erspan2: entered allmulticast mode
bond10: (slave erspan2): making interface the new active one
erspan2: entered promiscuous mode
============================================
WARNING: possible recursive locking detected
syzkaller #0 Not tainted
--------------------------------------------
syz.1.8160/31185 is trying to acquire lock:
ffff88807d9b88d8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff88807d9b88d8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
ffff88807d9b88d8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343
but task is already holding lock:
ffff888025a34cd8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff888025a34cd8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
ffff888025a34cd8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&qdisc_xmit_lock_key#2);
lock(&qdisc_xmit_lock_key#2);
*** DEADLOCK ***
May be due to missing lock nesting notation
8 locks held by syz.1.8160/31185:
#0: ffffffff8e3c2ac8 (rtnl_mutex){+.+.}-{3:3}, at: rtnl_lock net/core/rtnetlink.c:78 [inline]
#0: ffffffff8e3c2ac8 (rtnl_mutex){+.+.}-{3:3}, at: rtnetlink_rcv_msg+0x811/0xfa0 net/core/rtnetlink.c:6472
#1: ffffffff8d132140 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
#1: ffffffff8d132140 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
#1: ffffffff8d132140 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x265/0x3660 net/core/dev.c:4375
#2: ffff88807e1f5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
#2: ffff88807e1f5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
#2: ffff88807e1f5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3868 [inline]
#2: ffff88807e1f5258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x1186/0x3660 net/core/dev.c:4416
#3: ffff888025a34cd8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
#3: ffff888025a34cd8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: __netif_tx_lock include/linux/netdevice.h:4406 [inline]
#3: ffff888025a34cd8 (&qdisc_xmit_lock_key#2){+.-.}-{2:2}, at: sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343
#4: ffffffff8d1320e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
#4: ffffffff8d1320e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
#4: ffffffff8d1320e0 (rcu_read_lock){....}-{1:2}, at: ip_output+0x60/0x3b0 net/ipv4/ip_output.c:431
#5: ffffffff8d1320e0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire include/linux/rcupdate.h:334 [inline]
#5: ffffffff8d1320e0 (rcu_read_lock){....}-{1:2}, at: rcu_read_lock include/linux/rcupdate.h:786 [inline]
#5: ffffffff8d1320e0 (rcu_read_lock){....}-{1:2}, at: ip_finish_output2+0x457/0x11e0 net/ipv4/ip_output.c:228
#6: ffffffff8d132140 (rcu_read_lock_bh){....}-{1:2}, at: local_bh_disable include/linux/bottom_half.h:20 [inline]
#6: ffffffff8d132140 (rcu_read_lock_bh){....}-{1:2}, at: rcu_read_lock_bh include/linux/rcupdate.h:838 [inline]
#6: ffffffff8d132140 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x265/0x3660 net/core/dev.c:4375
#7: ffff88807e1f0258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: spin_trylock include/linux/spinlock.h:361 [inline]
#7: ffff88807e1f0258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: qdisc_run_begin include/net/sch_generic.h:195 [inline]
#7: ffff88807e1f0258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_xmit_skb net/core/dev.c:3868 [inline]
#7: ffff88807e1f0258 (dev->qdisc_tx_busylock ?: &qdisc_tx_busylock#2){+...}-{2:2}, at: __dev_queue_xmit+0x1186/0x3660 net/core/dev.c:4416
stack backtrace:
CPU: 1 PID: 31185 Comm: syz.1.8160 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
Call Trace:
<TASK>
dump_stack_lvl+0x18c/0x250 lib/dump_stack.c:106
check_deadlock kernel/locking/lockdep.c:3062 [inline]
validate_chain kernel/locking/lockdep.c:3856 [inline]
__lock_acquire+0x5dbc/0x7d40 kernel/locking/lockdep.c:5137
lock_acquire+0x19e/0x420 kernel/locking/lockdep.c:5754
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x2e/0x40 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
__netif_tx_lock include/linux/netdevice.h:4406 [inline]
sch_direct_xmit+0x166/0x4c0 net/sched/sch_generic.c:343
__dev_xmit_skb net/core/dev.c:3881 [inline]
__dev_queue_xmit+0x165d/0x3660 net/core/dev.c:4416
dev_queue_xmit include/linux/netdevice.h:3113 [inline]
neigh_hh_output include/net/neighbour.h:527 [inline]
neigh_output include/net/neighbour.h:541 [inline]
ip_finish_output2+0xcec/0x11e0 net/ipv4/ip_output.c:235
NF_HOOK_COND include/linux/netfilter.h:293 [inline]
ip_output+0x2a1/0x3b0 net/ipv4/ip_output.c:436
iptunnel_xmit+0x4f0/0x920 net/ipv4/ip_tunnel_core.c:82
ip_tunnel_xmit+0x1cbc/0x2410 net/ipv4/ip_tunnel.c:844
erspan_xmit+0x9c0/0x1440 net/ipv4/ip_gre.c:729
__netdev_start_xmit include/linux/netdevice.h:4943 [inline]
netdev_start_xmit include/linux/netdevice.h:4957 [inline]
xmit_one net/core/dev.c:3644 [inline]
dev_hard_start_xmit+0x246/0x740 net/core/dev.c:3660
sch_direct_xmit+0x25e/0x4c0 net/sched/sch_generic.c:345
__dev_xmit_skb net/core/dev.c:3881 [inline]
__dev_queue_xmit+0x165d/0x3660 net/core/dev.c:4416
dev_queue_xmit include/linux/netdevice.h:3113 [inline]
alb_send_lp_vid+0x2fc/0x4e0 drivers/net/bonding/bond_alb.c:949
alb_send_learning_packets+0x12d/0x300 drivers/net/bonding/bond_alb.c:1012
alb_fasten_mac_swap+0x650/0xf80 drivers/net/bonding/bond_alb.c:1076
bond_alb_handle_active_change+0xc68/0xf20 drivers/net/bonding/bond_alb.c:1776
bond_change_active_slave+0xf41/0x3600 drivers/net/bonding/bond_main.c:1254
bond_select_active_slave+0x912/0xd50 drivers/net/bonding/bond_main.c:1334
bond_enslave+0x23ba/0x3bd0 drivers/net/bonding/bond_main.c:2308
do_set_master net/core/rtnetlink.c:2709 [inline]
rtnl_newlink_create net/core/rtnetlink.c:3537 [inline]
__rtnl_newlink net/core/rtnetlink.c:3740 [inline]
rtnl_newlink+0x1bbc/0x20a0 net/core/rtnetlink.c:3753
rtnetlink_rcv_msg+0x869/0xfa0 net/core/rtnetlink.c:6475
netlink_rcv_skb+0x241/0x4d0 net/netlink/af_netlink.c:2545
netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline]
netlink_unicast+0x751/0x8d0 net/netlink/af_netlink.c:1346
netlink_sendmsg+0x8d0/0xbf0 net/netlink/af_netlink.c:1894
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x5ba/0x960 net/socket.c:2594
___sys_sendmsg+0x2a6/0x360 net/socket.c:2648
__sys_sendmsg net/socket.c:2677 [inline]
__do_sys_sendmsg net/socket.c:2686 [inline]
__se_sys_sendmsg+0x1c2/0x2b0 net/socket.c:2684
do_syscall_x64 arch/x86/entry/common.c:46 [inline]
do_syscall_64+0x55/0xa0 arch/x86/entry/common.c:76
entry_SYSCALL_64_after_hwframe+0x68/0xd2
RIP: 0033:0x7f216e59cdd9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f216f3f0028 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f216e816090 RCX: 00007f216e59cdd9
RDX: 0000000000000000 RSI: 00002000000000c0 RDI: 0000000000000004
RBP: 00007f216e632d69 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f216e816128 R14: 00007f216e816090 R15: 00007ffe9db270f8
</TASK>
bond10: (slave erspan2): Enslaving as an active interface with an up link
syz.1.8160 (31185) used greatest stack depth: 17544 bytes left