====================================================== WARNING: possible circular locking dependency detected syzkaller #0 Not tainted ------------------------------------------------------ syz-executor/9550 is trying to acquire lock: ffff888057ccea38 (&trie->lock){-.-.}-{2:2}, at: trie_delete_elem+0x90/0x690 kernel/bpf/lpm_trie.c:467 but task is already holding lock: ffffffff8d1b4978 (pool_lock){-.-.}-{2:2}, at: fill_pool lib/debugobjects.c:176 [inline] ffffffff8d1b4978 (pool_lock){-.-.}-{2:2}, at: debug_objects_fill_pool+0x54c/0x650 lib/debugobjects.c:607 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (pool_lock){-.-.}-{2:2}: -> #1 (&obj_hash[i].lock){-.-.}-{2:2}: __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162 __debug_check_no_obj_freed lib/debugobjects.c:968 [inline] debug_check_no_obj_freed+0x136/0x530 lib/debugobjects.c:1009 slab_free_hook mm/slub.c:1704 [inline] slab_free_freelist_hook+0xd2/0x1a0 mm/slub.c:1755 slab_free mm/slub.c:3687 [inline] __kmem_cache_free+0xb6/0x1f0 mm/slub.c:3700 trie_update_elem+0x6c1/0xe90 kernel/bpf/lpm_trie.c:444 bpf_map_update_value+0x59e/0x670 kernel/bpf/syscall.c:228 generic_map_update_batch+0x569/0x850 kernel/bpf/syscall.c:1709 bpf_map_do_batch+0x466/0x600 kernel/bpf/syscall.c:-1 __sys_bpf+0x65f/0x6d0 kernel/bpf/syscall.c:-1 __do_sys_bpf kernel/bpf/syscall.c:5131 [inline] __se_sys_bpf kernel/bpf/syscall.c:5129 [inline] __x64_sys_bpf+0x78/0x90 kernel/bpf/syscall.c:5129 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 -> #0 (&trie->lock){-.-.}-{2:2}: check_prev_add kernel/locking/lockdep.c:3090 [inline] check_prevs_add kernel/locking/lockdep.c:3209 [inline] validate_chain kernel/locking/lockdep.c:3825 [inline] __lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049 lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162 trie_delete_elem+0x90/0x690 kernel/bpf/lpm_trie.c:467 bpf_prog_1db1603a7cfa36fb+0x3d/0x41 bpf_dispatcher_nop_func include/linux/bpf.h:1011 [inline] __bpf_prog_run include/linux/filter.h:603 [inline] bpf_prog_run include/linux/filter.h:610 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2285 [inline] bpf_trace_run2+0x1cd/0x3b0 kernel/trace/bpf_trace.c:2324 trace_contention_end+0x13f/0x190 include/trace/events/lock.h:122 __pv_queued_spin_lock_slowpath+0x7e8/0x9c0 kernel/locking/qspinlock.c:560 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline] queued_spin_lock_slowpath+0x43/0x50 arch/x86/include/asm/qspinlock.h:51 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline] do_raw_spin_lock+0x217/0x280 kernel/locking/spinlock_debug.c:115 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline] _raw_spin_lock_irqsave+0xb0/0xf0 kernel/locking/spinlock.c:162 fill_pool lib/debugobjects.c:176 [inline] debug_objects_fill_pool+0x54c/0x650 lib/debugobjects.c:607 debug_object_activate+0x34/0x490 lib/debugobjects.c:694 debug_rcu_head_queue kernel/rcu/rcu.h:190 [inline] call_rcu+0xa7/0x980 kernel/rcu/tree.c:2834 destroy_inode fs/inode.c:316 [inline] evict+0x7da/0x870 fs/inode.c:720 proc_invalidate_siblings_dcache+0x428/0x6c0 fs/proc/inode.c:158 release_task+0x1450/0x1600 kernel/exit.c:278 wait_task_zombie kernel/exit.c:1208 [inline] wait_consider_task+0x1978/0x2e40 kernel/exit.c:1435 do_wait_thread kernel/exit.c:1498 [inline] do_wait+0x31c/0xb60 kernel/exit.c:1615 kernel_wait4+0x1ab/0x270 kernel/exit.c:1778 __do_sys_wait4 kernel/exit.c:1806 [inline] __se_sys_wait4 kernel/exit.c:1802 [inline] __x64_sys_wait4+0x130/0x1e0 kernel/exit.c:1802 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 other info that might help us debug this: Chain exists of: &trie->lock --> &obj_hash[i].lock --> pool_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(pool_lock); lock(&obj_hash[i].lock); lock(pool_lock); lock(&trie->lock); *** DEADLOCK *** 2 locks held by syz-executor/9550: #0: ffffffff8d1b4978 (pool_lock){-.-.}-{2:2}, at: fill_pool lib/debugobjects.c:176 [inline] #0: ffffffff8d1b4978 (pool_lock){-.-.}-{2:2}, at: debug_objects_fill_pool+0x54c/0x650 lib/debugobjects.c:607 #1: ffffffff8cb2abe0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline] #1: ffffffff8cb2abe0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline] #1: ffffffff8cb2abe0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2284 [inline] #1: ffffffff8cb2abe0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run2+0xda/0x3b0 kernel/trace/bpf_trace.c:2324 stack backtrace: CPU: 0 PID: 9550 Comm: syz-executor Not tainted syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Call Trace: dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106 check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2170 check_prev_add kernel/locking/lockdep.c:3090 [inline] check_prevs_add kernel/locking/lockdep.c:3209 [inline] validate_chain kernel/locking/lockdep.c:3825 [inline] __lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049 lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162 trie_delete_elem+0x90/0x690 kernel/bpf/lpm_trie.c:467 bpf_prog_1db1603a7cfa36fb+0x3d/0x41 bpf_dispatcher_nop_func include/linux/bpf.h:1011 [inline] __bpf_prog_run include/linux/filter.h:603 [inline] bpf_prog_run include/linux/filter.h:610 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2285 [inline] bpf_trace_run2+0x1cd/0x3b0 kernel/trace/bpf_trace.c:2324 trace_contention_end+0x13f/0x190 include/trace/events/lock.h:122 __pv_queued_spin_lock_slowpath+0x7e8/0x9c0 kernel/locking/qspinlock.c:560 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:591 [inline] queued_spin_lock_slowpath+0x43/0x50 arch/x86/include/asm/qspinlock.h:51 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline] do_raw_spin_lock+0x217/0x280 kernel/locking/spinlock_debug.c:115 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline] _raw_spin_lock_irqsave+0xb0/0xf0 kernel/locking/spinlock.c:162 fill_pool lib/debugobjects.c:176 [inline] debug_objects_fill_pool+0x54c/0x650 lib/debugobjects.c:607 debug_object_activate+0x34/0x490 lib/debugobjects.c:694 debug_rcu_head_queue kernel/rcu/rcu.h:190 [inline] call_rcu+0xa7/0x980 kernel/rcu/tree.c:2834 destroy_inode fs/inode.c:316 [inline] evict+0x7da/0x870 fs/inode.c:720 proc_invalidate_siblings_dcache+0x428/0x6c0 fs/proc/inode.c:158 release_task+0x1450/0x1600 kernel/exit.c:278 wait_task_zombie kernel/exit.c:1208 [inline] wait_consider_task+0x1978/0x2e40 kernel/exit.c:1435 do_wait_thread kernel/exit.c:1498 [inline] do_wait+0x31c/0xb60 kernel/exit.c:1615 kernel_wait4+0x1ab/0x270 kernel/exit.c:1778 __do_sys_wait4 kernel/exit.c:1806 [inline] __se_sys_wait4 kernel/exit.c:1802 [inline] __x64_sys_wait4+0x130/0x1e0 kernel/exit.c:1802 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f631eb85017 Code: 89 7c 24 10 48 89 4c 24 18 e8 65 1c 03 00 4c 8b 54 24 18 8b 54 24 14 41 89 c0 48 8b 74 24 08 8b 7c 24 10 b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 89 44 24 10 e8 b5 1c 03 00 8b 44 RSP: 002b:00007ffce86c9c00 EFLAGS: 00000293 ORIG_RAX: 000000000000003d RAX: ffffffffffffffda RBX: 0000000000000013 RCX: 00007f631eb85017 RDX: 0000000040000001 RSI: 00007ffce86c9c6c RDI: 00000000ffffffff RBP: 00007ffce86c9c6c R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000001388 R13: 00000000000927c0 R14: 000000000006e91d R15: 00007ffce86c9cc0