======================================================
WARNING: possible circular locking dependency detected
5.15.185-syzkaller #0 Not tainted
------------------------------------------------------
syz.2.93/4554 is trying to acquire lock:
ffff8880b9127e78 (krc.lock){..-.}-{2:2}, at: krc_this_cpu_lock kernel/rcu/tree.c:3199 [inline]
ffff8880b9127e78 (krc.lock){..-.}-{2:2}, at: add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3506 [inline]
ffff8880b9127e78 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x186/0x7c0 kernel/rcu/tree.c:3597

but task is already holding lock:
ffff88806139b5b8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&trie->lock){..-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162
       trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467
       bpf_prog_63d1fe5ed215ff41+0xe00/0xf30
       bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
       __bpf_prog_run include/linux/filter.h:628 [inline]
       bpf_prog_run include/linux/filter.h:635 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
       bpf_trace_run3+0x17e/0x320 kernel/trace/bpf_trace.c:1916
       trace_timer_start include/trace/events/timer.h:52 [inline]
       enqueue_timer+0x394/0x520 kernel/time/timer.c:586
       internal_add_timer kernel/time/timer.c:611 [inline]
       __mod_timer+0x8e1/0xd20 kernel/time/timer.c:1062
       addrconf_mod_rs_timer net/ipv6/addrconf.c:328 [inline]
       addrconf_dad_completed+0x918/0xca0 net/ipv6/addrconf.c:4289
       addrconf_dad_work+0xc70/0x1520 net/ipv6/addrconf.c:-1
       process_one_work+0x863/0x1000 kernel/workqueue.c:2310
       worker_thread+0xaa8/0x12a0 kernel/workqueue.c:2457
       kthread+0x436/0x520 kernel/kthread.c:334
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

-> #1 (&base->lock){-.-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162
       lock_timer_base+0x123/0x270 kernel/time/timer.c:946
       __mod_timer+0x117/0xd20 kernel/time/timer.c:1019
       queue_delayed_work_on+0x126/0x1e0 kernel/workqueue.c:1715
       queue_delayed_work include/linux/workqueue.h:527 [inline]
       schedule_delayed_work include/linux/workqueue.h:631 [inline]
       kvfree_call_rcu+0x4a9/0x7c0 kernel/rcu/tree.c:3625
       rtnl_register_internal+0x44e/0x540 net/core/rtnetlink.c:223
       rtnl_register+0x2e/0x70 net/core/rtnetlink.c:273
       ip_rt_init+0x2e0/0x3a0 net/ipv4/route.c:3791
       ip_init+0xa/0x20 net/ipv4/ip_output.c:1749
       inet_init+0x28b/0x3a0 net/ipv4/af_inet.c:2007
       do_one_initcall+0x1ee/0x680 init/main.c:1302
       do_initcall_level+0x137/0x1f0 init/main.c:1375
       do_initcalls+0x4b/0x90 init/main.c:1391
       kernel_init_freeable+0x3ce/0x560 init/main.c:1615
       kernel_init+0x19/0x1b0 init/main.c:1506
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

-> #0 (krc.lock){..-.}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:3053 [inline]
       check_prevs_add kernel/locking/lockdep.c:3172 [inline]
       validate_chain kernel/locking/lockdep.c:3788 [inline]
       __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012
       lock_acquire+0x197/0x3f0 kernel/locking/lockdep.c:5623
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
       krc_this_cpu_lock kernel/rcu/tree.c:3199 [inline]
       add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3506 [inline]
       kvfree_call_rcu+0x186/0x7c0 kernel/rcu/tree.c:3597
       trie_delete_elem+0x58c/0x710 kernel/bpf/lpm_trie.c:-1
       bpf_prog_8c8ab8634bca3061+0x3a/0x99c
       bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
       __bpf_prog_run include/linux/filter.h:628 [inline]
       bpf_prog_run include/linux/filter.h:635 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
       bpf_trace_run3+0x17e/0x320 kernel/trace/bpf_trace.c:1916
       __bpf_trace_kmem_cache_free+0x99/0xc0 include/trace/events/kmem.h:138
       trace_kmem_cache_free include/trace/events/kmem.h:138 [inline]
       kmem_cache_free+0x1e7/0x210 mm/slub.c:3516
       rcu_do_batch kernel/rcu/tree.c:2523 [inline]
       rcu_core+0x962/0x15d0 kernel/rcu/tree.c:2763
       handle_softirqs+0x328/0x820 kernel/softirq.c:576
       __do_softirq kernel/softirq.c:610 [inline]
       invoke_softirq kernel/softirq.c:450 [inline]
       __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
       irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
       instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
       sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
       asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
       finish_lock_switch+0x134/0x280 kernel/sched/core.c:4785
       finish_task_switch+0x12f/0x640 kernel/sched/core.c:4902
       context_switch kernel/sched/core.c:5033 [inline]
       __schedule+0x11c0/0x43b0 kernel/sched/core.c:6376
       schedule+0x11b/0x1e0 kernel/sched/core.c:6459
       freezable_schedule include/linux/freezer.h:172 [inline]
       do_nanosleep+0x1f1/0x760 kernel/time/hrtimer.c:2049
       hrtimer_nanosleep+0x2f7/0x520 kernel/time/hrtimer.c:2102
       __do_sys_clock_nanosleep kernel/time/posix-timers.c:1314 [inline]
       __se_sys_clock_nanosleep+0x2e6/0x370 kernel/time/posix-timers.c:1291
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x66/0xd0

other info that might help us debug this:

Chain exists of:
  krc.lock --> &base->lock --> &trie->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&trie->lock);
                               lock(&base->lock);
                               lock(&trie->lock);
  lock(krc.lock);

 *** DEADLOCK ***

3 locks held by syz.2.93/4554:
 #0: ffffffff8c11c0c0 (rcu_callback){....}-{0:0}, at: rcu_lock_acquire+0x0/0x20
 #1: ffffffff8c11bfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
 #2: ffff88806139b5b8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467

stack backtrace:
CPU: 1 PID: 4554 Comm: syz.2.93 Not tainted 5.15.185-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute 
Engine, BIOS Google 05/07/2025
Call Trace:
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2133
 check_prev_add kernel/locking/lockdep.c:3053 [inline]
 check_prevs_add kernel/locking/lockdep.c:3172 [inline]
 validate_chain kernel/locking/lockdep.c:3788 [inline]
 __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012
 lock_acquire+0x197/0x3f0 kernel/locking/lockdep.c:5623
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
 krc_this_cpu_lock kernel/rcu/tree.c:3199 [inline]
 add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3506 [inline]
 kvfree_call_rcu+0x186/0x7c0 kernel/rcu/tree.c:3597
 trie_delete_elem+0x58c/0x710 kernel/bpf/lpm_trie.c:-1
 bpf_prog_8c8ab8634bca3061+0x3a/0x99c
 bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
 __bpf_prog_run include/linux/filter.h:628 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
 bpf_trace_run3+0x17e/0x320 kernel/trace/bpf_trace.c:1916
 __bpf_trace_kmem_cache_free+0x99/0xc0 include/trace/events/kmem.h:138
 trace_kmem_cache_free include/trace/events/kmem.h:138 [inline]
 kmem_cache_free+0x1e7/0x210 mm/slub.c:3516
 rcu_do_batch kernel/rcu/tree.c:2523 [inline]
 rcu_core+0x962/0x15d0 kernel/rcu/tree.c:2763
 handle_softirqs+0x328/0x820 kernel/softirq.c:576
 __do_softirq kernel/softirq.c:610 [inline]
 invoke_softirq kernel/softirq.c:450 [inline]
 __irq_exit_rcu+0x12f/0x220 kernel/softirq.c:659
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:671
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1108 [inline]
 sysvec_apic_timer_interrupt+0xa0/0xc0 arch/x86/kernel/apic/apic.c:1108
 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:676
RIP: 0010:finish_lock_switch+0x134/0x280 kernel/sched/core.c:4785
Code: be ff ff ff ff e8 2c 0e 4e 08 85 c0 74 4a 4d 85 ff 75 66 0f 1f 44 00 00 48 89 df e8 26 6a 57 08 e8 21 7f 2a 00 fb 48 83 c4 08 <5b> 41 5c 41 5d 41 
5e 41 5f 5d c3 48 89 df e8 99 10 fe ff 43 80 3c
RSP: 0018:ffffc900032df968 EFLAGS: 00000282
RAX: ab6b97d0b18d4c00 RBX: ffff8880b913a300 RCX: ab6b97d0b18d4c00
RDX: dffffc0000000000 RSI: ffffffff8a0b11c0 RDI: ffffffff8a59a740
RBP: 1ffff1101722760b R08: dffffc0000000000 R09: ffffed1017227461
R10: ffffed1017227461 R11: 1ffff11017227460 R12: 1ffff110172275b9
R13: dffffc0000000000 R14: ffff8880b913adc8 R15: 0000000000000000
 finish_task_switch+0x12f/0x640 kernel/sched/core.c:4902
 context_switch kernel/sched/core.c:5033 [inline]
 __schedule+0x11c0/0x43b0 kernel/sched/core.c:6376
 schedule+0x11b/0x1e0 kernel/sched/core.c:6459
 freezable_schedule include/linux/freezer.h:172 [inline]
 do_nanosleep+0x1f1/0x760 kernel/time/hrtimer.c:2049
 hrtimer_nanosleep+0x2f7/0x520 kernel/time/hrtimer.c:2102
 __do_sys_clock_nanosleep kernel/time/posix-timers.c:1314 [inline]
 __se_sys_clock_nanosleep+0x2e6/0x370 kernel/time/posix-timers.c:1291
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7faefed171e5
Code: 24 0c 89 3c 24 48 89 4c 24 18 e8 f6 54 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 8b 74 24 0c 8b 3c 24 b8 e6 00 00 00 0f 05 <44> 89 c7 48 89 04 24 e8 4f 55 ff ff 48 8b 04 24 48 83 c4 28 f7 d8
RSP: 002b:00007ffd9c80b570 EFLAGS: 00000293 ORIG_RAX: 00000000000000e6
RAX: ffffffffffffffda RBX: 00007faefef0bfa0 RCX: 00007faefed171e5
RDX: 00007ffd9c80b5b0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00007faefef0dba0 R08: 0000000000000000 R09: 0015cdb716dfc898
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000015173
R13: 00007ffd9c80b6d0 R14: ffffffffffffffff R15: 00007ffd9c80b6f0
----------------
Code disassembly (best guess):
   0: be ff ff ff ff mov $0xffffffff,%esi
   5: e8 2c 0e 4e 08 call 0x84e0e36
   a: 85 c0 test %eax,%eax
   c: 74 4a je 0x58
   e: 4d 85 ff test %r15,%r15
  11: 75 66 jne 0x79
  13: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
  18: 48 89 df mov %rbx,%rdi
  1b: e8 26 6a 57 08 call 
0x8576a46
  20: e8 21 7f 2a 00 call 0x2a7f46
  25: fb sti
  26: 48 83 c4 08 add $0x8,%rsp
* 2a: 5b pop %rbx <-- trapping instruction
  2b: 41 5c pop %r12
  2d: 41 5d pop %r13
  2f: 41 5e pop %r14
  31: 41 5f pop %r15
  33: 5d pop %rbp
  34: c3 ret
  35: 48 89 df mov %rbx,%rdi
  38: e8 99 10 fe ff call 0xfffe10d6
  3d: 43 rex.XB
  3e: 80 .byte 0x80
  3f: 3c .byte 0x3c