===================================================== WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected 5.15.153-syzkaller #0 Not tainted ----------------------------------------------------- syz-executor.1/3803 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire: ffff8880769b1820 (&htab->buckets[i].lock){+...}-{2:2} , at: sock_hash_delete_elem+0xac/0x2f0 net/core/sock_map.c:937 and this task is already holding: ffff8880b9b39b18 (&pool->lock){-.-.}-{2:2}, at: __queue_work+0x56d/0xd00 which would create a new lock dependency: ( &pool->lock){-.-.}-{2:2} -> ( &htab->buckets[i].lock){+...}-{2:2} but this new dependency connects a HARDIRQ-irq-safe lock: (&pool->lock){-.-.}-{2:2} ... which became HARDIRQ-irq-safe at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 __queue_work+0x56d/0xd00 queue_work_on+0x14b/0x250 kernel/workqueue.c:1559 hrtimer_switch_to_hres kernel/time/hrtimer.c:747 [inline] hrtimer_run_queues+0x14b/0x450 kernel/time/hrtimer.c:1912 run_local_timers kernel/time/timer.c:1762 [inline] update_process_times+0xca/0x200 kernel/time/timer.c:1787 tick_periodic+0x197/0x210 kernel/time/tick-common.c:100 tick_handle_periodic+0x46/0x150 kernel/time/tick-common.c:112 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1085 [inline] __sysvec_apic_timer_interrupt+0x139/0x470 arch/x86/kernel/apic/apic.c:1102 sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:638 native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] default_idle+0xb/0x10 arch/x86/kernel/process.c:717 default_idle_call+0x81/0xc0 kernel/sched/idle.c:112 cpuidle_idle_call kernel/sched/idle.c:194 [inline] do_idle+0x271/0x670 kernel/sched/idle.c:306 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:403 start_kernel+0x48c/0x535 init/main.c:1138 secondary_startup_64_no_verify+0xb1/0xbb to a HARDIRQ-irq-unsafe lock: (&htab->buckets[i].lock ){+...}-{2:2} ... which became HARDIRQ-irq-unsafe at: ... lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_update_common+0x20c/0xa30 net/core/sock_map.c:1005 sock_map_update_elem_sys+0x485/0x770 net/core/sock_map.c:587 map_update_elem+0x6a0/0x7c0 kernel/bpf/syscall.c:1185 __sys_bpf+0x2fd/0x670 kernel/bpf/syscall.c:4639 __do_sys_bpf kernel/bpf/syscall.c:4755 [inline] __se_sys_bpf kernel/bpf/syscall.c:4753 [inline] __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4753 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&htab->buckets[i].lock); local_irq_disable(); lock(&pool->lock); lock(&htab->buckets[i].lock); lock(&pool->lock); *** DEADLOCK *** 5 locks held by syz-executor.1/3803: #0: ffffffff8d9dc108 (rtnl_mutex){+.+.}-{3:3}, at: ppp_release+0x86/0x1f0 drivers/net/ppp/ppp_generic.c:404 #1: ffffffff8c923ce8 (rcu_state.exp_mutex){+.+.}-{3:3}, at: exp_funnel_lock kernel/rcu/tree_exp.h:290 [inline] (rcu_state.exp_mutex){+.+.}-{3:3}, at: synchronize_rcu_expedited+0x280/0x740 kernel/rcu/tree_exp.h:845 #2: ffffffff8c91f720 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311 #3: ffff8880b9b39b18 (&pool->lock){-.-.}-{2:2}, at: __queue_work+0x56d/0xd00 #4: ffffffff8c91f720 (rcu_read_lock ){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311 the dependencies between HARDIRQ-irq-safe lock and the holding lock: -> (&pool->lock){-.-.}-{2:2} { IN-HARDIRQ-W at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 __queue_work+0x56d/0xd00 queue_work_on+0x14b/0x250 kernel/workqueue.c:1559 hrtimer_switch_to_hres kernel/time/hrtimer.c:747 [inline] hrtimer_run_queues+0x14b/0x450 kernel/time/hrtimer.c:1912 run_local_timers kernel/time/timer.c:1762 [inline] update_process_times+0xca/0x200 kernel/time/timer.c:1787 tick_periodic+0x197/0x210 kernel/time/tick-common.c:100 tick_handle_periodic+0x46/0x150 kernel/time/tick-common.c:112 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1085 [inline] __sysvec_apic_timer_interrupt+0x139/0x470 arch/x86/kernel/apic/apic.c:1102 sysvec_apic_timer_interrupt+0x8c/0xb0 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:638 native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] default_idle+0xb/0x10 arch/x86/kernel/process.c:717 default_idle_call+0x81/0xc0 kernel/sched/idle.c:112 cpuidle_idle_call kernel/sched/idle.c:194 [inline] do_idle+0x271/0x670 kernel/sched/idle.c:306 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:403 start_kernel+0x48c/0x535 init/main.c:1138 secondary_startup_64_no_verify+0xb1/0xbb IN-SOFTIRQ-W at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 __queue_work+0x56d/0xd00 call_timer_fn+0x16d/0x560 kernel/time/timer.c:1421 expire_timers kernel/time/timer.c:1461 [inline] __run_timers+0x6a8/0x890 kernel/time/timer.c:1737 __do_softirq+0x3b3/0x93a kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x155/0x240 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1096 asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:638 native_safe_halt arch/x86/include/asm/irqflags.h:51 [inline] arch_safe_halt arch/x86/include/asm/irqflags.h:89 [inline] default_idle+0xb/0x10 arch/x86/kernel/process.c:717 default_idle_call+0x81/0xc0 kernel/sched/idle.c:112 cpuidle_idle_call kernel/sched/idle.c:194 [inline] do_idle+0x271/0x670 kernel/sched/idle.c:306 cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:403 start_kernel+0x48c/0x535 init/main.c:1138 secondary_startup_64_no_verify+0xb1/0xbb INITIAL USE at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162 pwq_adjust_max_active+0x14e/0x550 kernel/workqueue.c:3783 link_pwq kernel/workqueue.c:3849 [inline] alloc_and_link_pwqs kernel/workqueue.c:4243 [inline] alloc_workqueue+0xbb4/0x13f0 kernel/workqueue.c:4365 workqueue_init_early+0x7b2/0x96c kernel/workqueue.c:6099 start_kernel+0x1fa/0x535 init/main.c:1025 secondary_startup_64_no_verify+0xb1/0xbb } ... key at: [] init_worker_pool.__key+0x0/0x20 the dependencies between the lock to be acquired and HARDIRQ-irq-unsafe lock: -> ( &htab->buckets[i].lock ){+...}-{2:2} { HARDIRQ-ON-W at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_update_common+0x20c/0xa30 net/core/sock_map.c:1005 sock_map_update_elem_sys+0x485/0x770 net/core/sock_map.c:587 map_update_elem+0x6a0/0x7c0 kernel/bpf/syscall.c:1185 __sys_bpf+0x2fd/0x670 kernel/bpf/syscall.c:4639 __do_sys_bpf kernel/bpf/syscall.c:4755 [inline] __se_sys_bpf kernel/bpf/syscall.c:4753 [inline] __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4753 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb INITIAL USE at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_update_common+0x20c/0xa30 net/core/sock_map.c:1005 sock_map_update_elem_sys+0x485/0x770 net/core/sock_map.c:587 map_update_elem+0x6a0/0x7c0 kernel/bpf/syscall.c:1185 __sys_bpf+0x2fd/0x670 kernel/bpf/syscall.c:4639 __do_sys_bpf kernel/bpf/syscall.c:4755 [inline] __se_sys_bpf kernel/bpf/syscall.c:4753 [inline] __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4753 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb } ... key at: [] sock_hash_alloc.__key+0x0/0x20 ... acquired at: lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_delete_elem+0xac/0x2f0 net/core/sock_map.c:937 bpf_prog_2c29ac5cdc6b1842+0x3a/0xadc bpf_dispatcher_nop_func include/linux/bpf.h:785 [inline] __bpf_prog_run include/linux/filter.h:628 [inline] bpf_prog_run include/linux/filter.h:635 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:1880 [inline] bpf_trace_run1+0x168/0x2f0 kernel/trace/bpf_trace.c:1916 trace_workqueue_activate_work+0x150/0x1b0 include/trace/events/workqueue.h:59 __queue_work+0x89e/0xd00 kernel/workqueue.c:1521 queue_work_on+0x14b/0x250 kernel/workqueue.c:1559 queue_work include/linux/workqueue.h:512 [inline] synchronize_rcu_expedited+0x4eb/0x740 kernel/rcu/tree_exp.h:856 dev_deactivate_many+0x608/0xbf0 net/sched/sch_generic.c:1310 __dev_close_many+0x26d/0x3c0 net/core/dev.c:1577 dev_close_many+0x22a/0x530 net/core/dev.c:1615 unregister_netdevice_many+0x4b0/0x18f0 net/core/dev.c:11069 unregister_netdevice_queue+0x2e6/0x350 net/core/dev.c:11026 unregister_netdevice include/linux/netdevice.h:3012 [inline] ppp_release+0xec/0x1f0 drivers/net/ppp/ppp_generic.c:406 __fput+0x3bf/0x890 fs/file_table.c:280 task_work_run+0x129/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:175 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x5d/0x250 kernel/entry/common.c:301 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x61/0xcb stack backtrace: CPU: 1 PID: 3803 Comm: syz-executor.1 Not tainted 5.15.153-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 print_bad_irq_dependency kernel/locking/lockdep.c:2567 [inline] check_irq_usage kernel/locking/lockdep.c:2806 [inline] check_prev_add kernel/locking/lockdep.c:3057 [inline] check_prevs_add kernel/locking/lockdep.c:3172 [inline] validate_chain+0x4d01/0x5930 kernel/locking/lockdep.c:3788 __lock_acquire+0x1295/0x1ff0 kernel/locking/lockdep.c:5012 lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:178 sock_hash_delete_elem+0xac/0x2f0 net/core/sock_map.c:937 bpf_prog_2c29ac5cdc6b1842+0x3a/0xadc bpf_dispatcher_nop_func include/linux/bpf.h:785 [inline] __bpf_prog_run include/linux/filter.h:628 [inline] bpf_prog_run include/linux/filter.h:635 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:1880 [inline] bpf_trace_run1+0x168/0x2f0 kernel/trace/bpf_trace.c:1916 trace_workqueue_activate_work+0x150/0x1b0 include/trace/events/workqueue.h:59 __queue_work+0x89e/0xd00 kernel/workqueue.c:1521 queue_work_on+0x14b/0x250 kernel/workqueue.c:1559 queue_work include/linux/workqueue.h:512 [inline] synchronize_rcu_expedited+0x4eb/0x740 kernel/rcu/tree_exp.h:856 dev_deactivate_many+0x608/0xbf0 net/sched/sch_generic.c:1310 __dev_close_many+0x26d/0x3c0 net/core/dev.c:1577 dev_close_many+0x22a/0x530 net/core/dev.c:1615 unregister_netdevice_many+0x4b0/0x18f0 net/core/dev.c:11069 unregister_netdevice_queue+0x2e6/0x350 net/core/dev.c:11026 unregister_netdevice include/linux/netdevice.h:3012 [inline] ppp_release+0xec/0x1f0 drivers/net/ppp/ppp_generic.c:406 __fput+0x3bf/0x890 fs/file_table.c:280 task_work_run+0x129/0x1a0 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:175 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x5d/0x250 kernel/entry/common.c:301 do_syscall_64+0x49/0xb0 arch/x86/entry/common.c:86 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7f4bb3727c9a Code: 48 3d 00 f0 ff ff 77 48 c3 0f 1f 80 00 00 00 00 48 83 ec 18 89 7c 24 0c e8 03 7f 02 00 8b 7c 24 0c 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 36 89 d7 89 44 24 0c e8 63 7f 02 00 8b 44 24 RSP: 002b:00007ffd563e3960 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000007 RCX: 00007f4bb3727c9a RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006 RBP: 0000000000000032 R08: 0000001b2f520000 R09: 0000000000000065 R10: 0000000081a6f5ad R11: 0000000000000293 R12: 00007f4bb32aca10 R13: ffffffffffffffff R14: 00007f4bb32ab000 R15: 000000000000f550