program: bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0) bpf$PROG_LOAD(0x2, 0x0, 0x0) bpf$MAP_CREATE(0x0, 0x0, 0x0) openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x7a05, 0x1700) r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000640)=@base={0x16, 0x0, 0x4, 0xff, 0x0, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SIOCSIFHWADDR(r1, 0x8924, &(0x7f0000000000)={'bridge_slave_0\x00', @random="010000201000"}) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000000000000b704000000000000850000005700000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, 0x0, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000100)='kmem_cache_free\x00', r2}, 0x10) bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000008000000000000000000018110000", @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000058"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) r3 = bpf$MAP_CREATE(0x0, &(0x7f00000008c0)=@base={0xb, 0x8, 0xc, 0xffffffff, 0x1, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50) bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0), &(0x7f0000000140), 0x5, r3}, 0x38) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000080b704000000000000850000000300000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) r4 = bpf$PROG_LOAD(0x5, &(0x7f00000007c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000880)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='timer_start\x00', r4}, 0x10) bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x9, 0x4, 0x8, 0x8, 0x14e, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48) socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000940)) r5 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000740)={&(0x7f0000000300)='sched_switch\x00', r5}, 0x10) 
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SIOCSIFHWADDR(r6, 0x8914, &(0x7f0000000000)={'veth0_vlan\x00', @remote}) perf_event_open(&(0x7f0000000500)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0x20, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400000, 0x0, @perf_config_ext, 0x105c34}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SIOCSIFHWADDR(r7, 0x8914, &(0x7f0000000000)={'veth0_vlan\x00', @random="0106002010ff"}) [ 58.894884][ T5322] [ 58.895860][ T5322] ====================================================== [ 58.898286][ T5322] WARNING: possible circular locking dependency detected [ 58.900508][ T5322] 6.12.0-rc6-syzkaller-00110-gff7afaeca1a1 #0 Not tainted [ 58.902879][ T5322] ------------------------------------------------------ [ 58.905448][ T5322] syz.0.0/5322 is trying to acquire lock: [ 58.907467][ T5322] ffff88801fc29430 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x18a/0x790 [ 58.910493][ T5322] [ 58.910493][ T5322] but task is already holding lock: [ 58.913192][ T5322] ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 58.916476][ T5322] [ 58.916476][ T5322] which lock already depends on the new lock. 
[ 58.916476][ T5322] [ 58.920442][ T5322] [ 58.920442][ T5322] the existing dependency chain (in reverse order) is: [ 58.923761][ T5322] [ 58.923761][ T5322] -> #1 (&base->lock){-.-.}-{2:2}: [ 58.926612][ T5322] lock_acquire+0x1ed/0x550 [ 58.928556][ T5322] _raw_spin_lock_irqsave+0xd5/0x120 [ 58.930796][ T5322] lock_timer_base+0x112/0x240 [ 58.932781][ T5322] __mod_timer+0x1ca/0xeb0 [ 58.934673][ T5322] queue_delayed_work_on+0x1ca/0x390 [ 58.936842][ T5322] kvfree_call_rcu+0x47f/0x790 [ 58.938731][ T5322] pwq_release_workfn+0x664/0x800 [ 58.940648][ T5322] kthread_worker_fn+0x500/0xb70 [ 58.942452][ T5322] kthread+0x2f0/0x390 [ 58.944056][ T5322] ret_from_fork+0x4b/0x80 [ 58.945790][ T5322] ret_from_fork_asm+0x1a/0x30 [ 58.947797][ T5322] [ 58.947797][ T5322] -> #0 (krc.lock){..-.}-{2:2}: [ 58.950364][ T5322] validate_chain+0x18ef/0x5920 [ 58.952335][ T5322] __lock_acquire+0x1384/0x2050 [ 58.954220][ T5322] lock_acquire+0x1ed/0x550 [ 58.956029][ T5322] _raw_spin_lock+0x2e/0x40 [ 58.957883][ T5322] kvfree_call_rcu+0x18a/0x790 [ 58.959918][ T5322] trie_delete_elem+0x546/0x6a0 [ 58.962088][ T5322] bpf_prog_2e5e7763945ac34e+0x45/0x49 [ 58.964468][ T5322] bpf_trace_run2+0x2ec/0x540 [ 58.966424][ T5322] enqueue_timer+0x3ce/0x570 [ 58.968395][ T5322] __mod_timer+0xa0e/0xeb0 [ 58.970368][ T5322] sk_reset_timer+0x23/0xc0 [ 58.972354][ T5322] tipc_sk_finish_conn+0x16b/0x820 [ 58.974528][ T5322] tipc_socketpair+0x25c/0x4b0 [ 58.976447][ T5322] __sys_socketpair+0x40f/0x720 [ 58.978197][ T5322] __x64_sys_socketpair+0x9b/0xb0 [ 58.980329][ T5322] do_syscall_64+0xf3/0x230 [ 58.982281][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 58.984762][ T5322] [ 58.984762][ T5322] other info that might help us debug this: [ 58.984762][ T5322] [ 58.988565][ T5322] Possible unsafe locking scenario: [ 58.988565][ T5322] [ 58.991493][ T5322] CPU0 CPU1 [ 58.993558][ T5322] ---- ---- [ 58.995533][ T5322] lock(&base->lock); [ 58.997099][ T5322] lock(krc.lock); [ 58.999530][ T5322] 
lock(&base->lock); [ 59.001973][ T5322] lock(krc.lock); [ 59.003497][ T5322] [ 59.003497][ T5322] *** DEADLOCK *** [ 59.003497][ T5322] [ 59.006674][ T5322] 2 locks held by syz.0.0/5322: [ 59.008576][ T5322] #0: ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 59.011963][ T5322] #1: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 [ 59.015414][ T5322] [ 59.015414][ T5322] stack backtrace: [ 59.017678][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.12.0-rc6-syzkaller-00110-gff7afaeca1a1 #0 [ 59.021329][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.025311][ T5322] Call Trace: [ 59.026596][ T5322] <TASK> [ 59.027727][ T5322] dump_stack_lvl+0x241/0x360 [ 59.029591][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.031572][ T5322] ? __pfx__printk+0x10/0x10 [ 59.033280][ T5322] print_circular_bug+0x13a/0x1b0 [ 59.035176][ T5322] check_noncircular+0x36a/0x4a0 [ 59.036890][ T5322] ? __pfx_check_noncircular+0x10/0x10 [ 59.038820][ T5322] ? lockdep_lock+0x123/0x2b0 [ 59.040503][ T5322] ? mark_lock+0x9a/0x360 [ 59.041966][ T5322] validate_chain+0x18ef/0x5920 [ 59.043699][ T5322] ? __pfx_validate_chain+0x10/0x10 [ 59.045506][ T5322] ? stack_depot_save_flags+0x6e4/0x830 [ 59.047313][ T5322] ? do_raw_spin_lock+0x14f/0x370 [ 59.048990][ T5322] ? __pfx_lock_release+0x10/0x10 [ 59.051001][ T5322] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.052996][ T5322] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.055161][ T5322] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.057528][ T5322] ? stack_trace_save+0x118/0x1d0 [ 59.059381][ T5322] ? mark_lock+0x9a/0x360 [ 59.061135][ T5322] __lock_acquire+0x1384/0x2050 [ 59.063023][ T5322] lock_acquire+0x1ed/0x550 [ 59.064830][ T5322] ? kvfree_call_rcu+0x18a/0x790 [ 59.066755][ T5322] ? __pfx_lock_acquire+0x10/0x10 [ 59.068669][ T5322] ? __phys_addr+0xba/0x170 [ 59.070424][ T5322] _raw_spin_lock+0x2e/0x40 [ 59.072174][ T5322] ? 
kvfree_call_rcu+0x18a/0x790 [ 59.073930][ T5322] kvfree_call_rcu+0x18a/0x790 [ 59.075472][ T5322] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.077325][ T5322] ? __pfx_kvfree_call_rcu+0x10/0x10 [ 59.079021][ T5322] ? longest_prefix_match+0x330/0x650 [ 59.080931][ T5322] trie_delete_elem+0x546/0x6a0 [ 59.082603][ T5322] ? bpf_trace_run2+0x1fc/0x540 [ 59.084486][ T5322] bpf_prog_2e5e7763945ac34e+0x45/0x49 [ 59.086449][ T5322] bpf_trace_run2+0x2ec/0x540 [ 59.088247][ T5322] ? __pfx_bpf_trace_run2+0x10/0x10 [ 59.090134][ T5322] ? __pfx_debug_object_activate+0x10/0x10 [ 59.092288][ T5322] ? __lock_acquire+0x1384/0x2050 [ 59.093962][ T5322] enqueue_timer+0x3ce/0x570 [ 59.095610][ T5322] __mod_timer+0xa0e/0xeb0 [ 59.097088][ T5322] ? __pfx___mod_timer+0x10/0x10 [ 59.098928][ T5322] ? __pfx_lock_acquire+0x10/0x10 [ 59.100921][ T5322] ? net_generic+0x1f/0x240 [ 59.102665][ T5322] ? __pfx_lock_release+0x10/0x10 [ 59.104588][ T5322] sk_reset_timer+0x23/0xc0 [ 59.106397][ T5322] tipc_sk_finish_conn+0x16b/0x820 [ 59.108389][ T5322] tipc_socketpair+0x25c/0x4b0 [ 59.110239][ T5322] __sys_socketpair+0x40f/0x720 [ 59.112085][ T5322] ? __pfx___sys_socketpair+0x10/0x10 [ 59.114061][ T5322] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 59.116454][ T5322] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 59.118967][ T5322] ? do_syscall_64+0x100/0x230 [ 59.120858][ T5322] __x64_sys_socketpair+0x9b/0xb0 [ 59.122759][ T5322] do_syscall_64+0xf3/0x230 [ 59.124445][ T5322] ? 
clear_bhb_loop+0x35/0x90 [ 59.126259][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.128515][ T5322] RIP: 0033:0x7f1e5957e719 [ 59.130264][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 59.137650][ T5322] RSP: 002b:00007f1e5a2a0038 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 [ 59.140946][ T5322] RAX: ffffffffffffffda RBX: 00007f1e59735f80 RCX: 00007f1e5957e719 [ 59.143870][ T5322] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 000000000000001e [ 59.146446][ T5322] RBP: 00007f1e595f139e R08: 0000000000000000 R09: 0000000000000000 [ 59.149465][ T5322] R10: 0000000020000940 R11: 0000000000000246 R12: 0000000000000000 [ 59.152220][ T5322] R13: 0000000000000000 R14: 00007f1e59735f80 R15: 00007ffdcdf036f8 [ 59.154942][ T5322] </TASK> [ 59.157810][ T4670] Bluetooth: hci0: command tx timeout [ 59.170405][ T5322] veth0_vlan: entered allmulticast mode [ 59.196246][ C0] hrtimer: interrupt took 38190 ns [ 59.232714][ T5322] veth0_vlan: left promiscuous mode [ 59.353822][ T5322] veth0_vlan: entered promiscuous mode