program: bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="18000000000000000000000000000000850000000f00000018010000646c6c2500000000000000007b1af8ff00000000bfa100000000000007010000f8ffffffb702000008000000b703000000000000850000000600000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) r0 = bpf$PROG_LOAD(0x5, &(0x7f0000000340)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000880)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='timer_start\x00', r0}, 0x10) r1 = bpf$MAP_CREATE(0x0, &(0x7f00000008c0)=@base={0xb, 0x8, 0xc, 0xffffffff, 0x1, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50) bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0), &(0x7f0000000140), 0x5, r1}, 0x38) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r1, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000080b7040000000000008500000003"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000007c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000880)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='timer_start\x00', r2}, 0x10) socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000940)) [ 79.858094][ T4537] Bluetooth: hci0: command tx timeout [ 80.009329][ T5111] [ 80.010386][ T5111] ====================================================== [ 80.013042][ T5111] WARNING: possible circular locking dependency detected [ 80.016191][ T5111] 6.12.0-rc3-syzkaller-00183-g6efbea77b390 #0 Not tainted [ 80.019406][ T5111] ------------------------------------------------------ [ 80.022288][ T5111] syz.0.0/5111 is trying to acquire lock: [ 80.024366][ T5111] ffff88801fc29430 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x18a/0x790 [ 80.028403][ T5111] [ 80.028403][ T5111] but task is already holding lock: [ 80.033092][ T5111] ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 80.037015][ T5111] [ 80.037015][ T5111] which lock already depends on the new lock. [ 80.037015][ T5111] [ 80.041002][ T5111] [ 80.041002][ T5111] the existing dependency chain (in reverse order) is: [ 80.044596][ T5111] [ 80.044596][ T5111] -> #1 (&base->lock){-.-.}-{2:2}: [ 80.048047][ T5111] lock_acquire+0x1ed/0x550 [ 80.050512][ T5111] _raw_spin_lock_irqsave+0xd5/0x120 [ 80.052960][ T5111] lock_timer_base+0x112/0x240 [ 80.054919][ T5111] __mod_timer+0x1ca/0xeb0 [ 80.056840][ T5111] queue_delayed_work_on+0x1ca/0x390 [ 80.059145][ T5111] kvfree_call_rcu+0x47f/0x790 [ 80.060988][ T5111] pwq_release_workfn+0x664/0x800 [ 80.063519][ T5111] kthread_worker_fn+0x500/0xb70 [ 80.065872][ T5111] kthread+0x2f0/0x390 [ 80.067945][ T5111] ret_from_fork+0x4b/0x80 [ 80.070069][ T5111] ret_from_fork_asm+0x1a/0x30 [ 80.071963][ T5111] [ 80.071963][ T5111] -> #0 (krc.lock){..-.}-{2:2}: [ 80.074595][ T5111] validate_chain+0x18ef/0x5920 [ 80.076662][ T5111] __lock_acquire+0x1384/0x2050 [ 80.078775][ T5111] lock_acquire+0x1ed/0x550 [ 80.080625][ T5111] _raw_spin_lock+0x2e/0x40 [ 80.082988][ T5111] kvfree_call_rcu+0x18a/0x790 [ 80.085797][ T5111] trie_delete_elem+0x546/0x6a0 [ 80.088423][ T5111] bpf_prog_2e5e7763945ac34e+0x45/0x49 [ 80.090788][ T5111] bpf_trace_run2+0x2ec/0x540 [ 80.092825][ T5111] __traceiter_timer_start+0x75/0xc0 [ 80.095019][ T5111] enqueue_timer+0x3ce/0x570 [ 80.097039][ T5111] __mod_timer+0xa0e/0xeb0 [ 80.098953][ T5111] sk_reset_timer+0x23/0xc0 [ 80.101402][ T5111] tipc_sk_finish_conn+0x16b/0x820 [ 80.104337][ T5111] tipc_socketpair+0x25c/0x4b0 [ 80.106403][ T5111] __sys_socketpair+0x40f/0x720 [ 80.108376][ T5111] __x64_sys_socketpair+0x9b/0xb0 [ 80.110461][ T5111] do_syscall_64+0xf3/0x230 [ 80.112418][ T5111] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.115400][ T5111] [ 80.115400][ T5111] other info that might help us debug this: [ 80.115400][ T5111] [ 80.120328][ T5111] Possible unsafe locking scenario: [ 80.120328][ T5111] [ 80.123115][ T5111] CPU0 CPU1 [ 80.124865][ T5111] ---- ---- [ 80.126900][ T5111] lock(&base->lock); [ 80.128496][ T5111] lock(krc.lock); [ 80.131389][ T5111] lock(&base->lock); [ 80.134935][ T5111] lock(krc.lock); [ 80.136769][ T5111] [ 80.136769][ T5111] *** DEADLOCK *** [ 80.136769][ T5111] [ 80.139980][ T5111] 2 locks held by syz.0.0/5111: [ 80.141915][ T5111] #0: ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 80.145294][ T5111] #1: ffffffff8e937de0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 [ 80.149401][ T5111] [ 80.149401][ T5111] stack backtrace: [ 80.152191][ T5111] CPU: 0 UID: 0 PID: 5111 Comm: syz.0.0 Not tainted 6.12.0-rc3-syzkaller-00183-g6efbea77b390 #0 [ 80.156671][ T5111] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 80.160641][ T5111] Call Trace: [ 80.161935][ T5111] [ 80.163110][ T5111] dump_stack_lvl+0x241/0x360 [ 80.165143][ T5111] ? __pfx_dump_stack_lvl+0x10/0x10 [ 80.167758][ T5111] ? __pfx__printk+0x10/0x10 [ 80.170480][ T5111] print_circular_bug+0x13a/0x1b0 [ 80.172622][ T5111] check_noncircular+0x36a/0x4a0 [ 80.174453][ T5111] ? __pfx_check_noncircular+0x10/0x10 [ 80.176426][ T5111] ? lockdep_lock+0x123/0x2b0 [ 80.178213][ T5111] ? mark_lock+0x9a/0x360 [ 80.179828][ T5111] validate_chain+0x18ef/0x5920 [ 80.181883][ T5111] ? __pfx_validate_chain+0x10/0x10 [ 80.184194][ T5111] ? stack_depot_save_flags+0x6e4/0x830 [ 80.186566][ T5111] ? do_raw_spin_lock+0x14f/0x370 [ 80.188357][ T5111] ? __pfx_lock_release+0x10/0x10 [ 80.190353][ T5111] ? do_raw_spin_unlock+0x58/0x8b0 [ 80.192330][ T5111] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 80.194613][ T5111] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 80.197115][ T5111] ? stack_trace_save+0x118/0x1d0 [ 80.199654][ T5111] ? mark_lock+0x9a/0x360 [ 80.201638][ T5111] __lock_acquire+0x1384/0x2050 [ 80.203814][ T5111] lock_acquire+0x1ed/0x550 [ 80.205524][ T5111] ? kvfree_call_rcu+0x18a/0x790 [ 80.210270][ T5111] ? __pfx_lock_acquire+0x10/0x10 [ 80.212312][ T5111] ? __phys_addr+0xba/0x170 [ 80.215081][ T5111] _raw_spin_lock+0x2e/0x40 [ 80.218165][ T5111] ? kvfree_call_rcu+0x18a/0x790 [ 80.220197][ T5111] kvfree_call_rcu+0x18a/0x790 [ 80.223446][ T5111] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 80.226207][ T5111] ? __pfx_kvfree_call_rcu+0x10/0x10 [ 80.230056][ T5111] ? longest_prefix_match+0x330/0x650 [ 80.232711][ T5111] trie_delete_elem+0x546/0x6a0 [ 80.235101][ T5111] ? bpf_trace_run2+0x1fc/0x540 [ 80.237332][ T5111] bpf_prog_2e5e7763945ac34e+0x45/0x49 [ 80.239764][ T5111] bpf_trace_run2+0x2ec/0x540 [ 80.241868][ T5111] ? __pfx_bpf_trace_run2+0x10/0x10 [ 80.244107][ T5111] ? debug_object_activate+0x3e4/0x510 [ 80.246284][ T5111] ? __pfx_debug_object_activate+0x10/0x10 [ 80.248645][ T5111] ? __pfx___bpf_trace_timer_start+0x10/0x10 [ 80.250961][ T5111] __traceiter_timer_start+0x75/0xc0 [ 80.252959][ T5111] enqueue_timer+0x3ce/0x570 [ 80.254665][ T5111] __mod_timer+0xa0e/0xeb0 [ 80.256339][ T5111] ? __pfx___mod_timer+0x10/0x10 [ 80.258603][ T5111] ? __pfx_lock_acquire+0x10/0x10 [ 80.260619][ T5111] ? net_generic+0x1f/0x240 [ 80.262669][ T5111] ? __pfx_lock_release+0x10/0x10 [ 80.264747][ T5111] sk_reset_timer+0x23/0xc0 [ 80.267328][ T5111] tipc_sk_finish_conn+0x16b/0x820 [ 80.269815][ T5111] tipc_socketpair+0x25c/0x4b0 [ 80.271922][ T5111] __sys_socketpair+0x40f/0x720 [ 80.273800][ T5111] ? __pfx___sys_socketpair+0x10/0x10 [ 80.275876][ T5111] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 80.278129][ T5111] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 80.280312][ T5111] ? do_syscall_64+0x100/0x230 [ 80.282201][ T5111] __x64_sys_socketpair+0x9b/0xb0 [ 80.284317][ T5111] do_syscall_64+0xf3/0x230 [ 80.286495][ T5111] ? clear_bhb_loop+0x35/0x90 [ 80.288525][ T5111] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.290936][ T5111] RIP: 0033:0x7f0c7537dff9 [ 80.292726][ T5111] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 80.300375][ T5111] RSP: 002b:00007f0c76096038 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 [ 80.303975][ T5111] RAX: ffffffffffffffda RBX: 00007f0c75535f80 RCX: 00007f0c7537dff9 [ 80.307234][ T5111] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 000000000000001e [ 80.310197][ T5111] RBP: 00007f0c753f0296 R08: 0000000000000000 R09: 0000000000000000 [ 80.313214][ T5111] R10: 0000000020000940 R11: 0000000000000246 R12: 0000000000000000 [ 80.317279][ T5111] R13: 0000000000000000 R14: 00007f0c75535f80 R15: 00007ffcc25e25e8 [ 80.321215][ T5111]