======================================================
WARNING: possible circular locking dependency detected
6.1.142-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor/7597 is trying to acquire lock:
ffff8880b8e281d8 (krc.lock){..-.}-{2:2}, at: krc_this_cpu_lock kernel/rcu/tree.c:2991 [inline]
ffff8880b8e281d8 (krc.lock){..-.}-{2:2}, at: add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3311 [inline]
ffff8880b8e281d8 (krc.lock){..-.}-{2:2}, at: kvfree_call_rcu+0x184/0x870 kernel/rcu/tree.c:3402
but task is already holding lock:
ffff8880b8e28418 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x123/0x270 kernel/time/timer.c:999
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&base->lock){-.-.}-{2:2}:
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xa4/0xf0 kernel/locking/spinlock.c:162
lock_timer_base+0x123/0x270 kernel/time/timer.c:999
__mod_timer+0x117/0xd20 kernel/time/timer.c:1072
queue_delayed_work_on+0x126/0x1e0 kernel/workqueue.c:1704
queue_delayed_work include/linux/workqueue.h:527 [inline]
schedule_delayed_monitor_work kernel/rcu/tree.c:3172 [inline]
kvfree_call_rcu+0x4cb/0x870 kernel/rcu/tree.c:3428
rtnl_register_internal+0x489/0x590 net/core/rtnetlink.c:260
rtnl_register+0x2e/0x70 net/core/rtnetlink.c:310
ip_rt_init+0x323/0x3b5 net/ipv4/route.c:3793
ip_init+0xa/0x14 net/ipv4/ip_output.c:1771
inet_init+0x2bd/0x3cf net/ipv4/af_inet.c:2033
do_one_initcall+0x214/0x7a0 init/main.c:1298
do_initcall_level+0x137/0x1e4 init/main.c:1371
do_initcalls+0x4b/0x8a init/main.c:1387
kernel_init_freeable+0x3fa/0x5ac init/main.c:1626
kernel_init+0x19/0x1b0 init/main.c:1514
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
-> #0 (krc.lock){..-.}-{2:2}:
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain kernel/locking/lockdep.c:3825 [inline]
__lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049
lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
krc_this_cpu_lock kernel/rcu/tree.c:2991 [inline]
add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3311 [inline]
kvfree_call_rcu+0x184/0x870 kernel/rcu/tree.c:3402
trie_delete_elem+0x52d/0x690 kernel/bpf/lpm_trie.c:545
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:1001 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2285 [inline]
bpf_trace_run3+0x1e3/0x400 kernel/trace/bpf_trace.c:2325
trace_timer_start include/trace/events/timer.h:53 [inline]
enqueue_timer+0x411/0x5c0 kernel/time/timer.c:609
__mod_timer+0x88e/0xd20 kernel/time/timer.c:1113
sk_reset_timer+0x1f/0xb0 net/core/sock.c:3374
tcp_event_new_data_sent+0x20e/0x370 net/ipv4/tcp_output.c:81
tcp_write_xmit+0x1780/0x62b0 net/ipv4/tcp_output.c:2716
__tcp_push_pending_frames+0x93/0x340 net/ipv4/tcp_output.c:2894
tcp_push_pending_frames include/net/tcp.h:1986 [inline]
tcp_data_snd_check net/ipv4/tcp_input.c:5599 [inline]
tcp_rcv_established+0xf62/0x1d30 net/ipv4/tcp_input.c:6023
tcp_v4_do_rcv+0x48d/0xb00 net/ipv4/tcp_ipv4.c:1683
tcp_v4_rcv+0x2789/0x2e30 net/ipv4/tcp_ipv4.c:2114
ip_protocol_deliver_rcu+0x3ad/0x780 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2c7/0x510 net/ipv4/ip_input.c:233
NF_HOOK+0x2ff/0x390 include/linux/netfilter.h:302
dst_input include/net/dst.h:463 [inline]
ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
ip_sublist_rcv+0xa30/0xd10 net/ipv4/ip_input.c:639
ip_list_rcv+0x3df/0x430 net/ipv4/ip_input.c:674
__netif_receive_skb_list_ptype net/core/dev.c:5612 [inline]
__netif_receive_skb_list_core+0x574/0x740 net/core/dev.c:5660
__netif_receive_skb_list net/core/dev.c:5712 [inline]
netif_receive_skb_list_internal+0x90f/0xc50 net/core/dev.c:5803
gro_normal_list include/net/gro.h:433 [inline]
napi_complete_done+0x37d/0x830 net/core/dev.c:6144
virtqueue_napi_complete drivers/net/virtio_net.c:403 [inline]
virtnet_poll+0x991/0x1150 drivers/net/virtio_net.c:1687
__napi_poll+0xc0/0x460 net/core/dev.c:6578
napi_poll net/core/dev.c:6645 [inline]
net_rx_action+0x5b1/0xad0 net/core/dev.c:6759
handle_softirqs+0x2a1/0x920 kernel/softirq.c:596
__do_softirq kernel/softirq.c:630 [inline]
invoke_softirq kernel/softirq.c:470 [inline]
__irq_exit_rcu+0x12f/0x220 kernel/softirq.c:679
irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
common_interrupt+0xb5/0xd0 arch/x86/kernel/irq.c:242
asm_common_interrupt+0x22/0x40 arch/x86/include/asm/idtentry.h:682
lock_release+0x593/0x910 kernel/locking/lockdep.c:5686
rcu_lock_release include/linux/rcupdate.h:355 [inline]
rcu_read_unlock_sched include/linux/rcupdate.h:904 [inline]
pfn_valid+0x3c5/0x420 include/linux/mmzone.h:1867
page_table_check_set+0x25/0x6d0 mm/page_table_check.c:108
page_table_check_pte_set include/linux/page_table_check.h:83 [inline]
set_pte_at arch/x86/include/asm/pgtable.h:1009 [inline]
do_set_pte+0x452/0x460 mm/memory.c:4426
filemap_map_pages+0xcab/0x10d0 mm/filemap.c:3481
do_fault_around mm/memory.c:4600 [inline]
do_read_fault mm/memory.c:4626 [inline]
do_fault mm/memory.c:4760 [inline]
handle_pte_fault mm/memory.c:5031 [inline]
__handle_mm_fault mm/memory.c:5173 [inline]
handle_mm_fault+0x2889/0x3e70 mm/memory.c:5294
do_user_addr_fault+0x51f/0xb10 arch/x86/mm/fault.c:1340
handle_page_fault arch/x86/mm/fault.c:1431 [inline]
exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1487
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608
other info that might help us debug this:
Possible unsafe locking scenario:
       CPU0                    CPU1
       ----                    ----
  lock(&base->lock);
                               lock(krc.lock);
                               lock(&base->lock);
  lock(krc.lock);
*** DEADLOCK ***
8 locks held by syz-executor/7597:
#0: ffff88807ebf6a58 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_trylock include/linux/mmap_lock.h:136 [inline]
#0: ffff88807ebf6a58 (&mm->mmap_lock){++++}-{3:3}, at: get_mmap_lock_carefully mm/memory.c:5322 [inline]
#0: ffff88807ebf6a58 (&mm->mmap_lock){++++}-{3:3}, at: lock_mm_and_find_vma+0x2e/0x2f0 mm/memory.c:5384
#1: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#1: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#1: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: filemap_map_pages+0x18b/0x10d0 mm/filemap.c:3444
#2: ffff8880792aae58 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#2: ffff8880792aae58 (ptlock_ptr(page)#2){+.+.}-{2:2}, at: filemap_map_pages+0x8c1/0x10d0 mm/filemap.c:3455
#3: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#3: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#3: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: netif_receive_skb_list_internal+0x4a5/0xc50 net/core/dev.c:5788
#4: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#4: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#4: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: ip_local_deliver_finish+0x1c8/0x510 net/ipv4/ip_input.c:232
#5: ffff888028418cf0 (slock-AF_INET/1){+.-.}-{2:2}, at: tcp_v4_rcv+0x2733/0x2e30 net/ipv4/tcp_ipv4.c:2110
#6: ffff8880b8e28418 (&base->lock){-.-.}-{2:2}, at: lock_timer_base+0x123/0x270 kernel/time/timer.c:999
#7: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:350 [inline]
#7: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:791 [inline]
#7: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: __bpf_trace_run kernel/trace/bpf_trace.c:2284 [inline]
#7: ffffffff8c92aaa0 (rcu_read_lock){....}-{1:2}, at: bpf_trace_run3+0xf0/0x400 kernel/trace/bpf_trace.c:2325
stack backtrace:
CPU: 0 PID: 7597 Comm: syz-executor Not tainted 6.1.142-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Call Trace:
dump_stack_lvl+0x168/0x22e lib/dump_stack.c:106
check_noncircular+0x274/0x310 kernel/locking/lockdep.c:2170
check_prev_add kernel/locking/lockdep.c:3090 [inline]
check_prevs_add kernel/locking/lockdep.c:3209 [inline]
validate_chain kernel/locking/lockdep.c:3825 [inline]
__lock_acquire+0x2cf8/0x7c50 kernel/locking/lockdep.c:5049
lock_acquire+0x1b4/0x490 kernel/locking/lockdep.c:5662
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
krc_this_cpu_lock kernel/rcu/tree.c:2991 [inline]
add_ptr_to_bulk_krc_lock kernel/rcu/tree.c:3311 [inline]
kvfree_call_rcu+0x184/0x870 kernel/rcu/tree.c:3402
trie_delete_elem+0x52d/0x690 kernel/bpf/lpm_trie.c:545
bpf_prog_2c29ac5cdc6b1842+0x3a/0x3e
bpf_dispatcher_nop_func include/linux/bpf.h:1001 [inline]
__bpf_prog_run include/linux/filter.h:603 [inline]
bpf_prog_run include/linux/filter.h:610 [inline]
__bpf_trace_run kernel/trace/bpf_trace.c:2285 [inline]
bpf_trace_run3+0x1e3/0x400 kernel/trace/bpf_trace.c:2325
trace_timer_start include/trace/events/timer.h:53 [inline]
enqueue_timer+0x411/0x5c0 kernel/time/timer.c:609
__mod_timer+0x88e/0xd20 kernel/time/timer.c:1113
sk_reset_timer+0x1f/0xb0 net/core/sock.c:3374
tcp_event_new_data_sent+0x20e/0x370 net/ipv4/tcp_output.c:81
tcp_write_xmit+0x1780/0x62b0 net/ipv4/tcp_output.c:2716
__tcp_push_pending_frames+0x93/0x340 net/ipv4/tcp_output.c:2894
tcp_push_pending_frames include/net/tcp.h:1986 [inline]
tcp_data_snd_check net/ipv4/tcp_input.c:5599 [inline]
tcp_rcv_established+0xf62/0x1d30 net/ipv4/tcp_input.c:6023
tcp_v4_do_rcv+0x48d/0xb00 net/ipv4/tcp_ipv4.c:1683
tcp_v4_rcv+0x2789/0x2e30 net/ipv4/tcp_ipv4.c:2114
ip_protocol_deliver_rcu+0x3ad/0x780 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2c7/0x510 net/ipv4/ip_input.c:233
NF_HOOK+0x2ff/0x390 include/linux/netfilter.h:302
dst_input include/net/dst.h:463 [inline]
ip_sublist_rcv_finish net/ipv4/ip_input.c:580 [inline]
ip_list_rcv_finish net/ipv4/ip_input.c:631 [inline]
ip_sublist_rcv+0xa30/0xd10 net/ipv4/ip_input.c:639
ip_list_rcv+0x3df/0x430 net/ipv4/ip_input.c:674
__netif_receive_skb_list_ptype net/core/dev.c:5612 [inline]
__netif_receive_skb_list_core+0x574/0x740 net/core/dev.c:5660
__netif_receive_skb_list net/core/dev.c:5712 [inline]
netif_receive_skb_list_internal+0x90f/0xc50 net/core/dev.c:5803
gro_normal_list include/net/gro.h:433 [inline]
napi_complete_done+0x37d/0x830 net/core/dev.c:6144
virtqueue_napi_complete drivers/net/virtio_net.c:403 [inline]
virtnet_poll+0x991/0x1150 drivers/net/virtio_net.c:1687
__napi_poll+0xc0/0x460 net/core/dev.c:6578
napi_poll net/core/dev.c:6645 [inline]
net_rx_action+0x5b1/0xad0 net/core/dev.c:6759
handle_softirqs+0x2a1/0x920 kernel/softirq.c:596
__do_softirq kernel/softirq.c:630 [inline]
invoke_softirq kernel/softirq.c:470 [inline]
__irq_exit_rcu+0x12f/0x220 kernel/softirq.c:679
irq_exit_rcu+0x5/0x20 kernel/softirq.c:691
common_interrupt+0xb5/0xd0 arch/x86/kernel/irq.c:242
asm_common_interrupt+0x22/0x40 arch/x86/include/asm/idtentry.h:682
RIP: 0010:lock_release+0x593/0x910 kernel/locking/lockdep.c:5686
Code: 00 00 00 00 9c 8f 84 24 80 00 00 00 f6 84 24 81 00 00 00 02 75 75 f7 44 24 50 00 02 00 00 74 01 fb 48 c7 44 24 60 0e 36 e0 45 <4b> c7 04 2f 00 00 00 00 66 43 c7 44 2f 09 00 00 43 c6 44 2f 0b 00
RSP: 0000:ffffc900058c78e0 EFLAGS: 00000206
RAX: 0000000000000001 RBX: 394e4298a39ac2a1 RCX: 11c664fd34424000
RDX: 0000000000000003 RSI: ffffffff8a6c1160 RDI: ffffffff8abf14a0
RBP: ffffc900058c79f0 R08: dffffc0000000000 R09: fffffbfff1bfd1a6
R10: fffffbfff1bfd1a6 R11: 1ffffffff1bfd1a5 R12: ffff8880583ca918
R13: dffffc0000000000 R14: ffff8880583ca890 R15: 1ffff92000b18f28
rcu_lock_release include/linux/rcupdate.h:355 [inline]
rcu_read_unlock_sched include/linux/rcupdate.h:904 [inline]
pfn_valid+0x3c5/0x420 include/linux/mmzone.h:1867
page_table_check_set+0x25/0x6d0 mm/page_table_check.c:108
page_table_check_pte_set include/linux/page_table_check.h:83 [inline]
set_pte_at arch/x86/include/asm/pgtable.h:1009 [inline]
do_set_pte+0x452/0x460 mm/memory.c:4426
filemap_map_pages+0xcab/0x10d0 mm/filemap.c:3481
do_fault_around mm/memory.c:4600 [inline]
do_read_fault mm/memory.c:4626 [inline]
do_fault mm/memory.c:4760 [inline]
handle_pte_fault mm/memory.c:5031 [inline]
__handle_mm_fault mm/memory.c:5173 [inline]
handle_mm_fault+0x2889/0x3e70 mm/memory.c:5294
do_user_addr_fault+0x51f/0xb10 arch/x86/mm/fault.c:1340
handle_page_fault arch/x86/mm/fault.c:1431 [inline]
exc_page_fault+0x60/0x100 arch/x86/mm/fault.c:1487
asm_exc_page_fault+0x22/0x30 arch/x86/include/asm/idtentry.h:608
RIP: 0033:0x7fa5da54d550
Code: Unable to access opcode bytes at 0x7fa5da54d526.
RSP: 002b:00007ffdfbc2f078 EFLAGS: 00010206
RAX: 0000000000000008 RBX: 0000000000000000 RCX: 00007fa5da5851cd
RDX: 0000000000000000 RSI: 0000000000000018 RDI: 000055557e2947e0
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000001
R10: 000055557e2947d0 R11: 0000000000000246 R12: 0000000000000000
R13: 00000000000927c0 R14: 0000000000043724 R15: 00007ffdfbc2f210
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 9c pushf
5: 8f 84 24 80 00 00 00 pop 0x80(%rsp)
c: f6 84 24 81 00 00 00 testb $0x2,0x81(%rsp)
13: 02
14: 75 75 jne 0x8b
16: f7 44 24 50 00 02 00 testl $0x200,0x50(%rsp)
1d: 00
1e: 74 01 je 0x21
20: fb sti
21: 48 c7 44 24 60 0e 36 movq $0x45e0360e,0x60(%rsp)
28: e0 45
* 2a: 4b c7 04 2f 00 00 00 movq $0x0,(%r15,%r13,1) <-- trapping instruction
31: 00
32: 66 43 c7 44 2f 09 00 movw $0x0,0x9(%r15,%r13,1)
39: 00
3a: 43 c6 44 2f 0b 00 movb $0x0,0xb(%r15,%r13,1)