======================================================
WARNING: possible circular locking dependency detected
5.15.189-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.0/4824 is trying to acquire lock:
ffff88807d149db8 (&trie->lock){....}-{2:2}, at: trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467

but task is already holding lock:
ffff8880b9135da8 (lock){..-.}-{2:2}, at: local_lock_acquire+0x5/0x120 include/linux/local_lock_internal.h:28

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (lock){..-.}-{2:2}:
       local_lock_acquire+0x2b/0x120 include/linux/local_lock_internal.h:29
       rmqueue_pcplist mm/page_alloc.c:3699 [inline]
       rmqueue mm/page_alloc.c:3742 [inline]
       get_page_from_freelist+0x141e/0x1c60 mm/page_alloc.c:4189
       __alloc_pages+0x1e1/0x470 mm/page_alloc.c:5474
       alloc_slab_page mm/slub.c:1775 [inline]
       allocate_slab mm/slub.c:1912 [inline]
       new_slab+0xc0/0x4b0 mm/slub.c:1975
       ___slab_alloc+0x81e/0xdf0 mm/slub.c:3008
       __slab_alloc mm/slub.c:3095 [inline]
       slab_alloc_node mm/slub.c:3186 [inline]
       __kmalloc_node+0x200/0x3b0 mm/slub.c:4451
       kmalloc_node include/linux/slab.h:627 [inline]
       bpf_map_kmalloc_node+0xba/0x140 kernel/bpf/syscall.c:430
       lpm_trie_node_alloc kernel/bpf/lpm_trie.c:290 [inline]
       trie_update_elem+0x1cc/0xc50 kernel/bpf/lpm_trie.c:332
       bpf_map_update_value+0x57d/0x650 kernel/bpf/syscall.c:221
       generic_map_update_batch+0x525/0x7c0 kernel/bpf/syscall.c:1424
       bpf_map_do_batch+0x466/0x600 kernel/bpf/syscall.c:-1
       __sys_bpf+0x601/0x670 kernel/bpf/syscall.c:-1
       __do_sys_bpf kernel/bpf/syscall.c:4755 [inline]
       __se_sys_bpf kernel/bpf/syscall.c:4753 [inline]
       __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:4753
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x66/0xd0

-> #0 (&trie->lock){....}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:3053 [inline]
       check_prevs_add kernel/locking/lockdep.c:3172 [inline]
       validate_chain kernel/locking/lockdep.c:3788 [inline]
       __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012
       lock_acquire+0x197/0x3f0 kernel/locking/lockdep.c:5623
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162
       trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467
       bpf_prog_2c29ac5cdc6b1842+0x3a/0x8a0
       bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
       __bpf_prog_run include/linux/filter.h:628 [inline]
       bpf_prog_run include/linux/filter.h:635 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
       bpf_trace_run1+0x153/0x2d0 kernel/trace/bpf_trace.c:1914
       __bpf_trace_mm_page_free_batched+0x41/0x60 include/trace/events/kmem.h:182
       trace_mm_page_free_batched include/trace/events/kmem.h:182 [inline]
       free_unref_page_list+0x6bb/0x7e0 mm/page_alloc.c:3465
       release_pages+0x184b/0x1bb0 mm/swap.c:963
       tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
       tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
       tlb_flush_mmu+0xc5/0x170 mm/mmu_gather.c:247
       zap_pte_range mm/memory.c:1456 [inline]
       zap_pmd_range mm/memory.c:1505 [inline]
       zap_pud_range mm/memory.c:1534 [inline]
       zap_p4d_range mm/memory.c:1555 [inline]
       unmap_page_range+0x2096/0x2520 mm/memory.c:1576
       unmap_vmas+0x11b/0x230 mm/memory.c:1653
       exit_mmap+0x38f/0x5f0 mm/mmap.c:3212
       __mmput+0x115/0x3b0 kernel/fork.c:1127
       exit_mm+0x567/0x6c0 kernel/exit.c:550
       do_exit+0x5a1/0x20a0 kernel/exit.c:870
       do_group_exit+0x12e/0x300 kernel/exit.c:997
       get_signal+0x6ca/0x12c0 kernel/signal.c:2900
       arch_do_signal_or_restart+0xc1/0x1300 arch/x86/kernel/signal.c:867
       handle_signal_work kernel/entry/common.c:154 [inline]
       exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
       exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
       __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
       syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
       do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
       entry_SYSCALL_64_after_hwframe+0x66/0xd0

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(lock);
                               lock(&trie->lock);
                               lock(lock);
  lock(&trie->lock);

 *** DEADLOCK ***

2 locks held by syz-executor.0/4824:
 #0: ffff8880b9135da8 (lock){..-.}-{2:2}, at: local_lock_acquire+0x5/0x120 include/linux/local_lock_internal.h:28
 #1: ffffffff8c11c360 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311

stack backtrace:
CPU: 1 PID: 4824 Comm: syz-executor.0 Not tainted 5.15.189-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2133
 check_prev_add kernel/locking/lockdep.c:3053 [inline]
 check_prevs_add kernel/locking/lockdep.c:3172 [inline]
 validate_chain kernel/locking/lockdep.c:3788 [inline]
 __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012
 lock_acquire+0x197/0x3f0 kernel/locking/lockdep.c:5623
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162
 trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467
 bpf_prog_2c29ac5cdc6b1842+0x3a/0x8a0
 bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
 __bpf_prog_run include/linux/filter.h:628 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
 bpf_trace_run1+0x153/0x2d0 kernel/trace/bpf_trace.c:1914
 __bpf_trace_mm_page_free_batched+0x41/0x60 include/trace/events/kmem.h:182
 trace_mm_page_free_batched include/trace/events/kmem.h:182 [inline]
 free_unref_page_list+0x6bb/0x7e0 mm/page_alloc.c:3465
 release_pages+0x184b/0x1bb0 mm/swap.c:963
 tlb_batch_pages_flush mm/mmu_gather.c:49 [inline]
 tlb_flush_mmu_free mm/mmu_gather.c:240 [inline]
 tlb_flush_mmu+0xc5/0x170 mm/mmu_gather.c:247
 zap_pte_range mm/memory.c:1456 [inline]
 zap_pmd_range mm/memory.c:1505 [inline]
 zap_pud_range mm/memory.c:1534 [inline]
 zap_p4d_range mm/memory.c:1555 [inline]
 unmap_page_range+0x2096/0x2520 mm/memory.c:1576
 unmap_vmas+0x11b/0x230 mm/memory.c:1653
 exit_mmap+0x38f/0x5f0 mm/mmap.c:3212
 __mmput+0x115/0x3b0 kernel/fork.c:1127
 exit_mm+0x567/0x6c0 kernel/exit.c:550
 do_exit+0x5a1/0x20a0 kernel/exit.c:870
 do_group_exit+0x12e/0x300 kernel/exit.c:997
 get_signal+0x6ca/0x12c0 kernel/signal.c:2900
 arch_do_signal_or_restart+0xc1/0x1300 arch/x86/kernel/signal.c:867
 handle_signal_work kernel/entry/common.c:154 [inline]
 exit_to_user_mode_loop+0x9e/0x130 kernel/entry/common.c:178
 exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
 __syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
 syscall_exit_to_user_mode+0x16/0x40 kernel/entry/common.c:307
 do_syscall_64+0x58/0xa0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7fc4c8798da9
Code: Unable to access opcode bytes at RIP 0x7fc4c8798d7f.
RSP: 002b:00007fc4c7b19178 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: fffffffffffffe00 RBX: 00007fc4c88c6f88 RCX: 00007fc4c8798da9
RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007fc4c88c6f88
RBP: 00007fc4c88c6f80 R08: 00007fc4c7b196c0 R09: 00007fc4c7b196c0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc4c88c6f8c
R13: 000000000000000b R14: 00007ffd27b6bfb0 R15: 00007ffd27b6c098
 </TASK>