program:
# Fuzzer-generated syscall program in syzkaller's logged text form.
# Result bindings are incomplete in this form: r1 (and r6, r7 later in the listing) are used
# without ever being assigned.
# The console output that follows the program is a lockdep report ("possible circular locking
# dependency") between krc.lock and the timer &base->lock, raised in task syz.0.0 (UID 0).
bpf$MAP_CREATE_RINGBUF(0x0, 0x0, 0x0)
bpf$PROG_LOAD(0x2, 0x0, 0x0)
bpf$MAP_CREATE(0x0, 0x0, 0x0)
openat$cgroup_ro(0xffffffffffffff9c, 0x0, 0x7a05, 0x1700)
r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000640)=@base={0x16, 0x0, 0x4, 0xff, 0x0, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xb, &(0x7f0000000180)=ANY=[], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, 0x0, 0x0)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$SIOCSIFHWADDR(r1, 0x8924, &(0x7f0000000000)={'bridge_slave_0\x00', @random="010000201000"})
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r0, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000000000000b704000000000000850000005700000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x90)
# r2 is loaded with program type 0x11 (BPF_PROG_TYPE_RAW_TRACEPOINT in the kernel's numbering)
# and attached to the 'kmem_cache_free' raw tracepoint.
r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, 0x0, &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f0000000100)='kmem_cache_free\x00', r2}, 0x10)
bpf$PROG_LOAD_XDP(0x5, &(0x7f0000000a40)={0x3, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000008000000000000000000018110000", @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000000b7040000000000008500000058"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x25, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x94)
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94)
# The first field of this map description, 0xb, is BPF_MAP_TYPE_LPM_TRIE in the kernel's
# map-type numbering; the trie_delete_elem frame in the report is consistent with this map.
r3 = bpf$MAP_CREATE(0x0, &(0x7f00000008c0)=@base={0xb, 0x8, 0xc, 0xffffffff, 0x1, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50)
bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0), &(0x7f0000000140), 0x5, r3}, 0x38)
# This instruction blob embeds r3 as a map fd and ends with a call instruction
# (85 00 00 00 03 00 00 00: opcode 0x85, immediate 3, i.e. helper id 3, bpf_map_delete_elem)
# followed by an exit opcode (0x95). The program type given here is 0x0 and the result is not
# bound to a resource.
bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32=r3, @ANYBLOB="0000000000000000b7080000000000007b8af8ff00000000bfa200000000000007020000f8ffffffb703000008000080b704000000000000850000000300000095"], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
# NOTE(review): r4 points its instruction buffer at the same address as the previous load
# (0x7f0000000440) but lists no bytes (ANY=[]); presumably it runs the bytes already written
# there, i.e. the map-delete sequence above. Confirm against the original reproducer.
r4 = bpf$PROG_LOAD(0x5, &(0x7f00000007c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000880)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
# Attaches r4 to the 'timer_start' raw tracepoint. In the report, bpf_trace_run2 is reached from
# enqueue_timer under __mod_timer, i.e. with &base->lock held, and continues into
# trie_delete_elem -> kvfree_call_rcu, which takes krc.lock (dependency #0).
# The reverse edge (#1) in the report is kvfree_call_rcu -> queue_delayed_work_on -> __mod_timer
# -> lock_timer_base, which is what makes lockdep flag the pair as a possible deadlock.
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000040)={&(0x7f0000000000)='timer_start\x00', r4}, 0x10)
bpf$MAP_CREATE(0x0, &(0x7f0000000180)=@base={0x9, 0x4, 0x8, 0x8, 0x14e, 0xffffffffffffffff, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x48)
# This call matches the syscall at the bottom of the report's backtrace
# (__x64_sys_socketpair -> tipc_socketpair -> sk_reset_timer -> __mod_timer; the register dump
# shows ORIG_RAX 0x35, RDI 0x1e, RSI 0x5).
socketpair$tipc(0x1e, 0x5, 0x0, &(0x7f0000000940))
# r5 is another program of type 0x11, attached to the 'sched_switch' raw tracepoint.
r5 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000740)={&(0x7f0000000300)='sched_switch\x00', r5}, 0x10)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SIOCSIFHWADDR(r6, 0x8914, &(0x7f0000000000)={'veth0_vlan\x00', @remote}) perf_event_open(&(0x7f0000000500)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x200, 0x20, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x400000, 0x0, @perf_config_ext, 0x105c34}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0) socketpair$nbd(0x1, 0x1, 0x0, &(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$SIOCSIFHWADDR(r7, 0x8914, &(0x7f0000000000)={'veth0_vlan\x00', @random="0106002010ff"}) [ 70.765606][ T4672] Bluetooth: hci0: command tx timeout [ 70.842859][ T5332] [ 70.843860][ T5332] ====================================================== [ 70.846544][ T5332] WARNING: possible circular locking dependency detected [ 70.849162][ T5332] 6.12.0-rc6-syzkaller-00110-gff7afaeca1a1 #0 Not tainted [ 70.851787][ T5332] ------------------------------------------------------ [ 70.854362][ T5332] syz.0.0/5332 is trying to acquire lock: [ 70.856476][ T5332] ffff88801fc29430 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x18a/0x790 [ 70.859751][ T5332] [ 70.859751][ T5332] but task is already holding lock: [ 70.862501][ T5332] ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 70.865926][ T5332] [ 70.865926][ T5332] which lock already depends on the new lock. 
[ 70.865926][ T5332] [ 70.869892][ T5332] [ 70.869892][ T5332] the existing dependency chain (in reverse order) is: [ 70.873059][ T5332] [ 70.873059][ T5332] -> #1 (&base->lock){-.-.}-{2:2}: [ 70.875490][ T5332] lock_acquire+0x1ed/0x550 [ 70.877264][ T5332] _raw_spin_lock_irqsave+0xd5/0x120 [ 70.879637][ T5332] lock_timer_base+0x112/0x240 [ 70.881777][ T5332] __mod_timer+0x1ca/0xeb0 [ 70.883742][ T5332] queue_delayed_work_on+0x1ca/0x390 [ 70.886011][ T5332] kvfree_call_rcu+0x47f/0x790 [ 70.887867][ T5332] pwq_release_workfn+0x664/0x800 [ 70.890039][ T5332] kthread_worker_fn+0x500/0xb70 [ 70.892080][ T5332] kthread+0x2f0/0x390 [ 70.893596][ T5332] ret_from_fork+0x4b/0x80 [ 70.895251][ T5332] ret_from_fork_asm+0x1a/0x30 [ 70.897115][ T5332] [ 70.897115][ T5332] -> #0 (krc.lock){..-.}-{2:2}: [ 70.899588][ T5332] validate_chain+0x18ef/0x5920 [ 70.901708][ T5332] __lock_acquire+0x1384/0x2050 [ 70.903765][ T5332] lock_acquire+0x1ed/0x550 [ 70.905809][ T5332] _raw_spin_lock+0x2e/0x40 [ 70.907725][ T5332] kvfree_call_rcu+0x18a/0x790 [ 70.909531][ T5332] trie_delete_elem+0x546/0x6a0 [ 70.911459][ T5332] bpf_prog_2e5e7763945ac34e+0x45/0x49 [ 70.913731][ T5332] bpf_trace_run2+0x2ec/0x540 [ 70.915504][ T5332] enqueue_timer+0x3ce/0x570 [ 70.917290][ T5332] __mod_timer+0xa0e/0xeb0 [ 70.918966][ T5332] sk_reset_timer+0x23/0xc0 [ 70.920727][ T5332] tipc_sk_finish_conn+0x16b/0x820 [ 70.922674][ T5332] tipc_socketpair+0x25c/0x4b0 [ 70.924539][ T5332] __sys_socketpair+0x40f/0x720 [ 70.926454][ T5332] __x64_sys_socketpair+0x9b/0xb0 [ 70.928425][ T5332] do_syscall_64+0xf3/0x230 [ 70.930436][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 70.932953][ T5332] [ 70.932953][ T5332] other info that might help us debug this: [ 70.932953][ T5332] [ 70.936941][ T5332] Possible unsafe locking scenario: [ 70.936941][ T5332] [ 70.939908][ T5332] CPU0 CPU1 [ 70.942030][ T5332] ---- ---- [ 70.944195][ T5332] lock(&base->lock); [ 70.945921][ T5332] lock(krc.lock); [ 70.948422][ T5332] 
lock(&base->lock); [ 70.951101][ T5332] lock(krc.lock); [ 70.952700][ T5332] [ 70.952700][ T5332] *** DEADLOCK *** [ 70.952700][ T5332] [ 70.955874][ T5332] 2 locks held by syz.0.0/5332: [ 70.957866][ T5332] #0: ffff88801fc2a718 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x112/0x240 [ 70.961397][ T5332] #1: ffffffff8e937da0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 [ 70.964794][ T5332] [ 70.964794][ T5332] stack backtrace: [ 70.967071][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted 6.12.0-rc6-syzkaller-00110-gff7afaeca1a1 #0 [ 70.971025][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 70.975110][ T5332] Call Trace: [ 70.976367][ T5332] [ 70.977541][ T5332] dump_stack_lvl+0x241/0x360 [ 70.979438][ T5332] ? __pfx_dump_stack_lvl+0x10/0x10 [ 70.981450][ T5332] ? __pfx__printk+0x10/0x10 [ 70.983177][ T5332] print_circular_bug+0x13a/0x1b0 [ 70.985071][ T5332] check_noncircular+0x36a/0x4a0 [ 70.986966][ T5332] ? __pfx_check_noncircular+0x10/0x10 [ 70.988968][ T5332] ? lockdep_lock+0x123/0x2b0 [ 70.990691][ T5332] ? mark_lock+0x9a/0x360 [ 70.992387][ T5332] validate_chain+0x18ef/0x5920 [ 70.994216][ T5332] ? __pfx_validate_chain+0x10/0x10 [ 70.995942][ T5332] ? stack_depot_save_flags+0x6e4/0x830 [ 70.998032][ T5332] ? do_raw_spin_lock+0x14f/0x370 [ 70.999993][ T5332] ? __pfx_lock_release+0x10/0x10 [ 71.001912][ T5332] ? do_raw_spin_unlock+0x58/0x8b0 [ 71.003845][ T5332] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 71.006044][ T5332] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 71.008499][ T5332] ? stack_trace_save+0x118/0x1d0 [ 71.010514][ T5332] ? mark_lock+0x9a/0x360 [ 71.012148][ T5332] __lock_acquire+0x1384/0x2050 [ 71.013929][ T5332] lock_acquire+0x1ed/0x550 [ 71.015756][ T5332] ? kvfree_call_rcu+0x18a/0x790 [ 71.017661][ T5332] ? __pfx_lock_acquire+0x10/0x10 [ 71.019640][ T5332] ? __phys_addr+0xba/0x170 [ 71.021466][ T5332] _raw_spin_lock+0x2e/0x40 [ 71.023201][ T5332] ? 
kvfree_call_rcu+0x18a/0x790 [ 71.025080][ T5332] kvfree_call_rcu+0x18a/0x790 [ 71.026881][ T5332] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 71.029078][ T5332] ? __pfx_kvfree_call_rcu+0x10/0x10 [ 71.031195][ T5332] ? longest_prefix_match+0x330/0x650 [ 71.033312][ T5332] trie_delete_elem+0x546/0x6a0 [ 71.035262][ T5332] ? bpf_trace_run2+0x1fc/0x540 [ 71.037066][ T5332] bpf_prog_2e5e7763945ac34e+0x45/0x49 [ 71.039104][ T5332] bpf_trace_run2+0x2ec/0x540 [ 71.040947][ T5332] ? __pfx_bpf_trace_run2+0x10/0x10 [ 71.042875][ T5332] ? __pfx_debug_object_activate+0x10/0x10 [ 71.045070][ T5332] ? __lock_acquire+0x1384/0x2050 [ 71.046815][ T5332] enqueue_timer+0x3ce/0x570 [ 71.048537][ T5332] __mod_timer+0xa0e/0xeb0 [ 71.050207][ T5332] ? __pfx___mod_timer+0x10/0x10 [ 71.052072][ T5332] ? __pfx_lock_acquire+0x10/0x10 [ 71.053883][ T5332] ? net_generic+0x1f/0x240 [ 71.055469][ T5332] ? __pfx_lock_release+0x10/0x10 [ 71.057271][ T5332] sk_reset_timer+0x23/0xc0 [ 71.059032][ T5332] tipc_sk_finish_conn+0x16b/0x820 [ 71.060943][ T5332] tipc_socketpair+0x25c/0x4b0 [ 71.062789][ T5332] __sys_socketpair+0x40f/0x720 [ 71.064579][ T5332] ? __pfx___sys_socketpair+0x10/0x10 [ 71.066654][ T5332] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 71.068744][ T5332] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 71.070988][ T5332] ? do_syscall_64+0x100/0x230 [ 71.072705][ T5332] __x64_sys_socketpair+0x9b/0xb0 [ 71.074483][ T5332] do_syscall_64+0xf3/0x230 [ 71.075986][ T5332] ? 
clear_bhb_loop+0x35/0x90 [ 71.077560][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 71.079629][ T5332] RIP: 0033:0x7f7408b7e719 [ 71.081085][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 71.087906][ T5332] RSP: 002b:00007f74098fa038 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 [ 71.091087][ T5332] RAX: ffffffffffffffda RBX: 00007f7408d35f80 RCX: 00007f7408b7e719 [ 71.094072][ T5332] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 000000000000001e [ 71.097092][ T5332] RBP: 00007f7408bf139e R08: 0000000000000000 R09: 0000000000000000 [ 71.100127][ T5332] R10: 0000000020000940 R11: 0000000000000246 R12: 0000000000000000 [ 71.103148][ T5332] R13: 0000000000000000 R14: 00007f7408d35f80 R15: 00007ffe4a202c18 [ 71.106148][ T5332] [ 71.123306][ T5333] veth0_vlan: entered allmulticast mode [ 71.172710][ C0] hrtimer: interrupt took 29511 ns [ 71.197116][ T5332] veth0_vlan: left promiscuous mode [ 71.200303][ T5332] veth0_vlan: entered promiscuous mode