program: r0 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000002c0)='memory.current\x00', 0x275a, 0x0) r1 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32, @ANYBLOB="0000000000000000b70800000000e7057b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b704000000000000850000000100000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) bpf$PROG_LOAD(0x5, 0x0, 0x0) perf_event_open(&(0x7f0000000340)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1fc, 0x25, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={&(0x7f0000000200), 0x8}, 0x11100, 0x0, 0xfffffffc, 0x0, 0x0, 0x81}, 0x0, 0xafffffffffffffff, 0xffffffffffffffff, 0x0) close(0xffffffffffffffff) setsockopt$sock_attach_bpf(r0, 0x1, 0x32, &(0x7f0000000000)=r1, 0x4) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000180)='memory.events\x00', 0x26e1, 0x0) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000180)=ANY=[@ANYBLOB="0b00000007000000010001000900000001", @ANYRES32=0x0, @ANYRES32, @ANYBLOB='\x00\x00\x00'], 0x48) bpf$MAP_GET_NEXT_KEY(0x2, &(0x7f0000000080)={r2, &(0x7f0000000080), &(0x7f0000000200)=""/166}, 0x20) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="18000000000000000000000067dfb4a518110000", @ANYRES32, @ANYBLOB="0000000000000000b7080000060000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000003"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r2], 0x0, 0x4, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0) r3 = bpf$PROG_LOAD(0x5, &(0x7f00000007c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000880)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='timer_start\x00', r3}, 0x10) socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000940)) [ 68.206653][ T4675] Bluetooth: hci0: command tx timeout [ 68.321202][ C0] hrtimer: interrupt took 30345 ns [ 68.384267][ T5328] [ 68.385141][ T5328] ====================================================== [ 68.387628][ T5328] WARNING: possible circular locking dependency detected [ 68.390190][ T5328] 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 Not tainted [ 68.392791][ T5328] ------------------------------------------------------ [ 68.395426][ T5328] syz.0.0/5328 is trying to acquire lock: [ 68.397548][ T5328] ffff88801fc29430 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x18a/0x790 [ 68.400841][ T5328] [ 68.400841][ T5328] but task is already holding lock: [ 68.403717][ T5328] ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 68.407156][ T5328] [ 68.407156][ T5328] which lock already depends on the new lock. [ 68.407156][ T5328] [ 68.411013][ T5328] [ 68.411013][ T5328] the existing dependency chain (in reverse order) is: [ 68.414395][ T5328] [ 68.414395][ T5328] -> #1 (&base->lock){-.-.}-{2:2}: [ 68.417123][ T5328] lock_acquire+0x1ed/0x550 [ 68.419093][ T5328] _raw_spin_lock_irqsave+0xd5/0x120 [ 68.421294][ T5328] lock_timer_base+0x112/0x240 [ 68.423427][ T5328] __mod_timer+0x1ca/0xeb0 [ 68.425338][ T5328] queue_delayed_work_on+0x1ca/0x390 [ 68.427505][ T5328] kvfree_call_rcu+0x47f/0x790 [ 68.429732][ T5328] pwq_release_workfn+0x664/0x800 [ 68.432135][ T5328] kthread_worker_fn+0x500/0xb70 [ 68.434247][ T5328] kthread+0x2f0/0x390 [ 68.436005][ T5328] ret_from_fork+0x4b/0x80 [ 68.437714][ T5328] ret_from_fork_asm+0x1a/0x30 [ 68.439705][ T5328] [ 68.439705][ T5328] -> #0 (krc.lock){..-.}-{2:2}: [ 68.442248][ T5328] validate_chain+0x18ef/0x5920 [ 68.444335][ T5328] __lock_acquire+0x1384/0x2050 [ 68.446334][ T5328] lock_acquire+0x1ed/0x550 [ 68.448112][ T5328] _raw_spin_lock+0x2e/0x40 [ 68.449998][ T5328] kvfree_call_rcu+0x18a/0x790 [ 68.451922][ T5328] trie_delete_elem+0x546/0x6a0 [ 68.453955][ T5328] bpf_prog_ae0c3e605f35524c+0x46/0x4a [ 68.456200][ T5328] bpf_trace_run2+0x2ec/0x540 [ 68.458224][ T5328] enqueue_timer+0x3ce/0x570 [ 68.460205][ T5328] __mod_timer+0xa0e/0xeb0 [ 68.462016][ T5328] sk_reset_timer+0x23/0xc0 [ 68.463974][ T5328] tipc_sk_finish_conn+0x16b/0x820 [ 68.466082][ T5328] tipc_socketpair+0x25c/0x4b0 [ 68.468051][ T5328] __sys_socketpair+0x40f/0x720 [ 68.470059][ T5328] __x64_sys_socketpair+0x9b/0xb0 [ 68.472173][ T5328] do_syscall_64+0xf3/0x230 [ 68.474010][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.476428][ T5328] [ 68.476428][ T5328] other info that might help us debug this: [ 68.476428][ T5328] [ 68.480296][ T5328] Possible unsafe locking scenario: [ 68.480296][ T5328] [ 68.483099][ T5328] CPU0 CPU1 [ 68.485543][ T5328] ---- ---- [ 68.487649][ T5328] lock(&base->lock); [ 68.489294][ T5328] lock(krc.lock); [ 68.491614][ T5328] lock(&base->lock); [ 68.494173][ T5328] lock(krc.lock); [ 68.495739][ T5328] [ 68.495739][ T5328] *** DEADLOCK *** [ 68.495739][ T5328] [ 68.498787][ T5328] 2 locks held by syz.0.0/5328: [ 68.500490][ T5328] #0: ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 68.503805][ T5328] #1: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 [ 68.507108][ T5328] [ 68.507108][ T5328] stack backtrace: [ 68.509176][ T5328] CPU: 0 UID: 0 PID: 5328 Comm: syz.0.0 Not tainted 6.12.0-rc7-syzkaller-00212-g4a5df3796467 #0 [ 68.512983][ T5328] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.516871][ T5328] Call Trace: [ 68.518164][ T5328] [ 68.519333][ T5328] dump_stack_lvl+0x241/0x360 [ 68.521158][ T5328] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.523173][ T5328] ? __pfx__printk+0x10/0x10 [ 68.524997][ T5328] print_circular_bug+0x13a/0x1b0 [ 68.526933][ T5328] check_noncircular+0x36a/0x4a0 [ 68.528751][ T5328] ? __pfx_check_noncircular+0x10/0x10 [ 68.530903][ T5328] ? lockdep_lock+0x123/0x2b0 [ 68.532637][ T5328] ? __bfs+0x368/0x6f0 [ 68.534259][ T5328] ? __pfx_validate_chain+0x10/0x10 [ 68.536173][ T5328] ? lockdep_unlock+0x16a/0x300 [ 68.538066][ T5328] validate_chain+0x18ef/0x5920 [ 68.539971][ T5328] ? __pfx_validate_chain+0x10/0x10 [ 68.541889][ T5328] ? mark_lock+0x9a/0x360 [ 68.543560][ T5328] ? __lock_acquire+0x1384/0x2050 [ 68.545459][ T5328] ? mark_lock+0x9a/0x360 [ 68.547058][ T5328] ? mark_lock+0x9a/0x360 [ 68.548595][ T5328] __lock_acquire+0x1384/0x2050 [ 68.550497][ T5328] lock_acquire+0x1ed/0x550 [ 68.552169][ T5328] ? kvfree_call_rcu+0x18a/0x790 [ 68.553968][ T5328] ? __pfx_lock_acquire+0x10/0x10 [ 68.555846][ T5328] ? debug_object_active_state+0x239/0x360 [ 68.558007][ T5328] ? __pfx_debug_object_active_state+0x10/0x10 [ 68.560369][ T5328] ? __virt_addr_valid+0x183/0x530 [ 68.562295][ T5328] ? __virt_addr_valid+0x183/0x530 [ 68.564268][ T5328] ? __virt_addr_valid+0x45f/0x530 [ 68.566318][ T5328] ? __phys_addr+0xba/0x170 [ 68.568026][ T5328] _raw_spin_lock+0x2e/0x40 [ 68.569732][ T5328] ? kvfree_call_rcu+0x18a/0x790 [ 68.571575][ T5328] kvfree_call_rcu+0x18a/0x790 [ 68.573444][ T5328] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 68.575685][ T5328] ? __pfx_kvfree_call_rcu+0x10/0x10 [ 68.577746][ T5328] ? longest_prefix_match+0x49f/0x650 [ 68.579803][ T5328] trie_delete_elem+0x546/0x6a0 [ 68.581619][ T5328] ? bpf_trace_run2+0x1fc/0x540 [ 68.583482][ T5328] bpf_prog_ae0c3e605f35524c+0x46/0x4a [ 68.585592][ T5328] bpf_trace_run2+0x2ec/0x540 [ 68.587358][ T5328] ? __pfx_bpf_trace_run2+0x10/0x10 [ 68.589296][ T5328] ? __pfx_debug_object_activate+0x10/0x10 [ 68.591452][ T5328] ? __lock_acquire+0x1384/0x2050 [ 68.593405][ T5328] enqueue_timer+0x3ce/0x570 [ 68.595116][ T5328] __mod_timer+0xa0e/0xeb0 [ 68.596827][ T5328] ? __pfx___mod_timer+0x10/0x10 [ 68.598671][ T5328] ? __pfx_lock_acquire+0x10/0x10 [ 68.600435][ T5328] ? net_generic+0x1f/0x240 [ 68.602290][ T5328] ? __pfx_lock_release+0x10/0x10 [ 68.604209][ T5328] sk_reset_timer+0x23/0xc0 [ 68.605987][ T5328] tipc_sk_finish_conn+0x16b/0x820 [ 68.607918][ T5328] tipc_socketpair+0x25c/0x4b0 [ 68.609705][ T5328] __sys_socketpair+0x40f/0x720 [ 68.611546][ T5328] ? __pfx___sys_socketpair+0x10/0x10 [ 68.613762][ T5328] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 68.616056][ T5328] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.618375][ T5328] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 68.620787][ T5328] ? __irq_exit_rcu+0x100/0x1c0 [ 68.622664][ T5328] __x64_sys_socketpair+0x9b/0xb0 [ 68.624540][ T5328] do_syscall_64+0xf3/0x230 [ 68.626282][ T5328] ? clear_bhb_loop+0x35/0x90 [ 68.627996][ T5328] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.630250][ T5328] RIP: 0033:0x7f8f52b7e719 [ 68.631956][ T5328] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.639112][ T5328] RSP: 002b:00007f8f539d8038 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 [ 68.642240][ T5328] RAX: ffffffffffffffda RBX: 00007f8f52d35f80 RCX: 00007f8f52b7e719 [ 68.645304][ T5328] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 000000000000001e [ 68.648246][ T5328] RBP: 00007f8f52bf175e R08: 0000000000000000 R09: 0000000000000000 [ 68.650951][ T5328] R10: 0000000020000940 R11: 0000000000000246 R12: 0000000000000000 [ 68.653336][ T5328] R13: 0000000000000000 R14: 00007f8f52d35f80 R15: 00007ffcf84ab018 [ 68.656204][ T5328]