program:
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r1, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r2 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r2, 0x8914, &(0x7f0000000000))
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000280)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bpq0, 0xffff, 'syz0\x00', @default, 0xfffffdba, 0x2, [@default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}]})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000000)={0x1, @default, @bpq0, 0x6, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]})
ioctl$SIOCNRDECOBS(r0, 0x89e2)
r3 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r3, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})

[ 85.300502][ T5308] Bluetooth: hci0: command tx timeout
[ 85.366330][ T5332]
[ 85.367606][ T5332] ======================================================
[ 85.370683][ T5332] WARNING: possible circular locking dependency detected
[ 85.373860][ T5332] 6.16.0-rc4-syzkaller-00049-gb4911fb0b060 #0 Not tainted
[ 85.376939][ T5332] ------------------------------------------------------
[ 85.380089][ T5332] syz.0.0/5332 is trying to acquire lock:
[ 85.382608][ T5332] ffffffff8f668378 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xa9/0x720
[ 85.386987][ T5332]
[ 85.386987][ T5332] but task is already holding lock:
[ 85.390262][ T5332] ffffffff8f668318 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720
[ 85.394320][ T5332]
[ 85.394320][ T5332] which lock already depends on the new lock.
[ 85.394320][ T5332]
[ 85.398784][ T5332]
[ 85.398784][ T5332] the existing dependency chain (in reverse order) is:
[ 85.402595][ T5332]
[ 85.402595][ T5332] -> #2 (nr_neigh_list_lock){+...}-{3:3}:
[ 85.406052][ T5332]        lock_acquire+0x120/0x360
[ 85.408378][ T5332]        _raw_spin_lock_bh+0x36/0x50
[ 85.410984][ T5332]        nr_rt_ioctl+0x390/0xd50
[ 85.413433][ T5332]        sock_do_ioctl+0xdc/0x300
[ 85.415979][ T5332]        sock_ioctl+0x576/0x790
[ 85.418576][ T5332]        __se_sys_ioctl+0xf9/0x170
[ 85.421196][ T5332]        do_syscall_64+0xfa/0x3b0
[ 85.423816][ T5332]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.427186][ T5332]
[ 85.427186][ T5332] -> #1 (&nr_node->node_lock){+...}-{3:3}:
[ 85.430962][ T5332]        lock_acquire+0x120/0x360
[ 85.433353][ T5332]        _raw_spin_lock_bh+0x36/0x50
[ 85.435826][ T5332]        nr_rt_ioctl+0x193/0xd50
[ 85.437996][ T5332]        sock_do_ioctl+0xdc/0x300
[ 85.440224][ T5332]        sock_ioctl+0x576/0x790
[ 85.442583][ T5332]        __se_sys_ioctl+0xf9/0x170
[ 85.445135][ T5332]        do_syscall_64+0xfa/0x3b0
[ 85.447454][ T5332]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.450162][ T5332]
[ 85.450162][ T5332] -> #0 (nr_node_list_lock){+...}-{3:3}:
[ 85.453575][ T5332]        validate_chain+0xb9b/0x2140
[ 85.455880][ T5332]        __lock_acquire+0xab9/0xd20
[ 85.458278][ T5332]        lock_acquire+0x120/0x360
[ 85.460548][ T5332]        _raw_spin_lock_bh+0x36/0x50
[ 85.462857][ T5332]        nr_rt_device_down+0xa9/0x720
[ 85.465132][ T5332]        nr_device_event+0x137/0x150
[ 85.467526][ T5332]        notifier_call_chain+0x1b3/0x3e0
[ 85.469992][ T5332]        dev_close_many+0x29c/0x410
[ 85.472391][ T5332]        netif_close+0x158/0x210
[ 85.474579][ T5332]        dev_close+0x10a/0x220
[ 85.476418][ T5332]        bpq_device_event+0x2f4/0x600
[ 85.478562][ T5332]        notifier_call_chain+0x1b3/0x3e0
[ 85.481084][ T5332]        dev_close_many+0x29c/0x410
[ 85.483508][ T5332]        netif_close+0x158/0x210
[ 85.485717][ T5332]        dev_close+0x10a/0x220
[ 85.487808][ T5332]        bond_setup_by_slave+0x5f/0x3f0
[ 85.490190][ T5332]        bond_enslave+0x7a0/0x3a20
[ 85.492538][ T5332]        bond_do_ioctl+0x635/0x9b0
[ 85.494854][ T5332]        dev_ifsioc+0x90b/0xf00
[ 85.497129][ T5332]        dev_ioctl+0x7b4/0x1150
[ 85.499825][ T5332]        sock_do_ioctl+0x22c/0x300
[ 85.502398][ T5332]        sock_ioctl+0x576/0x790
[ 85.504590][ T5332]        __se_sys_ioctl+0xf9/0x170
[ 85.506904][ T5332]        do_syscall_64+0xfa/0x3b0
[ 85.509232][ T5332]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.512030][ T5332]
[ 85.512030][ T5332] other info that might help us debug this:
[ 85.512030][ T5332]
[ 85.516478][ T5332] Chain exists of:
[ 85.516478][ T5332]   nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock
[ 85.516478][ T5332]
[ 85.523323][ T5332]  Possible unsafe locking scenario:
[ 85.523323][ T5332]
[ 85.526602][ T5332]        CPU0                    CPU1
[ 85.529010][ T5332]        ----                    ----
[ 85.531460][ T5332]   lock(nr_neigh_list_lock);
[ 85.533657][ T5332]                                lock(&nr_node->node_lock);
[ 85.536613][ T5332]                                lock(nr_neigh_list_lock);
[ 85.539938][ T5332]   lock(nr_node_list_lock);
[ 85.542065][ T5332]
[ 85.542065][ T5332]  *** DEADLOCK ***
[ 85.542065][ T5332]
[ 85.545373][ T5332] 2 locks held by syz.0.0/5332:
[ 85.547416][ T5332]  #0: ffffffff8f50f908 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7a4/0x1150
[ 85.551101][ T5332]  #1: ffffffff8f668318 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x720
[ 85.555229][ T5332]
[ 85.555229][ T5332] stack backtrace:
[ 85.557967][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller-00049-gb4911fb0b060 #0 PREEMPT(full)
[ 85.557989][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.558006][ T5332] Call Trace:
[ 85.558060][ T5332]
[ 85.558067][ T5332]  dump_stack_lvl+0x189/0x250
[ 85.558091][ T5332]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 85.558109][ T5332]  ? __pfx__printk+0x10/0x10
[ 85.558122][ T5332]  ? print_lock_name+0xde/0x100
[ 85.558134][ T5332]  print_circular_bug+0x2ee/0x310
[ 85.558148][ T5332]  check_noncircular+0x134/0x160
[ 85.558160][ T5332]  validate_chain+0xb9b/0x2140
[ 85.558170][ T5332]  ? rt6_disable_ip+0x6b3/0x720
[ 85.558185][ T5332]  ? __lock_acquire+0xab9/0xd20
[ 85.558202][ T5332]  __lock_acquire+0xab9/0xd20
[ 85.558218][ T5332]  ? nr_rt_device_down+0xa9/0x720
[ 85.558236][ T5332]  lock_acquire+0x120/0x360
[ 85.558251][ T5332]  ? nr_rt_device_down+0xa9/0x720
[ 85.558268][ T5332]  ? nr_rt_device_down+0xa9/0x720
[ 85.558283][ T5332]  _raw_spin_lock_bh+0x36/0x50
[ 85.558346][ T5332]  ? nr_rt_device_down+0xa9/0x720
[ 85.558364][ T5332]  nr_rt_device_down+0xa9/0x720
[ 85.558389][ T5332]  ? do_raw_spin_unlock+0x4d/0x240
[ 85.558403][ T5332]  nr_device_event+0x137/0x150
[ 85.558418][ T5332]  notifier_call_chain+0x1b3/0x3e0
[ 85.558438][ T5332]  dev_close_many+0x29c/0x410
[ 85.558468][ T5332]  ? __pfx_dev_close_many+0x10/0x10
[ 85.558478][ T5332]  ? __try_to_del_timer_sync+0x34a/0x3a0
[ 85.558492][ T5332]  ? bond_netdev_event+0x227/0xe80
[ 85.558506][ T5332]  netif_close+0x158/0x210
[ 85.558516][ T5332]  ? __pfx_netif_close+0x10/0x10
[ 85.558526][ T5332]  ? tun_device_event+0x77/0x1020
[ 85.558544][ T5332]  dev_close+0x10a/0x220
[ 85.558555][ T5332]  bpq_device_event+0x2f4/0x600
[ 85.558606][ T5332]  notifier_call_chain+0x1b3/0x3e0
[ 85.558626][ T5332]  dev_close_many+0x29c/0x410
[ 85.558638][ T5332]  ? __pfx_dev_close_many+0x10/0x10
[ 85.558651][ T5332]  netif_close+0x158/0x210
[ 85.558661][ T5332]  ? __pfx_netif_close+0x10/0x10
[ 85.558671][ T5332]  ? do_raw_spin_lock+0x121/0x290
[ 85.558684][ T5332]  ? __local_bh_enable_ip+0x12d/0x1c0
[ 85.558702][ T5332]  ? lockdep_hardirqs_on+0x9c/0x150
[ 85.558719][ T5332]  dev_close+0x10a/0x220
[ 85.558731][ T5332]  bond_setup_by_slave+0x5f/0x3f0
[ 85.558746][ T5332]  bond_enslave+0x7a0/0x3a20
[ 85.558761][ T5332]  ? trace_sched_exit_tp+0x38/0x120
[ 85.558775][ T5332]  ? __schedule+0x1713/0x4d00
[ 85.558792][ T5332]  ? __pfx_bond_enslave+0x10/0x10
[ 85.558814][ T5332]  ? apparmor_capable+0x137/0x1b0
[ 85.558838][ T5332]  ? full_name_hash+0x92/0xe0
[ 85.558854][ T5332]  ? netdev_name_node_lookup+0xdf/0x120
[ 85.558869][ T5332]  bond_do_ioctl+0x635/0x9b0
[ 85.558884][ T5332]  ? __pfx_bond_do_ioctl+0x10/0x10
[ 85.558898][ T5332]  ? __mutex_lock+0xa6d/0xe80
[ 85.558914][ T5332]  ? full_name_hash+0x92/0xe0
[ 85.558928][ T5332]  ? netdev_name_node_lookup+0xdf/0x120
[ 85.558939][ T5332]  dev_ifsioc+0x90b/0xf00
[ 85.558949][ T5332]  ? dev_load+0x21/0x1f0
[ 85.558963][ T5332]  dev_ioctl+0x7b4/0x1150
[ 85.558972][ T5332]  sock_do_ioctl+0x22c/0x300
[ 85.558986][ T5332]  ? __pfx_sock_do_ioctl+0x10/0x10
[ 85.558998][ T5332]  ? __lock_acquire+0xab9/0xd20
[ 85.559014][ T5332]  sock_ioctl+0x576/0x790
[ 85.559028][ T5332]  ? __pfx_sock_ioctl+0x10/0x10
[ 85.559040][ T5332]  ? __fget_files+0x2a/0x420
[ 85.559050][ T5332]  ? __fget_files+0x3a0/0x420
[ 85.559058][ T5332]  ? __fget_files+0x2a/0x420
[ 85.559067][ T5332]  ? bpf_lsm_file_ioctl+0x9/0x20
[ 85.559080][ T5332]  ? __pfx_sock_ioctl+0x10/0x10
[ 85.559091][ T5332]  __se_sys_ioctl+0xf9/0x170
[ 85.559105][ T5332]  do_syscall_64+0xfa/0x3b0
[ 85.559120][ T5332]  ? lockdep_hardirqs_on+0x9c/0x150
[ 85.559133][ T5332]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.559144][ T5332]  ? clear_bhb_loop+0x60/0xb0
[ 85.559155][ T5332]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.559165][ T5332] RIP: 0033:0x7f42ee38e929
[ 85.559227][ T5332] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 85.559238][ T5332] RSP: 002b:00007f42ef270038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 85.559251][ T5332] RAX: ffffffffffffffda RBX: 00007f42ee5b5fa0 RCX: 00007f42ee38e929
[ 85.559259][ T5332] RDX: 0000200000000180 RSI: 0000000000008990 RDI: 0000000000000008
[ 85.559267][ T5332] RBP: 00007f42ee410b39 R08: 0000000000000000 R09: 0000000000000000
[ 85.559273][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.559306][ T5332] R13: 0000000000000000 R14: 00007f42ee5b5fa0 R15: 00007ffd47349068
[ 85.559317][ T5332]
[ 85.866968][ T5332] 8021q: adding VLAN 0 to HW filter on device bond0
[ 85.873057][ T5332] bond0: (slave rose0): Enslaving as an active interface with an up link