===================================================== WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected 5.15.153-syzkaller #0 Not tainted ----------------------------------------------------- syz-executor.3/4279 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire: ffff88801eaaa020 (&htab->buckets[i].lock){+...}-{2:2}, at: sock_hash_delete_elem+0xac/0x2f0 net/core/sock_map.c:937 and this task is already holding: ffff88801fa72518 (&sighand->siglock){-...}-{2:2}, at: force_sig_info_to_task+0x69/0x470 kernel/signal.c:1327 which would create a new lock dependency: (&sighand->siglock){-...}-{2:2} -> (&htab->buckets[i].lock){+...}-{2:2} but this new dependency connects a HARDIRQ-irq-safe lock: (&sighand->siglock){-...}-{2:2} ... which became HARDIRQ-irq-safe at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162 __lock_task_sighand+0x11a/0x290 kernel/signal.c:1404 lock_task_sighand include/linux/sched/signal.h:704 [inline] send_sigqueue+0x1bc/0x6e0 kernel/signal.c:1971 posix_timer_event kernel/time/posix-timers.c:359 [inline] posix_timer_fn+0x186/0x390 kernel/time/posix-timers.c:385 __run_hrtimer kernel/time/hrtimer.c:1686 [inline] __hrtimer_run_queues+0x598/0xcf0 kernel/time/hrtimer.c:1750 hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1085 [inline] __sysvec_apic_timer_interrupt+0x139/0x470 arch/x86/kernel/apic/apic.c:1102 sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:638 lock_acquire+0x252/0x4f0 kernel/locking/lockdep.c:5627 rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:312 rcu_read_lock include/linux/rcupdate.h:739 [inline] inet_twsk_purge+0x11e/0xa20 net/ipv4/inet_timewait_sock.c:268 ops_exit_list net/core/net_namespace.c:174 [inline] cleanup_net+0x763/0xb60 net/core/net_namespace.c:596 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 to a HARDIRQ-irq-unsafe lock: (&htab->buckets[i].lock){+...}-{2:2} ... which became HARDIRQ-irq-unsafe at: ... lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_free+0x14c/0x780 net/core/sock_map.c:1154 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); lock(&sighand->siglock); lock(&htab->buckets[i].lock); lock(&sighand->siglock); *** DEADLOCK *** 2 locks held by syz-executor.3/4279: #0: ffff88801fa72518 (&sighand->siglock){-...}-{2:2}, at: force_sig_info_to_task+0x69/0x470 kernel/signal.c:1327 #1: ffffffff8c91f720 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311 the dependencies between HARDIRQ-irq-safe lock and the holding lock: -> (&sighand->siglock ){-...}-{2:2} { IN-HARDIRQ-W at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162 __lock_task_sighand+0x11a/0x290 kernel/signal.c:1404 lock_task_sighand include/linux/sched/signal.h:704 [inline] send_sigqueue+0x1bc/0x6e0 kernel/signal.c:1971 posix_timer_event kernel/time/posix-timers.c:359 [inline] posix_timer_fn+0x186/0x390 kernel/time/posix-timers.c:385 __run_hrtimer kernel/time/hrtimer.c:1686 [inline] __hrtimer_run_queues+0x598/0xcf0 kernel/time/hrtimer.c:1750 hrtimer_interrupt+0x392/0x980 kernel/time/hrtimer.c:1812 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1085 [inline] __sysvec_apic_timer_interrupt+0x139/0x470 arch/x86/kernel/apic/apic.c:1102 sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:638 lock_acquire+0x252/0x4f0 kernel/locking/lockdep.c:5627 rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:312 rcu_read_lock include/linux/rcupdate.h:739 [inline] inet_twsk_purge+0x11e/0xa20 net/ipv4/inet_timewait_sock.c:268 ops_exit_list net/core/net_namespace.c:174 [inline] cleanup_net+0x763/0xb60 net/core/net_namespace.c:596 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 INITIAL USE at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline] _raw_spin_lock_irq+0xcf/0x110 kernel/locking/spinlock.c:170 spin_lock_irq include/linux/spinlock.h:388 [inline] calculate_sigpending+0x4a/0x80 kernel/signal.c:195 ret_from_fork+0x8/0x30 arch/x86/entry/entry_64.S:283 } ... key at: [] sighand_ctor.__key+0x0/0x20 the dependencies between the lock to be acquired and HARDIRQ-irq-unsafe lock: -> (&htab->buckets[i].lock){+...}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_free+0x14c/0x780 net/core/sock_map.c:1154 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 INITIAL USE at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_free+0x14c/0x780 net/core/sock_map.c:1154 process_one_work+0x8a1/0x10c0 kernel/workqueue.c:2310 worker_thread+0xaca/0x1280 kernel/workqueue.c:2457 kthread+0x3f6/0x4f0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 } ... key at: [] sock_hash_alloc.__key+0x0/0x20 ... acquired at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_delete_elem+0xac/0x2f0 net/core/sock_map.c:937 bpf_prog_2c29ac5cdc6b1842+0x3a/0x7a4 bpf_dispatcher_nop_func include/linux/bpf.h:785 [inline] __bpf_prog_run include/linux/filter.h:628 [inline] bpf_prog_run include/linux/filter.h:635 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:1880 [inline] bpf_trace_run5+0x222/0x3e0 kernel/trace/bpf_trace.c:1920 trace_signal_generate+0x182/0x1f0 include/trace/events/signal.h:50 __send_signal+0xadc/0xd40 kernel/signal.c:1184 force_sig_info_to_task+0x327/0x470 kernel/signal.c:1347 force_sig_info kernel/signal.c:1355 [inline] force_sig+0x114/0x1d0 kernel/signal.c:1658 __exc_general_protection arch/x86/kernel/traps.c:597 [inline] exc_general_protection+0x122/0x4f0 arch/x86/kernel/traps.c:562 asm_exc_general_protection+0x22/0x30 arch/x86/include/asm/idtentry.h:562 stack backtrace: CPU: 0 PID: 4279 Comm: syz-executor.3 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_bad_irq_dependency kernel/locking/lockdep.c:2567 [inline] check_irq_usage kernel/locking/lockdep.c:2806 [inline] check_prev_add kernel/locking/lockdep.c:3057 [inline] check_prevs_add kernel/locking/lockdep.c:3172 [inline] validate_chain+0x4d01/0x5930 kernel/locking/lockdep.c:3788 __lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012 lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_delete_elem+0xac/0x2f0 net/core/sock_map.c:937 bpf_prog_2c29ac5cdc6b1842+0x3a/0x7a4 bpf_dispatcher_nop_func include/linux/bpf.h:785 [inline] __bpf_prog_run include/linux/filter.h:628 [inline] bpf_prog_run include/linux/filter.h:635 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:1880 [inline] bpf_trace_run5+0x222/0x3e0 kernel/trace/bpf_trace.c:1920 trace_signal_generate+0x182/0x1f0 include/trace/events/signal.h:50 __send_signal+0xadc/0xd40 kernel/signal.c:1184 force_sig_info_to_task+0x327/0x470 kernel/signal.c:1347 force_sig_info kernel/signal.c:1355 [inline] force_sig+0x114/0x1d0 kernel/signal.c:1658 __exc_general_protection arch/x86/kernel/traps.c:597 [inline] exc_general_protection+0x122/0x4f0 arch/x86/kernel/traps.c:562 asm_exc_general_protection+0x22/0x30 arch/x86/include/asm/idtentry.h:562 RIP: 0033:0x7fa0a0e07cf9 Code: f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 f8 48 89 fa c5 f9 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 27 01 00 00 fd 74 0f c5 fd d7 c1 85 c0 74 5b f3 0f bc c0 e9 30 01 00 00 66 RSP: 002b:00007fa09f387858 EFLAGS: 00010283 RAX: 0000000000000999 RBX: 00007fa09f387dc0 RCX: 00007fa0a0f0dbc0 RDX: 9999999999999999 RSI: 00007fa0a0e61062 RDI: 9999999999999999 RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000000073 R13: 00007fa09f387f40 R14: 9999999999999999 R15: 0000000000000000 ------------[ cut here ]------------ raw_local_irq_restore() called with IRQs enabled WARNING: CPU: 0 PID: 4279 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10 Modules linked in: CPU: 0 PID: 4279 Comm: syz-executor.3 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:warn_bogus_irq_restore+0x1d/0x20 kernel/locking/irqflag-debug.c:10 Code: 24 48 c7 c7 a0 d1 89 8a e8 6c d1 fe ff 80 3d fc 56 b4 03 00 74 01 c3 c6 05 f2 56 b4 03 01 48 c7 c7 80 0c 8b 8a e8 13 ec 2f f7 <0f> 0b c3 41 56 53 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 RSP: 0000:ffffc90003de7c38 EFLAGS: 00010246 RAX: 385e729993ae9800 RBX: 1ffff920007bcf8c RCX: 0000000000040000 RDX: ffffc900062c3000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc90003de7cd0 R08: ffffffff8166661c R09: fffffbfff1922849 R10: 0000000000000000 R11: dffffc0000000001 R12: dffffc0000000000 R13: 1ffff920007bcf88 R14: ffffc90003de7c60 R15: 0000000000000246 FS: 00007fa09f3886c0(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa09f387f78 CR3: 000000007ca7a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] _raw_spin_unlock_irqrestore+0x118/0x130 kernel/locking/spinlock.c:194 spin_unlock_irqrestore include/linux/spinlock.h:418 [inline] force_sig_info_to_task+0x34a/0x470 kernel/signal.c:1348 force_sig_info kernel/signal.c:1355 [inline] force_sig+0x114/0x1d0 kernel/signal.c:1658 __exc_general_protection arch/x86/kernel/traps.c:597 [inline] exc_general_protection+0x122/0x4f0 arch/x86/kernel/traps.c:562 asm_exc_general_protection+0x22/0x30 arch/x86/include/asm/idtentry.h:562 RIP: 0033:0x7fa0a0e07cf9 Code: f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 89 f8 48 89 fa c5 f9 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 27 01 00 00 fd 74 0f c5 fd d7 c1 85 c0 74 5b f3 0f bc c0 e9 30 01 00 00 66 RSP: 002b:00007fa09f387858 EFLAGS: 00010283 RAX: 0000000000000999 RBX: 00007fa09f387dc0 RCX: 00007fa0a0f0dbc0 RDX: 9999999999999999 RSI: 00007fa0a0e61062 RDI: 9999999999999999 RBP: 000000000000000b R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000000 R12: 0000000000000073 R13: 00007fa09f387f40 R14: 9999999999999999 R15: 0000000000000000