======================================================
WARNING: possible circular locking dependency detected
6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0 Not tainted
------------------------------------------------------
kworker/u32:3/62 is trying to acquire lock:
ffff88806b329558 (krc.lock){..-.}-{2:2}, at: krc_this_cpu_lock kernel/rcu/tree.c:2960 [inline]
ffff88806b329558 (krc.lock){..-.}-{2:2}, at: add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3359 [inline]
ffff88806b329558 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0xda/0xbe0 kernel/rcu/tree.c:3444

but task is already holding lock:
ffff888029a569f8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0xb0/0x7e0 kernel/bpf/lpm_trie.c:451

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&trie->lock){..-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
       trie_delete_elem+0xb0/0x7e0 kernel/bpf/lpm_trie.c:451
       ___bpf_prog_run+0x3e51/0xabd0 kernel/bpf/core.c:1997
       __bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
       bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
       __bpf_prog_run include/linux/filter.h:657 [inline]
       bpf_prog_run include/linux/filter.h:664 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
       bpf_trace_run2+0x151/0x420 kernel/trace/bpf_trace.c:2420
       __bpf_trace_timer_start+0xc7/0x100 include/trace/events/timer.h:52
       trace_timer_start include/trace/events/timer.h:52 [inline]
       enqueue_timer+0x2b4/0x550 kernel/time/timer.c:664
       internal_add_timer kernel/time/timer.c:689 [inline]
       __mod_timer+0x8d7/0xdc0 kernel/time/timer.c:1184
       add_timer_global+0x8a/0xc0 kernel/time/timer.c:1331
       __queue_delayed_work+0x1ba/0x2e0 kernel/workqueue.c:2580
       mod_delayed_work_on+0xcc/0x1b0 kernel/workqueue.c:2647
       mod_delayed_work include/linux/workqueue.h:635 [inline]
       mld_ifc_start_work net/ipv6/mcast.c:1073 [inline]
       mld_ifc_event net/ipv6/mcast.c:2669 [inline]
       mld_ifc_event+0xa5/0x160 net/ipv6/mcast.c:2663
       igmp6_leave_group net/ipv6/mcast.c:2625 [inline]
       igmp6_group_dropped+0x735/0xe40 net/ipv6/mcast.c:722
       __ipv6_dev_mc_dec+0x281/0x360 net/ipv6/mcast.c:978
       addrconf_leave_solict net/ipv6/addrconf.c:2251 [inline]
       __ipv6_ifa_notify+0x3fd/0xe20 net/ipv6/addrconf.c:6282
       addrconf_ifdown.isra.0+0xef6/0x1b40 net/ipv6/addrconf.c:3978
       addrconf_notify+0x223/0x19e0 net/ipv6/addrconf.c:3777
       notifier_call_chain+0xb9/0x410 kernel/notifier.c:93
       call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:1950
       call_netdevice_notifiers_extack net/core/dev.c:1988 [inline]
       call_netdevice_notifiers net/core/dev.c:2002 [inline]
       dev_close_many+0x333/0x6a0 net/core/dev.c:1543
       unregister_netdevice_many_notify+0x46d/0x19f0 net/core/dev.c:11080
       unregister_netdevice_many net/core/dev.c:11163 [inline]
       default_device_exit_batch+0x85b/0xae0 net/core/dev.c:11640
       ops_exit_list+0x128/0x180 net/core/net_namespace.c:178
       cleanup_net+0x5b7/0xbf0 net/core/net_namespace.c:640
       process_one_work+0x9a9/0x1ac0 kernel/workqueue.c:3267
       process_scheduled_works kernel/workqueue.c:3348 [inline]
       worker_thread+0x6c8/0xf70 kernel/workqueue.c:3429
       kthread+0x2c1/0x3a0 kernel/kthread.c:388
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #1 (&base->lock){-.-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162
       lock_timer_base+0x5d/0x220 kernel/time/timer.c:1052
       __mod_timer+0x426/0xdc0 kernel/time/timer.c:1133
       add_timer_global+0x8a/0xc0 kernel/time/timer.c:1331
       __queue_delayed_work+0x1ba/0x2e0 kernel/workqueue.c:2580
       queue_delayed_work_on+0x10e/0x130 kernel/workqueue.c:2608
       kvfree_call_rcu+0x749/0xbe0 kernel/rcu/tree.c:3472
       rtnl_register_internal+0x343/0x670 net/core/rtnetlink.c:265
       rtnl_register+0x34/0x80 net/core/rtnetlink.c:315
       ip_rt_init+0x343/0x450 net/ipv4/route.c:3720
       ip_init+0xe/0x20 net/ipv4/ip_output.c:1663
       inet_init+0x3f0/0x6f0 net/ipv4/af_inet.c:2023
       do_one_initcall+0x128/0x700 init/main.c:1245
       do_initcall_level init/main.c:1307 [inline]
       do_initcalls init/main.c:1323 [inline]
       do_basic_setup init/main.c:1342 [inline]
       kernel_init_freeable+0x69d/0xca0 init/main.c:1555
       kernel_init+0x1c/0x2b0 init/main.c:1444
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

-> #0 (krc.lock){..-.}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:3134 [inline]
       check_prevs_add kernel/locking/lockdep.c:3253 [inline]
       validate_chain kernel/locking/lockdep.c:3869 [inline]
       __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
       lock_acquire kernel/locking/lockdep.c:5754 [inline]
       lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
       __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
       _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
       krc_this_cpu_lock kernel/rcu/tree.c:2960 [inline]
       add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3359 [inline]
       kvfree_call_rcu+0xda/0xbe0 kernel/rcu/tree.c:3444
       trie_delete_elem+0x593/0x7e0 kernel/bpf/lpm_trie.c:524
       ___bpf_prog_run+0x3e51/0xabd0 kernel/bpf/core.c:1997
       __bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
       bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
       __bpf_prog_run include/linux/filter.h:657 [inline]
       bpf_prog_run include/linux/filter.h:664 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
       bpf_trace_run3+0x167/0x440 kernel/trace/bpf_trace.c:2421
       __traceiter_kmem_cache_free+0x35/0x50 include/trace/events/kmem.h:114
       trace_kmem_cache_free include/trace/events/kmem.h:114 [inline]
       kmem_cache_free+0x1d4/0x390 mm/slub.c:4349
       skb_kfree_head net/core/skbuff.c:1094 [inline]
       skb_kfree_head net/core/skbuff.c:1091 [inline]
       skb_free_head+0x19a/0x1e0 net/core/skbuff.c:1108
       skb_release_data+0x76c/0x990 net/core/skbuff.c:1136
       skb_release_all net/core/skbuff.c:1202 [inline]
       __kfree_skb net/core/skbuff.c:1216 [inline]
       consume_skb net/core/skbuff.c:1432 [inline]
       consume_skb+0xd2/0x170 net/core/skbuff.c:1426
       netlink_broadcast_filtered+0x3d5/0xf10 net/netlink/af_netlink.c:1546
       nlmsg_multicast_filtered include/net/netlink.h:1111 [inline]
       nlmsg_multicast include/net/netlink.h:1130 [inline]
       nlmsg_notify+0x9e/0x220 net/netlink/af_netlink.c:2602
       inet6_ifa_notify net/ipv6/addrconf.c:5615 [inline]
       __ipv6_ifa_notify+0x26b/0xe20 net/ipv6/addrconf.c:6253
       ipv6_ifa_notify net/ipv6/addrconf.c:6305 [inline]
       addrconf_dad_completed+0x19d/0x1060 net/ipv6/addrconf.c:4318
       addrconf_dad_work+0x807/0x1500 net/ipv6/addrconf.c:4266
       process_one_work+0x9a9/0x1ac0 kernel/workqueue.c:3267
       process_scheduled_works kernel/workqueue.c:3348 [inline]
       worker_thread+0x6c8/0xf70 kernel/workqueue.c:3429
       kthread+0x2c1/0x3a0 kernel/kthread.c:388
       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

other info that might help us debug this:

Chain exists of:
  krc.lock --> &base->lock --> &trie->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&trie->lock);
                               lock(&base->lock);
                               lock(&trie->lock);
  lock(krc.lock);

 *** DEADLOCK ***

5 locks held by kworker/u32:3/62:
 #0: ffff888029652948 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x1296/0x1ac0 kernel/workqueue.c:3242
 #1: ffffc90000ae7d80 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x906/0x1ac0 kernel/workqueue.c:3243
 #2: ffffffff8f5013c8 (rtnl_mutex){+.+.}-{3:3}, at: addrconf_dad_work+0xcf/0x1500 net/ipv6/addrconf.c:4192
 #3: ffffffff8d9b0e20 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:329 [inline]
 #3: ffffffff8d9b0e20 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:781 [inline]
 #3: ffffffff8d9b0e20 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2380 [inline]
 #3: ffffffff8d9b0e20 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run3+0xf8/0x440 kernel/trace/bpf_trace.c:2421
 #4: ffff888029a569f8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0xb0/0x7e0 kernel/bpf/lpm_trie.c:451

stack backtrace:
CPU: 1 PID: 62 Comm: kworker/u32:3 Not tainted 6.9.0-rc7-syzkaller-00183-gcf87f46fd34d #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 check_noncircular+0x31a/0x400 kernel/locking/lockdep.c:2187
 check_prev_add kernel/locking/lockdep.c:3134 [inline]
 check_prevs_add kernel/locking/lockdep.c:3253 [inline]
 validate_chain kernel/locking/lockdep.c:3869 [inline]
 __lock_acquire+0x2478/0x3b30 kernel/locking/lockdep.c:5137
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x560 kernel/locking/lockdep.c:5719
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
 krc_this_cpu_lock kernel/rcu/tree.c:2960 [inline]
 add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3359 [inline]
 kvfree_call_rcu+0xda/0xbe0 kernel/rcu/tree.c:3444
 trie_delete_elem+0x593/0x7e0 kernel/bpf/lpm_trie.c:524
 ___bpf_prog_run+0x3e51/0xabd0 kernel/bpf/core.c:1997
 __bpf_prog_run32+0xc1/0x100 kernel/bpf/core.c:2236
 bpf_dispatcher_nop_func include/linux/bpf.h:1234 [inline]
 __bpf_prog_run include/linux/filter.h:657 [inline]
 bpf_prog_run include/linux/filter.h:664 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:2381 [inline]
 bpf_trace_run3+0x167/0x440 kernel/trace/bpf_trace.c:2421
 __traceiter_kmem_cache_free+0x35/0x50 include/trace/events/kmem.h:114
 trace_kmem_cache_free include/trace/events/kmem.h:114 [inline]
 kmem_cache_free+0x1d4/0x390 mm/slub.c:4349
 skb_kfree_head net/core/skbuff.c:1094 [inline]
 skb_kfree_head net/core/skbuff.c:1091 [inline]
 skb_free_head+0x19a/0x1e0 net/core/skbuff.c:1108
 skb_release_data+0x76c/0x990 net/core/skbuff.c:1136
 skb_release_all net/core/skbuff.c:1202 [inline]
 __kfree_skb net/core/skbuff.c:1216 [inline]
 consume_skb net/core/skbuff.c:1432 [inline]
 consume_skb+0xd2/0x170 net/core/skbuff.c:1426
 netlink_broadcast_filtered+0x3d5/0xf10 net/netlink/af_netlink.c:1546
 nlmsg_multicast_filtered include/net/netlink.h:1111 [inline]
 nlmsg_multicast include/net/netlink.h:1130 [inline]
 nlmsg_notify+0x9e/0x220 net/netlink/af_netlink.c:2602
 inet6_ifa_notify net/ipv6/addrconf.c:5615 [inline]
 __ipv6_ifa_notify+0x26b/0xe20 net/ipv6/addrconf.c:6253
 ipv6_ifa_notify net/ipv6/addrconf.c:6305 [inline]
 addrconf_dad_completed+0x19d/0x1060 net/ipv6/addrconf.c:4318
 addrconf_dad_work+0x807/0x1500 net/ipv6/addrconf.c:4266
 process_one_work+0x9a9/0x1ac0 kernel/workqueue.c:3267
 process_scheduled_works kernel/workqueue.c:3348 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3429
 kthread+0x2c1/0x3a0 kernel/kthread.c:388
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>