program: preadv(0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0) socket$nl_generic(0x10, 0x3, 0x10) bpf$PROG_LOAD(0x5, 0x0, 0x0) r0 = bpf$MAP_CREATE(0x0, 0x0, 0x0) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB, @ANYRES32=r0], 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x94) r1 = bpf$MAP_CREATE(0x0, &(0x7f00000000c0)=@base={0xb, 0x8, 0x8, 0xffffffff, 0x1, 0x1, 0x0, '\x00', 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, @void, @value, @void, @value}, 0x50) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$MAP_UPDATE_BATCH(0x1a, &(0x7f0000000240)={0x0, 0x0, &(0x7f00000000c0), &(0x7f0000000140), 0x5, r1}, 0x38) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=@framed={{}, [@ringbuf_output={{0x18, 0x1, 0x1, 0x0, r1}, {}, {}, {}, {}, {}, {}, {0x85, 0x0, 0x0, 0x3}}]}, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0xfffffffffffffeb2, 0x0, 0x0, 0x24, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) r2 = bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x11, 0xc, &(0x7f0000000440)=ANY=[], &(0x7f0000000240)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @void, @value}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000000)={&(0x7f00000002c0)='hrtimer_start\x00', r2}, 0x3d) perf_event_open(&(0x7f0000000180)={0x1, 0x80, 0x0, 0x0, 0x0, 0x0, 0x0, 0x8001, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_bp={0x0}, 0x0, 0x0, 0x0, 0x7}, 0x0, 0xbfffffffffffffff, 0xffffffffffffffff, 0x0) [ 59.518900][ T5108] [ 59.520147][ T5108] ====================================================== [ 59.523513][ T5108] WARNING: possible circular locking dependency detected [ 59.526269][ T5108] 6.12.0-rc3-syzkaller-00217-g4d939780b705 #0 Not tainted [ 59.529093][ T5108] ------------------------------------------------------ [ 59.532277][ T5108] syz.0.0/5108 is trying to acquire lock: [ 59.534938][ T5108] ffff88801fc29430 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x18a/0x790 [ 59.538597][ T5108] [ 59.538597][ T5108] but task is already holding lock: [ 59.541514][ T5108] ffff88801fc2c898 (hrtimer_bases.lock){-.-.}-{2:2}, at: hrtimer_start_range_ns+0x109/0xca0 [ 59.546559][ T5108] [ 59.546559][ T5108] which lock already depends on the new lock. [ 59.546559][ T5108] [ 59.550731][ T5108] [ 59.550731][ T5108] the existing dependency chain (in reverse order) is: [ 59.554568][ T5108] [ 59.554568][ T5108] -> #1 (hrtimer_bases.lock){-.-.}-{2:2}: [ 59.558204][ T5108] lock_acquire+0x1ed/0x550 [ 59.560278][ T5108] _raw_spin_lock_irqsave+0xd5/0x120 [ 59.562638][ T5108] hrtimer_start_range_ns+0x109/0xca0 [ 59.565346][ T5108] kvfree_call_rcu+0x5e6/0x790 [ 59.567846][ T5108] pwq_release_workfn+0x664/0x800 [ 59.570092][ T5108] kthread_worker_fn+0x500/0xb70 [ 59.572226][ T5108] kthread+0x2f0/0x390 [ 59.574187][ T5108] ret_from_fork+0x4b/0x80 [ 59.576692][ T5108] ret_from_fork_asm+0x1a/0x30 [ 59.579344][ T5108] [ 59.579344][ T5108] -> #0 (krc.lock){..-.}-{2:2}: [ 59.582128][ T5108] validate_chain+0x18ef/0x5920 [ 59.584207][ T5108] __lock_acquire+0x1384/0x2050 [ 59.586414][ T5108] lock_acquire+0x1ed/0x550 [ 59.588705][ T5108] _raw_spin_lock+0x2e/0x40 [ 59.591097][ T5108] kvfree_call_rcu+0x18a/0x790 [ 59.593343][ T5108] trie_delete_elem+0x546/0x6a0 [ 59.595458][ T5108] bpf_prog_2c29ac5cdc6b1842+0x43/0x47 [ 59.598117][ T5108] bpf_trace_run2+0x2ec/0x540 [ 59.600531][ T5108] enqueue_hrtimer+0x35a/0x3c0 [ 59.602701][ T5108] hrtimer_start_range_ns+0xac8/0xca0 [ 59.604839][ T5108] futex_wait_queue+0xb0/0x1d0 [ 59.606750][ T5108] __futex_wait+0x17f/0x320 [ 59.608613][ T5108] futex_wait+0x101/0x360 [ 59.610828][ T5108] do_futex+0x33b/0x560 [ 59.613127][ T5108] __se_sys_futex+0x3f9/0x480 [ 59.615301][ T5108] do_syscall_64+0xf3/0x230 [ 59.617081][ T5108] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.619353][ T5108] [ 59.619353][ T5108] other info that might help us debug this: [ 59.619353][ T5108] [ 59.623863][ T5108] Possible unsafe locking scenario: [ 59.623863][ T5108] [ 59.626910][ T5108] CPU0 CPU1 [ 59.628770][ T5108] ---- ---- [ 59.630787][ T5108] lock(hrtimer_bases.lock); [ 59.632671][ T5108] lock(krc.lock); [ 59.635419][ T5108] lock(hrtimer_bases.lock); [ 59.638876][ T5108] lock(krc.lock); [ 59.640401][ T5108] [ 59.640401][ T5108] *** DEADLOCK *** [ 59.640401][ T5108] [ 59.643578][ T5108] 2 locks held by syz.0.0/5108: [ 59.645710][ T5108] #0: ffff88801fc2c898 (hrtimer_bases.lock){-.-.}-{2:2}, at: hrtimer_start_range_ns+0x109/0xca0 [ 59.650291][ T5108] #1: ffffffff8e937de0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0x1fc/0x540 [ 59.654231][ T5108] [ 59.654231][ T5108] stack backtrace: [ 59.656858][ T5108] CPU: 0 UID: 0 PID: 5108 Comm: syz.0.0 Not tainted 6.12.0-rc3-syzkaller-00217-g4d939780b705 #0 [ 59.661219][ T5108] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 59.665565][ T5108] Call Trace: [ 59.667106][ T5108] [ 59.668473][ T5108] dump_stack_lvl+0x241/0x360 [ 59.670591][ T5108] ? __pfx_dump_stack_lvl+0x10/0x10 [ 59.672741][ T5108] ? __pfx__printk+0x10/0x10 [ 59.674664][ T5108] print_circular_bug+0x13a/0x1b0 [ 59.676876][ T5108] check_noncircular+0x36a/0x4a0 [ 59.679329][ T5108] ? __pfx_check_noncircular+0x10/0x10 [ 59.681779][ T5108] ? lockdep_lock+0x123/0x2b0 [ 59.683655][ T5108] ? mark_lock+0x9a/0x360 [ 59.685373][ T5108] validate_chain+0x18ef/0x5920 [ 59.687582][ T5108] ? __pfx_validate_chain+0x10/0x10 [ 59.689925][ T5108] ? stack_depot_save_flags+0x6e4/0x830 [ 59.692326][ T5108] ? do_raw_spin_lock+0x14f/0x370 [ 59.694353][ T5108] ? __pfx_lock_release+0x10/0x10 [ 59.696476][ T5108] ? do_raw_spin_unlock+0x58/0x8b0 [ 59.698937][ T5108] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.701643][ T5108] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 59.704191][ T5108] ? stack_trace_save+0x118/0x1d0 [ 59.706220][ T5108] ? mark_lock+0x9a/0x360 [ 59.707982][ T5108] __lock_acquire+0x1384/0x2050 [ 59.709876][ T5108] lock_acquire+0x1ed/0x550 [ 59.711709][ T5108] ? kvfree_call_rcu+0x18a/0x790 [ 59.713694][ T5108] ? __pfx_lock_acquire+0x10/0x10 [ 59.715693][ T5108] ? __phys_addr+0xba/0x170 [ 59.717478][ T5108] _raw_spin_lock+0x2e/0x40 [ 59.719334][ T5108] ? kvfree_call_rcu+0x18a/0x790 [ 59.721251][ T5108] kvfree_call_rcu+0x18a/0x790 [ 59.723168][ T5108] ? _raw_spin_unlock_irqrestore+0xdd/0x140 [ 59.725547][ T5108] ? __pfx_kvfree_call_rcu+0x10/0x10 [ 59.727641][ T5108] ? longest_prefix_match+0x330/0x650 [ 59.729696][ T5108] trie_delete_elem+0x546/0x6a0 [ 59.731665][ T5108] ? bpf_trace_run2+0x1fc/0x540 [ 59.733600][ T5108] bpf_prog_2c29ac5cdc6b1842+0x43/0x47 [ 59.735760][ T5108] bpf_trace_run2+0x2ec/0x540 [ 59.737728][ T5108] ? __pfx_bpf_trace_run2+0x10/0x10 [ 59.739775][ T5108] ? _raw_spin_lock_irqsave+0xe1/0x120 [ 59.741981][ T5108] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 59.744160][ T5108] enqueue_hrtimer+0x35a/0x3c0 [ 59.746050][ T5108] hrtimer_start_range_ns+0xac8/0xca0 [ 59.748136][ T5108] ? futex_wait_queue+0x27/0x1d0 [ 59.750125][ T5108] futex_wait_queue+0xb0/0x1d0 [ 59.752094][ T5108] __futex_wait+0x17f/0x320 [ 59.753944][ T5108] ? __pfx___futex_wait+0x10/0x10 [ 59.755996][ T5108] ? __pfx_futex_wake_mark+0x10/0x10 [ 59.758146][ T5108] ? ktime_add_safe+0x38/0x70 [ 59.760040][ T5108] futex_wait+0x101/0x360 [ 59.761776][ T5108] ? __pfx_futex_wait+0x10/0x10 [ 59.763797][ T5108] ? __pfx_hrtimer_wakeup+0x10/0x10 [ 59.766160][ T5108] ? seqcount_lockdep_reader_access+0x1d7/0x220 [ 59.768656][ T5108] ? __pfx_seqcount_lockdep_reader_access+0x10/0x10 [ 59.771979][ T5108] ? ktime_get+0x3c/0xb0 [ 59.773982][ T5108] do_futex+0x33b/0x560 [ 59.775636][ T5108] ? __pfx_do_futex+0x10/0x10 [ 59.777485][ T5108] __se_sys_futex+0x3f9/0x480 [ 59.779479][ T5108] ? __pfx___se_sys_futex+0x10/0x10 [ 59.781878][ T5108] ? __pfx_lockdep_hardirqs_on_prepare+0x10/0x10 [ 59.784926][ T5108] ? do_syscall_64+0x100/0x230 [ 59.786752][ T5108] ? __x64_sys_futex+0x21/0xf0 [ 59.788454][ T5108] do_syscall_64+0xf3/0x230 [ 59.790164][ T5108] ? clear_bhb_loop+0x35/0x90 [ 59.791991][ T5108] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 59.794482][ T5108] RIP: 0033:0x7f685517dff9 [ 59.796335][ T5108] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 59.804024][ T5108] RSP: 002b:00007ffd93179de8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca [ 59.808011][ T5108] RAX: ffffffffffffffda RBX: 00007ffd93179f10 RCX: 00007f685517dff9 [ 59.811293][ T5108] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f6855335f8c [ 59.814606][ T5108] RBP: 00007f6855335f8c R08: 7fffffffffffffff R09: 00007ffd9317a0df [ 59.818024][ T5108] R10: 00007ffd93179ef0 R11: 0000000000000246 R12: 000000000000e81f [ 59.821486][ T5108] R13: 00007ffd93179ef0 R14: 0000000000000032 R15: 000000000000e7ed [ 59.824925][ T5108] [ 59.831858][ T5094] Bluetooth: hci0: command tx timeout