INFO: task hung in cgroup_storage_map_free


梅开彦

Feb 3, 2026, 3:14:52 AM
to b...@vger.kernel.org, dz...@hust.edu.cn, ddd...@hust.edu.cn, hust-os-ker...@googlegroups.com
Our fuzzer discovered a task hung vulnerability in the BPF subsystem. The crash can be triggered on bpf-next (93ce3bee311d6f885bffb4a83843bddbe6b126be). We have not yet been able to develop a stable PoC to reproduce this vulnerability, but we will continue to analyze it further and test whether it can be triggered on the latest bpf-next branch.

Reported-by: Kaiyan Mei <M2024...@hust.edu.cn>
Reported-by: Yinhao Hu <ddd...@hust.edu.cn>
Reviewed-by: Dongliang Mu <dz...@hust.edu.cn>

# Crash Report
```
INFO: task kworker/u10:3:47 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u10:3 state:D stack:23560 pid:47 tgid:47 ppid:2 task_flags:0x4208060 flags:0x00080000
Workqueue: events_unbound bpf_map_free_deferred
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_storage_map_free+0x30/0x240 kernel/bpf/local_storage.c:336
bpf_map_free kernel/bpf/syscall.c:894 [inline]
bpf_map_free_deferred+0x2e5/0x810 kernel/bpf/syscall.c:921
process_one_work+0x997/0x1b60 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x683/0xe90 kernel/workqueue.c:3427
kthread+0x3d5/0x780 kernel/kthread.c:463
ret_from_fork+0x67b/0x7d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task kworker/u9:3:67 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:kworker/u9:3 state:D stack:24392 pid:67 tgid:67 ppid:2 task_flags:0x4208060 flags:0x00080000
Workqueue: events_unbound bpf_map_free_deferred
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_storage_map_free+0x30/0x240 kernel/bpf/local_storage.c:336
bpf_map_free kernel/bpf/syscall.c:894 [inline]
bpf_map_free_deferred+0x2e5/0x810 kernel/bpf/syscall.c:921
process_one_work+0x997/0x1b60 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x683/0xe90 kernel/workqueue.c:3427
kthread+0x3d5/0x780 kernel/kthread.c:463
ret_from_fork+0x67b/0x7d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
INFO: task syz-executor:80112 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:22968 pid:80112 tgid:80112 ppid:1 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
__cgroup_procs_write+0xb9/0x790 kernel/cgroup/cgroup.c:5370
cgroup_procs_write+0x2b/0x60 kernel/cgroup/cgroup.c:5410
cgroup_file_write+0x1f3/0x790 kernel/cgroup/cgroup.c:4312
kernfs_fop_write_iter+0x3ac/0x580 fs/kernfs/file.c:352
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xc12/0x1180 fs/read_write.c:686
ksys_write+0x126/0x240 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4f7e3ac91f
RSP: 002b:00007ffdda5784b0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f4f7e3ac91f
RDX: 0000000000000001 RSI: 00007ffdda578500 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffdda578450
R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffdda578ab0
R13: 00007ffdda578500 R14: 0000000000000000 R15: 0000000000000002
</TASK>
INFO: task syz-executor:80220 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:23728 pid:80220 tgid:80220 ppid:1 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
__cgroup_procs_write+0xb9/0x790 kernel/cgroup/cgroup.c:5370
cgroup_procs_write+0x2b/0x60 kernel/cgroup/cgroup.c:5410
cgroup_file_write+0x1f3/0x790 kernel/cgroup/cgroup.c:4312
kernfs_fop_write_iter+0x3ac/0x580 fs/kernfs/file.c:352
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xc12/0x1180 fs/read_write.c:686
ksys_write+0x126/0x240 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0b15fac91f
RSP: 002b:00007ffeda8e2530 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f0b15fac91f
RDX: 0000000000000001 RSI: 00007ffeda8e2580 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffeda8e24d0
R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffeda8e2b30
R13: 00007ffeda8e2580 R14: 0000000000000000 R15: 0000000000000002
</TASK>
INFO: task syz-executor:80259 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:23616 pid:80259 tgid:80259 ppid:1 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
__cgroup_procs_write+0xb9/0x790 kernel/cgroup/cgroup.c:5370
cgroup_procs_write+0x2b/0x60 kernel/cgroup/cgroup.c:5410
cgroup_file_write+0x1f3/0x790 kernel/cgroup/cgroup.c:4312
kernfs_fop_write_iter+0x3ac/0x580 fs/kernfs/file.c:352
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0xc12/0x1180 fs/read_write.c:686
ksys_write+0x126/0x240 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbb085ac91f
RSP: 002b:00007ffe5498fe40 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fbb085ac91f
RDX: 0000000000000001 RSI: 00007ffe5498fe90 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 00007ffe5498fde0
R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe54990440
R13: 00007ffe5498fe90 R14: 0000000000000000 R15: 0000000000000002
</TASK>
INFO: task syz-executor:82898 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:23392 pid:82898 tgid:82898 ppid:1 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
cgroup_mkdir+0x54/0x1210 kernel/cgroup/cgroup.c:5999
kernfs_iop_mkdir+0x116/0x1a0 fs/kernfs/dir.c:1268
vfs_mkdir+0x59b/0x8d0 fs/namei.c:4453
do_mkdirat+0x2e1/0x3d0 fs/namei.c:4486
__do_sys_mkdirat fs/namei.c:4503 [inline]
__se_sys_mkdirat fs/namei.c:4501 [inline]
__x64_sys_mkdirat+0x8c/0xb0 fs/namei.c:4501
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fdee01ac6db
RSP: 002b:00007ffecc086c38 EFLAGS: 00000202 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007fdee01ac6db
RDX: 00000000000001ff RSI: 00007ffecc086cc0 RDI: 00000000ffffff9c
RBP: 00007fdee03e5f40 R08: 0000000000000000 R09: 00007ffecc086ad0
R10: 000000000000000a R11: 0000000000000202 R12: 0000000000000001
R13: 00007ffecc086cc0 R14: 00007fdee02486ea R15: 0000000000000002
</TASK>
INFO: task syz.0.9508:83521 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.0.9508 state:D stack:25728 pid:83521 tgid:83520 ppid:80122 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
ftrace_set_hash+0x353/0x830 kernel/trace/ftrace.c:5889
ftrace_set_addr kernel/trace/ftrace.c:5904 [inline]
ftrace_set_filter_ip+0xc2/0x1f0 kernel/trace/ftrace.c:6235
register_fentry kernel/bpf/trampoline.c:223 [inline]
bpf_trampoline_update+0xa3b/0x1160 kernel/bpf/trampoline.c:474
__bpf_trampoline_link_prog+0x36a/0xac0 kernel/bpf/trampoline.c:593
bpf_trampoline_link_cgroup_shim+0x65d/0x860 kernel/bpf/trampoline.c:774
__cgroup_bpf_attach+0xceb/0x2030 kernel/bpf/cgroup.c:869
cgroup_bpf_attach kernel/bpf/cgroup.c:915 [inline]
cgroup_bpf_link_attach+0x2d2/0x470 kernel/bpf/cgroup.c:1506
link_create kernel/bpf/syscall.c:5715 [inline]
__sys_bpf+0x3395/0x5390 kernel/bpf/syscall.c:6241
__do_sys_bpf kernel/bpf/syscall.c:6281 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6279 [inline]
__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:6279
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa43adadead
RSP: 002b:00007fa438bf5f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007fa43afe5fa0 RCX: 00007fa43adadead
RDX: 0000000000000010 RSI: 0000200000000000 RDI: 000000000000001c
RBP: 00007fa43ae47d9f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007fa43afe5fa0 R15: 00007fa438bd6000
</TASK>
INFO: task syz.7.9518:83585 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.7.9518 state:D stack:26296 pid:83585 tgid:83584 ppid:80130 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_bpf_detach kernel/bpf/cgroup.c:1203 [inline]
cgroup_bpf_prog_detach+0x3dd/0x510 kernel/bpf/cgroup.c:1369
bpf_prog_detach kernel/bpf/syscall.c:4604 [inline]
__sys_bpf+0x41c4/0x5390 kernel/bpf/syscall.c:6183
__do_sys_bpf kernel/bpf/syscall.c:6281 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6279 [inline]
__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:6279
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f375b7adead
RSP: 002b:00007f375c6d1f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f375b9e5fa0 RCX: 00007f375b7adead
RDX: 0000000000000020 RSI: 00002000000003c0 RDI: 0000000000000009
RBP: 00007f375b847d9f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f375b9e5fa0 R15: 00007f375c6b2000
</TASK>
INFO: task syz-executor:83611 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:23552 pid:83611 tgid:83611 ppid:1 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
rwsem_down_write_slowpath+0x3fd/0x12d0 kernel/locking/rwsem.c:1185
__down_write_common kernel/locking/rwsem.c:1317 [inline]
__down_write kernel/locking/rwsem.c:1326 [inline]
down_write_nested+0x1de/0x210 kernel/locking/rwsem.c:1707
inode_lock_nested include/linux/fs.h:1025 [inline]
filename_create+0x1a1/0x490 fs/namei.c:4226
do_mkdirat+0xa9/0x3d0 fs/namei.c:4478
__do_sys_mkdirat fs/namei.c:4503 [inline]
__se_sys_mkdirat fs/namei.c:4501 [inline]
__x64_sys_mkdirat+0x8c/0xb0 fs/namei.c:4501
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f66a8fac6db
RSP: 002b:00007ffd752be698 EFLAGS: 00000202 ORIG_RAX: 0000000000000102
RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f66a8fac6db
RDX: 00000000000001ff RSI: 00007ffd752be720 RDI: 00000000ffffff9c
RBP: 00007f66a91e5f40 R08: 0000000000000000 R09: 00007ffd752be530
R10: 000000000000000a R11: 0000000000000202 R12: 0000000000000001
R13: 00007ffd752be720 R14: 00007f66a90486ea R15: 0000000000000002
</TASK>
INFO: task syz.2.9528:83660 blocked for more than 144 seconds.
Not tainted 6.18.0-rc4-g93ce3bee311d #3
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz.2.9528 state:D stack:28288 pid:83660 tgid:83659 ppid:80280 task_flags:0x400140 flags:0x00080002
Call Trace:
<TASK>
context_switch kernel/sched/core.c:5325 [inline]
__schedule+0x1044/0x5bb0 kernel/sched/core.c:6929
__schedule_loop kernel/sched/core.c:7011 [inline]
schedule+0xec/0x3b0 kernel/sched/core.c:7026
schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:7083
__mutex_lock_common kernel/locking/mutex.c:676 [inline]
__mutex_lock+0x773/0x1010 kernel/locking/mutex.c:760
cgroup_lock include/linux/cgroup.h:393 [inline]
cgroup_bpf_query kernel/bpf/cgroup.c:1319 [inline]
cgroup_bpf_prog_query+0xe8/0x12c0 kernel/bpf/cgroup.c:1532
bpf_prog_query kernel/bpf/syscall.c:4664 [inline]
__sys_bpf+0x2f11/0x5390 kernel/bpf/syscall.c:6186
__do_sys_bpf kernel/bpf/syscall.c:6281 [inline]
__se_sys_bpf kernel/bpf/syscall.c:6279 [inline]
__x64_sys_bpf+0x7d/0xc0 kernel/bpf/syscall.c:6279
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcb/0xfa0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f35607adead
RSP: 002b:00007f3561686f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f35609e5fa0 RCX: 00007f35607adead
RDX: 0000000000000040 RSI: 0000200000000440 RDI: 0000000000000010
RBP: 00007f3560847d9f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f35609e5fa0 R15: 00007f3561667000
</TASK>
Future hung task reports are suppressed, see sysctl kernel.hung_task_warnings

Showing all locks held in the system:
4 locks held by systemd/1:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: do_rmdir+0x1ec/0x3a0 fs/namei.c:4591
#1: ff1100007d06bce8 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1025 [inline]
#1: ff1100007d06bce8 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: do_rmdir+0x236/0x3a0 fs/namei.c:4595
#2: ff11000129192410 (&type->i_mutex_dir_key#6){++++}-{4:4}, at: inode_lock include/linux/fs.h:980 [inline]
#2: ff11000129192410 (&type->i_mutex_dir_key#6){++++}-{4:4}, at: vfs_rmdir fs/namei.c:4537 [inline]
#2: ff11000129192410 (&type->i_mutex_dir_key#6){++++}-{4:4}, at: vfs_rmdir+0xee/0x680 fs/namei.c:4525
#3: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#3: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
1 lock held by rcu_tasks_kthre/31:
#0: ffffffff8f1c3570 (rcu_tasks.tasks_gp_mutex){+.+.}-{4:4}, at: rcu_tasks_one_gp+0x70d/0xda0 kernel/rcu/tasks.h:614
1 lock held by khungtaskd/35:
#0: ffffffff8f1c3da0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
#0: ffffffff8f1c3da0 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:867 [inline]
#0: ffffffff8f1c3da0 (rcu_read_lock){....}-{1:3}, at: debug_show_all_locks+0x36/0x1c0 kernel/locking/lockdep.c:6775
3 locks held by kworker/u10:3/47:
#0: ff1100001c4a9948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x1291/0x1b60 kernel/workqueue.c:3238
#1: ffa0000000b97d10 ((work_completion)(&map->work)){+.+.}-{0:0}, at: process_one_work+0x8f1/0x1b60 kernel/workqueue.c:3239
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_storage_map_free+0x30/0x240 kernel/bpf/local_storage.c:336
3 locks held by kworker/u9:3/67:
#0: ff1100001c4a9948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x1291/0x1b60 kernel/workqueue.c:3238
#1: ffa0000001797d10 ((work_completion)(&map->work)){+.+.}-{0:0}, at: process_one_work+0x8f1/0x1b60 kernel/workqueue.c:3239
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_storage_map_free+0x30/0x240 kernel/bpf/local_storage.c:336
5 locks held by kworker/u8:2/9817:
#0: ff1100001d697948 ((wq_completion)netns){+.+.}-{0:0}, at: process_one_work+0x1291/0x1b60 kernel/workqueue.c:3238
#1: ffa0000011a9fd10 (net_cleanup_work){+.+.}-{0:0}, at: process_one_work+0x8f1/0x1b60 kernel/workqueue.c:3239
#2: ffffffff90ecaeb0 (pernet_ops_rwsem){++++}-{4:4}, at: cleanup_net+0xb2/0x8b0 net/core/net_namespace.c:669
#3: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: ops_exit_rtnl_list net/core/net_namespace.c:173 [inline]
#3: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: ops_undo_list+0x7d6/0xa50 net/core/net_namespace.c:248
#4: ffffffff8f1cf638 (rcu_state.exp_mutex){+.+.}-{4:4}, at: exp_funnel_lock+0x28c/0x3b0 kernel/rcu/tree_exp.h:311
3 locks held by kworker/u8:4/11667:
#0: ff1100002d8c9148 ((wq_completion)ipv6_addrconf){+.+.}-{0:0}, at: process_one_work+0x1291/0x1b60 kernel/workqueue.c:3238
#1: ffa00000038b7d10 ((work_completion)(&(&ifa->dad_work)->work)){+.+.}-{0:0}, at: process_one_work+0x8f1/0x1b60 kernel/workqueue.c:3239
#2: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_net_lock include/linux/rtnetlink.h:130 [inline]
#2: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: addrconf_dad_work+0x109/0x1510 net/ipv6/addrconf.c:4194
3 locks held by kworker/1:6/12830:
#0: ff1100001c45d948 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x1291/0x1b60 kernel/workqueue.c:3238
#1: ffa0000004cd7d10 (deferred_process_work){+.+.}-{0:0}, at: process_one_work+0x8f1/0x1b60 kernel/workqueue.c:3239
#2: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: switchdev_deferred_process_work+0x13/0x20 net/switchdev/switchdev.c:104
3 locks held by syz-executor/80112:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff1100002e7ca088 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
3 locks held by syz-executor/80220:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff1100007c45e888 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
3 locks held by syz-executor/80259:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff11000108d47888 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
3 locks held by syz-executor/82898:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: filename_create+0xf8/0x490 fs/namei.c:4219
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1025 [inline]
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: filename_create+0x1a1/0x490 fs/namei.c:4226
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#2: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_kn_lock_live+0x11f/0x590 kernel/cgroup/cgroup.c:1735
3 locks held by syz.3.9434/82907:
#0: ff1100005f1d0880 (&tr->mutex){+.+.}-{4:4}, at: bpf_trampoline_unlink_prog+0x33/0x510 kernel/bpf/trampoline.c:642
#1: ffffffff8f2466c8 (direct_mutex){+.+.}-{4:4}, at: unregister_ftrace_direct+0x11c/0x640 kernel/trace/ftrace.c:6091
#2: ffffffff8f246aa8 (ftrace_lock){+.+.}-{4:4}, at: unregister_ftrace_function+0x28/0x420 kernel/trace/ftrace.c:8765
4 locks held by syz.0.9508/83521:
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_bpf_attach kernel/bpf/cgroup.c:914 [inline]
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_bpf_link_attach+0x2b6/0x470 kernel/bpf/cgroup.c:1506
#1: ff11000051ed0c80 (&tr->mutex){+.+.}-{4:4}, at: bpf_trampoline_link_cgroup_shim+0x224/0x860 kernel/bpf/trampoline.c:754
#2: ff11000051ed20a0 (&ops->local_hash.regex_lock){+.+.}-{4:4}, at: ftrace_set_hash+0xea/0x830 kernel/trace/ftrace.c:5854
#3: ffffffff8f246aa8 (ftrace_lock){+.+.}-{4:4}, at: ftrace_set_hash+0x353/0x830 kernel/trace/ftrace.c:5889
1 lock held by syz.7.9518/83585:
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_bpf_detach kernel/bpf/cgroup.c:1203 [inline]
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_bpf_prog_detach+0x3dd/0x510 kernel/bpf/cgroup.c:1369
2 locks held by syz-executor/83611:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: filename_create+0xf8/0x490 fs/namei.c:4219
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1025 [inline]
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: filename_create+0x1a1/0x490 fs/namei.c:4226
1 lock held by syz.2.9528/83660:
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_lock include/linux/cgroup.h:393 [inline]
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_bpf_query kernel/bpf/cgroup.c:1319 [inline]
#0: ffffffff8f21f1c8 (cgroup_mutex){+.+.}-{4:4}, at: cgroup_bpf_prog_query+0xe8/0x12c0 kernel/bpf/cgroup.c:1532
2 locks held by syz-executor/84035:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: filename_create+0xf8/0x490 fs/namei.c:4219
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1025 [inline]
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: filename_create+0x1a1/0x490 fs/namei.c:4226
2 locks held by syz-executor/84170:
#0: ff11000024ede420 (sb_writers#8){.+.+}-{0:0}, at: filename_create+0xf8/0x490 fs/namei.c:4219
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: inode_lock_nested include/linux/fs.h:1025 [inline]
#1: ff110000272e8640 (&type->i_mutex_dir_key#6/1){+.+.}-{4:4}, at: filename_create+0x1a1/0x490 fs/namei.c:4226
7 locks held by syz-executor/86559:
#0: ff11000026b9a420 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff1100004a882c88 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x305/0x580 fs/kernfs/file.c:344
#3: ffffffff904548e8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xce/0x4b0 drivers/net/netdevsim/bus.c:234
#4: ff110001228ec0e8 (&dev->mutex){....}-{4:4}, at: device_lock include/linux/device.h:914 [inline]
#4: ff110001228ec0e8 (&dev->mutex){....}-{4:4}, at: __device_driver_lock drivers/base/dd.c:1096 [inline]
#4: ff110001228ec0e8 (&dev->mutex){....}-{4:4}, at: device_release_driver_internal+0xa9/0x620 drivers/base/dd.c:1294
#5: ff11000125101250 (&devlink->lock_key#112){+.+.}-{4:4}, at: nsim_drv_remove+0x4f/0x1d0 drivers/net/netdevsim/dev.c:1721
#6: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: unregister_nexthop_notifier+0x1e/0x70 net/ipv4/nexthop.c:3999
4 locks held by syz-executor/86567:
#0: ff11000026b9a420 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff11000066582488 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x305/0x580 fs/kernfs/file.c:344
#3: ffffffff904548e8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xce/0x4b0 drivers/net/netdevsim/bus.c:234
4 locks held by syz-executor/86594:
#0: ff11000026b9a420 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff110001253bc088 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x305/0x580 fs/kernfs/file.c:344
#3: ffffffff904548e8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xce/0x4b0 drivers/net/netdevsim/bus.c:234
4 locks held by syz-executor/87269:
#0: ff11000026b9a420 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff11000131b9c888 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x305/0x580 fs/kernfs/file.c:344
#3: ffffffff904548e8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xce/0x4b0 drivers/net/netdevsim/bus.c:234
1 lock held by syz-executor/88383:
4 locks held by syz-executor/88400:
#0: ff11000026b9a420 (sb_writers#5){.+.+}-{0:0}, at: ksys_write+0x126/0x240 fs/read_write.c:738
#1: ff11000023f3f488 (&of->mutex#2){+.+.}-{4:4}, at: kernfs_fop_write_iter+0x298/0x580 fs/kernfs/file.c:343
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_get_active_of fs/kernfs/file.c:80 [inline]
#2: ff110001091f9788 (kn->active#67){.+.+}-{0:0}, at: kernfs_fop_write_iter+0x305/0x580 fs/kernfs/file.c:344
#3: ffffffff904548e8 (nsim_bus_dev_list_lock){+.+.}-{4:4}, at: del_device_store+0xce/0x4b0 drivers/net/netdevsim/bus.c:234
1 lock held by (udev-worker)/89373:
#0: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#0: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x37c/0xfa0 net/core/rtnetlink.c:6957
2 locks held by syz-executor/89403:
2 locks held by syz-executor/89404:
#0: ffffffff9027acc0 (&ops->srcu){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
#0: ffffffff9027acc0 (&ops->srcu){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
#0: ffffffff9027acc0 (&ops->srcu){.+.+}-{0:0}, at: rtnl_link_ops_get+0x11b/0x2d0 net/core/rtnetlink.c:574
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x7c5/0x1fc0 net/core/rtnetlink.c:4064
2 locks held by syz-executor/89430:
#0: ffffffff9027acc0 (&ops->srcu){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
#0: ffffffff9027acc0 (&ops->srcu){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
#0: ffffffff9027acc0 (&ops->srcu){.+.+}-{0:0}, at: rtnl_link_ops_get+0x11b/0x2d0 net/core/rtnetlink.c:574
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x7c5/0x1fc0 net/core/rtnetlink.c:4064
1 lock held by syz-executor/89498:
#0: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#0: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#0: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x7c5/0x1fc0 net/core/rtnetlink.c:4064
2 locks held by syz-executor/89520:
#0: ffffffff915fba60 (&ops->srcu){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
#0: ffffffff915fba60 (&ops->srcu){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
#0: ffffffff915fba60 (&ops->srcu){.+.+}-{0:0}, at: rtnl_link_ops_get+0x11b/0x2d0 net/core/rtnetlink.c:574
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x7c5/0x1fc0 net/core/rtnetlink.c:4064
2 locks held by syz-executor/89590:
#0: ffffffff915fb760 (&ops->srcu){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
#0: ffffffff915fb760 (&ops->srcu){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
#0: ffffffff915fb760 (&ops->srcu){.+.+}-{0:0}, at: rtnl_link_ops_get+0x11b/0x2d0 net/core/rtnetlink.c:574
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x7c5/0x1fc0 net/core/rtnetlink.c:4064
2 locks held by syz-executor/89647:
#0: ffffffff915fba60 (&ops->srcu){.+.+}-{0:0}, at: srcu_lock_acquire include/linux/srcu.h:161 [inline]
#0: ffffffff915fba60 (&ops->srcu){.+.+}-{0:0}, at: srcu_read_lock include/linux/srcu.h:253 [inline]
#0: ffffffff915fba60 (&ops->srcu){.+.+}-{0:0}, at: rtnl_link_ops_get+0x11b/0x2d0 net/core/rtnetlink.c:574
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_nets_lock net/core/rtnetlink.c:341 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_newlink+0x7c5/0x1fc0 net/core/rtnetlink.c:4064
3 locks held by kworker/u10:12/89990:
#0: ff1100001c4a9948 ((wq_completion)events_unbound#2){+.+.}-{0:0}, at: process_one_work+0x1291/0x1b60 kernel/workqueue.c:3238
#1: ffa0000004147d10 ((linkwatch_work).work){+.+.}-{0:0}, at: process_one_work+0x8f1/0x1b60 kernel/workqueue.c:3239
#2: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: linkwatch_event+0x14/0x70 net/core/link_watch.c:303
2 locks held by ifquery/90335:
#0: ff1100010795d6e0 (nlk_cb_mutex-ROUTE){+.+.}-{4:4}, at: __netlink_dump_start+0x15b/0x980 net/netlink/af_netlink.c:2406
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_dumpit+0x19e/0x200 net/core/rtnetlink.c:6819
2 locks held by ifquery/90340:
#0: ff1100012bd1a6e0 (nlk_cb_mutex-ROUTE){+.+.}-{4:4}, at: __netlink_dump_start+0x15b/0x980 net/netlink/af_netlink.c:2406
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_dumpit+0x19e/0x200 net/core/rtnetlink.c:6819
2 locks held by ifquery/90414:
#0: ff11000069c1b6e0 (nlk_cb_mutex-ROUTE){+.+.}-{4:4}, at: __netlink_dump_start+0x15b/0x980 net/netlink/af_netlink.c:2406
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline]
#1: ffffffff90ee1688 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_dumpit+0x19e/0x200 net/core/rtnetlink.c:6819

=============================================

NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 35 Comm: khungtaskd Not tainted 6.18.0-rc4-g93ce3bee311d #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120
nmi_cpu_backtrace+0x2a0/0x350 lib/nmi_backtrace.c:113
nmi_trigger_cpumask_backtrace+0x29c/0x300 lib/nmi_backtrace.c:62
trigger_all_cpu_backtrace include/linux/nmi.h:160 [inline]
check_hung_uninterruptible_tasks kernel/hung_task.c:332 [inline]
watchdog+0xf1b/0x1150 kernel/hung_task.c:495
kthread+0x3d5/0x780 kernel/kthread.c:463
ret_from_fork+0x67b/0x7d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Sending NMI from CPU 1 to CPUs 0:
NMI backtrace for cpu 0
CPU: 0 UID: 0 PID: 9817 Comm: kworker/u8:2 Not tainted 6.18.0-rc4-g93ce3bee311d #3 PREEMPT(full)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:remove_class_from_lock_chain kernel/locking/lockdep.c:6197 [inline]
RIP: 0010:remove_class_from_lock_chains kernel/locking/lockdep.c:6236 [inline]
RIP: 0010:zap_class+0x108/0x360 kernel/locking/lockdep.c:6281
Code: 00 49 c7 c6 60 4a d9 97 49 c7 c7 60 4a 19 98 49 bd 22 01 00 00 00 00 ad de 49 8b 1e 48 85 db 74 61 48 83 eb 08 74 5b 0f b6 03 <44> 8b 03 c0 e8 02 41 c1 e8 08 0f b6 c0 45 8d 14 00 45 39 d0 7d 39
RSP: 0018:ffa0000011a9f860 EFLAGS: 00000082
RAX: 0000000000000014 RBX: ffffffff94ad6ee0 RCX: 0000000000037a9b
RDX: 00000000000000c2 RSI: 0000000000037a9a RDI: ffffffff96a43e88
RBP: 0000000000000ad3 R08: 0000000000037a95 R09: ffffffff96bbbf56
R10: 0000000000037a9b R11: 0000000000000000 R12: ffffffff9819ca78
R13: dead000000000122 R14: ffffffff97e9c788 R15: ffffffff98194a60
FS: 0000000000000000(0000) GS:ff1100010ccd0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055a04906ea08 CR3: 000000007a9e3000 CR4: 0000000000753ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
<TASK>
__lockdep_free_key_range+0x34/0x80 kernel/locking/lockdep.c:6407
lockdep_unregister_key+0xba/0x140 kernel/locking/lockdep.c:6609
__qdisc_destroy+0x11f/0x4d0 net/sched/sch_generic.c:1083
qdisc_put+0xb0/0xe0 net/sched/sch_generic.c:1109
dev_shutdown+0x1d5/0x440 net/sched/sch_generic.c:1497
unregister_netdevice_many_notify+0x8e5/0x24a0 net/core/dev.c:12272
ops_exit_rtnl_list net/core/net_namespace.c:187 [inline]
ops_undo_list+0x8e9/0xa50 net/core/net_namespace.c:248
cleanup_net+0x40a/0x8b0 net/core/net_namespace.c:695
process_one_work+0x997/0x1b60 kernel/workqueue.c:3263
process_scheduled_works kernel/workqueue.c:3346 [inline]
worker_thread+0x683/0xe90 kernel/workqueue.c:3427
kthread+0x3d5/0x780 kernel/kthread.c:463
ret_from_fork+0x67b/0x7d0 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>

```

## Kernel Configuration Requirements for Reproduction

The vulnerability can be triggered with the kernel config in the attachment. Additionally, we provide the execution logs in Syzkaller format to facilitate further verification.

config-next
log0