======================================================
WARNING: possible circular locking dependency detected
5.15.186-syzkaller #0 Not tainted
------------------------------------------------------
syz.3.338/5513 is trying to acquire lock:
ffff8880b9127e78 (krc.lock){..-.}-{2:2}, at: krc_this_cpu_lock kernel/rcu/tree.c:3199 [inline]
ffff8880b9127e78 (krc.lock){..-.}-{2:2}, at: add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3506 [inline]
ffff8880b9127e78 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x186/0x7c0 kernel/rcu/tree.c:3597

but task is already holding lock:
ffff88805d3bc1b8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&trie->lock){..-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162
       trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467
       0xffffffffa002e09c
       bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
       __bpf_prog_run include/linux/filter.h:628 [inline]
       bpf_prog_run include/linux/filter.h:635 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
       bpf_trace_run3+0x17e/0x320 kernel/trace/bpf_trace.c:1916
       __traceiter_timer_start+0x73/0xc0 include/trace/events/timer.h:52
       trace_timer_start include/trace/events/timer.h:52 [inline]
       enqueue_timer+0x394/0x520 kernel/time/timer.c:586
       internal_add_timer kernel/time/timer.c:611 [inline]
       __mod_timer+0x8e1/0xd20 kernel/time/timer.c:1062
       sk_reset_timer+0x1f/0xb0 net/core/sock.c:3137
       tipc_sk_finish_conn+0x154/0x7e0 net/tipc/socket.c:1675
       tipc_socketpair+0x250/0x470 net/tipc/socket.c:3348
       __sys_socketpair+0x2ac/0x540 net/socket.c:1659
       __do_sys_socketpair net/socket.c:1695 [inline]
       __se_sys_socketpair net/socket.c:1692 [inline]
       __x64_sys_socketpair+0x97/0xb0 net/socket.c:1692
       do_syscall_x64 arch/x86/entry/common.c:50 [inline]
       do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:80
       entry_SYSCALL_64_after_hwframe+0x66/0xd0

-> #1 (&base->lock){-.-.}-{2:2}:
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162
       lock_timer_base+0x123/0x270 kernel/time/timer.c:946
       __mod_timer+0x117/0xd20 kernel/time/timer.c:1019
       queue_delayed_work_on+0x126/0x1e0 kernel/workqueue.c:1715
       queue_delayed_work include/linux/workqueue.h:527 [inline]
       schedule_delayed_work include/linux/workqueue.h:631 [inline]
       kvfree_call_rcu+0x4a9/0x7c0 kernel/rcu/tree.c:3625
       rtnl_register_internal+0x44e/0x540 net/core/rtnetlink.c:223
       rtnl_register+0x2e/0x70 net/core/rtnetlink.c:273
       ip_rt_init+0x2e0/0x3a0 net/ipv4/route.c:3795
       ip_init+0xa/0x20 net/ipv4/ip_output.c:1749
       inet_init+0x28b/0x3a0 net/ipv4/af_inet.c:2007
       do_one_initcall+0x1ee/0x680 init/main.c:1302
       do_initcall_level+0x137/0x1f0 init/main.c:1375
       do_initcalls+0x4b/0x90 init/main.c:1391
       kernel_init_freeable+0x3ce/0x560 init/main.c:1615
       kernel_init+0x19/0x1b0 init/main.c:1506
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:287

-> #0 (krc.lock){..-.}-{2:2}:
       check_prev_add kernel/locking/lockdep.c:3053 [inline]
       check_prevs_add kernel/locking/lockdep.c:3172 [inline]
       validate_chain kernel/locking/lockdep.c:3788 [inline]
       __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012
       lock_acquire+0x197/0x3f0 kernel/locking/lockdep.c:5623
       __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
       _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
       krc_this_cpu_lock kernel/rcu/tree.c:3199 [inline]
       add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3506 [inline]
       kvfree_call_rcu+0x186/0x7c0 kernel/rcu/tree.c:3597
       trie_delete_elem+0x58c/0x710 kernel/bpf/lpm_trie.c:-1
       bpf_prog_8c8ab8634bca3061+0x3a/0x598
       bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
       __bpf_prog_run include/linux/filter.h:628 [inline]
       bpf_prog_run include/linux/filter.h:635 [inline]
       __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
       bpf_trace_run3+0x17e/0x320 kernel/trace/bpf_trace.c:1916
       __bpf_trace_kmem_cache_free+0x99/0xc0 include/trace/events/kmem.h:138
       trace_kmem_cache_free include/trace/events/kmem.h:138 [inline]
       kmem_cache_free+0x1e7/0x210 mm/slub.c:3516
       jbd2_free_handle include/linux/jbd2.h:1602 [inline]
       jbd2_journal_stop+0x8c2/0xd20 fs/jbd2/transaction.c:1965
       __ext4_journal_stop+0xf2/0x190 fs/ext4/ext4_jbd2.c:127
       __mark_inode_dirty+0x2b0/0xc60 fs/fs-writeback.c:2464
       generic_update_time+0x1cd/0x1f0 fs/inode.c:1881
       inode_update_time fs/inode.c:1894 [inline]
       file_update_time+0x38b/0x400 fs/inode.c:2083
       ext4_page_mkwrite+0x1b4/0x1240 fs/ext4/inode.c:6158
       do_page_mkwrite+0x168/0x3c0 mm/memory.c:2922
       do_shared_fault mm/memory.c:4328 [inline]
       do_fault mm/memory.c:4396 [inline]
       handle_pte_fault mm/memory.c:4650 [inline]
       __handle_mm_fault mm/memory.c:4785 [inline]
       handle_mm_fault+0x1d4b/0x43c0 mm/memory.c:4883
       do_user_addr_fault+0x489/0xc80 arch/x86/mm/fault.c:1357
       handle_page_fault arch/x86/mm/fault.c:1445 [inline]
       exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1501
       asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606

other info that might help us debug this:

Chain exists of:
  krc.lock --> &base->lock --> &trie->lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&trie->lock);
                               lock(&base->lock);
                               lock(&trie->lock);
  lock(krc.lock);

 *** DEADLOCK ***

4 locks held by syz.3.338/5513:
 #0: ffff88802bbf2428 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:136 [inline]
 #0: ffff88802bbf2428 (&mm->mmap_lock){++++}-{3:3}, at: do_user_addr_fault+0x2b9/0xc80 arch/x86/mm/fault.c:1298
 #1: ffff88807e80e558 (sb_pagefaults){.+.+}-{0:0}, at: __sb_start_write include/linux/fs.h:1811 [inline]
 #1: ffff88807e80e558 (sb_pagefaults){.+.+}-{0:0}, at: sb_start_pagefault include/linux/fs.h:1910 [inline]
 #1: ffff88807e80e558 (sb_pagefaults){.+.+}-{0:0}, at: ext4_page_mkwrite+0x19d/0x1240 fs/ext4/inode.c:6157
 #2: ffffffff8c11bfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x5/0x30 include/linux/rcupdate.h:311
 #3: ffff88805d3bc1b8 (&trie->lock){..-.}-{2:2}, at: trie_delete_elem+0x90/0x710 kernel/bpf/lpm_trie.c:467

stack backtrace:
CPU: 1 PID: 5513 Comm: syz.3.338 Not tainted 5.15.186-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0x168/0x230 lib/dump_stack.c:106
 check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2133
 check_prev_add kernel/locking/lockdep.c:3053 [inline]
 check_prevs_add kernel/locking/lockdep.c:3172 [inline]
 validate_chain kernel/locking/lockdep.c:3788 [inline]
 __lock_acquire+0x2c33/0x7c60 kernel/locking/lockdep.c:5012
 lock_acquire+0x197/0x3f0 kernel/locking/lockdep.c:5623
 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
 krc_this_cpu_lock kernel/rcu/tree.c:3199 [inline]
 add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3506 [inline]
 kvfree_call_rcu+0x186/0x7c0 kernel/rcu/tree.c:3597
 trie_delete_elem+0x58c/0x710 kernel/bpf/lpm_trie.c:-1
 bpf_prog_8c8ab8634bca3061+0x3a/0x598
 bpf_dispatcher_nop_func include/linux/bpf.h:790 [inline]
 __bpf_prog_run include/linux/filter.h:628 [inline]
 bpf_prog_run include/linux/filter.h:635 [inline]
 __bpf_trace_run kernel/trace/bpf_trace.c:1878 [inline]
 bpf_trace_run3+0x17e/0x320 kernel/trace/bpf_trace.c:1916
 __bpf_trace_kmem_cache_free+0x99/0xc0 include/trace/events/kmem.h:138
 trace_kmem_cache_free include/trace/events/kmem.h:138 [inline]
 kmem_cache_free+0x1e7/0x210 mm/slub.c:3516
 jbd2_free_handle include/linux/jbd2.h:1602 [inline]
 jbd2_journal_stop+0x8c2/0xd20 fs/jbd2/transaction.c:1965
 __ext4_journal_stop+0xf2/0x190 fs/ext4/ext4_jbd2.c:127
 __mark_inode_dirty+0x2b0/0xc60 fs/fs-writeback.c:2464
 generic_update_time+0x1cd/0x1f0 fs/inode.c:1881
 inode_update_time fs/inode.c:1894 [inline]
 file_update_time+0x38b/0x400 fs/inode.c:2083
 ext4_page_mkwrite+0x1b4/0x1240 fs/ext4/inode.c:6158
 do_page_mkwrite+0x168/0x3c0 mm/memory.c:2922
 do_shared_fault mm/memory.c:4328 [inline]
 do_fault mm/memory.c:4396 [inline]
 handle_pte_fault mm/memory.c:4650 [inline]
 __handle_mm_fault mm/memory.c:4785 [inline]
 handle_mm_fault+0x1d4b/0x43c0 mm/memory.c:4883
 do_user_addr_fault+0x489/0xc80 arch/x86/mm/fault.c:1357
 handle_page_fault arch/x86/mm/fault.c:1445 [inline]
 exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1501
 asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:606
RIP: 0033:0x7f0a6ea51262
Code: 0f 1f 84 00 00 00 00 00 be 08 00 00 00 48 89 df e8 c3 75 fe ff 48 8b 53 38 48 8d 42 f8 48 89 43 38 8b 43 28 83 c0 08 89 43 28 <4c> 89 62 f8 41 8d 56 01 41 39 ee 0f 83 8d 00 00 00 41 89 d6 48 8b
RSP: 002b:00007ffc2b05fe30 EFLAGS: 00010202
RAX: 0000000000005008 RBX: 00007f0a6f8c7720 RCX: 0000000000000000
RDX: 0000001b3081b000 RSI: 0000000000000008 RDI: 00007f0a6f8c7720
RBP: 000000000000015f R08: 00007f0a6e1e1060 R09: 00007f0a6ed84000
R10: 00007f0a6e1e1008 R11: 0000000000000006 R12: ffffffff87c6f921
R13: 00007f0a6ed98038 R14: 0000000000000056 R15: ffffffffffffb000
 </TASK>