======================================================
WARNING: possible circular locking dependency detected
5.12.0-syzkaller #0 Not tainted
------------------------------------------------------
kworker/u4:22/11108 is trying to acquire lock:
ffff888072bb30a0 (slock-AF_INET#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff888072bb30a0 (slock-AF_INET#2){+.-.}-{2:2}, at: sctp_addr_wq_timeout_handler+0x192/0x470 net/sctp/protocol.c:666

but task is already holding lock:
ffff888028cacaa0 (&net->sctp.addr_wq_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:359 [inline]
ffff888028cacaa0 (&net->sctp.addr_wq_lock){+.-.}-{2:2}, at: sctp_addr_wq_timeout_handler+0x2c/0x470 net/sctp/protocol.c:626

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #1 (&net->sctp.addr_wq_lock){+.-.}-{2:2}:
       lock_acquire+0x17f/0x720 kernel/locking/lockdep.c:5512
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
       _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:175
       spin_lock_bh include/linux/spinlock.h:359 [inline]
       sctp_destroy_sock+0xc9/0x370 net/sctp/socket.c:5028
       sk_common_release+0x6a/0x2e0 net/core/sock.c:3264
       sctp_close+0x761/0x8f0 net/sctp/socket.c:1531
       inet_release+0x16e/0x1f0 net/ipv4/af_inet.c:431
       __sock_release net/socket.c:599 [inline]
       sock_close+0xd8/0x260 net/socket.c:1258
       __fput+0x352/0x7b0 fs/file_table.c:280
       task_work_run+0x146/0x1c0 kernel/task_work.c:161
       exit_task_work include/linux/task_work.h:32 [inline]
       do_exit+0x736/0x23d0 kernel/exit.c:826
       do_group_exit+0x168/0x2d0 kernel/exit.c:923
       get_signal+0x1770/0x2180 kernel/signal.c:2818
       arch_do_signal_or_restart+0x8e/0x6c0 arch/x86/kernel/signal.c:789
       handle_signal_work kernel/entry/common.c:147 [inline]
       exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
       exit_to_user_mode_prepare+0xac/0x200 kernel/entry/common.c:208
       __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
       syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301
       do_syscall_64+0x4b/0xb0 arch/x86/entry/common.c:57
       entry_SYSCALL_64_after_hwframe+0x44/0xae

-> #0 (slock-AF_INET#2){+.-.}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:2938 [inline]
       check_prevs_add+0x4d6/0x5a90 kernel/locking/lockdep.c:3061
       validate_chain kernel/locking/lockdep.c:3676 [inline]
       __lock_acquire+0x4307/0x6040 kernel/locking/lockdep.c:4902
       lock_acquire+0x17f/0x720 kernel/locking/lockdep.c:5512
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
       spin_lock include/linux/spinlock.h:354 [inline]
       sctp_addr_wq_timeout_handler+0x192/0x470 net/sctp/protocol.c:666
       call_timer_fn+0xf6/0x210 kernel/time/timer.c:1431
       expire_timers kernel/time/timer.c:1476 [inline]
       __run_timers+0x6ff/0x910 kernel/time/timer.c:1745
       run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1758
       __do_softirq+0x372/0x7a6 kernel/softirq.c:559
       invoke_softirq kernel/softirq.c:433 [inline]
       __irq_exit_rcu+0x245/0x280 kernel/softirq.c:637
       irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
       sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
       asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
       __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
       _raw_spin_unlock_irq+0x25/0x40 kernel/locking/spinlock.c:199
       finish_task_switch+0x145/0x620 kernel/sched/core.c:4210
       context_switch kernel/sched/core.c:4342 [inline]
       __schedule+0xba0/0x1120 kernel/sched/core.c:5147
       preempt_schedule_irq+0xe3/0x190 kernel/sched/core.c:5535
       irqentry_exit+0x56/0x90 kernel/entry/common.c:426
       asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
       lock_is_held_type+0x129/0x180 arch/x86/include/asm/irqflags.h:45
       lock_is_held include/linux/lockdep.h:283 [inline]
       ___might_sleep+0xab/0x6b0 kernel/sched/core.c:8304
       get_next_corpse net/netfilter/nf_conntrack_core.c:2223 [inline]
       nf_ct_iterate_cleanup+0x36a/0x3f0 net/netfilter/nf_conntrack_core.c:2245
       nf_conntrack_cleanup_net_list+0x7c/0x210 net/netfilter/nf_conntrack_core.c:2432
       ops_exit_list net/core/net_namespace.c:178 [inline]
       cleanup_net+0x7ec/0xc60 net/core/net_namespace.c:595
       process_one_work+0x833/0x10c0 kernel/workqueue.c:2275
       worker_thread+0xac1/0x1300 kernel/workqueue.c:2421
       kthread+0x39a/0x3c0 kernel/kthread.c:313
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&net->sctp.addr_wq_lock);
                               lock(slock-AF_INET#2);
                               lock(&net->sctp.addr_wq_lock);
  lock(slock-AF_INET#2);

 *** DEADLOCK ***

5 locks held by kworker/u4:22/11108:
 #0: ffff8880122d3138 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x7aa/0x10c0 kernel/workqueue.c:2248
 #1: ffffc90015df7d20 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x7e8/0x10c0 kernel/workqueue.c:2250
 #2: ffffffff8dd0a770 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0xf0/0xc60 net/core/net_namespace.c:557
 #3: ffffc90000007be0 ((&net->sctp.addr_wq_timer)){+.-.}-{0:0}, at: lockdep_copy_map include/linux/lockdep.h:45 [inline]
 #3: ffffc90000007be0 ((&net->sctp.addr_wq_timer)){+.-.}-{0:0}, at: call_timer_fn+0xbd/0x210 kernel/time/timer.c:1421
 #4: ffff888028cacaa0 (&net->sctp.addr_wq_lock){+.-.}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:359 [inline]
 #4: ffff888028cacaa0 (&net->sctp.addr_wq_lock){+.-.}-{2:2}, at: sctp_addr_wq_timeout_handler+0x2c/0x470 net/sctp/protocol.c:626

stack backtrace:
CPU: 0 PID: 11108 Comm: kworker/u4:22 Not tainted 5.12.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x202/0x31e lib/dump_stack.c:120
 print_circular_bug+0xb17/0xdc0 kernel/locking/lockdep.c:2007
 check_noncircular+0x2cc/0x390 kernel/locking/lockdep.c:2129
 check_prev_add kernel/locking/lockdep.c:2938 [inline]
 check_prevs_add+0x4d6/0x5a90 kernel/locking/lockdep.c:3061
 validate_chain kernel/locking/lockdep.c:3676 [inline]
 __lock_acquire+0x4307/0x6040 kernel/locking/lockdep.c:4902
 lock_acquire+0x17f/0x720 kernel/locking/lockdep.c:5512
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
 spin_lock include/linux/spinlock.h:354 [inline]
 sctp_addr_wq_timeout_handler+0x192/0x470 net/sctp/protocol.c:666
 call_timer_fn+0xf6/0x210 kernel/time/timer.c:1431
 expire_timers kernel/time/timer.c:1476 [inline]
 __run_timers+0x6ff/0x910 kernel/time/timer.c:1745
 run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1758
 __do_softirq+0x372/0x7a6 kernel/softirq.c:559
 invoke_softirq kernel/softirq.c:433 [inline]
 __irq_exit_rcu+0x245/0x280 kernel/softirq.c:637
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x25/0x40 kernel/locking/spinlock.c:199
Code: 00 00 00 00 00 53 48 89 fb 48 83 c7 18 48 8b 74 24 08 e8 ee ff ae f7 48 89 df e8 c6 a1 b0 f7 e8 61 ad d2 f7 fb bf 01 00 00 00 b6 73 a4 f7 65 8b 05 e7 8f 4f 76 85 c0 74 02 5b c3 e8 1b f2 4d
RSP: 0018:ffffc90015df7650 EFLAGS: 00000282
RAX: 21e412e549963800 RBX: ffff8880b9a34cc0 RCX: ffffffff8161b2a9
RDX: dffffc0000000000 RSI: 0000000000000002 RDI: 0000000000000001
RBP: ffffc90015df76b0 R08: dffffc0000000000 R09: fffffbfff2000db2
R10: fffffbfff2000db2 R11: 0000000000000000 R12: ffff8880b9a34cc0
R13: ffff888075d49c40 R14: dffffc0000000000 R15: 0000000000000000
 finish_task_switch+0x145/0x620 kernel/sched/core.c:4210
 context_switch kernel/sched/core.c:4342 [inline]
 __schedule+0xba0/0x1120 kernel/sched/core.c:5147
 preempt_schedule_irq+0xe3/0x190 kernel/sched/core.c:5535
 irqentry_exit+0x56/0x90 kernel/entry/common.c:426
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:lock_is_held_type+0x129/0x180 arch/x86/include/asm/irqflags.h:45
Code: 05 2c 50 52 76 83 f8 01 75 38 9c 8f 04 24 f7 04 24 00 02 00 00 75 46 41 f7 c4 00 02 00 00 74 01 fb 65 48 8b 04 25 28 00 00 00 <48> 3b 44 24 08 75 3c 89 d8 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffffc90015df7978 EFLAGS: 00000206
RAX: 21e412e549963800 RBX: 0000000000000000 RCX: ffff888075d49c40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: dffffc0000000000 R09: fffffbfff2000db2
R10: fffffbfff2000db2 R11: 0000000000000000 R12: 0000000000000246
R13: ffff888075d49c40 R14: 00000000ffffffff R15: ffffffff8cd145e0
 lock_is_held include/linux/lockdep.h:283 [inline]
 ___might_sleep+0xab/0x6b0 kernel/sched/core.c:8304
 get_next_corpse net/netfilter/nf_conntrack_core.c:2223 [inline]
 nf_ct_iterate_cleanup+0x36a/0x3f0 net/netfilter/nf_conntrack_core.c:2245
 nf_conntrack_cleanup_net_list+0x7c/0x210 net/netfilter/nf_conntrack_core.c:2432
 ops_exit_list net/core/net_namespace.c:178 [inline]
 cleanup_net+0x7ec/0xc60 net/core/net_namespace.c:595
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2275
 worker_thread+0xac1/0x1300 kernel/workqueue.c:2421
 kthread+0x39a/0x3c0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294