======================================================
WARNING: possible circular locking dependency detected
5.5.0-rc4-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor.3/8253 is trying to acquire lock:
ffff888094bf80a0 (&htab->buckets[i].lock){....}, at: htab_lru_map_delete_node+0xbf/0x2d0 kernel/bpf/hashtab.c:593

but task is already holding lock:
ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:325 [inline]
ffff888094bf8a18 (&l->lock){....}, at: bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_pop_free+0x31e/0x13e0 kernel/bpf/bpf_lru_list.c:499

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&l->lock){....}:
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2d/0x40 kernel/locking/spinlock.c:151
       bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:325 [inline]
       bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
       bpf_lru_pop_free+0x31e/0x13e0 kernel/bpf/bpf_lru_list.c:499
       prealloc_lru_pop+0x24/0x90 kernel/bpf/hashtab.c:132
       __htab_lru_percpu_map_update_elem+0x5b0/0x950 kernel/bpf/hashtab.c:1069
       bpf_percpu_hash_update+0xe3/0x150 kernel/bpf/hashtab.c:1585
       bpf_map_update_value.isra.25+0x1e8/0x6b0 kernel/bpf/syscall.c:181
       generic_map_update_batch+0x3e3/0x4b0 kernel/bpf/syscall.c:1311
       bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333
       __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445
       __se_sys_bpf kernel/bpf/syscall.c:3340 [inline]
       __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340
       do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #1 (&loc_l->lock){....}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:159
       bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:516 [inline]
       bpf_lru_push_free+0x1d5/0x4f0 kernel/bpf/bpf_lru_list.c:555
       __htab_map_lookup_and_delete_batch+0x6e2/0x1170 kernel/bpf/hashtab.c:1374
       htab_lru_map_lookup_and_delete_batch+0x17/0x20 kernel/bpf/hashtab.c:1491
       bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333
       __do_sys_bpf+0x17f4/0x32e0 kernel/bpf/syscall.c:3441
       __se_sys_bpf kernel/bpf/syscall.c:3340 [inline]
       __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340
       do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

-> #0 (&htab->buckets[i].lock){....}:
       check_prev_add kernel/locking/lockdep.c:2476 [inline]
       check_prevs_add kernel/locking/lockdep.c:2581 [inline]
       validate_chain kernel/locking/lockdep.c:2971 [inline]
       __lock_acquire+0x2899/0x4ef0 kernel/locking/lockdep.c:3955
       lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4485
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:159
       htab_lru_map_delete_node+0xbf/0x2d0 kernel/bpf/hashtab.c:593
       __bpf_lru_list_shrink_inactive kernel/bpf/bpf_lru_list.c:220 [inline]
       __bpf_lru_list_shrink+0xf3/0x3c0 kernel/bpf/bpf_lru_list.c:266
       bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:340 [inline]
       bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
       bpf_lru_pop_free+0x4cc/0x13e0 kernel/bpf/bpf_lru_list.c:499
       prealloc_lru_pop+0x24/0x90 kernel/bpf/hashtab.c:132
       __htab_lru_percpu_map_update_elem+0x5b0/0x950 kernel/bpf/hashtab.c:1069
       bpf_percpu_hash_update+0xe3/0x150 kernel/bpf/hashtab.c:1585
       bpf_map_update_value.isra.25+0x1e8/0x6b0 kernel/bpf/syscall.c:181
       generic_map_update_batch+0x3e3/0x4b0 kernel/bpf/syscall.c:1311
       bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333
       __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445
       __se_sys_bpf kernel/bpf/syscall.c:3340 [inline]
       __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340
       do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe

other info that might help us debug this:
Chain exists of:
  &htab->buckets[i].lock --> &loc_l->lock --> &l->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&l->lock);
                               lock(&loc_l->lock);
                               lock(&l->lock);
  lock(&htab->buckets[i].lock);

 *** DEADLOCK ***

3 locks held by syz-executor.3/8253:
 #0: ffffffff88d99180 (rcu_read_lock){....}, at: bpf_percpu_hash_update+0x0/0x150 kernel/bpf/hashtab.c:1565
 #1: ffffe8ffffcbe2f0 (&loc_l->lock){....}, at: bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:443 [inline]
 #1: ffffe8ffffcbe2f0 (&loc_l->lock){....}, at: bpf_lru_pop_free+0x2d7/0x13e0 kernel/bpf/bpf_lru_list.c:499
 #2: ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:325 [inline]
 #2: ffff888094bf8a18 (&l->lock){....}, at: bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
 #2: ffff888094bf8a18 (&l->lock){....}, at: bpf_lru_pop_free+0x31e/0x13e0 kernel/bpf/bpf_lru_list.c:499

stack backtrace:
CPU: 0 PID: 8253 Comm: syz-executor.3 Not tainted 5.5.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x12d/0x187 lib/dump_stack.c:118
 print_circular_bug.isra.39.cold.58+0x15a/0x169 kernel/locking/lockdep.c:1685
 check_noncircular+0x349/0x400 kernel/locking/lockdep.c:1809
 check_prev_add kernel/locking/lockdep.c:2476 [inline]
 check_prevs_add kernel/locking/lockdep.c:2581 [inline]
 validate_chain kernel/locking/lockdep.c:2971 [inline]
 __lock_acquire+0x2899/0x4ef0 kernel/locking/lockdep.c:3955
 lock_acquire+0x194/0x410 kernel/locking/lockdep.c:4485
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x99/0xd0 kernel/locking/spinlock.c:159
 htab_lru_map_delete_node+0xbf/0x2d0 kernel/bpf/hashtab.c:593
 __bpf_lru_list_shrink_inactive kernel/bpf/bpf_lru_list.c:220 [inline]
 __bpf_lru_list_shrink+0xf3/0x3c0 kernel/bpf/bpf_lru_list.c:266
 bpf_lru_list_pop_free_to_local kernel/bpf/bpf_lru_list.c:340 [inline]
 bpf_common_lru_pop_free kernel/bpf/bpf_lru_list.c:447 [inline]
 bpf_lru_pop_free+0x4cc/0x13e0 kernel/bpf/bpf_lru_list.c:499
 prealloc_lru_pop+0x24/0x90 kernel/bpf/hashtab.c:132
 __htab_lru_percpu_map_update_elem+0x5b0/0x950 kernel/bpf/hashtab.c:1069
 bpf_percpu_hash_update+0xe3/0x150 kernel/bpf/hashtab.c:1585
 bpf_map_update_value.isra.25+0x1e8/0x6b0 kernel/bpf/syscall.c:181
 generic_map_update_batch+0x3e3/0x4b0 kernel/bpf/syscall.c:1311
 bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333
 __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445
 __se_sys_bpf kernel/bpf/syscall.c:3340 [inline]
 __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c6c9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fefcb1dcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fefcb1dd6d4 RCX: 000000000045c6c9
RDX: 0000000000000038 RSI: 0000000020000040 RDI: 000000000000001a
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000062 R14: 00000000004c2ec4 R15: 000000000076bf2c
------------[ cut here ]------------
kernel BUG at arch/x86/mm/physaddr.c:22!
invalid opcode: 0000 [#2] PREEMPT SMP KASAN
CPU: 0 PID: 8253 Comm: syz-executor.3 Tainted: G D 5.5.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__phys_addr+0xac/0xc0 arch/x86/mm/physaddr.c:22
Code: 88 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 80 3c 02 00 75 15 48 8b 05 e0 46 98 07 48 01 d8 48 81 fb ff ff ff 1f 76 b8 <0f> 0b e8 0d e6 6f 00 eb e4 90 66 2e 0f 1f 84 00 00 00 00 00 b8 00
RSP: 0018:ffffc90002e07a38 EFLAGS: 00010016
RAX: 000000007ffffff2 RBX: 000000007ffffff2 RCX: ffff888077121000
RDX: 1ffffffff118ea02 RSI: ffff8880aa4001c0 RDI: ffffffff88c75010
RBP: ffffc90002e07a48 R08: 00000000fcd58199 R09: fffffbfff135ebc1
R10: fffffbfff135ebc0 R11: ffffffff89af5e07 R12: fffffffffffffff2
R13: ffffffff8174c3bb R14: 0000000000000010 R15: ffff888094bf8800
FS: 00007fefcb1dd700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000021000000 CR3: 000000008efa8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 virt_to_head_page include/linux/mm.h:731 [inline]
 virt_to_cache mm/slab.h:472 [inline]
 kfree+0x7b/0x2c0 mm/slab.c:3749
 generic_map_update_batch+0x2fb/0x4b0 kernel/bpf/syscall.c:1322
 bpf_map_do_batch+0x2f1/0x4c0 kernel/bpf/syscall.c:3333
 __do_sys_bpf+0x6d7/0x32e0 kernel/bpf/syscall.c:3445
 __se_sys_bpf kernel/bpf/syscall.c:3340 [inline]
 __x64_sys_bpf+0x6e/0xb0 kernel/bpf/syscall.c:3340
 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x45c6c9
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fefcb1dcc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fefcb1dd6d4 RCX: 000000000045c6c9
RDX: 0000000000000038 RSI: 0000000020000040 RDI: 000000000000001a
RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 0000000000000062 R14: 00000000004c2ec4 R15: 000000000076bf2c
Modules linked in:
---[ end trace 475c69e4b5df6179 ]---
RIP: 0010:__phys_addr+0xac/0xc0 arch/x86/mm/physaddr.c:22
Code: 88 b8 ff ff 37 00 48 89 fa 48 c1 e0 2a 48 c1 ea 03 80 3c 02 00 75 15 48 8b 05 e0 46 98 07 48 01 d8 48 81 fb ff ff ff 1f 76 b8 <0f> 0b e8 0d e6 6f 00 eb e4 90 66 2e 0f 1f 84 00 00 00 00 00 b8 00
RSP: 0018:ffffc90002e27a38 EFLAGS: 00010016
RAX: 000000007ffffff2 RBX: 000000007ffffff2 RCX: ffff888077065400
RDX: 1ffffffff118ea02 RSI: ffff8880aa4001c0 RDI: ffffffff88c75010
RBP: ffffc90002e27a48 R08: fffffbfff1243531 R09: fffffbfff1243531
R10: fffffbfff1243530 R11: ffffffff8921a983 R12: fffffffffffffff2
R13: ffffffff8174c3bb R14: 0000000000000010 R15: ffff888079041000
FS: 00007fefcb1dd700(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000021000000 CR3: 000000008efa8000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400