program:
r0 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
r1 = syz_init_net_socket$netrom(0x6, 0x5, 0x0)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)) (async)
socketpair$unix(0x1, 0x1, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff})
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'}) (async)
ioctl$sock_SIOCGIFINDEX(r2, 0x8933, &(0x7f0000000000)={'batadv_slave_0\x00'})
r3 = syz_init_net_socket$bt_sco(0x1f, 0x5, 0x2)
setsockopt$netrom_NETROM_T2(r1, 0x103, 0x2, &(0x7f00000000c0)=0x8, 0x4) (async)
setsockopt$netrom_NETROM_T2(r1, 0x103, 0x2, &(0x7f00000000c0)=0x8, 0x4)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d) (async)
setsockopt$ax25_SO_BINDTODEVICE(0xffffffffffffffff, 0x101, 0x19, &(0x7f0000000000)=@bpq0, 0xfffffffffffffe1d)
ioctl$sock_netdev_private(r3, 0x8914, &(0x7f0000000000))
ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f0000000280)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @bpq0, 0x10000, 'syz0\x00', @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, 0xfffffdb6, 0x2, [@default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]})
ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f0000000000)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x10001, 'syz1\x00', @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x2}, 0x1, 0x0, [@null, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @bcast, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x3}, @default, @default]})
ioctl$SIOCNRDECOBS(r1, 0x89e2)
ioctl$sock_netrom_SIOCADDRT(r1, 0x890b, &(0x7f00000001c0)={0x1, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @bpq0, 0x2, 'syz1\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0x5, 0x1, [@netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @null, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, @default, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}]})
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000280)={0x0, @bcast, @bpq0, 0xffff, 'syz0\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0xfffffdba, 0x2, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]}) (async)
ioctl$sock_netrom_SIOCADDRT(r0, 0x890b, &(0x7f0000000280)={0x0, @bcast, @bpq0, 0xffff, 'syz0\x00', @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, 0xfffffdba, 0x2, [@rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default, @default, @rose={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @default]})
r4 = syz_init_net_socket$x25(0x9, 0x5, 0x0)
ioctl$sock_ifreq(r4, 0x8990, &(0x7f0000000180)={'bond0\x00', @ifru_names='rose0\x00'})

[ 154.529927][ T5326] Bluetooth: hci0: command tx timeout
[ 154.759411][ T5348]
[ 154.760654][ T5348] ======================================================
[ 154.764092][ T5348] WARNING: possible circular locking dependency detected
[ 154.767389][ T5348] syzkaller #0 Not tainted
[ 154.769649][ T5348] ------------------------------------------------------
[ 154.772868][ T5348] syz.0.0/5348 is trying to acquire lock:
[ 154.775358][ T5348] ffffffff8fd4f578 (nr_node_list_lock){+...}-{3:3}, at: nr_rt_device_down+0xbe/0x860
[ 154.779967][ T5348]
[ 154.779967][ T5348] but task is already holding lock:
[ 154.784061][ T5348] ffffffff8fd4f518 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x860
[ 154.788044][ T5348]
[ 154.788044][ T5348] which lock already depends on the new lock.
[ 154.788044][ T5348]
[ 154.792440][ T5348]
[ 154.792440][ T5348] the existing dependency chain (in reverse order) is:
[ 154.796628][ T5348]
[ 154.796628][ T5348] -> #2 (nr_neigh_list_lock){+...}-{3:3}:
[ 154.800216][ T5348] _raw_spin_lock_bh+0x36/0x50
[ 154.802480][ T5348] nr_rt_ioctl+0x40c/0xf90
[ 154.804507][ T5348] sock_do_ioctl+0x101/0x320
[ 154.806874][ T5348] sock_ioctl+0x5c6/0x7f0
[ 154.809550][ T5348] __se_sys_ioctl+0xfc/0x170
[ 154.812220][ T5348] do_syscall_64+0x14d/0xf80
[ 154.814540][ T5348] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 154.817317][ T5348]
[ 154.817317][ T5348] -> #1 (&nr_node->node_lock){+...}-{3:3}:
[ 154.821007][ T5348] _raw_spin_lock_bh+0x36/0x50
[ 154.824133][ T5348] nr_rt_ioctl+0x215/0xf90
[ 154.826987][ T5348] sock_do_ioctl+0x101/0x320
[ 154.829359][ T5348] sock_ioctl+0x5c6/0x7f0
[ 154.831496][ T5348] __se_sys_ioctl+0xfc/0x170
[ 154.833716][ T5348] do_syscall_64+0x14d/0xf80
[ 154.835731][ T5348] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 154.838422][ T5348]
[ 154.838422][ T5348] -> #0 (nr_node_list_lock){+...}-{3:3}:
[ 154.841847][ T5348] __lock_acquire+0x15a5/0x2cf0
[ 154.844799][ T5348] lock_acquire+0xf0/0x2e0
[ 154.847380][ T5348] _raw_spin_lock_bh+0x36/0x50
[ 154.849852][ T5348] nr_rt_device_down+0xbe/0x860
[ 154.852182][ T5348] nr_device_event+0x137/0x150
[ 154.854429][ T5348] notifier_call_chain+0x1be/0x400
[ 154.856885][ T5348] netif_close_many+0x2ae/0x420
[ 154.859663][ T5348] netif_close+0x160/0x220
[ 154.862465][ T5348] dev_close+0x10a/0x220
[ 154.864873][ T5348] bpq_device_event+0x377/0x6a0
[ 154.867239][ T5348] notifier_call_chain+0x1be/0x400
[ 154.869552][ T5348] netif_close_many+0x2ae/0x420
[ 154.872071][ T5348] netif_close+0x160/0x220
[ 154.874083][ T5348] dev_close+0x10a/0x220
[ 154.876312][ T5348] bond_setup_by_slave+0x5f/0x3e0
[ 154.878921][ T5348] bond_enslave+0x847/0x3c40
[ 154.881383][ T5348] bond_do_ioctl+0x6ec/0x8d0
[ 154.883920][ T5348] dev_ifsioc+0x961/0x1280
[ 154.886310][ T5348] dev_ioctl+0x7b4/0x1150
[ 154.888572][ T5348] sock_do_ioctl+0x23e/0x320
[ 154.890954][ T5348] sock_ioctl+0x5c6/0x7f0
[ 154.892828][ T5348] __se_sys_ioctl+0xfc/0x170
[ 154.894967][ T5348] do_syscall_64+0x14d/0xf80
[ 154.897215][ T5348] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 154.902436][ T5348]
[ 154.902436][ T5348] other info that might help us debug this:
[ 154.902436][ T5348]
[ 154.907675][ T5348] Chain exists of:
[ 154.907675][ T5348] nr_node_list_lock --> &nr_node->node_lock --> nr_neigh_list_lock
[ 154.907675][ T5348]
[ 154.913286][ T5348] Possible unsafe locking scenario:
[ 154.913286][ T5348]
[ 154.916794][ T5348]        CPU0                    CPU1
[ 154.919674][ T5348]        ----                    ----
[ 154.922211][ T5348]   lock(nr_neigh_list_lock);
[ 154.924458][ T5348]                                lock(&nr_node->node_lock);
[ 154.927793][ T5348]                                lock(nr_neigh_list_lock);
[ 154.930949][ T5348]   lock(nr_node_list_lock);
[ 154.933273][ T5348]
[ 154.933273][ T5348] *** DEADLOCK ***
[ 154.933273][ T5348]
[ 154.937193][ T5348] 2 locks held by syz.0.0/5348:
[ 154.939842][ T5348] #0: ffffffff8fbd2448 (rtnl_mutex){+.+.}-{4:4}, at: dev_ioctl+0x7a4/0x1150
[ 154.944171][ T5348] #1: ffffffff8fd4f518 (nr_neigh_list_lock){+...}-{3:3}, at: nr_rt_device_down+0x28/0x860
[ 154.948727][ T5348]
[ 154.948727][ T5348] stack backtrace:
[ 154.952279][ T5348] CPU: 0 UID: 0 PID: 5348 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 154.952305][ T5348] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 154.952344][ T5348] Call Trace:
[ 154.952446][ T5348]
[ 154.952457][ T5348] dump_stack_lvl+0xe8/0x150
[ 154.952486][ T5348] print_circular_bug+0x2e1/0x300
[ 154.952513][ T5348] check_noncircular+0x12e/0x150
[ 154.952538][ T5348] __lock_acquire+0x15a5/0x2cf0
[ 154.952562][ T5348] ? __lock_acquire+0x6b5/0x2cf0
[ 154.952584][ T5348] lock_acquire+0xf0/0x2e0
[ 154.952604][ T5348] ? nr_rt_device_down+0xbe/0x860
[ 154.952626][ T5348] ? nr_rt_device_down+0xbe/0x860
[ 154.952643][ T5348] _raw_spin_lock_bh+0x36/0x50
[ 154.952681][ T5348] ? nr_rt_device_down+0xbe/0x860
[ 154.952698][ T5348] nr_rt_device_down+0xbe/0x860
[ 154.952734][ T5348] ? nr_device_event+0x12f/0x150
[ 154.952753][ T5348] nr_device_event+0x137/0x150
[ 154.952770][ T5348] notifier_call_chain+0x1be/0x400
[ 154.952798][ T5348] netif_close_many+0x2ae/0x420
[ 154.952821][ T5348] ? _raw_spin_unlock_irqrestore+0x30/0x80
[ 154.952839][ T5348] ? __pfx_netif_close_many+0x10/0x10
[ 154.952861][ T5348] ? bond_netdev_event+0x231/0xfc0
[ 154.952887][ T5348] ? __neigh_ifdown+0x7fd/0x8c0
[ 154.952908][ T5348] netif_close+0x160/0x220
[ 154.952930][ T5348] ? __pfx_netif_close+0x10/0x10
[ 154.952950][ T5348] ? __asan_memset+0x22/0x50
[ 154.952973][ T5348] ? macvtap_device_event+0xd1/0x400
[ 154.952994][ T5348] dev_close+0x10a/0x220
[ 154.953009][ T5348] bpq_device_event+0x377/0x6a0
[ 154.953085][ T5348] notifier_call_chain+0x1be/0x400
[ 154.953112][ T5348] netif_close_many+0x2ae/0x420
[ 154.953135][ T5348] ? __pfx_netif_close_many+0x10/0x10
[ 154.953156][ T5348] ? __pfx_hsr_netdev_notify+0x10/0x10
[ 154.953178][ T5348] ? udp_tunnel_nic_netdevice_event+0x1ac/0x17d0
[ 154.953203][ T5348] netif_close+0x160/0x220
[ 154.953224][ T5348] ? __pfx_netif_close+0x10/0x10
[ 154.953244][ T5348] ? do_raw_spin_lock+0x12b/0x2f0
[ 154.953260][ T5348] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 154.953279][ T5348] dev_close+0x10a/0x220
[ 154.953295][ T5348] bond_setup_by_slave+0x5f/0x3e0
[ 154.953339][ T5348] bond_enslave+0x847/0x3c40
[ 154.953354][ T5348] ? arch_stack_walk+0xfb/0x150
[ 154.953382][ T5348] ? __pfx_stack_trace_save+0x10/0x10
[ 154.953398][ T5348] ? kasan_save_free_info+0x46/0x50
[ 154.953421][ T5348] ? __pfx_bond_enslave+0x10/0x10
[ 154.953441][ T5348] ? apparmor_capable+0x126/0x170
[ 154.953458][ T5348] ? full_name_hash+0x92/0xe0
[ 154.953479][ T5348] bond_do_ioctl+0x6ec/0x8d0
[ 154.953501][ T5348] ? rcu_is_watching+0x15/0xb0
[ 154.953525][ T5348] ? __pfx_bond_do_ioctl+0x10/0x10
[ 154.953543][ T5348] ? __mutex_lock+0x319/0x1300
[ 154.953564][ T5348] ? kasan_quarantine_put+0xbb/0x1f0
[ 154.953588][ T5348] ? full_name_hash+0x92/0xe0
[ 154.953609][ T5348] dev_ifsioc+0x961/0x1280
[ 154.953632][ T5348] ? dev_load+0x21/0x1f0
[ 154.953654][ T5348] dev_ioctl+0x7b4/0x1150
[ 154.953678][ T5348] sock_do_ioctl+0x23e/0x320
[ 154.953700][ T5348] ? __pfx_sock_do_ioctl+0x10/0x10
[ 154.953719][ T5348] ? do_futex+0x333/0x420
[ 154.953742][ T5348] sock_ioctl+0x5c6/0x7f0
[ 154.953761][ T5348] ? __pfx_sock_ioctl+0x10/0x10
[ 154.953781][ T5348] ? __fget_files+0x2a/0x420
[ 154.953802][ T5348] ? __fget_files+0x3a0/0x420
[ 154.953821][ T5348] ? __fget_files+0x2a/0x420
[ 154.953842][ T5348] ? bpf_lsm_file_ioctl+0x9/0x20
[ 154.953861][ T5348] ? __pfx_sock_ioctl+0x10/0x10
[ 154.953880][ T5348] __se_sys_ioctl+0xfc/0x170
[ 154.953897][ T5348] do_syscall_64+0x14d/0xf80
[ 154.953916][ T5348] ? trace_irq_disable+0x3b/0x150
[ 154.953930][ T5348] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 154.953946][ T5348] ? clear_bhb_loop+0x40/0x90
[ 154.953964][ T5348] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 154.953980][ T5348] RIP: 0033:0x7f8381f9c819
[ 154.954082][ T5348] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 154.954096][ T5348] RSP: 002b:00007f8382f01fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 154.954111][ T5348] RAX: ffffffffffffffda RBX: 00007f8382215fa0 RCX: 00007f8381f9c819
[ 154.954120][ T5348] RDX: 0000200000000180 RSI: 0000000000008990 RDI: 000000000000000b
[ 154.954128][ T5348] RBP: 00007f8382032c91 R08: 0000000000000000 R09: 0000000000000000
[ 154.954136][ T5348] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 154.954143][ T5348] R13: 00007f8382216038 R14: 00007f8382215fa0 R15: 00007ffc78e73908
[ 154.954154][ T5348]
[ 155.259598][ T5348] 8021q: adding VLAN 0 to HW filter on device bond0
[ 155.289493][ T5348] bond0: (slave rose0): Enslaving as an active interface with an up link