syzbot

------------[ cut here ]------------
======================================================
WARNING: possible circular locking dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
------------------------------------------------------
sshd/5066 is trying to acquire lock:
ffffffff8e00dbb8 ((console_sem).lock){-...}-{2:2}, at: down_trylock+0x20/0xa0 kernel/locking/semaphore.c:139

but task is already holding lock:
ffff8880b942a758 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 kernel/time/timer.c:1051

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #3 (&base->lock){-.-.}-{2:2}:
       lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
       lock_timer_base+0x112/0x240 kernel/time/timer.c:1051
       __mod_timer+0x1ca/0xeb0 kernel/time/timer.c:1132
       queue_delayed_work_on+0x15a/0x260 kernel/workqueue.c:2595
       psi_task_change+0xfd/0x280 kernel/sched/psi.c:912
       psi_enqueue kernel/sched/stats.h:139 [inline]
       enqueue_task+0x2a6/0x2f0 kernel/sched/core.c:2112
       activate_task kernel/sched/core.c:2146 [inline]
       wake_up_new_task+0x564/0xc10 kernel/sched/core.c:4901
       kernel_clone+0x4d4/0x8d0 kernel/fork.c:2827
       user_mode_thread+0x132/0x1a0 kernel/fork.c:2874
       rest_init+0x27/0x300 init/main.c:695
       arch_call_rest_init+0xe/0x10 init/main.c:831
       start_kernel+0x47a/0x500 init/main.c:1077
       x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:509
       x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:490
       common_startup_64+0x13e/0x147

-> #2 (&rq->__lock){-.-.}-{2:2}:
       lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
       _raw_spin_lock_nested+0x31/0x40 kernel/locking/spinlock.c:378
       raw_spin_rq_lock_nested+0x2a/0x140 kernel/sched/core.c:559
       raw_spin_rq_lock kernel/sched/sched.h:1385 [inline]
       rq_lock kernel/sched/sched.h:1699 [inline]
       task_fork_fair+0x61/0x1e0 kernel/sched/fair.c:12629
       sched_cgroup_fork+0x37e/0x410 kernel/sched/core.c:4845
       copy_process+0x2217/0x3df0 kernel/fork.c:2498
       kernel_clone+0x21e/0x8d0 kernel/fork.c:2796
       user_mode_thread+0x132/0x1a0 kernel/fork.c:2874
       rest_init+0x27/0x300 init/main.c:695
       arch_call_rest_init+0xe/0x10 init/main.c:831
       start_kernel+0x47a/0x500 init/main.c:1077
       x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:509
       x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:490
       common_startup_64+0x13e/0x147

-> #1 (&p->pi_lock){-.-.}-{2:2}:
       lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
       class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:553 [inline]
       try_to_wake_up+0xb0/0x1470 kernel/sched/core.c:4262
       up+0x72/0x90 kernel/locking/semaphore.c:191
       __up_console_sem kernel/printk/printk.c:340 [inline]
       __console_unlock kernel/printk/printk.c:2725 [inline]
       console_unlock+0x22f/0x4d0 kernel/printk/printk.c:3044
       vprintk_emit+0x5a6/0x770 kernel/printk/printk.c:2342
       dev_vprintk_emit+0x2ae/0x330 drivers/base/core.c:4864
       dev_printk_emit+0xdd/0x120 drivers/base/core.c:4875
       _dev_warn+0x122/0x170 drivers/base/core.c:4931
       firmware_fallback_sysfs+0x4cf/0x9e0 drivers/base/firmware_loader/fallback.c:233
       _request_firmware+0xc97/0x1250 drivers/base/firmware_loader/main.c:910
       request_firmware_work_func+0x12a/0x280 drivers/base/firmware_loader/main.c:1161
       process_one_work kernel/workqueue.c:3254 [inline]
       process_scheduled_works+0xa02/0x1770 kernel/workqueue.c:3335
       worker_thread+0x86d/0xd70 kernel/workqueue.c:3416
       kthread+0x2f2/0x390 kernel/kthread.c:388
       ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

-> #0 ((console_sem).lock){-...}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
       __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
       lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
       down_trylock+0x20/0xa0 kernel/locking/semaphore.c:139
       __down_trylock_console_sem+0x109/0x250 kernel/printk/printk.c:323
       console_trylock kernel/printk/printk.c:2678 [inline]
       console_trylock_spinning kernel/printk/printk.c:1958 [inline]
       vprintk_emit+0x283/0x770 kernel/printk/printk.c:2341
       _printk+0xd5/0x120 kernel/printk/printk.c:2367
       __report_bug lib/bug.c:195 [inline]
       report_bug+0x346/0x500 lib/bug.c:219
       handle_bug+0x3e/0x70 arch/x86/kernel/traps.c:239
       exc_invalid_op+0x1a/0x50 arch/x86/kernel/traps.c:260
       asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
       __local_bh_enable_ip+0x1be/0x200 kernel/softirq.c:362
       spin_unlock_bh include/linux/spinlock.h:396 [inline]
       sock_hash_delete_elem+0x1a6/0x300 net/core/sock_map.c:947
       bpf_prog_05fc780d7a5f93f9+0x4a/0x52
       bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
       __bpf_prog_run include/linux/filter.h:657 [inline]
       bpf_prog_run include/linux/filter.h:664 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
       bpf_trace_run2+0x206/0x420 kernel/trace/bpf_trace.c:2420
       trace_timer_start include/trace/events/timer.h:52 [inline]
       enqueue_timer+0x396/0x550 kernel/time/timer.c:663
       __mod_timer+0x953/0xeb0 kernel/time/timer.c:1181
       sk_reset_timer+0x23/0xc0 net/core/sock.c:3420
       tcp_event_new_data_sent+0x203/0x360 net/ipv4/tcp_output.c:81
       tcp_write_xmit+0x1468/0x6100 net/ipv4/tcp_output.c:2799
       __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:2977
       tcp_sendmsg_locked+0x42cc/0x4d00 net/ipv4/tcp.c:1310
       tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1342
       sock_sendmsg_nosec net/socket.c:730 [inline]
       __sock_sendmsg+0x1a6/0x270 net/socket.c:745
       sock_write_iter+0x2dd/0x400 net/socket.c:1160
       call_write_iter include/linux/fs.h:2108 [inline]
       new_sync_write fs/read_write.c:497 [inline]
       vfs_write+0xa86/0xcb0 fs/read_write.c:590
       ksys_write+0x1a0/0x2c0 fs/read_write.c:643
       do_syscall_64+0xfd/0x240
       entry_SYSCALL_64_after_hwframe+0x6d/0x75

other info that might help us debug this:

Chain exists of:
  (console_sem).lock --> &rq->__lock --> &base->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&base->lock);
                               lock(&rq->__lock);
                               lock(&base->lock);
  lock((console_sem).lock);

 *** DEADLOCK ***

3 locks held by sshd/5066:
 #0: ffff88807f00bf98 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]
 #0: ffff88807f00bf98 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x22/0x50 net/ipv4/tcp.c:1341
 #1: ffff8880b942a758 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 kernel/time/timer.c:1051
 #2: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline]
 #2: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline]
 #2: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline]
 #2: ffffffff8e132020 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x114/0x420 kernel/trace/bpf_trace.c:2420

stack backtrace:
CPU: 0 PID: 5066 Comm: sshd Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869
 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137
 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 down_trylock+0x20/0xa0 kernel/locking/semaphore.c:139
 __down_trylock_console_sem+0x109/0x250 kernel/printk/printk.c:323
 console_trylock kernel/printk/printk.c:2678 [inline]
 console_trylock_spinning kernel/printk/printk.c:1958 [inline]
 vprintk_emit+0x283/0x770 kernel/printk/printk.c:2341
 _printk+0xd5/0x120 kernel/printk/printk.c:2367
 __report_bug lib/bug.c:195 [inline]
 report_bug+0x346/0x500 lib/bug.c:219
 handle_bug+0x3e/0x70 arch/x86/kernel/traps.c:239
 exc_invalid_op+0x1a/0x50 arch/x86/kernel/traps.c:260
 asm_exc_invalid_op+0x1a/0x20 arch/x86/include/asm/idtentry.h:621
RIP: 0010:__local_bh_enable_ip+0x1be/0x200 kernel/softirq.c:362
Code: 3b 44 24 60 75 52 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d e9 b3 da 25 0a 90 0f 0b 90 e9 ca fe ff ff e8 55 00 00 00 eb 9c 90 <0f> 0b 90 e9 fa fe ff ff 48 c7 c1 9c 6d 87 8f 80 e1 07 80 c1 03 38
RSP: 0018:ffffc90003a2f1a0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 1ffff92000745e38 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff89642276
RBP: ffffc90003a2f260 R08: ffff88802a65300b R09: 1ffff110054ca601
R10: dffffc0000000000 R11: ffffed10054ca602 R12: dffffc0000000000
R13: 0000000000000004 R14: ffffc90003a2f1e0 R15: 0000000000000201
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 sock_hash_delete_elem+0x1a6/0x300 net/core/sock_map.c:947
 bpf_prog_05fc780d7a5f93f9+0x4a/0x52
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x206/0x420 kernel/trace/bpf_trace.c:2420
 trace_timer_start include/trace/events/timer.h:52 [inline]
 enqueue_timer+0x396/0x550 kernel/time/timer.c:663
 __mod_timer+0x953/0xeb0 kernel/time/timer.c:1181
 sk_reset_timer+0x23/0xc0 net/core/sock.c:3420
 tcp_event_new_data_sent+0x203/0x360 net/ipv4/tcp_output.c:81
 tcp_write_xmit+0x1468/0x6100 net/ipv4/tcp_output.c:2799
 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:2977
 tcp_sendmsg_locked+0x42cc/0x4d00 net/ipv4/tcp.c:1310
 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1342
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:745
 sock_write_iter+0x2dd/0x400 net/socket.c:1160
 call_write_iter include/linux/fs.h:2108 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa86/0xcb0 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_64+0xfd/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7ff000116bf2
Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffdcc9f0118 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000002c RCX: 00007ff000116bf2
RDX: 000000000000002c RSI: 000055c32ef86960 RDI: 0000000000000004
RBP: 000055c32ef8fde0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000055c3172e8aa4
R13: 000000000000004a R14: 000055c3172e93e8 R15: 00007ffdcc9f0188
 </TASK>
WARNING: CPU: 0 PID: 5066 at kernel/softirq.c:362 __local_bh_enable_ip+0x1be/0x200 kernel/softirq.c:362
Modules linked in:
CPU: 0 PID: 5066 Comm: sshd Not tainted 6.8.0-syzkaller-08951-gfe46a7dd189e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:__local_bh_enable_ip+0x1be/0x200 kernel/softirq.c:362
Code: 3b 44 24 60 75 52 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d e9 b3 da 25 0a 90 0f 0b 90 e9 ca fe ff ff e8 55 00 00 00 eb 9c 90 <0f> 0b 90 e9 fa fe ff ff 48 c7 c1 9c 6d 87 8f 80 e1 07 80 c1 03 38
RSP: 0018:ffffc90003a2f1a0 EFLAGS: 00010046
RAX: 0000000000000000 RBX: 1ffff92000745e38 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000201 RDI: ffffffff89642276
RBP: ffffc90003a2f260 R08: ffff88802a65300b R09: 1ffff110054ca601
R10: dffffc0000000000 R11: ffffed10054ca602 R12: dffffc0000000000
R13: 0000000000000004 R14: ffffc90003a2f1e0 R15: 0000000000000201
FS:  00007ff000518800(0000) GS:ffff8880b9400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000001e672000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 sock_hash_delete_elem+0x1a6/0x300 net/core/sock_map.c:947
 bpf_prog_05fc780d7a5f93f9+0x4a/0x52
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run2+0x206/0x420 kernel/trace/bpf_trace.c:2420
 trace_timer_start include/trace/events/timer.h:52 [inline]
 enqueue_timer+0x396/0x550 kernel/time/timer.c:663
 __mod_timer+0x953/0xeb0 kernel/time/timer.c:1181
 sk_reset_timer+0x23/0xc0 net/core/sock.c:3420
 tcp_event_new_data_sent+0x203/0x360 net/ipv4/tcp_output.c:81
 tcp_write_xmit+0x1468/0x6100 net/ipv4/tcp_output.c:2799
 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:2977
 tcp_sendmsg_locked+0x42cc/0x4d00 net/ipv4/tcp.c:1310
 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1342
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0x1a6/0x270 net/socket.c:745
 sock_write_iter+0x2dd/0x400 net/socket.c:1160
 call_write_iter include/linux/fs.h:2108 [inline]
 new_sync_write fs/read_write.c:497 [inline]
 vfs_write+0xa86/0xcb0 fs/read_write.c:590
 ksys_write+0x1a0/0x2c0 fs/read_write.c:643
 do_syscall_64+0xfd/0x240
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7ff000116bf2
Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83
RSP: 002b:00007ffdcc9f0118 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 000000000000002c RCX: 00007ff000116bf2
RDX: 000000000000002c RSI: 000055c32ef86960 RDI: 0000000000000004
RBP: 000055c32ef8fde0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000055c3172e8aa4
R13: 000000000000004a R14: 000055c3172e93e8 R15: 00007ffdcc9f0188
 </TASK>