock held by syz.0.30/4443:
 #0: ffffffff8cb2de60 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
 #0: ffffffff8cb2de60 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
 #0: ffffffff8cb2de60 (rcu_read_lock){....}-{1:2}, at: __perf_event_output kernel/events/core.c:7728 [inline]
 #0: ffffffff8cb2de60 (rcu_read_lock){....}-{1:2}, at: perf_event_output_forward+0xbe/0x2f0 kernel/events/core.c:7750

stack backtrace:
CPU: 0 PID: 4443 Comm: syz.0.30 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Call Trace:
 <#DB>
 dump_stack_lvl+0x188/0x24e lib/dump_stack.c:106
 lock_acquire+0x2df/0x4a0 kernel/locking/lockdep.c:5653
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xb0/0x100 kernel/locking/spinlock.c:162
 kernfs_path_from_node+0x85/0xd30 fs/kernfs/dir.c:232
 kernfs_path include/linux/kernfs.h:595 [inline]
 cgroup_path include/linux/cgroup.h:674 [inline]
 get_mm_memcg_path+0xb9/0x360 mm/mmap_lock.c:82
 __mmap_lock_do_trace_acquire_returned+0xe7/0x390 mm/mmap_lock.c:102
 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline]
 mmap_read_trylock include/linux/mmap_lock.h:137 [inline]
 stack_map_get_build_id_offset+0x6b2/0x970 kernel/bpf/stackmap.c:144
 __bpf_get_stackid+0x55d/0x920 kernel/bpf/stackmap.c:250
 bpf_prog_12712c88fd19bd5b+0x21/0x25
 bpf_dispatcher_nop_func include/linux/bpf.h:1012 [inline]
 __bpf_prog_run include/linux/filter.h:607 [inline]
 bpf_prog_run include/linux/filter.h:614 [inline]
 bpf_overflow_handler+0x522/0x7c0 kernel/events/core.c:10321
 __perf_event_overflow+0x448/0x610 kernel/events/core.c:9496
 perf_swevent_overflow kernel/events/core.c:9579 [inline]
 perf_swevent_event+0x315/0x570 kernel/events/core.c:9630
 perf_bp_event+0x312/0x3f0 kernel/events/core.c:10518
 hw_breakpoint_handler arch/x86/kernel/hw_breakpoint.c:555 [inline]
 hw_breakpoint_exceptions_notify+0x152/0x470 arch/x86/kernel/hw_breakpoint.c:586
 notifier_call_chain kernel/notifier.c:87 [inline]
 atomic_notifier_call_chain+0x17a/0x2b0 kernel/notifier.c:225
 notify_die+0x141/0x1a0 kernel/notifier.c:593
 notify_debug+0x20/0x30 arch/x86/kernel/traps.c:1018
 exc_debug_kernel arch/x86/kernel/traps.c:1075 [inline]
 exc_debug+0xd9/0x130 arch/x86/kernel/traps.c:1175
 asm_exc_debug+0x1a/0x40 arch/x86/include/asm/idtentry.h:648
RIP: 0010:__get_user_nocheck_8+0x9/0x13 arch/x86/lib/getuser.S:160
Code: 90 0f 01 cb 0f ae e8 0f b7 10 31 c0 0f 01 ca c3 90 0f 01 cb 0f ae e8 8b 10 31 c0 0f 01 ca c3 90 90 0f 01 cb 0f ae e8 48 8b 10 <31> c0 0f 01 ca c3 90 0f 01 ca 31 d2 48 c7 c0 f2 ff ff ff c3 00 00
RSP: 0000:ffffc900032d7640 EFLAGS: 00040806
RAX: 0000200000000300 RBX: dffffc0000000000 RCX: ffff8880276a8000
RDX: 00006370692f736e RSI: 0000200000000300 RDI: 00007fffffffeff0
RBP: 0000000000000000 R08: 000000000000007f R09: 0000000000000000
R10: dffffc0000000000 R11: fffff5200065af27 R12: 00000000ffffffff
R13: 0000200000000300 R14: 000000000000007f R15: 00007fffffffeff0
 </#DB>
 <TASK>
 perf_callchain_user+0x55d/0x13c0 arch/x86/events/core.c:2982
 get_perf_callchain+0x39e/0x490 kernel/events/callchain.c:219
 perf_callchain kernel/events/core.c:7512 [inline]
 perf_prepare_sample+0x399/0x2020 kernel/events/core.c:7545
 __perf_event_output kernel/events/core.c:7730 [inline]
 perf_event_output_forward+0x197/0x2f0 kernel/events/core.c:7750
 __perf_event_overflow+0x448/0x610 kernel/events/core.c:9496
 perf_event_overflow kernel/events/core.c:9517 [inline]
 perf_swevent_hrtimer+0x472/0x630 kernel/events/core.c:10967
 __run_hrtimer kernel/time/hrtimer.c:1751 [inline]
 __hrtimer_run_queues+0x50b/0xd50 kernel/time/hrtimer.c:1815
 hrtimer_interrupt+0x3c5/0x9c0 kernel/time/hrtimer.c:1877
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1107 [inline]
 __sysvec_apic_timer_interrupt+0x153/0x5a0 arch/x86/kernel/apic/apic.c:1124
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1118 [inline]
 sysvec_apic_timer_interrupt+0x4d/0xc0 arch/x86/kernel/apic/apic.c:1118
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:691
RIP: 0033:0x7fc47ad4f4a0
Code: 43 08 48 3b 43 10 0f 84 11 08 00 00 48 8d 50 01 48 89 53 08 c6 00 20 8b 44 24 18 83 6c 24 10 01 89 44 24 14 e9 b9 f2 ff ff 90 <48> 89 ef e8 38 be ef ff 49 89 c4 e9 af ea ff ff 0f b6 4c 24 20 b8
RSP: 002b:00007fff6d7c7f30 EFLAGS: 00000246
RAX: 0000000000000001 RBX: 00007fff6d7c8460 RCX: 2f666c65732f636f
RDX: 00007fff6d7c8558 RSI: 00007fc47ae5d140 RDI: 00007fc47afdcfe0
RBP: 0000200000000300 R08: 00007fff6d7c8690 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000073 R14: 00007fc47ae320dd R15: 00007fff6d7c8520
 </TASK>
----------------
Code disassembly (best guess):
   0:	90                   	nop
   1:	0f 01 cb             	stac
   4:	0f ae e8             	lfence
   7:	0f b7 10             	movzwl (%rax),%edx
   a:	31 c0                	xor    %eax,%eax
   c:	0f 01 ca             	clac
   f:	c3                   	ret
  10:	90                   	nop
  11:	0f 01 cb             	stac
  14:	0f ae e8             	lfence
  17:	8b 10                	mov    (%rax),%edx
  19:	31 c0                	xor    %eax,%eax
  1b:	0f 01 ca             	clac
  1e:	c3                   	ret
  1f:	90                   	nop
  20:	90                   	nop
  21:	0f 01 cb             	stac
  24:	0f ae e8             	lfence
  27:	48 8b 10             	mov    (%rax),%rdx
* 2a:	31 c0                	xor    %eax,%eax <-- trapping instruction
  2c:	0f 01 ca             	clac
  2f:	c3                   	ret
  30:	90                   	nop
  31:	0f 01 ca             	clac
  34:	31 d2                	xor    %edx,%edx
  36:	48 c7 c0 f2 ff ff ff 	mov    $0xfffffffffffffff2,%rax
  3d:	c3                   	ret

Crashes (4):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026/06/07 02:18 | linux-6.1.y | 228da13e907e | cc095639 | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-perf | inconsistent lock state in kernfs_path_from_node |
| 2026/06/07 16:24 | linux-6.1.y | 228da13e907e | cc095639 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-perf | inconsistent lock state in kernfs_path_from_node |
| 2026/06/06 22:28 | linux-6.1.y | 228da13e907e | cc095639 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-perf | inconsistent lock state in kernfs_path_from_node |
| 2026/05/30 05:19 | linux-6.1.y | dcbcab9d7079 | 6b4a8443 | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-1-kasan-perf | inconsistent lock state in kernfs_path_from_node |
* Struck through repros no longer work on HEAD.