======================================================
WARNING: possible circular locking dependency detected
6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0 Not tainted
------------------------------------------------------
syz-executor.4/5848 is trying to acquire lock:
ffff8880b9229558 (krc.lock){..-.}-{2:2}, at: krc_this_cpu_lock kernel/rcu/tree.c:3298 [inline]
ffff8880b9229558 (krc.lock){..-.}-{2:2}, at: add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3697 [inline]
ffff8880b9229558 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0xda/0xbe0 kernel/rcu/tree.c:3782
but task is already holding lock:
ffff8880b922a858 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x5d/0x220 kernel/time/timer.c:1051
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&base->lock){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
lock_timer_base+0x5d/0x220 kernel/time/timer.c:1051
__mod_timer+0x426/0xdc0 kernel/time/timer.c:1132
add_timer_global+0x8a/0xc0 kernel/time/timer.c:1330
__queue_delayed_work+0x1ba/0x2e0 kernel/workqueue.c:2543
queue_delayed_work_on+0x12a/0x150 kernel/workqueue.c:2572
kvfree_call_rcu+0x749/0xbe0 kernel/rcu/tree.c:3810
rtnl_register_internal+0x343/0x670 net/core/rtnetlink.c:265
rtnl_register+0x34/0x80 net/core/rtnetlink.c:315
ip_rt_init+0x34a/0x450 net/ipv4/route.c:3696
ip_init+0xe/0x20 net/ipv4/ip_output.c:1663
inet_init+0x3f0/0x6f0 net/ipv4/af_inet.c:1983
do_one_initcall+0x12b/0x700 init/main.c:1267
do_initcall_level init/main.c:1329 [inline]
do_initcalls init/main.c:1345 [inline]
do_basic_setup init/main.c:1364 [inline]
kernel_init_freeable+0x69d/0xca0 init/main.c:1578
kernel_init+0x1c/0x2b0 init/main.c:1467
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
-> #0 (krc.lock){..-.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
krc_this_cpu_lock kernel/rcu/tree.c:3298 [inline]
add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3697 [inline]
kvfree_call_rcu+0xda/0xbe0 kernel/rcu/tree.c:3782
trie_delete_elem+0x5c5/0x820 kernel/bpf/lpm_trie.c:540
bpf_prog_2c29ac5cdc6b1842+0x42/0x4a
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline]
bpf_trace_run2+0x234/0x590 kernel/trace/bpf_trace.c:2444
__bpf_trace_timer_start+0xc7/0x100 include/trace/events/timer.h:52
trace_timer_start include/trace/events/timer.h:52 [inline]
enqueue_timer+0x2b4/0x550 kernel/time/timer.c:663
internal_add_timer kernel/time/timer.c:688 [inline]
__mod_timer+0x8d7/0xdc0 kernel/time/timer.c:1183
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
handle_softirqs+0x219/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
stack_access_ok+0xfc/0x270 arch/x86/kernel/unwind_orc.c:398
deref_stack_reg arch/x86/kernel/unwind_orc.c:403 [inline]
unwind_next_frame+0xd9b/0x23a0 arch/x86/kernel/unwind_orc.c:585
arch_stack_walk+0x100/0x170 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122
save_stack+0x162/0x1f0 mm/page_owner.c:156
__reset_page_owner+0x8d/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1088 [inline]
free_unref_folios+0x991/0x1310 mm/page_alloc.c:2632
folios_put_refs+0x487/0x6d0 mm/swap.c:1024
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x5a1/0x1160 mm/shmem.c:1005
shmem_truncate_range mm/shmem.c:1114 [inline]
shmem_evict_inode+0x3a3/0xbb0 mm/shmem.c:1242
evict+0x2f0/0x6c0 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
iput+0x5c/0x80 fs/inode.c:1757
dentry_unlink_inode+0x295/0x480 fs/dcache.c:400
__dentry_kill+0x1d0/0x600 fs/dcache.c:603
dput.part.0+0x4b1/0x9b0 fs/dcache.c:845
dput+0x1f/0x30 fs/dcache.c:835
__fput+0x54e/0xbb0 fs/file_table.c:430
task_work_run+0x151/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa9b/0x2ba0 kernel/exit.c:874
do_group_exit+0xd3/0x2a0 kernel/exit.c:1023
get_signal+0x2616/0x2710 kernel/signal.c:2909
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&base->lock);
                               lock(krc.lock);
                               lock(&base->lock);
  lock(krc.lock);
*** DEADLOCK ***
4 locks held by syz-executor.4/5848:
#0: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#0: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
#0: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: page_ext_get+0x34/0x310 mm/page_ext.c:521
#1: ffffc90000007cb0 ((&app->join_timer)){+.-.}-{0:0}, at: call_timer_fn+0x11a/0x610 kernel/time/timer.c:1789
#2: ffff8880b922a858 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x5d/0x220 kernel/time/timer.c:1051
#3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
#3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
#3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2402 [inline]
#3: ffffffff8dbb5be0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1c2/0x590 kernel/trace/bpf_trace.c:2444
stack backtrace:
CPU: 0 PID: 5848 Comm: syz-executor.4 Not tainted 6.10.0-rc3-syzkaller-00044-g2ccbdf43d5e7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2187
check_prev_add kernel/locking/lockdep.c:3134 [inline]
check_prevs_add kernel/locking/lockdep.c:3253 [inline]
validate_chain kernel/locking/lockdep.c:3869 [inline]
__lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
lock_acquire kernel/locking/lockdep.c:5754 [inline]
lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
krc_this_cpu_lock kernel/rcu/tree.c:3298 [inline]
add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3697 [inline]
kvfree_call_rcu+0xda/0xbe0 kernel/rcu/tree.c:3782
trie_delete_elem+0x5c5/0x820 kernel/bpf/lpm_trie.c:540
bpf_prog_2c29ac5cdc6b1842+0x42/0x4a
bpf_dispatcher_nop_func include/linux/bpf.h:1243 [inline]
__bpf_prog_run include/linux/filter.h:691 [inline]
bpf_prog_run include/linux/filter.h:698 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2403 [inline]
bpf_trace_run2+0x234/0x590 kernel/trace/bpf_trace.c:2444
__bpf_trace_timer_start+0xc7/0x100 include/trace/events/timer.h:52
trace_timer_start include/trace/events/timer.h:52 [inline]
enqueue_timer+0x2b4/0x550 kernel/time/timer.c:663
internal_add_timer kernel/time/timer.c:688 [inline]
__mod_timer+0x8d7/0xdc0 kernel/time/timer.c:1183
call_timer_fn+0x1a3/0x610 kernel/time/timer.c:1792
expire_timers kernel/time/timer.c:1843 [inline]
__run_timers+0x74b/0xaf0 kernel/time/timer.c:2417
__run_timer_base kernel/time/timer.c:2428 [inline]
__run_timer_base kernel/time/timer.c:2421 [inline]
run_timer_base+0x111/0x190 kernel/time/timer.c:2437
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2447
handle_softirqs+0x219/0x8f0 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu kernel/softirq.c:637 [inline]
irq_exit_rcu+0xbb/0x120 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
sysvec_apic_timer_interrupt+0x95/0xb0 arch/x86/kernel/apic/apic.c:1043
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:stack_access_ok+0xfc/0x270 arch/x86/kernel/unwind_orc.c:398
Code: 8b 73 28 48 89 da 48 89 ef e8 20 bd f3 ff 31 ff 41 89 c6 89 c6 e8 34 54 52 00 45 85 f6 74 1e 45 31 f6 e8 27 59 52 00 44 89 f0 <48> 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f e9 7c 6b d3 09 e8 0c 59
RSP: 0018:ffffc90015daefb8 EFLAGS: 00000293
RAX: 0000000000000001 RBX: ffffc90015daf080 RCX: ffffffff813cd516
RDX: ffff88801e915a00 RSI: ffffffff813cd579 RDI: 0000000000000005
RBP: ffffc90015daf2b8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffc90015daf088
R13: ffffc90015daf090 R14: 0000000000000001 R15: ffffc90015db0000
deref_stack_reg arch/x86/kernel/unwind_orc.c:403 [inline]
unwind_next_frame+0xd9b/0x23a0 arch/x86/kernel/unwind_orc.c:585
arch_stack_walk+0x100/0x170 arch/x86/kernel/stacktrace.c:25
stack_trace_save+0x95/0xd0 kernel/stacktrace.c:122
save_stack+0x162/0x1f0 mm/page_owner.c:156
__reset_page_owner+0x8d/0x400 mm/page_owner.c:297
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1088 [inline]
free_unref_folios+0x991/0x1310 mm/page_alloc.c:2632
folios_put_refs+0x487/0x6d0 mm/swap.c:1024
folio_batch_release include/linux/pagevec.h:101 [inline]
shmem_undo_range+0x5a1/0x1160 mm/shmem.c:1005
shmem_truncate_range mm/shmem.c:1114 [inline]
shmem_evict_inode+0x3a3/0xbb0 mm/shmem.c:1242
evict+0x2f0/0x6c0 fs/inode.c:667
iput_final fs/inode.c:1741 [inline]
iput.part.0+0x5a8/0x7f0 fs/inode.c:1767
iput+0x5c/0x80 fs/inode.c:1757
dentry_unlink_inode+0x295/0x480 fs/dcache.c:400
__dentry_kill+0x1d0/0x600 fs/dcache.c:603
dput.part.0+0x4b1/0x9b0 fs/dcache.c:845
dput+0x1f/0x30 fs/dcache.c:835
__fput+0x54e/0xbb0 fs/file_table.c:430
task_work_run+0x151/0x250 kernel/task_work.c:180
exit_task_work include/linux/task_work.h:38 [inline]
do_exit+0xa9b/0x2ba0 kernel/exit.c:874
do_group_exit+0xd3/0x2a0 kernel/exit.c:1023
get_signal+0x2616/0x2710 kernel/signal.c:2909
arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:310
exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
__syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
syscall_exit_to_user_mode+0x14a/0x2a0 kernel/entry/common.c:218
do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa0b467cea9
Code: Unable to access opcode bytes at 0x7fa0b467ce7f.
RSP: 002b:00007fa0b53ff0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
RAX: 0000000000010106 RBX: 00007fa0b47b4050 RCX: 00007fa0b467cea9
RDX: 0000000000010106 RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 00007fa0b46ebff4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000002 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000006e R14: 00007fa0b47b4050 R15: 00007fff10fbfa08
----------------
Code disassembly (best guess):
0: 8b 73 28 mov 0x28(%rbx),%esi
3: 48 89 da mov %rbx,%rdx
6: 48 89 ef mov %rbp,%rdi
9: e8 20 bd f3 ff call 0xfff3bd2e
e: 31 ff xor %edi,%edi
10: 41 89 c6 mov %eax,%r14d
13: 89 c6 mov %eax,%esi
15: e8 34 54 52 00 call 0x52544e
1a: 45 85 f6 test %r14d,%r14d
1d: 74 1e je 0x3d
1f: 45 31 f6 xor %r14d,%r14d
22: e8 27 59 52 00 call 0x52594e
27: 44 89 f0 mov %r14d,%eax
* 2a: 48 83 c4 10 add $0x10,%rsp <-- trapping instruction
2e: 5b pop %rbx
2f: 5d pop %rbp
30: 41 5c pop %r12
32: 41 5d pop %r13
34: 41 5e pop %r14
36: 41 5f pop %r15
38: e9 7c 6b d3 09 jmp 0x9d36bb9
3d: e8 .byte 0xe8
3e: 0c 59 or $0x59,%al