====================================================== WARNING: possible circular locking dependency detected 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0 Not tainted ------------------------------------------------------ sshd/5061 is trying to acquire lock: ffff8880b9529470 (krc.lock){....}-{2:2}, at: krc_this_cpu_lock kernel/rcu/tree.c:2960 [inline] ffff8880b9529470 (krc.lock){....}-{2:2}, at: add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3359 [inline] ffff8880b9529470 (krc.lock){....}-{2:2}, at: kvfree_call_rcu+0x18a/0x790 kernel/rcu/tree.c:3444 but task is already holding lock: ffff88802f1521f8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0x96/0x6a0 kernel/bpf/lpm_trie.c:459 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&trie->lock){..-.}-{2:2}: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 trie_delete_elem+0x96/0x6a0 kernel/bpf/lpm_trie.c:459 bpf_prog_2c29ac5cdc6b1842+0x42/0x46 bpf_dispatcher_nop_func include/linux/bpf.h:1233 [inline] __bpf_prog_run include/linux/filter.h:667 [inline] bpf_prog_run include/linux/filter.h:674 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2396 [inline] bpf_trace_run2+0x2ec/0x530 kernel/trace/bpf_trace.c:2437 trace_timer_start include/trace/events/timer.h:52 [inline] enqueue_timer+0x396/0x550 kernel/time/timer.c:663 internal_add_timer kernel/time/timer.c:688 [inline] __mod_timer+0xa0e/0xeb0 kernel/time/timer.c:1183 dsp_cmx_send+0x21bf/0x2240 drivers/isdn/mISDN/dsp_cmx.c:1839 call_timer_fn+0x17e/0x600 kernel/time/timer.c:1792 expire_timers kernel/time/timer.c:1843 [inline] __run_timers kernel/time/timer.c:2408 [inline] __run_timer_base+0x66a/0x8e0 kernel/time/timer.c:2419 run_timer_base kernel/time/timer.c:2428 [inline] run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2438 __do_softirq+0x2bc/0x943 kernel/softirq.c:554 invoke_softirq kernel/softirq.c:428 [inline] __irq_exit_rcu+0xf2/0x1c0 kernel/softirq.c:633 irq_exit_rcu+0x9/0x30 kernel/softirq.c:645 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 native_safe_halt arch/x86/include/asm/irqflags.h:48 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:86 [inline] acpi_safe_halt+0x21/0x30 drivers/acpi/processor_idle.c:112 acpi_idle_enter+0xe4/0x140 drivers/acpi/processor_idle.c:707 cpuidle_enter_state+0x118/0x490 drivers/cpuidle/cpuidle.c:267 cpuidle_enter+0x5d/0xa0 drivers/cpuidle/cpuidle.c:388 call_cpuidle kernel/sched/idle.c:155 [inline] cpuidle_idle_call kernel/sched/idle.c:236 [inline] do_idle+0x375/0x5d0 kernel/sched/idle.c:332 cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:430 rest_init+0x2e0/0x300 init/main.c:730 arch_call_rest_init+0xe/0x10 init/main.c:831 start_kernel+0x47a/0x500 init/main.c:1077 x86_64_start_reservations+0x2a/0x30 arch/x86/kernel/head64.c:509 x86_64_start_kernel+0x99/0xa0 arch/x86/kernel/head64.c:490 common_startup_64+0x13e/0x147 -> #1 (&base->lock){-.-.}-{2:2}: lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162 lock_timer_base+0x112/0x240 kernel/time/timer.c:1051 __mod_timer+0x1ca/0xeb0 kernel/time/timer.c:1132 queue_delayed_work_on+0x15a/0x260 kernel/workqueue.c:2595 kvfree_call_rcu+0x47f/0x790 kernel/rcu/tree.c:3472 rtnl_register_internal+0x482/0x590 net/core/rtnetlink.c:265 rtnl_register+0x36/0x80 net/core/rtnetlink.c:315 ip_rt_init+0x2f5/0x3a0 net/ipv4/route.c:3719 ip_init+0xe/0x20 net/ipv4/ip_output.c:1664 inet_init+0x3d8/0x580 net/ipv4/af_inet.c:2022 do_one_initcall+0x238/0x830 init/main.c:1241 do_initcall_level+0x157/0x210 init/main.c:1303 do_initcalls+0x3f/0x80 init/main.c:1319 kernel_init_freeable+0x435/0x5d0 init/main.c:1557 kernel_init+0x1d/0x2a0 init/main.c:1446 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243 -> #0 (krc.lock){....}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 krc_this_cpu_lock kernel/rcu/tree.c:2960 [inline] add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3359 [inline] kvfree_call_rcu+0x18a/0x790 kernel/rcu/tree.c:3444 trie_delete_elem+0x52c/0x6a0 bpf_prog_2c29ac5cdc6b1842+0x42/0x46 bpf_dispatcher_nop_func include/linux/bpf.h:1233 [inline] __bpf_prog_run include/linux/filter.h:667 [inline] bpf_prog_run include/linux/filter.h:674 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2396 [inline] bpf_trace_run2+0x2ec/0x530 kernel/trace/bpf_trace.c:2437 trace_timer_start include/trace/events/timer.h:52 [inline] enqueue_timer+0x396/0x550 kernel/time/timer.c:663 __mod_timer+0x953/0xeb0 kernel/time/timer.c:1181 sk_reset_timer+0x23/0xc0 net/core/sock.c:3420 tcp_event_new_data_sent+0x203/0x360 net/ipv4/tcp_output.c:81 tcp_write_xmit+0x1468/0x6100 net/ipv4/tcp_output.c:2799 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:2977 tcp_sendmsg_locked+0x42cc/0x4d00 net/ipv4/tcp.c:1310 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1342 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 call_write_iter include/linux/fs.h:2108 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa84/0xcb0 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 other info that might help us debug this: Chain exists of: krc.lock --> &base->lock --> &trie->lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&trie->lock); lock(&base->lock); lock(&trie->lock); lock(krc.lock); *** DEADLOCK *** 4 locks held by sshd/5061: #0: ffff88807a1d0e98 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline] #0: ffff88807a1d0e98 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x22/0x50 net/ipv4/tcp.c:1341 #1: ffff8880b952a758 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 kernel/time/timer.c:1051 #2: ffffffff8e131920 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:298 [inline] #2: ffffffff8e131920 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:750 [inline] #2: ffffffff8e131920 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2395 [inline] #2: ffffffff8e131920 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x530 kernel/trace/bpf_trace.c:2437 #3: ffff88802f1521f8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0x96/0x6a0 kernel/bpf/lpm_trie.c:459 stack backtrace: CPU: 1 PID: 5061 Comm: sshd Not tainted 6.8.0-syzkaller-05243-g14bb1e8c8d4a #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 check_noncircular+0x36a/0x4a0 kernel/locking/lockdep.c:2187 check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1e4/0x530 kernel/locking/lockdep.c:5754 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154 krc_this_cpu_lock kernel/rcu/tree.c:2960 [inline] add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3359 [inline] kvfree_call_rcu+0x18a/0x790 kernel/rcu/tree.c:3444 trie_delete_elem+0x52c/0x6a0 bpf_prog_2c29ac5cdc6b1842+0x42/0x46 bpf_dispatcher_nop_func include/linux/bpf.h:1233 [inline] __bpf_prog_run include/linux/filter.h:667 [inline] bpf_prog_run include/linux/filter.h:674 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2396 [inline] bpf_trace_run2+0x2ec/0x530 kernel/trace/bpf_trace.c:2437 trace_timer_start include/trace/events/timer.h:52 [inline] enqueue_timer+0x396/0x550 kernel/time/timer.c:663 __mod_timer+0x953/0xeb0 kernel/time/timer.c:1181 sk_reset_timer+0x23/0xc0 net/core/sock.c:3420 tcp_event_new_data_sent+0x203/0x360 net/ipv4/tcp_output.c:81 tcp_write_xmit+0x1468/0x6100 net/ipv4/tcp_output.c:2799 __tcp_push_pending_frames+0x9b/0x360 net/ipv4/tcp_output.c:2977 tcp_sendmsg_locked+0x42cc/0x4d00 net/ipv4/tcp.c:1310 tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1342 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 sock_write_iter+0x2dd/0x400 net/socket.c:1160 call_write_iter include/linux/fs.h:2108 [inline] new_sync_write fs/read_write.c:497 [inline] vfs_write+0xa84/0xcb0 fs/read_write.c:590 ksys_write+0x1a0/0x2c0 fs/read_write.c:643 do_syscall_64+0xfb/0x240 entry_SYSCALL_64_after_hwframe+0x6d/0x75 RIP: 0033:0x7f206c4ffbf2 Code: 89 c7 48 89 44 24 08 e8 7b 34 fa ff 48 8b 44 24 08 48 83 c4 28 c3 c3 64 8b 04 25 18 00 00 00 85 c0 75 20 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 76 6f 48 8b 15 07 a2 0d 00 f7 d8 64 89 02 48 83 RSP: 002b:00007ffdd3386548 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000000008c RCX: 00007f206c4ffbf2 RDX: 000000000000008c RSI: 000055a0d82b6960 RDI: 0000000000000004 RBP: 000055a0d82c4220 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000055a0a5d60aa4 R13: 000000000000003a R14: 000055a0a5d613e8 R15: 00007ffdd33865b8