program: r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) r2 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_SIOCGIFINDEX(r3, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r4 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r4, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r2, 0x890b, &(0x7f0000000280)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bpq0, 0x10000, 'syz0\x00', @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0xfffffdb6, 0x2, [@default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) ioctl$sock_netrom_SIOCADDRT(r2, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x10001, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]}) ioctl$sock_netrom_SIOCADDRT(r2, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]}) ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f0000000280)={0x0, @bcast, @bpq0, 0xffff, 'syz0\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0xfffffdba, 0x2, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]}) r5 = syz_init_net_socket$x25(0x9, 0x5, 0x0) ioctl$sock_ifreq(r5, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'}) socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) ioctl$sock_ifreq(r7, 0x8910, &(0x7f00000000c0)={'veth0_macvtap\x00', @ifru_flags=0xa00}) ioctl$sock_SIOCGIFINDEX(r6, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) r8 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2) setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) ioctl$sock_netdev_private(r8, 0x8914, &(0x7f0000000000)) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000180)={0x0, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bpq0, 0x4, 'syz1\x00', @null, 0xfffffffd, 0x5, [@remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bcast, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @default]}) r9 = syz_init_net_socket$netrom(0x6, 0x5, 0x0) ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000100)={0x1, @null, @bpq0, 0xffffffff, 'syz1\x00', @null, 0xfff, 0x3, [@default, @null, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]}) ioctl$sock_netrom_SIOCDELRT(r9, 0x890c, &(0x7f0000000680)={0x1, @null, @bpq0, 0x89, 'syz1\x00', @null, 0x2, 0x8, [@null, @default, @null, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @bcast, @bcast]}) [ 76.019493][ T5313] Bluetooth: hci0: command tx timeout [ 76.102498][ T5335] 8021q: adding VLAN 0 to HW filter on device bond0 [ 76.122030][ T5335] bond0: (slave rose0): Enslaving as an active interface with an up link [ 76.140717][ T5335] [ 76.141799][ T5335] ====================================================== [ 76.144728][ T5335] WARNING: possible circular locking dependency detected [ 76.147844][ T5335] syzkaller #0 Not tainted [ 76.149777][ T5335] ------------------------------------------------------ [ 76.153137][ T5335] syz.0.0/5335 is trying to acquire lock: [ 76.155467][ T5335] ffffffff8f466bf8 (nr_neigh_list_lock){+...}-{3:3}, at: nr_del_node+0x517/0x8d0 [ 76.159467][ T5335] [ 76.159467][ T5335] but task is already holding lock: [ 76.162610][ T5335] ffff888030b6c770 (&nr_node->node_lock){+...}-{3:3}, at: nr_del_node+0x152/0x8d0 [ 76.166599][ T5335] [ 76.166599][ T5335] which lock already depends on the new lock. [ 76.166599][ T5335] [ 76.171204][ T5335] [ 76.171204][ T5335] the existing dependency chain (in reverse order) is: [ 76.175412][ T5335] [ 76.175412][ T5335] -> #2 (&nr_node->node_lock){+...}-{3:3}: [ 76.178665][ T5335] _raw_spin_lock_bh+0x36/0x50 [ 76.181090][ T5335] nr_rt_device_down+0x12a/0x720 [ 76.183507][ T5335] nr_device_event+0x137/0x150 [ 76.185827][ T5335] notifier_call_chain+0x19d/0x3a0 [ 76.188434][ T5335] netif_close_many+0x29c/0x410 [ 76.191172][ T5335] netif_close+0x158/0x210 [ 76.193667][ T5335] dev_close+0x10a/0x220 [ 76.195800][ T5335] bpq_device_event+0x377/0x6a0 [ 76.198147][ T5335] notifier_call_chain+0x19d/0x3a0 [ 76.200553][ T5335] netif_close_many+0x29c/0x410 [ 76.202858][ T5335] netif_close+0x158/0x210 [ 76.204995][ T5335] dev_close+0x10a/0x220 [ 76.206986][ T5335] bond_setup_by_slave+0x5f/0x3d0 [ 76.209389][ T5335] bond_enslave+0x6ca/0x38c0 [ 76.211605][ T5335] bond_do_ioctl+0x635/0x9b0 [ 76.213785][ T5335] dev_ifsioc+0x90b/0xf00 [ 76.215883][ T5335] dev_ioctl+0x7b4/0x1150 [ 76.217958][ T5335] sock_do_ioctl+0x22c/0x300 [ 76.220377][ T5335] sock_ioctl+0x576/0x790 [ 76.222512][ T5335] __se_sys_ioctl+0xfc/0x170 [ 76.224766][ T5335] do_syscall_64+0xfa/0xf80 [ 76.227114][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.230498][ T5335] [ 76.230498][ T5335] -> #1 (nr_node_list_lock){+...}-{3:3}: [ 76.234075][ T5335] _raw_spin_lock_bh+0x36/0x50 [ 76.236430][ T5335] nr_rt_device_down+0xa9/0x720 [ 76.238785][ T5335] nr_device_event+0x137/0x150 [ 76.241169][ T5335] notifier_call_chain+0x19d/0x3a0 [ 76.243649][ T5335] netif_close_many+0x29c/0x410 [ 76.246139][ T5335] netif_close+0x158/0x210 [ 76.248380][ T5335] dev_close+0x10a/0x220 [ 76.250574][ T5335] bpq_device_event+0x377/0x6a0 [ 76.253034][ T5335] notifier_call_chain+0x19d/0x3a0 [ 76.255554][ T5335] netif_close_many+0x29c/0x410 [ 76.257997][ T5335] netif_close+0x158/0x210 [ 76.260181][ T5335] dev_close+0x10a/0x220 [ 76.262236][ T5335] bond_setup_by_slave+0x5f/0x3d0 [ 76.264644][ T5335] bond_enslave+0x6ca/0x38c0 [ 76.266968][ T5335] bond_do_ioctl+0x635/0x9b0 [ 76.269224][ T5335] dev_ifsioc+0x90b/0xf00 [ 76.271399][ T5335] dev_ioctl+0x7b4/0x1150 [ 76.273681][ T5335] sock_do_ioctl+0x22c/0x300 [ 76.276092][ T5335] sock_ioctl+0x576/0x790 [ 76.278183][ T5335] __se_sys_ioctl+0xfc/0x170 [ 76.280490][ T5335] do_syscall_64+0xfa/0xf80 [ 76.282759][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.285588][ T5335] [ 76.285588][ T5335] -> #0 (nr_neigh_list_lock){+...}-{3:3}: [ 76.289019][ T5335] __lock_acquire+0x15a6/0x2cf0 [ 76.291359][ T5335] lock_acquire+0x117/0x340 [ 76.293605][ T5335] _raw_spin_lock_bh+0x36/0x50 [ 76.295856][ T5335] nr_del_node+0x517/0x8d0 [ 76.298014][ T5335] nr_rt_ioctl+0x989/0xd50 [ 76.300168][ T5335] sock_do_ioctl+0xdc/0x300 [ 76.302397][ T5335] sock_ioctl+0x576/0x790 [ 76.304689][ T5335] __se_sys_ioctl+0xfc/0x170 [ 76.307003][ T5335] do_syscall_64+0xfa/0xf80 [ 76.309245][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.312155][ T5335] [ 76.312155][ T5335] other info that might help us debug this: [ 76.312155][ T5335] [ 76.316594][ T5335] Chain exists of: [ 76.316594][ T5335] nr_neigh_list_lock --> nr_node_list_lock --> &nr_node->node_lock [ 76.316594][ T5335] [ 76.322495][ T5335] Possible unsafe locking scenario: [ 76.322495][ T5335] [ 76.325805][ T5335] CPU0 CPU1 [ 76.328194][ T5335] ---- ---- [ 76.330704][ T5335] lock(&nr_node->node_lock); [ 76.332841][ T5335] lock(nr_node_list_lock); [ 76.336216][ T5335] lock(&nr_node->node_lock); [ 76.339932][ T5335] lock(nr_neigh_list_lock); [ 76.342349][ T5335] [ 76.342349][ T5335] *** DEADLOCK *** [ 76.342349][ T5335] [ 76.345714][ T5335] 2 locks held by syz.0.0/5335: [ 76.347694][ T5335] #0: ffffffff8f466c58 (nr_node_list_lock){+...}-{3:3}, at: nr_del_node+0xfc/0x8d0 [ 76.351510][ T5335] #1: ffff888030b6c770 (&nr_node->node_lock){+...}-{3:3}, at: nr_del_node+0x152/0x8d0 [ 76.355698][ T5335] [ 76.355698][ T5335] stack backtrace: [ 76.358259][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.358278][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.358289][ T5335] Call Trace: [ 76.358297][ T5335] [ 76.358304][ T5335] dump_stack_lvl+0x189/0x250 [ 76.358328][ T5335] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.358342][ T5335] ? __pfx__printk+0x10/0x10 [ 76.358362][ T5335] ? print_lock_name+0xde/0x100 [ 76.358378][ T5335] print_circular_bug+0x2e2/0x300 [ 76.358392][ T5335] check_noncircular+0x12e/0x150 [ 76.358406][ T5335] __lock_acquire+0x15a6/0x2cf0 [ 76.358419][ T5335] ? __lock_acquire+0x6b6/0x2cf0 [ 76.358431][ T5335] ? nr_del_node+0x517/0x8d0 [ 76.358444][ T5335] lock_acquire+0x117/0x340 [ 76.358454][ T5335] ? nr_del_node+0x517/0x8d0 [ 76.358465][ T5335] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 76.358482][ T5335] ? do_raw_spin_unlock+0x4d/0x240 [ 76.358496][ T5335] ? nr_neigh_get_dev+0xbd/0x140 [ 76.358508][ T5335] ? nr_del_node+0x517/0x8d0 [ 76.358517][ T5335] _raw_spin_lock_bh+0x36/0x50 [ 76.358530][ T5335] ? nr_del_node+0x517/0x8d0 [ 76.358538][ T5335] nr_del_node+0x517/0x8d0 [ 76.358548][ T5335] nr_rt_ioctl+0x989/0xd50 [ 76.358562][ T5335] ? __pfx_nr_rt_ioctl+0x10/0x10 [ 76.358574][ T5335] ? apparmor_capable+0x137/0x1a0 [ 76.358590][ T5335] ? capable+0x89/0xe0 [ 76.358604][ T5335] ? nr_ioctl+0x1b1/0x3b0 [ 76.358621][ T5335] sock_do_ioctl+0xdc/0x300 [ 76.358637][ T5335] ? __pfx_sock_do_ioctl+0x10/0x10 [ 76.358647][ T5335] ? do_futex+0x395/0x420 [ 76.358657][ T5335] sock_ioctl+0x576/0x790 [ 76.358666][ T5335] ? __pfx_sock_ioctl+0x10/0x10 [ 76.358676][ T5335] ? __fget_files+0x3a0/0x420 [ 76.358688][ T5335] ? __fget_files+0x2a/0x420 [ 76.358699][ T5335] ? bpf_lsm_file_ioctl+0x9/0x20 [ 76.358713][ T5335] ? __pfx_sock_ioctl+0x10/0x10 [ 76.358722][ T5335] __se_sys_ioctl+0xfc/0x170 [ 76.358735][ T5335] do_syscall_64+0xfa/0xf80 [ 76.358745][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.358755][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 76.358767][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.358777][ T5335] RIP: 0033:0x7f81be18f7c9 [ 76.358797][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.358806][ T5335] RSP: 002b:00007f81bf05e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 76.358822][ T5335] RAX: ffffffffffffffda RBX: 00007f81be3e5fa0 RCX: 00007f81be18f7c9 [ 76.358831][ T5335] RDX: 0000200000000680 RSI: 000000000000890c RDI: 000000000000000e [ 76.358839][ T5335] RBP: 00007f81be213f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.358845][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.358852][ T5335] R13: 00007f81be3e6038 R14: 00007f81be3e5fa0 R15: 00007ffe59fd60f8 [ 76.358863][ T5335]