[PATCH v2] locking/lockdep: skip irq save/restore in hardirq context in lock_release()

From: Deepanshu Kartikey

Date: Mon Jun 29 2026 - 19:37:07 EST


lock_release() performs a raw_local_irq_save/restore dance around its
validation work. While safe in process and softirq context, this is
dangerous in hardirq context where IRQs must remain disabled for the
entire duration of the handler.

When lock_release() calls raw_local_irq_restore() inside a hardirq
handler, it briefly re-enables IRQs, creating a window where a new
interrupt can fire before the handler returns. This was observed with
taprio's advance_sched() hrtimer callback - the temporary IRQ
re-enablement inside lock_release() prevented CPU 0 from acknowledging
a pending TLB flush IPI sent by CPU 1 via smp_call_function_many().
CPU 1 then spun indefinitely in csd_lock_wait(), starving the RCU
grace-period kthread and triggering an RCU stall with eventual OOM.

Fix this by conditionally skipping the irq save/restore when called
from hardirq context, rather than duplicating the validation code in
a separate path.

Reported-by: syzbot+0635dc2e2c3c21a6aa04@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://syzkaller.appspot.com/bug?extid=0635dc2e2c3c21a6aa04
Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
---
Changes in v2:
- Remove lockdep_hardirq() helper and recursion check as suggested by
  Longman - we only need to know if we are in hardirq context
- Avoid code duplication by conditionally guarding irq save/restore
  with in_hardirq() check instead of duplicating the validation path
---
kernel/locking/lockdep.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 2d4c5bab5af8..1ee69335d4ae 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -5882,14 +5882,17 @@ void lock_release(struct lockdep_map *lock, unsigned long ip)
lock->key == &__lockdep_no_track__))
return;

- raw_local_irq_save(flags);
- check_flags(flags);
+ if (!in_hardirq()) {
+ raw_local_irq_save(flags);
+ check_flags(flags);
+ }

lockdep_recursion_inc();
if (__lock_release(lock, ip))
check_chain_key(current);
lockdep_recursion_finish();
- raw_local_irq_restore(flags);
+ if (!in_hardirq())
+ raw_local_irq_restore(flags);
}
EXPORT_SYMBOL_GPL(lock_release);
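Review bot: `flags` is now initialized only on the `!in_hardirq()` path at the top of the hunk and read under a second, separately evaluated `!in_hardirq()` test at the bottom; the two cannot diverge within one call, but the compiler cannot see that and may emit a maybe-uninitialized warning, and a reader has to check by hand that the two conditions match. Evaluate the test once into a local, e.g. `bool save_irqs = !in_hardirq();`, and use it for both `if` statements (or initialize `flags` to 0). Also, skipping the whole block drops `check_flags(flags)` in hardirq context, so lockdep's flags consistency check no longer runs there; if that is intentional, say so in the changelog. Finally, `raw_local_irq_restore(flags)` only re-enables interrupts if the preceding `raw_local_irq_save(flags)` recorded them as enabled, so the changelog should explain how interrupts came to be enabled on entry to `lock_release()` from a hardirq handler, since that is what this hunk is working around.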

--
2.43.0